Bug 315231 (CVE-2007-4769)

Summary: CVE-2007-4769 postgresql integer overflow in regex code
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: mmaslano, tgl
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 8.2.6-1.fc8 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-01-11 22:14:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 427135, 427136, 427137, 427138, 427220, 427221, 427772, 427773, 427774    
Bug Blocks:    

Description Tomas Hoger 2007-10-02 11:06:35 UTC 
Will Drewry of Google Security Team has reported an integer overflow in regular
expression parsing code, which results in out of bound read and most frequently
in a crash.  This crash affects worker process spawned for database connection,
but may have impact on main prostgresql processes and render database
unavailable for new connections.
Comment 4 Tom Lane 2007-10-02 15:07:44 UTC 
Note that Postgres' regex library is borrowed lock-stock-and-barrel from Tcl, therefore this issue 
probably affects Tcl too.
Comment 5 Tomas Hoger 2007-10-02 16:05:04 UTC 
Tom, thanks for that info.  It seems that there was more significant change in
regex component between 7.3 and 7.4.  Are both version based on tcl?
Comment 6 Tom Lane 2007-10-02 16:13:54 UTC 
No, the Tcl regex code was adopted in 7.4, so RHEL2.1 and RHEL3 are not affected.

I tried to reproduce this in tclsh and could not.  Investigation shows that 'chr' type is unsigned short in a 
default Tcl build, therefore overflow problem cannot happen.  However, in a UCS-4-enabled Tcl build, the 
problem would exist because then they type 'chr' as unsigned int.  So we ought to let them know about 
this --- do we have any Tcl security contacts?
Comment 7 Tomas Hoger 2007-10-02 16:31:54 UTC 
Tom, I will communicate that information to Will and coordinate communication
towards tcl team.
Comment 8 Tom Lane 2007-10-02 17:15:32 UTC 
Also, I've confirmed that the infinite loops Will reported (CVE-2007-4772) do happen in Tcl, so even if the 
crash is a low-priority problem for them, the looping is an issue.

If you file separate bugzillas for the Tcl forms of these problems, would you put me on the cc list?  I'd 
really like to coordinate fixes with them, particularly for the looping --- there is not anyone in the 
Postgres project who's intimate with that code, so it will probably take us awhile to figure it out if we have 
to fix it by ourselves.
Comment 16 Tomas Hoger 2008-01-07 13:54:47 UTC 
Public now, lifting embargo:

http://www.postgresql.org/about/news.905
http://www.postgresql.org/support/security.html
Comment 18 Tomas Hoger 2008-01-08 09:38:57 UTC 
TCL is not really affected by this as explained in previous Tom's comments. 
Upstream have applied the patch to add checks:

http://tcl.cvs.sourceforge.net/tcl/tcl/generic/regc_lex.c?r1=1.7&r2=1.8
Comment 21 Fedora Update System 2008-01-11 22:13:58 UTC 
postgresql-8.2.6-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 22 Fedora Update System 2008-01-11 22:24:08 UTC 
postgresql-8.2.6-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 24 Red Hat Product Security 2008-02-01 15:09:35 UTC 
This issue was addressed in:

Red Hat Application Stack:
  http://rhn.redhat.com/errata/RHSA-2008-0040.html

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0038.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2008-0552
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-0478