Bug 400931 (CVE-2007-6067)

Summary: CVE-2007-6067 postgresql: tempory DoS caused by slow regex NFA cleanup
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bressers, mmaslano, security-response-team, tgl
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 8.2.6-1.fc8 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-01-08 08:58:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 427135, 427136, 427137, 427138, 427220, 427221, 427772, 427773, 427774, 867793    
Bug Blocks: 816611    

Description Tomas Hoger 2007-11-27 13:23:31 UTC 
Will Drewry reported a problem in a regular expression handling code used by
PosgreSQL.  This problem can be used to trigger temporary DoS attack by causing
PosgreSQL server to consume large amount of system memory and CPU resources.

On systems with memory overcommit enabled (default setting), database server can
be terminated by kernel OOM killer (see 'Managing Kernel Resources' section in
PosgreSQL documentation about more information on memory overcommit
configuration on Linux).

Regular expression code used by PosgreSQL was adopted from TCL.
Comment 3 Tomas Hoger 2008-01-07 13:57:35 UTC 
Public now, lifting embargo:

http://www.postgresql.org/about/news.905
http://www.postgresql.org/support/security.html
Comment 6 Tomas Hoger 2008-01-08 09:44:32 UTC 
TCL fixed in 8.5.0 and 8.4.17, patches (in 8.5 branch):

http://tcl.cvs.sourceforge.net/tcl/tcl/generic/regc_color.c?r1=1.10&r2=1.11
http://tcl.cvs.sourceforge.net/tcl/tcl/generic/regc_nfa.c?r1=1.10&r2=1.11
http://tcl.cvs.sourceforge.net/tcl/tcl/generic/regerrs.h?r1=1.4&r2=1.5
http://tcl.cvs.sourceforge.net/tcl/tcl/generic/regex.h?r1=1.8&r2=1.9
http://tcl.cvs.sourceforge.net/tcl/tcl/generic/regguts.h?r1=1.10&r2=1.11

TCL bug report:

http://sourceforge.net/tracker/index.php?func=detail&aid=1810264&group_id=10894&atid=110894
Comment 9 Fedora Update System 2008-01-11 22:14:04 UTC 
postgresql-8.2.6-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2008-01-11 22:24:17 UTC 
postgresql-8.2.6-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Red Hat Product Security 2008-02-01 15:10:01 UTC 
This issue was addressed in:

Red Hat Application Stack:
  http://rhn.redhat.com/errata/RHSA-2008-0040.html

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0038.html

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2008-0552
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-0478
Comment 14 errata-xmlrpc 2013-01-08 04:51:40 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0122 https://rhn.redhat.com/errata/RHSA-2013-0122.html