Bug 488156 (CVE-2009-0922)
| Summary: | CVE-2009-0922 postgresql: potential DoS due to conversion functions | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | azelinka, jlieskov, kreilly, kseifried, kvolny, mjc, overholt, tgl |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-10-25 18:46:39 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 525282, 525283, 525284, 525285, 812238 | ||
| Bug Blocks: | |||
|
Description
Vincent Danen
2009-03-02 21:49:04 UTC
On a second look, the postmaster and postgres logging processes are not killed, but this does impact other connections as anyone attempting to interact with the db immediately after the crash will get "The postmaster has commanded this server process to roll back the current transaction and exit, because another server process exited abnormally and possibly corrupted shared memory." After a brief wait, however, without restarting the client, commands can be executed. BTW, has anyone assigned a CVE number to this? Upstream will be preparing a release tomorrow, and it'd be good to cite the number if there is one. Not that I have seen, but I'll see if I can find one. For reference, since I didn't know it before, this is also filed in Debian's BTS: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=517405 Doesn't look like a CVE request was ever done. Okay, I did one ... it's CVE-2009-0922 Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0922 to the following vulnerability: PostgreSQL 8.3.6 allows remote authenticated users to cause a denial of service (stack consumption) via mismatched encoding conversion requests. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0922 http://www.openwall.com/lists/oss-security/2009/03/11/4 http://archives.postgresql.org/pgsql-bugs/2009-02/msg00172.php http://archives.postgresql.org//pgsql-bugs/2009-02/msg00176.php http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=517405 Mitre's original description is a bit wrong (not their fault, I sent them only limited info). Here is the more complete description I just sent: PostgreSQL allows remote authenticated users to cause a momentary denial of service (crash due to stack consumption) when there is a failure to convert a localized error message to the client-specified encoding. In releases 8.3.6, 8.2.12, 8.1.16. 8.0.20, and 7.4.24, a trivial misconfiguration is sufficient to provoke a crash. In older releases it is necessary to select a locale and client encoding for which specific messages fail to translate, and so a given installation may or may not be vulnerable depending on the administrator-determined locale setting. Releases 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25 are secure against all known variants of this issue. postgresql-8.3.7-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/postgresql-8.3.7-1.fc10 postgresql-8.3.7-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/postgresql-8.3.7-1.fc9 postgresql-8.3.7-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report. postgresql-8.3.7-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ This issue has been addressed in following products: Red Hat Web Application Stack for RHEL 5 Via RHSA-2009:1067 https://rhn.redhat.com/errata/RHSA-2009-1067.html After some investigation, it appears that postgresql 7.3.21 as shipped in RHEL-3 is not vulnerable to this issue. The recursive error condition can't arise, partly because the error handling logic is quite a bit different/simpler, and partly because no translation is shipped anyway for the critical "character has no equivalent" message. Also, the problem of encoding conversion functions throwing Assert aborts when misused (which was one component of the original issue) isn't an issue for RHEL-3 because Asserts aren't enabled in our builds. This issue has been addressed in following products: Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2009:1484 https://rhn.redhat.com/errata/RHSA-2009-1484.html This issue has been addressed in: Red Hat Application Stack v2 for Enterprise Linux (v.5) RHSA-2009:1067 Red Hat Enterprise Linux version 4 RHSA-2009:1484 Red Hat Enterprise Linux version 5 RHSA-2009:1484 |