|Summary:||PostgreSQL 8.0.23 bitsubstr overflow|
|Product:||Red Hat Enterprise Linux 5||Reporter:||David Kovalsky <dkovalsk>|
|Component:||postgresql||Assignee:||Tom Lane <tgl>|
|Status:||CLOSED DUPLICATE||QA Contact:||qe-baseos-daemons|
|Version:||5.4||CC:||benl, hhorak, jlieskov, kvolny, thoger|
|Doc Type:||Bug Fix|
|:||559195|
|Last Closed:||2010-04-26 18:16:58 UTC|
|Bug Blocks:||559195, 559259|
Description David Kovalsky 2010-01-27 12:23:29 UTC
Comment 1 Tom Lane 2010-01-27 15:21:47 UTC
Huh, those people must be reading the Postgres mailing lists:

http://archives.postgresql.org/pgsql-hackers/2010-01/msg00634.php
http://archives.postgresql.org/pgsql-committers/2010-01/msg00125.php

We didn't consider this especially serious upstream, since AFAICS it'd be difficult to exploit it for anything more than a crash --- an attacker wouldn't have much control over what got copied where.
Comment 5 Ludek Smid 2010-03-11 09:56:49 UTC
Since it is too late to address this issue in RHEL 5.5, it has been proposed for RHEL 5.6. Contact your support representative if you need to escalate this issue.
Comment 6 Tomas Hoger 2010-03-22 09:43:29 UTC
(In reply to comment #1)
> an attacker wouldn't have much control over what got copied where.

An attacker has control over prefix of what (taken from SQL query, specified by attacker as a stream of 0s and 1s, that is turned into bytes), where is somewhat predictable (after the buffer allocated on heap), the biggest problem is how much, as this is integer underflow, resulting in a long memory copy triggering SEGV before overwritten memory is used.
Comment 7 Jan Lieskovsky 2010-04-26 18:16:58 UTC
*** This bug has been marked as a duplicate of bug 586059 ***
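A simplified model of the failure mode comment 6 describes, where a signed substring length goes negative and becomes a very large copy size, shown beside a checked form. This is an added example, not PostgreSQL's code and not part of the bug report; the function names and the sample values are constructed for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper: bytes needed to store nbits bits. */
static size_t bytes_for_bits(int nbits) { return ((size_t)nbits + 7) / 8; }

/* Unchecked form: both ends are clamped, but nothing verifies end >= start. */
static int substr_bits_unchecked(int bitlen, int s, int l)
{
    int e = s + l;                              /* exclusive end position */
    int s1 = s < 1 ? 1 : s;
    int e1 = e > bitlen + 1 ? bitlen + 1 : e;
    if (s1 > bitlen || e1 < 1)
        return 0;
    return e1 - s1;                             /* negative when e1 < s1 */
}

/* Checked form: returns 0 and sets *out_bits, or -1 if the request is rejected. */
static int substr_bits_checked(int bitlen, int s, int l, int *out_bits)
{
    long long e, s1, e1;
    if (l < 0)
        return -1;                              /* negative length is an error */
    e = (long long)s + l;                       /* wide add: no int wraparound */
    s1 = s < 1 ? 1 : s;
    e1 = e > (long long)bitlen + 1 ? (long long)bitlen + 1 : e;
    *out_bits = (s1 > bitlen || e1 <= s1) ? 0 : (int)(e1 - s1);
    return 0;
}

int main(void)
{
    int n = 0;
    int bad = substr_bits_unchecked(47, 33, -15);   /* constructed values */
    printf("unchecked bits=%d -> copy size %zu bytes\n", bad, bytes_for_bits(bad));
    printf("checked rc=%d\n", substr_bits_checked(47, 33, -15, &n));
    if (substr_bits_checked(47, 33, INT_MAX, &n) == 0)
        printf("checked, huge length: %d bits, %zu bytes\n", n, bytes_for_bits(n));
    return 0;
}
```

The unchecked result is only computed and printed here, never passed to a copy routine; the point is that the size derived from it is far larger than any buffer sized for the input.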