Bug 81244 - Multiple Postgresql Security Vulnerabilities
Summary: Multiple Postgresql Security Vulnerabilities
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: postgresql
Version: 2.1
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Andrew Overholt
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2003-01-07 00:17 UTC by Andrew Overholt
Modified: 2007-11-30 22:06 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2003-01-23 18:27:09 UTC
Target Upstream Version:

Attachments (Terms of Use)
Backpatch of fixes from PostgreSQL 7.2.2, 7.2.3, and 7.3 (8.75 KB, patch)
2003-01-07 00:18 UTC, Andrew Overholt 		no flags Details | Diff
Add an attachment (proposed patch, testcase, etc.)

Description Andrew Overholt 2003-01-07 00:17:20 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.6 (X11; Linux i686; U;) Gecko/20020913

Description of problem:
Quoted from the Postgresql site:

"Due to recent security vulnerabilities reported on BugTraq, concerning several
buffer overruns found in PostgreSQL, the PostgreSQL Global Development Team
today released v7.2.2 of PostgreSQL that fixes these vulnerabilities.

The following buffer overruns have been identified and addressed:

    * in handling long datetime input
    * in repeat()
    * in lpad() and rpad() with multibyte
    * in SET TIME ZONE and TZ env var "

The version of PostgreSQL that was shipped with Red Hat Linux Advanced Server
2.1 was vulnerable to these buffer overruns.  The multibyte code that can be
exploited was not added until PostgreSQL 7.2, but it is part of my attached
patch nonetheless.

Other URL's with information on these multiple vulnerabilities include:

http://lwn.net/Articles/8445/
http://marc.theaimsgroup.com/?l=postgresql-announce&m=103062536330644
http://marc.theaimsgroup.com/?l=bugtraq&m=102978152712430
http://marc.theaimsgroup.com/?l=bugtraq&m=102987306029821
http://marc.theaimsgroup.com/?l=postgresql-general&m=102995302604086
http://online.securityfocus.com/archive/1/288334
http://online.securityfocus.com/archive/1/288305
http://online.securityfocus.com/archive/1/288036 

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. a. $ pgsql -U template1
1. b. template1=# select repeat('xxx',1431655765);
2. a. $ pgsql -U template1
2. b. template1=# select cash_words('-700000000000000000000000000000');

Actual Results:  1. pqReadData() -- backend closed the channel unexpectedly.
        This probably means the backend terminated abnormally
        before or while processing the request.
The connection to the server was lost. Attempting reset: Failed.
!#

2. pqReadData() -- backend closed the channel unexpectedly.
        This probably means the backend terminated abnormally
        before or while processing the request.
The connection to the server was lost. Attempting reset: Failed.
!#

Expected Results:  1. ERROR:  Requested buffer is too large.
2.                                                   cash_words                
                                    
--------------------------------------------------------------------------------------------------------------------
 Minus twenty one million four hundred seventy four thousand eight hundred
thirty six dollars and forty eight cents
(1 row)

Additional info:
Comment 1 Andrew Overholt 2003-01-07 00:18:43 UTC 
Created attachment 89177 [details]
Backpatch of fixes from PostgreSQL 7.2.2, 7.2.3, and 7.3

This is the proposed backpatch of the fixes from more recent versions of
PostgreSQL as provided by the PostgreSQL Global Development Group.
Comment 2 Andrew Overholt 2003-01-23 18:27:09 UTC 
Erratum pushed.  Closing.
Note You need to log in before you can comment on or make changes to this bug.