Bug 315231 (CVE-2007-4769) - CVE-2007-4769 postgresql integer overflow in regex code
Summary: CVE-2007-4769 postgresql integer overflow in regex code
Alias: CVE-2007-4769
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 427135 427136 427137 427138 427220 427221 427772 427773 427774
TreeView+ depends on / blocked
Reported: 2007-10-02 11:06 UTC by Tomas Hoger
Modified: 2019-09-29 12:21 UTC (History)
2 users (show)

Fixed In Version: 8.2.6-1.fc8
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-01-11 22:14:13 UTC

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0038 normal SHIPPED_LIVE Moderate: postgresql security update 2008-01-11 12:39:13 UTC
Red Hat Product Errata RHSA-2008:0040 normal SHIPPED_LIVE Moderate: postgresql security update 2008-02-01 14:55:29 UTC

Description Tomas Hoger 2007-10-02 11:06:35 UTC
Will Drewry of Google Security Team has reported an integer overflow in regular
expression parsing code, which results in out of bound read and most frequently
in a crash.  This crash affects worker process spawned for database connection,
but may have impact on main prostgresql processes and render database
unavailable for new connections.

Comment 4 Tom Lane 2007-10-02 15:07:44 UTC
Note that Postgres' regex library is borrowed lock-stock-and-barrel from Tcl, therefore this issue 
probably affects Tcl too.

Comment 5 Tomas Hoger 2007-10-02 16:05:04 UTC
Tom, thanks for that info.  It seems that there was more significant change in
regex component between 7.3 and 7.4.  Are both version based on tcl?

Comment 6 Tom Lane 2007-10-02 16:13:54 UTC
No, the Tcl regex code was adopted in 7.4, so RHEL2.1 and RHEL3 are not affected.

I tried to reproduce this in tclsh and could not.  Investigation shows that 'chr' type is unsigned short in a 
default Tcl build, therefore overflow problem cannot happen.  However, in a UCS-4-enabled Tcl build, the 
problem would exist because then they type 'chr' as unsigned int.  So we ought to let them know about 
this --- do we have any Tcl security contacts?

Comment 7 Tomas Hoger 2007-10-02 16:31:54 UTC
Tom, I will communicate that information to Will and coordinate communication
towards tcl team.

Comment 8 Tom Lane 2007-10-02 17:15:32 UTC
Also, I've confirmed that the infinite loops Will reported (CVE-2007-4772) do happen in Tcl, so even if the 
crash is a low-priority problem for them, the looping is an issue.

If you file separate bugzillas for the Tcl forms of these problems, would you put me on the cc list?  I'd 
really like to coordinate fixes with them, particularly for the looping --- there is not anyone in the 
Postgres project who's intimate with that code, so it will probably take us awhile to figure it out if we have 
to fix it by ourselves.

Comment 16 Tomas Hoger 2008-01-07 13:54:47 UTC
Public now, lifting embargo:


Comment 18 Tomas Hoger 2008-01-08 09:38:57 UTC
TCL is not really affected by this as explained in previous Tom's comments. 
Upstream have applied the patch to add checks:


Comment 21 Fedora Update System 2008-01-11 22:13:58 UTC
postgresql-8.2.6-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2008-01-11 22:24:08 UTC
postgresql-8.2.6-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.