Bug 400931 (CVE-2007-6067) - CVE-2007-6067 postgresql: tempory DoS caused by slow regex NFA cleanup
Summary: CVE-2007-6067 postgresql: tempory DoS caused by slow regex NFA cleanup
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-6067
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 427135 427136 427137 427138 427220 427221 427772 427773 427774 867793
Blocks: 816611
TreeView+ depends on / blocked
 
Reported: 2007-11-27 13:23 UTC by Tomas Hoger
Modified: 2019-09-29 12:22 UTC (History)
4 users (show)

Fixed In Version: 8.2.6-1.fc8
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-01-08 08:58:18 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0038 0 normal SHIPPED_LIVE Moderate: postgresql security update 2008-01-11 12:39:13 UTC
Red Hat Product Errata RHSA-2008:0040 0 normal SHIPPED_LIVE Moderate: postgresql security update 2008-02-01 14:55:29 UTC
Red Hat Product Errata RHSA-2013:0122 0 normal SHIPPED_LIVE Moderate: tcl security and bug fix update 2013-01-08 09:10:07 UTC

Description Tomas Hoger 2007-11-27 13:23:31 UTC
Will Drewry reported a problem in a regular expression handling code used by
PosgreSQL.  This problem can be used to trigger temporary DoS attack by causing
PosgreSQL server to consume large amount of system memory and CPU resources.

On systems with memory overcommit enabled (default setting), database server can
be terminated by kernel OOM killer (see 'Managing Kernel Resources' section in
PosgreSQL documentation about more information on memory overcommit
configuration on Linux).

Regular expression code used by PosgreSQL was adopted from TCL.

Comment 3 Tomas Hoger 2008-01-07 13:57:35 UTC
Public now, lifting embargo:

http://www.postgresql.org/about/news.905
http://www.postgresql.org/support/security.html

Comment 9 Fedora Update System 2008-01-11 22:14:04 UTC
postgresql-8.2.6-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2008-01-11 22:24:17 UTC
postgresql-8.2.6-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 errata-xmlrpc 2013-01-08 04:51:40 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0122 https://rhn.redhat.com/errata/RHSA-2013-0122.html


Note You need to log in before you can comment on or make changes to this bug.