Bug 1188684 (CVE-2015-0241) - CVE-2015-0241 postgresql: buffer overflow in the to_char() function
Summary: CVE-2015-0241 postgresql: buffer overflow in the to_char() function
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-0241
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1192909 1192910 1198651 1198652 1198653 1198654 1198663 1198672 1198673 1198733
Blocks: 1188677
TreeView+ depends on / blocked
 
Reported: 2015-02-03 14:22 UTC by Martin Prpič
Modified: 2023-05-12 07:13 UTC (History)
13 users (show)

Fixed In Version: postgresql 9.0.19, postgresql 9.1.15, postgresql 9.2.10, postgresql 9.3.6, postgresql 9.4.1
Doc Type: Bug Fix
Doc Text:
A buffer overflow flaw was found in the way PostgreSQL handled certain numeric formatting. An authenticated database user could use a specially crafted timestamp formatting template to cause PostgreSQL to crash or, under certain conditions, execute arbitrary code with the permissions of the user running PostgreSQL.
Clone Of:
Environment:
Last Closed: 2021-10-20 10:49:38 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0699 0 normal SHIPPED_LIVE Moderate: postgresql92-postgresql security update 2015-03-18 20:35:35 UTC
Red Hat Product Errata RHSA-2015:0750 0 normal SHIPPED_LIVE Moderate: postgresql security update 2015-03-30 15:30:43 UTC
Red Hat Product Errata RHSA-2015:0856 0 normal SHIPPED_LIVE Moderate: postgresql92-postgresql security update 2015-04-20 13:46:03 UTC

Description Martin Prpič 2015-02-03 14:22:00 UTC 
The PostgreSQL project reports the following issue:

When to_char() processes a numeric formatting template calling for a large number of digits, PostgreSQL would read past the end of a buffer. When processing a crafted timestamp formatting template, PostgreSQL would write past the end of a buffer. Either case could crash the server. We have not ruled out the possibility of attacks that lead to privilege escalation, though they seem unlikely.

Acknowledgements:

Red Hat would like to thank the PostgreSQL project for reporting this issue. Upstream acknowledges Andres Freund, Peter Geoghegan, Bernd Helmle, and Noah Misch as the original reporters.
Comment 1 Huzaifa S. Sidhpurwala 2015-02-16 05:16:48 UTC 
External References:

http://www.postgresql.org/about/news/1569/
Comment 2 Huzaifa S. Sidhpurwala 2015-02-16 06:20:47 UTC 
Upstream commit:

https://github.com/postgres/postgres/commit/0150ab567bcf5e5913e2b62a1678f84cc272441f
Comment 3 Huzaifa S. Sidhpurwala 2015-02-16 06:52:57 UTC 
This issue was addressed in Fedora 20 and Fedora 21 via the following security advisories:

https://admin.fedoraproject.org/updates/FEDORA-2015-1728/postgresql-9.3.6-1.fc20
https://admin.fedoraproject.org/updates/FEDORA-2015-1745/postgresql-9.3.6-1.fc21
Comment 12 errata-xmlrpc 2015-03-18 16:36:13 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS

Via RHSA-2015:0699 https://rhn.redhat.com/errata/RHSA-2015-0699.html
Comment 13 errata-xmlrpc 2015-03-30 11:31:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2015:0750 https://rhn.redhat.com/errata/RHSA-2015-0750.html
Comment 14 errata-xmlrpc 2015-04-20 09:46:31 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite Server v 5.7

Via RHSA-2015:0856 https://rhn.redhat.com/errata/RHSA-2015-0856.html
Note You need to log in before you can comment on or make changes to this bug.