[MBT] new ticket for pkg postgresql "Multiple buffer overflows"

bugs at pld.org.pl
Wed Jan 29 10:58:16 CET 2003


Date: 2003-01-29 10:58:15+01	Author:  (kreutzm) <kreutzm at itp.uni-hannover.de> 
Title:         Multiple buffer overflows
Ticket ID:     #549
Ticket URL:    http://bugs.pld.org.pl/?bug=549
Package:       postgresql-7.2.2-1
Distribution:  PLD-Ra.main
Category:      security problem
Current state: opened
Text:

There are multiple buffer overflows. According to the changelog, there was a 
Revision 1.167  2002/08/24 19:56:30  kloczek
- updated to 7.2.2: security fixes.

But it is not clear to me which security fixes are included; since some buffer overflows (see below) still apply, not all of them are.

*) DSA 165-1
  CAN-2002-0972
 http://marc.theaimsgroup.com/?l=bugtraq&m=102987608300785&w=2

   Exploit does NOT work.

  The debian security team however writes:
Except for the last three, these problems are fixed in the upstream release 7.2.2 of PostgreSQL which is the recommended version to use.                                      

  So there seem to be some patches NOT applied upstream (see also below).


*) RHSA-2003:010-10
  Multiple CAN references. The RH conclusion is
The PostgreSQL Global Development Team has released versions of PostgreSQL that fixes these vulnerabilities,

   which is a little confusing. (See also below.)

The following CANs are listed:
-CAN-2002-0972
  see above

-CAN-2002-1397
http://marc.theaimsgroup.com/?l=bugtraq&m=102977465204357&w=2
   exploit does NOT work

-CAN-2002-1398
http://marc.theaimsgroup.com/?l=bugtraq&m=102978152712430&w=2
To my knowledge, the PostgreSQL developers do not think this warrants an additional 7.2.x release.  They expect that users do not trust the PostgreSQL parsers and write input validation checks.

This also mentions a working buffer overflow:
template1=# select cash_out(2);
server closed the connection unexpectedly
        This probably means the server terminated abnormally
        before or while processing the request.
The connection to the server was lost. Attempting reset: Failed.

http://marc.theaimsgroup.com/?l=bugtraq&m=103021186622725&w=2
Says it's fixed upstream
http://archives.postgresql.org/pgsql-announce/2002-08/msg00004.php
ditto

-CAN-2002-1400
http://marc.theaimsgroup.com/?l=bugtraq&m=102987306029821&w=2
Exploit does NOT work

-CAN-2002-1401
http://archives.postgresql.org/pgsql-hackers/2002-08/msg02047.php
Exploit works!!
template1=# select polygon(268435455,'((1,2),3)'::circle);
server closed the connection unexpectedly
        This probably means the server terminated abnormally
        before or while processing the request.
The connection to the server was lost. Attempting reset: Failed.
http://archives.postgresql.org/pgsql-hackers/2002-08/msg02081.php

-CAN-2002-1402
included in upstream security release (see above)

Sorry that this report is so messy; but I thought it would be wise to point out what is fixed and what not.

Thanks for your efforts
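The ticket above relays the upstream position that callers should not trust the server-side parsers and should validate input themselves, and it shows polygon() being fed an enormous point count. The following Python is an added example written for this page, not code from the ticket, from PLD, or from the PostgreSQL project: a client-side validator that parses a circle literal and bounds the point count before a parameterised polygon() call is built. The point-count limit MAX_POLYGON_POINTS, the 2..MAX range, and the query shape are assumptions chosen for the example.

```python
import re

# Upper bound on how many polygon points a client is allowed to request from
# the server. This value is an assumption made for the example, not a limit
# taken from PostgreSQL itself; pick one that fits your application.
MAX_POLYGON_POINTS = 1024

_NUM = r"-?\d+(?:\.\d+)?"
# PostgreSQL circle literal in the form ((x,y),r), whitespace tolerated.
_CIRCLE_RE = re.compile(
    rf"^\s*\(\s*\(\s*({_NUM})\s*,\s*({_NUM})\s*\)\s*,\s*({_NUM})\s*\)\s*$"
)


class ValidationError(ValueError):
    """Raised when an argument is rejected before it reaches the server."""


def parse_circle(literal: str) -> tuple[float, float, float]:
    """Parse a circle literal into (x, y, r); raise on anything else."""
    m = _CIRCLE_RE.match(literal)
    if not m:
        raise ValidationError(f"not a circle literal: {literal!r}")
    x, y, r = (float(v) for v in m.groups())
    if r < 0:
        raise ValidationError("circle radius must be non-negative")
    return x, y, r


def check_polygon_args(npts: int, circle_literal: str) -> tuple[int, str]:
    """Validate the arguments of polygon(npts, circle) on the client side."""
    if not isinstance(npts, int) or isinstance(npts, bool):
        raise ValidationError("npts must be an integer")
    if not 2 <= npts <= MAX_POLYGON_POINTS:
        raise ValidationError(f"npts {npts} outside 2..{MAX_POLYGON_POINTS}")
    x, y, r = parse_circle(circle_literal)
    # Re-emit a canonical literal so only the parsed numbers, never the raw
    # user string, are forwarded to the server.
    return npts, f"(({x:g},{y:g}),{r:g})"


def build_polygon_query(npts: int, circle_literal: str) -> tuple[str, tuple]:
    """Return a parameterised statement and its parameters, or raise."""
    n, c = check_polygon_args(npts, circle_literal)
    return "SELECT polygon(%s, %s::circle)", (n, c)


if __name__ == "__main__":
    # Constructed sample inputs: one sane call and the oversized point count
    # quoted in the ticket, which the validator refuses to forward.
    print(build_polygon_query(12, "((1,2),3)"))
    try:
        build_polygon_query(268435455, "((1,2),3)")
    except ValidationError as exc:
        print("rejected:", exc)
```

The statement and parameter tuple are meant to be handed to a DB-API driver's execute() so the values are bound rather than interpolated; the validator runs entirely on the client and needs no database connection.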


