
Re: VU#352803 - postgresql

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: CERT Coordination Center <cert(at)cert(dot)org>
Cc: PostgreSQL <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: VU#352803 - postgresql
Date: 2002-08-29 18:27:43
Message-ID: 200208291827.g7TIRix13700@candle.pha.pa.us
Lists: pgsql-bugs
CERT Coordination Center wrote:
> 
> 
> Hello folks,
> 
> We have received a report regarding a vulnerability in one of your
> products. We would appreciate greatly your help in reviewing this 
> issue so that we can document it in our public database.
> 
> Please review the following vulnerability note for accuracy and 
> answer these questions:
> 1. Have you verified the existence of this vulnerability?

Yes.

> 2. Can you tell us how this vulnerability might be exploited? We do 
> not publish exploit information, but it would help us better 
> understand and describe the vulnerability itself.

You just issue a query calling the function with improper input:

	select cash_words('-700000000000000000000000000000');

> 3. Can you provide more specific information on the impact of this 
> vulnerability?

Well, it does require that you have permission to connect to the server
and issue queries.  It is _not_ something that can be exploited by an
unauthorized user by just connecting to the TCP port.

> 4. Has it been corrected in a released update or new version of the 
> product? If yes, please provide links to more information, including 
> how users can obtain the update or new version.

It is fixed in 7.2.1, which was released on 2002-03-21.  We just
released 7.2.2 on 2002-08-23 which contains even more security fixes.

> 5. If not yet released, when do you plan on releasing an update to 
> fix this vulnerability? What should users do in the meantime to limit 
> exposure to this vulnerability?

Released.  We are working with Sir Mordred The Traitor on other
vulnerabilities.  He is reporting to us directly now and we are fixing
all the problems he finds.

We will have more security fixes in 7.3, due out in a few months.

---------------------------------------------------------------------------


> 
> CERT/CC Vulnerability Note Draft:
> 
> VU#352803 - PostgreSQL contains buffer overflow in "cash_words()" 
> function
> 
> CVE: CVE-NO-MATCH
> 
> KEYWORDS: 
> PostgreSQL
> buffer overflow
> cash_words() function
> 
> OVERVIEW
> 
> PostgreSQL contains a buffer-overflow vulnerability in its 
> cash_words() function.
> 
> DESCRIPTION
> 
> PostgreSQL is a database management system implementing a subset of 
> the SQL standard.  The cash_words() function contains a stack-based 
> buffer-overflow vulnerability.
> 
> IMPACT
> 
> Attackers can force a PostgreSQL connection to close and may be able 
> to execute malicious PostgreSQL code.
> 
> SOLUTION
> 
> Upgrade
> 
> Upgrade to version 7.2.1 of PostgreSQL.
> 
> 
> 
> REFERENCES
> 
> http://www.securityfocus.com/bid/5497
> 
> CREDIT
> 
> Thanks to Sir Mordred The Traitor for reporting this vulnerability.
> 
> This document was written by Shawn Van Ittersum.
> 
> If there are any mistakes or inaccuracies in the above vulnerability 
> note, please let me know so they can be corrected before publication.
> 
> Regards,
> Shawn Van Ittersum
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> 

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman(at)candle(dot)pha(dot)pa(dot)us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
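
The defect class the CERT draft describes, a stack-based overflow when a function spells an unbounded numeric input out in words, is avoided by bounds-checking every append into the output buffer and failing closed when the words would not fit. The following is an added, constructed C example of that pattern; it is not PostgreSQL's cash_words() code nor its 7.2.1 fix, and the cash_to_words(), append_word() and group_words() names are hypothetical.

```c
#include <stdbool.h>
#include <string.h>
/* Constructed example, not PostgreSQL's code: spells a money amount in
 * words into a fixed-size buffer and fails closed if it would not fit. */
static const char *ones[] = {"zero", "one", "two", "three", "four", "five",
    "six", "seven", "eight", "nine", "ten", "eleven", "twelve", "thirteen",
    "fourteen", "fifteen", "sixteen", "seventeen", "eighteen", "nineteen"};
static const char *tens[] = {"", "", "twenty", "thirty", "forty", "fifty",
    "sixty", "seventy", "eighty", "ninety"};
static const char *scales[] = {"", "thousand", "million", "billion",
    "trillion", "quadrillion", "quintillion"};
/* Append one word (space-separated) to dst[cap]; returns false and leaves
 * dst unchanged if it would not fit. strcat() into a fixed array is the unchecked form. */
static bool append_word(char *dst, size_t cap, const char *word) {
    size_t used = strlen(dst), len = strlen(word), sep = used ? 1 : 0;
    if (used + sep + len + 1 > cap) return false;  /* +1: terminating NUL */
    if (sep) dst[used++] = ' ';
    memcpy(dst + used, word, len + 1);
    return true;
}
static bool group_words(char *dst, size_t cap, unsigned n) {  /* 1..999 */
    if (n >= 100) {
        if (!append_word(dst, cap, ones[n / 100]) ||
            !append_word(dst, cap, "hundred")) return false;
        if ((n %= 100) == 0) return true;
    }
    if (n >= 20) {
        if (!append_word(dst, cap, tens[n / 10])) return false;
        if ((n %= 10) == 0) return true;
    }
    return append_word(dst, cap, ones[n]);
}
/* Spell value into dst[cap]. Returns false (dst truncated but always
 * NUL-terminated) when the words do not fit; never writes past cap. */
bool cash_to_words(long long value, char *dst, size_t cap) {
    if (cap == 0) return false;
    dst[0] = '\0';
    unsigned long long mag = value < 0 ? 0ULL - (unsigned long long)value
                                       : (unsigned long long)value;
    if (value < 0 && !append_word(dst, cap, "minus")) return false;
    if (mag == 0) return append_word(dst, cap, "zero");
    unsigned groups[7], n = 0;   /* 2^64 < 10^21, so at most 7 groups */
    for (; mag; mag /= 1000) groups[n++] = (unsigned)(mag % 1000);
    while (n--) {
        if (groups[n] == 0) continue;
        if (!group_words(dst, cap, groups[n])) return false;
        if (n > 0 && !append_word(dst, cap, scales[n])) return false;
    }
    return true;
}
```

The caller decides the buffer size and learns from the return value that the input was too large, which is the behaviour a negative amount with many digits should produce instead of a crash.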
