Skip site navigation (1) Skip section navigation (2)

@(#)Mordre Labs advisory 0x0005: Several buffer overruns in PostgreSQL

From: Sir Mordred The Traitor <mordred(at)s-mail(dot)com>
To: pgsql-hackers(at)postgresql(dot)org
Subject: @(#)Mordre Labs advisory 0x0005: Several buffer overruns in PostgreSQL
Date: 2002-08-28 09:51:31
Message-ID: 3d6c9d23.e349d38e@s-mail.com (view raw or flat)
Thread:
Lists: pgsql-hackers
//@(#) Mordred Labs advisory 0x0005

Release data: 23/08/02
Name: Several buffer overruns in PostgreSQL
Versions affected: all versions
Risk: from average to low

--[ Description:

PostgreSQL provides you with several builint geo types
(circle,polygon,box...etc). 
Unfortunately the code for geo functions written in a very insecure style
and should be totally rewritten, as a quick search revealed this:

---[ Details:

1)

Upon invoking a polygon(integer, circle) function 
a src/backend/utils/adt/geo_ops.c:circle_poly() function will gets called,
which suffers from a buffer overflow.

2) A src/backend/adt/utils/geo_ops.c:path_encode() fails to detect a buffer
overrun condition. It is called in multiple places, the most
interesting are path_out() and poly_out() functions.

3) Upon converting a char string to a path object, a
src/backend/utils/adt/geo_ops.c:path_in() function will gets called,
which suffers from a buffer overrun, caused by a very long argument.

4) A src/backend/utils/adt/geo_ops.c:poly_in() function fails to detect a
buffer 
overrun condition caused by a very long argument.

5) A src/backend/utils/adt/geo_ops.c:path_add() also fails to detect a
simple buffer
overrun.

6)

And finally, a truly dumb feature (not a security related though) in
postmaster: 
$ postmaster -o `perl -e 'print "\x66" x 1200'`
Segmentation fault (core dumped)

--[ How to reproduce:

I only show how to reproduce a first buffer overrun condition, as the others
too memory consuming :-)

1)

template1=# select polygon(268435455,'((1,2),3)'::circle);
pqReadData() -- backend closed the channel unexpectedly.
        This probably means the backend terminated abnormally
        before or while processing the request.
The connection to the server was lost. Attempting reset: Failed.
!#

--[ Solution

Drop the vulnerable functions.




________________________________________________________________________
This letter has been delivered unencrypted. We'd like to remind you that
the full protection of e-mail correspondence is provided by S-mail
encryption mechanisms if only both, Sender and Recipient use S-mail.
Register at S-mail.com: http://www.s-mail.com/inf/en

Responses

pgsql-hackers by date

Next:From: Larry RosenmanDate: 2002-08-28 11:39:29
Subject: Re: [SQL] LIMIT 1 FOR UPDATE or FOR UPDATE LIMIT 1?
Previous:From: Henshall, Stuart - WCPDate: 2002-08-28 09:27:19
Subject: tell Bugtraq about 7.2.2

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group