Skip site navigation (1) Skip section navigation (2)

Re: [ANNOUNCE] IMPORTANT: two new PostgreSQL security problems

From: Tatsuo Ishii <t-ishii(at)sra(dot)co(dot)jp>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: [ANNOUNCE] IMPORTANT: two new PostgreSQL security problems
Date: 2005-05-03 03:08:58
Message-ID: (view raw, whole thread or download thread mbox)
Lists: pgsql-adminpgsql-announcepgsql-general
> Two serious security errors have been found in PostgreSQL 7.3 and newer
> releases.  These errors at least allow an unprivileged database user to
> crash the backend process, and may make it possible for an unprivileged
> user to gain the privileges of a database superuser.
> We are currently preparing new releases that will correct these problems
> in freshly initdb'd installations.  However, because these problems are
> really incorrect system catalog entries, updating to a new release will
> NOT by itself solve the problems in an existing installation.  Instead,
> it is necessary for the database administrator to fix the catalog entries
> manually, as described below.  We are releasing this advisory to encourage
> administrators of PostgreSQL installations to perform these fixes as soon
> as possible.
> Character conversion vulnerability
> ----------------------------------
> The more severe of the two errors is that the functions that support
> client-to-server character set conversion can be called from SQL commands
> by unprivileged users, but these functions are not designed to be safe
> against malicious choices of argument values.  This problem exists in
> PostgreSQL 7.3.* through 8.0.*.  The recommended fix is to disable public
> EXECUTE access for these functions.  This does not affect normal usage of
> the functions for character set conversion, but it will prevent misuse.

I apologize as the original developer for CREATE CONVERSION. I should
have made these functions only accessible by privileged users when I
developed it.
Tatsuo Ishii

In response to

pgsql-announce by date

Next:From: comptechDate: 2005-05-03 12:21:13
Subject: REMOVE
Previous:From: David WheelerDate: 2005-05-02 23:23:29
Subject: Re: [Dbdpg-general] [ANNOUNCE] pgtop, display PostgreSQL processes in `top' style

pgsql-admin by date

Next:From: Tom LaneDate: 2005-05-03 03:48:50
Subject: Re: Bad copy-n-paste on character conversion fix - how
Previous:From: C. BensendDate: 2005-05-03 01:58:32
Subject: Re: Bad copy-n-paste on character conversion fix - how

pgsql-general by date

Next:From: Dinesh PandeyDate: 2005-05-03 04:25:41
Subject: Re: unable to open editor.
Previous:From: Greg Sabino MullaneDate: 2005-05-03 02:01:33
Subject: Re: [Dbdpg-general] Re: 'prepare' is not quite schema-safe

Privacy Policy | About PostgreSQL
Copyright © 1996-2018 The PostgreSQL Global Development Group