SOT Linux Advisory: postgresql

Nov 30, 2003, 00:35

SOT Linux Security Advisory

Subject: Updated postgresql package for SOT Linux 2003
Advisory ID: SLSA-2003:54
Date: Saturday, November 29, 2003
Product: SOT Linux 2003

1. Problem description

PostgreSQL is an advanced Object-Relational database management system (DBMS).
Two bugs that can lead to buffer overflows have been found in the PostgreSQL abstract data type to ASCII conversion routines (the to_ascii functions). A remote attacker who is able to influence the data passed to the to_ascii functions may be able to execute arbitrary code in the context of the PostgreSQL server; the attacker does not need to control the query itself, only the data it converts, so applications that pass user-supplied strings through to_ascii are exposed. These issues affect PostgreSQL 7.2.x, and 7.3.x before 7.3.4. The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2003-0901 to these issues.

In addition, a bug that can leak memory contents has been found in the string to timestamp abstract data type conversion routine. If the input string to the to_timestamp() routine is shorter than what the template string is expecting, the routine runs off the end of the input string and reads beyond it, leaking data left over from previous timestamp conversions and causing unstable behaviour.

Users of PostgreSQL are advised to upgrade to these erratum packages, which contain backported patches that correct these issues. Because the fixes are backported, the upstream version string stays at 7.2.4; the corrected packages carry release 7.2.4-1, so check the release tag (rpm -q postgresql) rather than the version number to confirm the fix is installed.
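
The two bug classes above, reduced to a toy in C as an added example (this is not PostgreSQL's code; the names ascii_fold, parse_ymd and take_digits and the small transliteration table are hypothetical stand-ins for the real to_ascii()/to_timestamp() internals). The first half shows why an output buffer sized from the input length is not enough when a conversion can expand a byte, and the bound check that prevents the overflow; the second half shows a template-driven parser that checks the input actually has the bytes the template asks for before reading them.

```c
/* Added example, not PostgreSQL code. Names and the fold table are
 * hypothetical. Build: cc -std=c99 -Wall fold.c */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* --- Bug class 1: conversion into a fixed-size buffer (cf. to_ascii) ---
 * Folding a Latin-1 byte to ASCII may EXPAND it (a-umlaut -> "ae"), so a
 * buffer sized by strlen(src) overflows. The safe version tracks space. */
static const char *fold_byte(unsigned char c)
{
    switch (c) {
    case 0xE8: case 0xE9: return "e";  /* e-grave, e-acute */
    case 0xE4:            return "ae"; /* a-umlaut: one byte becomes two */
    case 0xF6:            return "oe"; /* o-umlaut */
    case 0xDF:            return "ss"; /* sharp s */
    default:              return NULL; /* pass through unchanged */
    }
}

/* Writes the folded form of src into dst (capacity dstlen, NUL included).
 * Returns the output length, or -1 if it would not fit. dst is always
 * NUL-terminated when dstlen > 0 and never written past dst[dstlen-1]. */
int ascii_fold(const char *src, char *dst, size_t dstlen)
{
    const unsigned char *p = (const unsigned char *)src;
    size_t out = 0;

    if (dstlen == 0)
        return -1;
    for (; *p; p++) {
        char single[2] = { (char)*p, '\0' };
        const char *rep = fold_byte(*p);
        size_t n;

        if (rep == NULL)
            rep = single;
        n = strlen(rep);
        if (out + n >= dstlen) {       /* the bound check an overflow lacks */
            dst[out] = '\0';
            return -1;
        }
        memcpy(dst + out, rep, n);
        out += n;
    }
    dst[out] = '\0';
    return (int)out;
}

/* --- Bug class 2: template-driven parsing (cf. to_timestamp) ---
 * The template says how many bytes each field consumes. A parser that trusts
 * the template and never compares it with the input length reads past the
 * end of a short input; take_digits() refuses before touching such a byte. */
struct ymd { int year, month, day; };

static int take_digits(const char **s, const char *end, int n, int *val)
{
    const char *p = *s;
    int v = 0;

    if (end - p < n)                   /* input shorter than the template */
        return -1;
    for (int i = 0; i < n; i++) {
        if (p[i] < '0' || p[i] > '9')
            return -1;
        v = v * 10 + (p[i] - '0');
    }
    *s = p + n;
    *val = v;
    return 0;
}

/* Template grammar: runs of Y, M or D are fixed-width digit fields; any other
 * byte must match the input literally. Returns 0, or -1 on short/bad input. */
int parse_ymd(const char *tmpl, const char *input, struct ymd *out)
{
    const char *s = input, *end = input + strlen(input), *t = tmpl;

    while (*t) {
        if (*t == 'Y' || *t == 'M' || *t == 'D') {
            char f = *t;
            int n = 0, v;

            while (*t == f) { n++; t++; }
            if (take_digits(&s, end, n, &v) != 0)
                return -1;
            if (f == 'Y') out->year = v;
            else if (f == 'M') out->month = v;
            else out->day = v;
        } else {
            if (s >= end || *s != *t)  /* literal separator must be present */
                return -1;
            s++; t++;
        }
    }
    return 0;
}

int main(void)
{
    char buf[8];
    struct ymd d;

    printf("fold into 8 bytes: %d\n", ascii_fold("stra\xDF" "e", buf, sizeof buf));
    printf("fold into 6 bytes: %d\n", ascii_fold("stra\xDF" "e", buf, 6));
    printf("short date: %d\n", parse_ymd("YYYY-MM-DD", "2003-11", &d));
    return 0;
}
```

The point of take_digits() is the single comparison `end - p < n`: with it, a short input is an error; without it, the parser walks past the terminating NUL into whatever follows the string, which is the over-read the advisory describes.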

2. Updated packages

SOT Linux 2003 Server:

i386:
ftp://ftp.sot.com/updates/2003/Server/i386/postgresql-7.2.4-1.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/postgresql-contrib-7.2.4-1.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/postgresql-devel-7.2.4-1.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/postgresql-docs-7.2.4-1.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/postgresql-jdbc-7.2.4-1.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/postgresql-libs-7.2.4-1.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/postgresql-odbc-7.2.4-1.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/postgresql-perl-7.2.4-1.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/postgresql-python-7.2.4-1.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/postgresql-server-7.2.4-1.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/postgresql-tcl-7.2.4-1.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/postgresql-test-7.2.4-1.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/postgresql-tk-7.2.4-1.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2003/Server/SRPMS/postgresql-7.2.4-1.src.rpm

3. Upgrading package

Before applying this update, make sure all previously released errata relevant to your system have been applied. Use up2date to automatically upgrade the fixed packages.

If you want to upgrade manually, download the updated packages from the SOT Linux FTP site (use the links above) or from one of our mirrors. The list of mirrors can be obtained at www.sot.com/en/linux.

Update the package with the following command: rpm -Uvh <filename>

4. Verification

All packages are PGP signed by SOT for security.

You can verify each package with the following command: rpm --checksig <filename>

If you wish to verify the integrity of the downloaded package, run "md5sum <filename>" and compare the output with data given below.

Package Name                                      MD5 sum
/Server/i386/postgresql-7.2.4-1.i386.rpm bd69df83276d2c0f6e8985911fd0974a
/Server/i386/postgresql-contrib-7.2.4-1.i386.rpm 6d681ded480be80c3264fa16a6e01958
/Server/i386/postgresql-devel-7.2.4-1.i386.rpm 4cf02881e9e85b9c9a5622607033e110
/Server/i386/postgresql-docs-7.2.4-1.i386.rpm c6088d5a230b57f07f2d1e22bc21c5d9
/Server/i386/postgresql-jdbc-7.2.4-1.i386.rpm c7ec1d79774ce8bfa94a03ff090f951e
/Server/i386/postgresql-libs-7.2.4-1.i386.rpm 30331059bc8548d81633ae3e8f705e4a
/Server/i386/postgresql-odbc-7.2.4-1.i386.rpm a3cc8cd3f675993d586f0a47fe91341d
/Server/i386/postgresql-perl-7.2.4-1.i386.rpm 4983e462bbaabee4712ff615fcc40e22
/Server/i386/postgresql-python-7.2.4-1.i386.rpm 8797d9fe3768670b50e09f6cf535c3ae
/Server/i386/postgresql-server-7.2.4-1.i386.rpm d7d4b4d331d694e0450ba3a3cd1e5ca6
/Server/i386/postgresql-tcl-7.2.4-1.i386.rpm b5659daa8637c4a7ee3287f6ab559ce1
/Server/i386/postgresql-test-7.2.4-1.i386.rpm 5dd7bfe4af412f3aa0bfb7d7675e368e
/Server/i386/postgresql-tk-7.2.4-1.i386.rpm bbfc9c0b3d410a02a00dead3b6e30cb7
/Server/SRPMS/postgresql-7.2.4-1.src.rpm 75d56ef663252bfa327735b7a960f721
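
The checks in sections 3 and 4 as one script, added here as an example (it is not SOT's tooling). It assumes md5sum from coreutils, falling back to openssl, and a checksum list in the "path md5" form of the table above; rpm --checksig is wrapped but needs the SOT public key in the RPM keyring to report a valid signature, and the script does not fetch anything.

```sh
#!/bin/sh
# Added example, not part of the SOT advisory. Verify downloaded packages
# against the advisory's MD5 table and the vendor PGP signature before
# running rpm -Uvh. Assumes md5sum (or openssl as a fallback).

# verify_md5 <file> <expected-md5>: 0 on match, 1 on mismatch.
verify_md5() {
    file=$1; expected=$2
    if command -v md5sum >/dev/null 2>&1; then
        actual=$(md5sum "$file" | cut -d' ' -f1)
    else
        actual=$(openssl dgst -md5 "$file" | awk '{print $NF}')
    fi
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file (got $actual, expected $expected)" >&2
    return 1
}

# verify_sig <file>: the MD5 only proves the download is intact; the PGP
# signature proves SOT built it. Needs SOT's key imported into the rpm db.
verify_sig() {
    rpm --checksig "$1"
}

# verify_list <listfile> <dir>: each line of listfile is "<path> <md5>" as in
# the advisory table; the basename of <path> is looked up under <dir>.
verify_list() {
    listfile=$1; dir=$2; rc=0
    while read -r path sum; do
        [ -n "$path" ] || continue
        f="$dir/$(basename "$path")"
        [ -f "$f" ] || { echo "MISSING $f" >&2; rc=1; continue; }
        verify_md5 "$f" "$sum" || rc=1
    done < "$listfile"
    return $rc
}
```

Only packages that pass both verify_list and verify_sig should go to rpm -Uvh; a matching MD5 alone says nothing about who produced the file, since the sums travel on the same channel as the packages. After upgrading postgresql-server, restart the postmaster, which otherwise keeps running the old code.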

5. References

http://archives.postgresql.org/pgsql-bugs/2003-09/msg00014.php
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0901

Copyright(c) 2001-2003 SOT