Linux Today: Linux News On Internet Time.

More on LinuxToday

Conectiva Linux Advisory: postgresql

Sep 20, 2002, 02:24 (0 Talkback[s])

- --------------------------------------------------------------------------
- --------------------------------------------------------------------------

PACKAGE   : postgresql
SUMMARY   : Buffer overflow vulnerabilities
DATE      : 2002-09-19 16:17:00
ID        : CLA-2002:524
RELEASES  : 6.0, 7.0, 8

- -------------------------------------------------------------------------

 Postgresql[1] is a sophisticated relational database which supports
 almost all SQL constructs, including subselects, transactions and
 user-defined types and functions.
 Mordred Labs <> announced[3][4][5] several
 vulnerabilities in the postgresql database:
 - buffer overflow in the rpad() and lpad() functions;
 - buffer overflow in the repeat() function;
 - buffer overflow in the cash_words() function;
 Other vulnerabilities were also fixed[2] by the postgresql
 - buffer overflow in functions dealing with date/time and timezone;
 - more buffer overflows, this time in the circle_poly(),
 path_encode() and path_addr() functions, reported again by
 <>. Fixes for these overflows are available only in
 CVS[6] at this time and were not included in the official 7.2.2
 release, but are included in this update. Thanks to Martin Schulze
 <> for alerting us about these last-minute fixes.
 In order to exploit any of these vulnerabilities, it is necessary for
 the attacker to be able to query the database somehow. Some scenarios
 where this could happen:
 - the attacker already has an account in the database server and can
 execute queries;
 - for example, web applications which query the database but do not
 adequately filter form or URL data and are vulnerable to SQL command
 Whatever the scenario is, it is not possible to directly obtain root
 privileges through these vulnerabilities, because the postgresql
 service runs as a non-root user specifically created for it. But it
 is likely possible to compromise the data in the database and/or
 execute other attacks after exploring the above vulnerabilities.

 It is recommended that all postgresql users upgrade their packages.
 Conectiva Linux 8 was shipped with postgresql 7.2.1, and this update
 upgrades the packages to version 7.2.2. According to the authors,
 there is no need to dump the database before upgrading 7.2.1 to
 7.2.2. However, this is a recommended practice with every upgrade.
 Conectiva Linux 7.0 and 6.0 have older versions which have been
 patched instead to fix these vulnerabilities.
 IMPORTANT: please restart the service after the upgrade if it was
 already running. To do so, execute, as root:
 /sbin/service postgresql restart


 Users of Conectiva Linux version 6.0 or higher may use apt to perform 
 upgrades of RPM packages:
 - add the following line to /etc/apt/sources.list if it is not there yet
   (you may also use linuxconf to do this):

 rpm [cncbr] 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions reagarding the use of apt and upgrade examples 
 can be found at

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
Instructions on how to check the signatures of the RPM packages can be
found at
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at