SOT Linux Security Advisory
Subject:     Updated postgresql package for SOT Linux 2003
Advisory ID: SLSA-2003:54
Date:        Saturday, November 29, 2003
Product:     SOT Linux 2003
1. Problem description
PostgreSQL is an advanced Object-Relational database management
system (DBMS).
Two bugs that can lead to buffer overflows have been found in the
PostgreSQL abstract data type to ASCII conversion routines. A
remote attacker who is able to influence the data passed to the
to_ascii functions may be able to execute arbitrary code in the
context of the PostgreSQL server. These issues affect PostgreSQL
7.2.x, and 7.3.x before 7.3.4. The Common Vulnerabilities and
Exposures project (cve.mitre.org/) has assigned the name
CAN-2003-0901 to these issues. In addition, a bug that can lead to
information leaks has been found in the string to timestamp abstract
data type conversion routine. If the input string to the to_timestamp()
routine is shorter than what the template string is expecting, the
routine will read past the end of the input string, which can leak
data left over from previous timestamp conversions and cause unstable
behavior. Users of
PostgreSQL are advised to upgrade to these erratum packages, which
contain backported patches that correct these issues.
2. Updated packages
SOT Linux 2003 Server:
i386:
ftp://ftp.sot.com/updates/2003/Server/i386/postgresql-7.2.4-1.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/postgresql-contrib-7.2.4-1.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/postgresql-devel-7.2.4-1.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/postgresql-docs-7.2.4-1.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/postgresql-jdbc-7.2.4-1.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/postgresql-libs-7.2.4-1.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/postgresql-odbc-7.2.4-1.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/postgresql-perl-7.2.4-1.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/postgresql-python-7.2.4-1.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/postgresql-server-7.2.4-1.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/postgresql-tcl-7.2.4-1.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/postgresql-test-7.2.4-1.i386.rpm
ftp://ftp.sot.com/updates/2003/Server/i386/postgresql-tk-7.2.4-1.i386.rpm
SRPMS:
ftp://ftp.sot.com/updates/2003/Server/SRPMS/postgresql-7.2.4-1.src.rpm
3. Upgrading package
Before applying this update, make sure all previously released
errata relevant to your system have been applied. Use up2date to
automatically upgrade the fixed packages.
If you want to upgrade manually, download the updated package
from the SOT Linux FTP site (use the links above) or from one of
our mirrors. The list of mirrors can be obtained at www.sot.com/en/linux
Update the package with the following command:
rpm -Uvh <filename>
4. Verification
All packages are PGP signed by SOT for security.
You can verify each package with the following command:
rpm --checksig <filename>
If you wish to verify the integrity of the downloaded package,
run "md5sum <filename>" and compare the output with the data
given below.
Package Name                                       MD5 sum
/Server/i386/postgresql-7.2.4-1.i386.rpm           bd69df83276d2c0f6e8985911fd0974a
/Server/i386/postgresql-contrib-7.2.4-1.i386.rpm   6d681ded480be80c3264fa16a6e01958
/Server/i386/postgresql-devel-7.2.4-1.i386.rpm     4cf02881e9e85b9c9a5622607033e110
/Server/i386/postgresql-docs-7.2.4-1.i386.rpm      c6088d5a230b57f07f2d1e22bc21c5d9
/Server/i386/postgresql-jdbc-7.2.4-1.i386.rpm      c7ec1d79774ce8bfa94a03ff090f951e
/Server/i386/postgresql-libs-7.2.4-1.i386.rpm      30331059bc8548d81633ae3e8f705e4a
/Server/i386/postgresql-odbc-7.2.4-1.i386.rpm      a3cc8cd3f675993d586f0a47fe91341d
/Server/i386/postgresql-perl-7.2.4-1.i386.rpm      4983e462bbaabee4712ff615fcc40e22
/Server/i386/postgresql-python-7.2.4-1.i386.rpm    8797d9fe3768670b50e09f6cf535c3ae
/Server/i386/postgresql-server-7.2.4-1.i386.rpm    d7d4b4d331d694e0450ba3a3cd1e5ca6
/Server/i386/postgresql-tcl-7.2.4-1.i386.rpm       b5659daa8637c4a7ee3287f6ab559ce1
/Server/i386/postgresql-test-7.2.4-1.i386.rpm      5dd7bfe4af412f3aa0bfb7d7675e368e
/Server/i386/postgresql-tk-7.2.4-1.i386.rpm        bbfc9c0b3d410a02a00dead3b6e30cb7
/Server/SRPMS/postgresql-7.2.4-1.src.rpm           75d56ef663252bfa327735b7a960f721
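As an added example (not part of the SOT advisory), the following POSIX shell script automates the md5sum comparison described above by looking each downloaded file up in the advisory's table; it assumes md5sum, awk and basename are on the PATH.

```shell
#!/bin/sh
# Added example, not part of the SOT advisory: check downloaded update
# packages against the MD5 table published in section 4 before installing.
# Assumes md5sum, basename and awk are on the PATH.

# Expected checksums copied from the advisory, "<file> <md5>" per line.
ADVISORY_MD5='
postgresql-7.2.4-1.i386.rpm bd69df83276d2c0f6e8985911fd0974a
postgresql-contrib-7.2.4-1.i386.rpm 6d681ded480be80c3264fa16a6e01958
postgresql-devel-7.2.4-1.i386.rpm 4cf02881e9e85b9c9a5622607033e110
postgresql-docs-7.2.4-1.i386.rpm c6088d5a230b57f07f2d1e22bc21c5d9
postgresql-jdbc-7.2.4-1.i386.rpm c7ec1d79774ce8bfa94a03ff090f951e
postgresql-libs-7.2.4-1.i386.rpm 30331059bc8548d81633ae3e8f705e4a
postgresql-odbc-7.2.4-1.i386.rpm a3cc8cd3f675993d586f0a47fe91341d
postgresql-perl-7.2.4-1.i386.rpm 4983e462bbaabee4712ff615fcc40e22
postgresql-python-7.2.4-1.i386.rpm 8797d9fe3768670b50e09f6cf535c3ae
postgresql-server-7.2.4-1.i386.rpm d7d4b4d331d694e0450ba3a3cd1e5ca6
postgresql-tcl-7.2.4-1.i386.rpm b5659daa8637c4a7ee3287f6ab559ce1
postgresql-test-7.2.4-1.i386.rpm 5dd7bfe4af412f3aa0bfb7d7675e368e
postgresql-tk-7.2.4-1.i386.rpm bbfc9c0b3d410a02a00dead3b6e30cb7
postgresql-7.2.4-1.src.rpm 75d56ef663252bfa327735b7a960f721
'

# Print the advisory's MD5 for a package file name; empty if not listed.
expected_md5() {
    printf '%s\n' "$ADVISORY_MD5" | awk -v f="$1" '$1 == f { print $2 }'
}

# Print the MD5 of a local file.
file_md5() {
    md5sum "$1" | awk '{ print $1 }'
}

# Exit status 0 if the file matches the advisory table, 1 on mismatch,
# 2 if the advisory does not list a file of that name at all.
verify_md5() {
    name=$(basename "$1")
    want=$(expected_md5 "$name")
    [ -n "$want" ] || { echo "$name: not listed in advisory" >&2; return 2; }
    got=$(file_md5 "$1")
    [ "$got" = "$want" ] && { echo "$name: MD5 OK"; return 0; }
    echo "$name: MD5 MISMATCH got $got want $want" >&2
    return 1
}
```

A package that passes verify_md5 should still be run through rpm --checksig, which is the authoritative check; the MD5 comparison only catches a corrupted or wrong download.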
5. References
http://archives.postgresql.org/pgsql-bugs/2003-09/msg00014.php
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0901
Copyright(c) 2001-2003 SOT