[Full-Disclosure] [OpenPKG-SA-2003.048] OpenPKG Security Advisory (postgresql)

From: OpenPKG (openpkg_at_openpkg.org)
Date: 11/11/03

  • Next message: Thorsten Mayr: "AW: [Full-Disclosure] pc-anywhere (version 9.2) - telnet kills service"
    To: full-disclosure@lists.netsys.com
    Date: Tue, 11 Nov 2003 21:09:39 +0100

    Hash: SHA1


    OpenPKG Security Advisory The OpenPKG Project
    http://www.openpkg.org/security.html http://www.openpkg.org
    openpkg-security@openpkg.org openpkg@openpkg.org
    OpenPKG-SA-2003.048 11-Nov-2003

    Package: postgresql
    Vulnerability: remote code execution
    OpenPKG Specific: no

    Affected Releases: Affected Packages: Corrected Packages:
    OpenPKG CURRENT <= postgresql-7.3.3-20030723 >= postgresql-7.3.4-20030725
    OpenPKG 1.3 N.A. none
    OpenPKG 1.2 <= postgresql-7.3.1-1.2.3 >= postgresql-7.3.1-1.2.4

    Dependent Packages: none

      This is an update for the OpenPKG security advisory
      OpenPKG-SA-2003.047 [7], released on 30-Oct-2003. Unfortunately, the
      package postgresql-7.3.1-1.2.3 (for OpenPKG 1.2 only) accompanying the
      original security advisory was broken because the created security
      patch was accidentally not included into the resulting source RPM
      package. Thanks to Andreas from Conectiva for discovering this
      packaging bug. The package postgresql-7.3.1-1.2.4 accompanying this
      updated security advisory is now fixed by correctly including the
      necessary security patch.

      Two bugs leading to a buffer overflow in the PostgreSQL [0] RDBMS,
      versions 7.2.x and 7.3.x prior to 7.3.4, were discovered. The
      vulnerability exists in the PostgreSQL abstract data type (ADT) to
      ASCII conversion functions.

      It has been conjectured that excessive data passed to the involved
      to_ascii_xxx() functions may overrun the bounds of an insufficient
      buffer reserved in heap memory, resulting in the corruption of heap
      based memory management structures that are adjacent to it. It is
      currently believed that under the correct circumstances an attacker
      may use this to execute arbitrary instructions in the context of the
      PostgreSQL server.

      The Common Vulnerabilities and Exposures (CVE) project assigned the id
      CAN-2003-0901 [1] to the problem.

      Please check whether you are affected by running "<prefix>/bin/rpm -q
      postgresql". If you have the "postgresql" package installed and its
      version is affected (see above), we recommend that you immediately
      upgrade it (see Solution). [2][3]

      Select the updated source RPM appropriate for the OpenPKG release
      [4], fetch it from the OpenPKG FTP service [5] or a mirror location,
      verify its integrity [6], build a corresponding binary RPM from it
      [2] and update your OpenPKG installation by applying the binary RPM
      [3]. For the release OpenPKG 1.2, perform the following operations
      to permanently fix the security problem (for other releases adjust

      $ ftp ftp.openpkg.org
      ftp> bin
      ftp> cd release/1.2/UPD
      ftp> get postgresql-7.3.1-1.2.4.src.rpm
      ftp> bye
      $ <prefix>/bin/rpm -v --checksig postgresql-7.3.1-1.2.4.src.rpm
      $ <prefix>/bin/rpm --rebuild postgresql-7.3.1-1.2.4.src.rpm
      $ su -
      # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/postgresql-7.3.1-1.2.4.*.rpm

      [0] http://www.postgresql.org/
      [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0901
      [2] http://www.openpkg.org/tutorial.html#regular-source
      [3] http://www.openpkg.org/tutorial.html#regular-binary
      [4] ftp://ftp.openpkg.org/release/1.2/UPD/postgresql-7.3.1-1.2.4.src.rpm
      [5] ftp://ftp.openpkg.org/release/1.2/UPD/
      [6] http://www.openpkg.org/security.html#signature
      [7] http://www.openpkg.org/security/OpenPKG-SA-2003.047-postgresql.html

    For security reasons, this advisory was digitally signed with the
    OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
    OpenPKG project which you can retrieve from http://pgp.openpkg.org and
    hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
    for details on how to verify the integrity of this advisory.

    Comment: OpenPKG <openpkg@openpkg.org>

    -----END PGP SIGNATURE-----

    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: Thorsten Mayr: "AW: [Full-Disclosure] pc-anywhere (version 9.2) - telnet kills service"

    Relevant Pages