Re: @(#) Mordred Labs advisory 0x0001: Buffer overflow in PostgreSQL

From: Florian Weimer (Weimer@CERT.Uni-Stuttgart.DE)
Date: 08/19/02


To: Sir Mordred The Traitor <mordred@s-mail.com>
From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
Date: Mon, 19 Aug 2002 19:30:52 +0200

Sir Mordred The Traitor <mordred@s-mail.com> writes:

> --[ How to reproduce:
> psql> select cash_words('-700000000000000000000000000000');
> pgReadData() -- backend closed the channel unexpectedly.
> .... ....
> The connection to the server was lost...
>
> --[ Solution:
> Upgrade to version 7.2.1.

PostgreSQL 7.2.1 has a buffer overflow bug in the date parser (which
is invoked each time a string is converted to a datetime object). If
a frontend does not perform proper date checking and reject overlong
date strings, a buffer is overwritten by the parser. The string has to
pass some checks of the parser, so it is not immediately obvious that
this can be exploited. Denial of service is possible, though,
especially if the frontend does not automatically reestablish the
database connection. (All connections are affected, not just the one
that is issuing the query.)

To my knowledge, the PostgreSQL developers do not think this warrants
an additional 7.2.x release. They expect that users do not trust the
PostgreSQL parsers and write input validation checks. That gives me
the creeps---how can I trust a database which manipulates complex
in-memory and on-disk data structures to keep my data, if its
developers say I shouldn't rely on a simple thing they wrote, such as
a date parser?

A different problem: "select cash_out(2);". Known for ages, no fix in
sight (seems to be a design problem which is not easy to resolve).

*sigh*

-- 
Florian Weimer 	                  Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          fax +49-711-685-5898
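
The post says the developers expect frontends to validate input before it reaches the server's date and money parsers. The following is an added example of such a frontend-side check, not code from the original thread or from PostgreSQL; the maximum date length and the 32-bit cents bounds for the money type are assumptions, and the sample inputs are constructed (the long negative literal is the one quoted in the advisory).

```python
"""Frontend-side validation of date and money literals before they are
sent to the database. Added example; bounds below are assumptions."""
import re
from datetime import date
from decimal import Decimal

# Assumption: only ISO "YYYY-MM-DD" literals are accepted, so 10 chars
# is the longest string the server's date parser will ever see from us.
MAX_DATE_LEN = 10
DATE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")

# Assumption: money is stored as signed 32-bit cents; the regex caps the
# digit count so the magnitude is bounded before any arithmetic happens.
MONEY_MIN_CENTS = -(2 ** 31)
MONEY_MAX_CENTS = 2 ** 31 - 1
MONEY_RE = re.compile(r"^-?\d{1,12}(\.\d{1,2})?$")


class InvalidInput(ValueError):
    """Raised for any literal the frontend refuses to forward."""


def validate_date(s: str) -> str:
    """Return a canonical ISO date string or raise InvalidInput.
    The length check comes first: an overlong string is rejected before
    it is parsed here, and it never reaches the server at all."""
    if len(s) > MAX_DATE_LEN:
        raise InvalidInput("date literal too long")
    m = DATE_RE.match(s)
    if not m:
        raise InvalidInput("date literal not in YYYY-MM-DD form")
    year, month, day = (int(g) for g in m.groups())
    try:
        return date(year, month, day).isoformat()  # rejects 2002-02-30
    except ValueError as exc:
        raise InvalidInput(str(exc)) from None


def validate_money(s: str) -> int:
    """Return the amount as integer cents or raise InvalidInput."""
    if not MONEY_RE.match(s):
        raise InvalidInput("money literal malformed or too long")
    cents = int((Decimal(s) * 100).to_integral_value())
    if not MONEY_MIN_CENTS <= cents <= MONEY_MAX_CENTS:
        raise InvalidInput("money literal out of range")
    return cents


if __name__ == "__main__":
    # Constructed samples: one good value and one bad value of each kind.
    for fn, val in [(validate_date, "2002-08-19"),
                    (validate_date, "2002-08-19" + "0" * 40),
                    (validate_money, "12.34"),
                    (validate_money, "-700000000000000000000000000000")]:
        try:
            print(f"{val[:24]:<24} -> accepted as {fn(val)!r}")
        except InvalidInput as exc:
            print(f"{val[:24]:<24} -> rejected: {exc}")
```

Only literals that pass these checks are bound as query parameters, so the server-side parsers the post distrusts are never handed anything longer or larger than the frontend already accepts.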