[Secure-testing-team] Bug#517405: postgresql-8.3: Server crashes if using wrong (mismatch) conversion
Afonin Denis
vadm at itkm.ru
Fri Feb 27 13:57:25 UTC 2009
Package: postgresql-8.3
Version: 8.3.6-1
Severity: serious
Tags: security
Justification: must
As reported in http://archives.postgresql.org/pgsql-bugs/2009-02/msg00172.php
using conversion functions with mismatched specified and database codepages causes postgresql to segfault.
A serious issue is that a regular user can do that and bring down the whole system.
Upstream came up with a patch just hours after the report, and it seems to be slated for 8.3.6:
http://archives.postgresql.org/pgsql-bugs/2009-02/msg00176.php
-- System Information:
Debian Release: 5.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.18+openvz (SMP w/8 CPU cores)
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)
Shell: /bin/sh linked to /bin/bash
Versions of packages postgresql-8.3 depends on:
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libcomerr2 1.41.3-1 common error description library
ii libkrb53 1.6.dfsg.4~beta1-5 MIT Kerberos runtime libraries
ii libldap-2.4-2 2.4.11-1 OpenLDAP libraries
ii libpam0g 1.0.1-5 Pluggable Authentication Modules l
ii libpq5 8.3.6-1 PostgreSQL C client library
ii libssl0.9.8 0.9.8g-15 SSL shared libraries
ii libxml2 2.6.32.dfsg-5 GNOME XML library
ii locales 2.7-18 GNU C Library: National Language (
ii postgresql-client-8.3 8.3.6-1 front-end programs for PostgreSQL
ii postgresql-common 94lenny1 PostgreSQL database-cluster manage
ii ssl-cert 1.0.23 simple debconf wrapper for OpenSSL
ii tzdata 2008h-2 time zone and daylight-saving time
postgresql-8.3 recommends no packages.
Versions of packages postgresql-8.3 suggests:
ii pidentd [ident-server] 3.0.19.ds1-4 TCP/IP IDENT protocol server with
-- no debconf information
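A check a DBA can run against a cluster before and after patching, added here as an example; it is not part of the bug report or of the upstream thread it links. It lists the encoding conversions registered in pg_catalog, the encoding pair each conversion procedure is written for (these C procedures sit behind CONVERT, convert_from and convert_to, and can also be called directly by name), the server and client encodings in effect, and whether the role running the query may execute each procedure directly. Run it as an ordinary, non-superuser role: the conversion procedures carry the default function privileges, so every row comes back executable, which is the exposure the report describes (an unprivileged user reaching the procedures with encodings other than the ones shown).

```sql
-- Added example: not from the bug report or the upstream patch thread.
-- Run as an unprivileged role on the cluster you want to check.

-- 1. What the server and this session are actually using.
SELECT current_setting('server_version')  AS server_version,
       current_setting('server_encoding') AS server_encoding,
       current_setting('client_encoding') AS client_encoding;

-- 2. Every registered conversion, the encoding pair its procedure expects,
--    and whether the current role can call that procedure directly.
--    A mismatch between the pair shown here and the encodings a caller
--    passes in is the condition the report says crashes the backend.
SELECT c.conname,
       pg_encoding_to_char(c.conforencoding)    AS for_encoding,
       pg_encoding_to_char(c.contoencoding)     AS to_encoding,
       c.condefault                             AS is_default,
       p.proname                                AS conversion_proc,
       has_function_privilege(p.oid, 'EXECUTE') AS current_role_can_execute
FROM pg_conversion c
JOIN pg_proc p ON p.oid = c.conproc
ORDER BY for_encoding, to_encoding;
```

Compare the first query's server_version with the release the upstream thread says carries the fix. Until the patched package is installed, revoking EXECUTE on the listed conversion procedures from PUBLIC is a mitigation I would evaluate (my suggestion, not something the report or the upstream thread states); test it on a staging cluster first, since it changes who may call those procedures by name.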