Ubuntu
postgresql package

multiple buffer overflows in gram.y (CAN-2005-0247)

Bug #12704 reported by Debian Bug Importer
6
Affects Status Importance Assigned to Milestone
postgresql (Debian)
Fix Released
Unknown
postgresql (Ubuntu)
Fix Released
High
Martin Pitt

Bug Description

Automatically imported from Debian bug report #294406 http://bugs.debian.org/294406

See original description
Revision history for this message
Debian Bug Importer (debzilla) wrote :

Automatically imported from Debian bug report #294406 http://bugs.debian.org/294406

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 9 Feb 2005 11:30:54 -0500
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: multiple buffer overflows in gram.y (CAN-2005-0247)

--8t9RHnE3ZwKMSgU+
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: postgresql
Version: 7.4.7-1
Severity: grave
Tags: security patch

Multiple buffer overflows in gram.y for PostgreSQL 8.0.1 and earlier may al=
low
attackers to execute arbitrary code via (1) a large number of variables in a
SQL statement being handled by the read_sql_construct function, (2) a large
number of INTO variables in a SELECT statement being handled by the
make_select_stmt function, (4) a large number of arbitrary variables in a
SELECT statement being handled by the make_select_stmt function, and (4) a
large number of INTO variables in a FETCH statement being handled by the
make_fetch_stmt function, a different set of vulnerabilities than
CAN-2005-0245.

This is fixed in cvs for version 7.4 here:
http://developer.postgresql.org/cvsweb.cgi/pgsql/src/pl/plpgsql/src/gram.y.=
diff?r1=3D1.48.2.1;r2=3D1.48.2.2

--=20
see shy jo

--8t9RHnE3ZwKMSgU+
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCCjq+d8HHehbQuO8RAvtnAKCwNUGr5/jOAqDwg5azkjoQgr5/JgCdEfpl
cqj1fn3zhindk84c02Pt80g=
=rbMu
-----END PGP SIGNATURE-----

--8t9RHnE3ZwKMSgU+--

Revision history for this message
In , Joey Hess (joeyh) wrote : Re: Bug#294406: Acknowledgement (multiple buffer overflows in gram.y (CAN-2005-0247))

I should note that this is different from the gram.y overflows fixed in
7.4.7 (CAN-2005-0245). The patch applies to debian's 7.4.7-1.

--
see shy jo

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 9 Feb 2005 12:01:28 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: Re: Bug#294406: Acknowledgement (multiple buffer overflows in gram.y (CAN-2005-0247))

--qMm9M+Fa2AknHoGS
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

I should note that this is different from the gram.y overflows fixed in
7.4.7 (CAN-2005-0245). The patch applies to debian's 7.4.7-1.

--=20
see shy jo

--qMm9M+Fa2AknHoGS
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCCkHod8HHehbQuO8RAuabAKCx9eVjKBECZf/psrPV3tKF+P11sgCeICZZ
T+81KAmMalx5X0MsFj/ewwA=
=XBJM
-----END PGP SIGNATURE-----

--qMm9M+Fa2AknHoGS--

Revision history for this message
In , Martin Pitt (pitti) wrote : Bug#294406: fixed in postgresql 7.4.7-2
Download full text (4.3 KiB)

Source: postgresql
Source-Version: 7.4.7-2

We believe that the bug you reported is fixed in the latest version of
postgresql, which is due to be installed in the Debian FTP archive:

libecpg-dev_7.4.7-2_i386.deb
  to pool/main/p/postgresql/libecpg-dev_7.4.7-2_i386.deb
libecpg4_7.4.7-2_i386.deb
  to pool/main/p/postgresql/libecpg4_7.4.7-2_i386.deb
libpgtcl-dev_7.4.7-2_i386.deb
  to pool/main/p/postgresql/libpgtcl-dev_7.4.7-2_i386.deb
libpgtcl_7.4.7-2_i386.deb
  to pool/main/p/postgresql/libpgtcl_7.4.7-2_i386.deb
libpq3_7.4.7-2_i386.deb
  to pool/main/p/postgresql/libpq3_7.4.7-2_i386.deb
postgresql-client_7.4.7-2_i386.deb
  to pool/main/p/postgresql/postgresql-client_7.4.7-2_i386.deb
postgresql-contrib_7.4.7-2_i386.deb
  to pool/main/p/postgresql/postgresql-contrib_7.4.7-2_i386.deb
postgresql-dev_7.4.7-2_i386.deb
  to pool/main/p/postgresql/postgresql-dev_7.4.7-2_i386.deb
postgresql-doc_7.4.7-2_all.deb
  to pool/main/p/postgresql/postgresql-doc_7.4.7-2_all.deb
postgresql_7.4.7-2.diff.gz
  to pool/main/p/postgresql/postgresql_7.4.7-2.diff.gz
postgresql_7.4.7-2.dsc
  to pool/main/p/postgresql/postgresql_7.4.7-2.dsc
postgresql_7.4.7-2_i386.deb
  to pool/main/p/postgresql/postgresql_7.4.7-2_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martin Pitt <email address hidden> (supplier of updated postgresql package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 10 Feb 2005 13:04:02 +0100
Source: postgresql
Binary: postgresql-client libecpg4 libpgtcl-dev libpq3 postgresql-doc libecpg-dev postgresql-dev postgresql libpgtcl postgresql-contrib
Architecture: source i386 all
Version: 7.4.7-2
Distribution: unstable
Urgency: high
Maintainer: Martin Pitt <email address hidden>
Changed-By: Martin Pitt <email address hidden>
Description:
 libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
 libecpg4 - run-time library for ECPG programs
 libpgtcl - Tcl procedural language, library and front-end for PostgreSQL
 libpgtcl-dev - Tcl library for PostgreSQL - development files
 libpq3 - PostgreSQL C client library
 postgresql - object-relational SQL database management system
 postgresql-client - front-end programs for PostgreSQL
 postgresql-contrib - additional facilities for PostgreSQL
 postgresql-dev - development files for libpq (PostgreSQL library)
 postgresql-doc - documentation for the PostgreSQL database management system
Closes: 294406
Changes:
 postgresql (7.4.7-2) unstable; urgency=high
 .
   * Urgency high since this fixes a security vulnerability (and nothing else).
   * Added patch 50CAN-2005-0247:
     - Fix multiple buffer overflows in the PL/PGSQL parser's gram.y file.
     - CAN-2005-0247
     - Closes: #294406
   * Added CAN numbers to previous ch...

Read more...

Revision history for this message
In , Martin Pitt (pitti) wrote : Re: Bug#294406: multiple buffer overflows in gram.y (CAN-2005-0247)

reopen 294406
tag 294406 woody sarge
thanks

Sid is now fixed, but Sarge and Woody still need the fix(es).

Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org

Revision history for this message
Debian Bug Importer (debzilla) wrote :
Download full text (4.5 KiB)

Message-Id: <email address hidden>
Date: Thu, 10 Feb 2005 08:02:38 -0500
From: Martin Pitt <email address hidden>
To: <email address hidden>
Subject: Bug#294406: fixed in postgresql 7.4.7-2

Source: postgresql
Source-Version: 7.4.7-2

We believe that the bug you reported is fixed in the latest version of
postgresql, which is due to be installed in the Debian FTP archive:

libecpg-dev_7.4.7-2_i386.deb
  to pool/main/p/postgresql/libecpg-dev_7.4.7-2_i386.deb
libecpg4_7.4.7-2_i386.deb
  to pool/main/p/postgresql/libecpg4_7.4.7-2_i386.deb
libpgtcl-dev_7.4.7-2_i386.deb
  to pool/main/p/postgresql/libpgtcl-dev_7.4.7-2_i386.deb
libpgtcl_7.4.7-2_i386.deb
  to pool/main/p/postgresql/libpgtcl_7.4.7-2_i386.deb
libpq3_7.4.7-2_i386.deb
  to pool/main/p/postgresql/libpq3_7.4.7-2_i386.deb
postgresql-client_7.4.7-2_i386.deb
  to pool/main/p/postgresql/postgresql-client_7.4.7-2_i386.deb
postgresql-contrib_7.4.7-2_i386.deb
  to pool/main/p/postgresql/postgresql-contrib_7.4.7-2_i386.deb
postgresql-dev_7.4.7-2_i386.deb
  to pool/main/p/postgresql/postgresql-dev_7.4.7-2_i386.deb
postgresql-doc_7.4.7-2_all.deb
  to pool/main/p/postgresql/postgresql-doc_7.4.7-2_all.deb
postgresql_7.4.7-2.diff.gz
  to pool/main/p/postgresql/postgresql_7.4.7-2.diff.gz
postgresql_7.4.7-2.dsc
  to pool/main/p/postgresql/postgresql_7.4.7-2.dsc
postgresql_7.4.7-2_i386.deb
  to pool/main/p/postgresql/postgresql_7.4.7-2_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martin Pitt <email address hidden> (supplier of updated postgresql package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 10 Feb 2005 13:04:02 +0100
Source: postgresql
Binary: postgresql-client libecpg4 libpgtcl-dev libpq3 postgresql-doc libecpg-dev postgresql-dev postgresql libpgtcl postgresql-contrib
Architecture: source i386 all
Version: 7.4.7-2
Distribution: unstable
Urgency: high
Maintainer: Martin Pitt <email address hidden>
Changed-By: Martin Pitt <email address hidden>
Description:
 libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
 libecpg4 - run-time library for ECPG programs
 libpgtcl - Tcl procedural language, library and front-end for PostgreSQL
 libpgtcl-dev - Tcl library for PostgreSQL - development files
 libpq3 - PostgreSQL C client library
 postgresql - object-relational SQL database management system
 postgresql-client - front-end programs for PostgreSQL
 postgresql-contrib - additional facilities for PostgreSQL
 postgresql-dev - development files for libpq (PostgreSQL library)
 postgresql-doc - documentation for the PostgreSQL database management system
Closes: 294406
Changes:
 postgresql (7.4.7-2) unstable; urgency=high
 .
   * Urgency high since this fixes a security vulnerability (...

Read more...

Revision history for this message
Martin Pitt (pitti) wrote :

Fixed Hoary:
 postgresql (7.4.7-2ubuntu1) hoary; urgency=low
 .
   * debian/postgresql.init: Use LSB functions. (Ubuntu #6181)
   * debian/control: Add dependency to lsb-base.
 .
 postgresql (7.4.7-2) unstable; urgency=high
 .
   * Urgency high since this fixes a security vulnerability (and nothing else).
   * Added patch 50CAN-2005-0247:
     - Fix multiple buffer overflows in the PL/PGSQL parser's gram.y file.
     - CAN-2005-0247
     - Closes: #294406
   * Added CAN numbers to previous changelog version.

Warty fix is in the build queue.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 10 Feb 2005 14:35:26 +0100
From: Martin Pitt <email address hidden>
To: <email address hidden>, <email address hidden>
Subject: Re: Bug#294406: multiple buffer overflows in gram.y (CAN-2005-0247)

--jI8keyz6grp/JLjh
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

reopen 294406
tag 294406 woody sarge
thanks

Sid is now fixed, but Sarge and Woody still need the fix(es).

Martin
--=20
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org

--jI8keyz6grp/JLjh
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCC2MeDecnbV4Fd/IRAsKhAKCjmwEe1SYvm3OSxKkC3gNYOMz/ZwCffCMR
PQAGb3Ih9LsO8n3pCaQoqEI=
=LvVd
-----END PGP SIGNATURE-----

--jI8keyz6grp/JLjh--

Revision history for this message
In , Martin Pitt (pitti) wrote : Updated woody packages available

Hi Joey!

I prepared new PostgreSQL woody packages to fix CAN-2005-024[57], here
is the interdiff:

 http://people.debian.org/~mpitt/psql-woody/postgresql.woody8.diff

 postgresql (7.2.1-2woody8) stable-security; urgency=low
 .
   * Maintainer security upload to fix various vulnerabilities.
   * src/pl/plpgsql/src/gram.y:
     - Check various array boundaries to prevent buffer overflows.
     - References:
       CAN-2005-0245
       CAN-2005-0247
   * Notes:
     - 7.2 does not yet support GRANT on functions, thus CAN-2005-0244 does not
       apply.
     - 7.2 does not yet contain the "intagg" contrib module, thus CAN-2005-0246
       does not apply.
   * Added CAN number to previous changelog.

The source and i386 debs are at

  http://people.debian.org/~mpitt/psql-woody/

Please upload the packages at will.

Thanks and have a nice day!

Martin

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org

Revision history for this message
Martin Pitt (pitti) wrote :

Warty fixed in USN-79-1.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 10 Feb 2005 16:08:37 +0100
From: Martin Pitt <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: Updated woody packages available

--Kj7319i9nmIyA2yE
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi Joey!

I prepared new PostgreSQL woody packages to fix CAN-2005-024[57], here
is the interdiff:

 http://people.debian.org/~mpitt/psql-woody/postgresql.woody8.diff=20

 postgresql (7.2.1-2woody8) stable-security; urgency=3Dlow
 .
   * Maintainer security upload to fix various vulnerabilities.
   * src/pl/plpgsql/src/gram.y:
     - Check various array boundaries to prevent buffer overflows.
     - References:
       CAN-2005-0245
       CAN-2005-0247
   * Notes:
     - 7.2 does not yet support GRANT on functions, thus CAN-2005-0244 does=
 not
       apply.
     - 7.2 does not yet contain the "intagg" contrib module, thus CAN-2005-=
0246
       does not apply.
   * Added CAN number to previous changelog.

The source and i386 debs are at

  http://people.debian.org/~mpitt/psql-woody/

Please upload the packages at will.

Thanks and have a nice day!

Martin

--=20
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org

--Kj7319i9nmIyA2yE
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCC3j0DecnbV4Fd/IRAhk1AKCibuYPOlUQcxZ0WfZXMi8J1i5/4wCg+vej
9SSJGdkQO+XF+YcPc3ns5Zw=
=XKOv
-----END PGP SIGNATURE-----

--Kj7319i9nmIyA2yE--

Revision history for this message
In , Martin Schulze (joey-infodrom) wrote :

Martin Pitt wrote:
> Hi Joey!
>
> I prepared new PostgreSQL woody packages to fix CAN-2005-024[57], here
> is the interdiff:

Thanks.

Regards,

 Joey

--
GNU GPL: "The source will be with you... always."

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 10 Feb 2005 16:55:12 +0100
From: Martin Schulze <email address hidden>
To: Martin Pitt <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Updated woody packages available

Martin Pitt wrote:
> Hi Joey!
>
> I prepared new PostgreSQL woody packages to fix CAN-2005-024[57], here
> is the interdiff:

Thanks.

Regards,

 Joey

--
GNU GPL: "The source will be with you... always."

Revision history for this message
In , Steve Langasek (vorlon) wrote : fix has reached sarge

tags 294406 -sarge
thanks

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 15 Feb 2005 06:54:00 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: fix has reached sarge

tags 294406 -sarge
thanks

Revision history for this message
In , Martin Pitt (pitti) wrote : Closing

All releases (Sarge, Sid, Woody) are fixed now, closing.

Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 15 Feb 2005 18:58:09 +0100
From: Martin Pitt <email address hidden>
To: <email address hidden>
Subject: Closing

--PNTmBPCT7hxwcZjr
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

All releases (Sarge, Sid, Woody) are fixed now, closing.

Martin
--=20
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org

--PNTmBPCT7hxwcZjr
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCEjgxDecnbV4Fd/IRAl6iAKCNgnw6nO+8XDtxljPWnczPPV+zCQCg38x7
F/qBrWAzS2YvbWuV3RsnnMg=
=4dbN
-----END PGP SIGNATURE-----

--PNTmBPCT7hxwcZjr--

Bug Watch Updater (bug-watch-updater)
Changed in postgresql:
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.