[gentoo-announce] [ GLSA 200505-12 ] PostgreSQL: Multiple vulnerabilities - gentoo-announce

From:	Sune Kloppenborg Jeppesen <jaervosz@g.o>
To:	gentoo-announce@l.g.o
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200505-12 ] PostgreSQL: Multiple vulnerabilities
Date:	Sun, 15 May 2005 10:41:16
Message-Id:	`200505151241.20306.jaervosz@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 200505-12

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: Normal

8

     Title: PostgreSQL: Multiple vulnerabilities

9

      Date: May 15, 2005

10

      Bugs: #91231

11

        ID: 200505-12

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

PostgreSQL is vulnerable to Denial of Service attacks and possibly

19

allows unprivileged users to gain administrator rights.

20

21

Background

22

==========

23

24

PostgreSQL is a SQL compliant, open source object-relational database

25

management system.

26

27

Affected packages

28

=================

29

30

    -------------------------------------------------------------------

31

     Package            /  Vulnerable  /                    Unaffected

32

    -------------------------------------------------------------------

33

  1  dev-db/postgresql     < 8.0.2-r1                     *>= 7.4.7-r2

34

                                                          *>= 8.0.1-r3

35

                                                           >= 8.0.2-r1

36

37

Description

38

===========

39

40

PostgreSQL gives public EXECUTE access to a number of character

41

conversion routines, but doesn't validate the given arguments

42

(CAN-2005-1409). It has also been reported that the contrib/tsearch2

43

module of PostgreSQL misdeclares the return value of some functions as

44

"internal" (CAN-2005-1410).

45

46

Impact

47

======

48

49

An attacker could call the character conversion routines with specially

50

setup arguments to crash the backend process of PostgreSQL or to

51

potentially gain administrator rights. A malicious user could also call

52

the misdeclared functions of the contrib/tsearch2 module, resulting in

53

a Denial of Service or other, yet uninvestigated, impacts.

54

55

Workaround

56

==========

57

58

There is no known workaround at this time.

59

60

Resolution

61

==========

62

63

All PostgreSQL users should update to the latest available version and

64

follow the guide at http://www.postgresql.org/about/news.315

65

66

    # emerge --sync

67

    # emerge --ask --oneshot --verbose dev-db/postgresql

68

69

References

70

==========

71

72

  [ 1 ] CAN-2005-1409

73

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1409

74

  [ 2 ] CAN-2005-1410

75

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1410

76

  [ 3 ] PostgreSQL Announcement

77

        http://www.postgresql.org/about/news.315

78

79

Availability

80

============

81

82

This GLSA and any updates to it are available for viewing at

83

the Gentoo Security Website:

84

85

  http://security.gentoo.org/glsa/glsa-200505-12.xml

86

87

Concerns?

88

=========

89

90

Security is a primary focus of Gentoo Linux and ensuring the

91

confidentiality and security of our users machines is of utmost

92

importance to us. Any security concerns should be addressed to

93

security@g.o or alternatively, you may file a bug at

94

http://bugs.gentoo.org.

95

96

License

97

=======

98

99

Copyright 2005 Gentoo Foundation, Inc; referenced text

100

belongs to its owner(s).

101

102

The contents of this document are licensed under the

103

Creative Commons - Attribution / Share Alike license.

104

105

http://creativecommons.org/licenses/by-sa/2.0

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 200505-12
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: PostgreSQL: Multiple vulnerabilities
9	Date: May 15, 2005
10	Bugs: #91231
11	ID: 200505-12
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	PostgreSQL is vulnerable to Denial of Service attacks and possibly
19	allows unprivileged users to gain administrator rights.
20
21	Background
22	==========
23
24	PostgreSQL is a SQL compliant, open source object-relational database
25	management system.
26
27	Affected packages
28	=================
29
30	-------------------------------------------------------------------
31	Package / Vulnerable / Unaffected
32	-------------------------------------------------------------------
33	1 dev-db/postgresql < 8.0.2-r1 *>= 7.4.7-r2
34	*>= 8.0.1-r3
35	>= 8.0.2-r1
36
37	Description
38	===========
39
40	PostgreSQL gives public EXECUTE access to a number of character
41	conversion routines, but doesn't validate the given arguments
42	(CAN-2005-1409). It has also been reported that the contrib/tsearch2
43	module of PostgreSQL misdeclares the return value of some functions as
44	"internal" (CAN-2005-1410).
45
46	Impact
47	======
48
49	An attacker could call the character conversion routines with specially
50	setup arguments to crash the backend process of PostgreSQL or to
51	potentially gain administrator rights. A malicious user could also call
52	the misdeclared functions of the contrib/tsearch2 module, resulting in
53	a Denial of Service or other, yet uninvestigated, impacts.
54
55	Workaround
56	==========
57
58	There is no known workaround at this time.
59
60	Resolution
61	==========
62
63	All PostgreSQL users should update to the latest available version and
64	follow the guide at http://www.postgresql.org/about/news.315
65
66	# emerge --sync
67	# emerge --ask --oneshot --verbose dev-db/postgresql
68
69	References
70	==========
71
72	[ 1 ] CAN-2005-1409
73	http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1409
74	[ 2 ] CAN-2005-1410
75	http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1410
76	[ 3 ] PostgreSQL Announcement
77	http://www.postgresql.org/about/news.315
78
79	Availability
80	============
81
82	This GLSA and any updates to it are available for viewing at
83	the Gentoo Security Website:
84
85	http://security.gentoo.org/glsa/glsa-200505-12.xml
86
87	Concerns?
88	=========
89
90	Security is a primary focus of Gentoo Linux and ensuring the
91	confidentiality and security of our users machines is of utmost
92	importance to us. Any security concerns should be addressed to
93	security@g.o or alternatively, you may file a bug at
94	http://bugs.gentoo.org.
95
96	License
97	=======
98
99	Copyright 2005 Gentoo Foundation, Inc; referenced text
100	belongs to its owner(s).
101
102	The contents of this document are licensed under the
103	Creative Commons - Attribution / Share Alike license.
104
105	http://creativecommons.org/licenses/by-sa/2.0

Gentoo Archives: gentoo-announce