SuSE: PostgreSQL buffer overflow problems (SUSE-SA-2005:027) Security Update
Summary
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SUSE Security Announcement
Package: postgresql
Announcement-ID: SUSE-SA:2005:027
Date: Wed, 20 Apr 2005 09:00:00 +0000
Affected products: 8.2, 9.0, 9.1, 9.2, 9.3
SUSE Linux Desktop 1.0
SUSE Linux Enterprise Server 8, 9
Novell Linux Desktop 9
Vulnerability Type: remote code execution
Severity (1-10): 5
SUSE default package: no
Cross References: CAN-2005-0247
Content of this advisory:
1) security vulnerability resolved:
code execution due to bugs in several SQL commands
problem description
2) solution/workaround
3) special instructions and notes
4) package location and checksums
5) pending vulnerabilities, solutions, workarounds:
none
6) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion
Several problems were identified and fixed in the PostgreSQL
database server.
Multiple buffer overflows in the low level parsing routines may
allow attackers to execute arbitrary code via:
(1) a large number of variables in a SQL statement being handled by
the read_sql_construct() function,
(2) a large number of INTO variables in a SELECT statement being
handled by the make_select_stmt function,
(3) a large number of arbitrary variables in a SELECT statement being
handled by the make_select_stmt function, and
(4) a large number of INTO variables in a FETCH statement being
handled by the make_fetch_stmt function.
This is tracked by the Mitre CVE ID CAN-2005-0247.
2) solution/workaround
None, please install the updated packages.
3) special instructions and notes
If you are running a PostgreSQL server please make sure that it
is stopped or at least doesn't have any client connections during
the update.
4) package location and checksums
Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.
x86 Platform:
SUSE Linux 9.3:
678cf8fac25f43217a75ff1b69afa1e1
9f71e3a477cb37e96b6252d3e41af5d0
13befe8d62a70898b576f46332b04016
d51a60a473567c87c3f94cc0d5abde2d
50af9cba7571c4859b033a420782c5c3
3d68c0e2f026e3c1f1d33ec828ade723
4601a1e4308348a7a27fbe4dd0bfe029
55c4a7c5b510b4a05b789540adbcca00
SUSE Linux 9.2:
6d5ca6b626a70cee2b34e49d33855648
62020a1c26ed41635cf07f37f1c22817
eb20f825e8c1ee955e6904bd718ad1ba
79194edc8a6a6ad10104b964e66cf789
67353952335be148e0f3719a50edf8c5
caad51baf0dfca24df09fec5d4385555
55a89a0f695e5dc892fa31af6140e367
91ac32a40b548d187ca78fb095f182ac
SUSE Linux 9.1:
7027aa706e60a5074b294edba529479c
f7f3ef933b3cef23e892ede41d30b7e2
8b48f30541f0834d14c7c1297202a55f
e4456b0be9e08ffab52bc8476d2a25c8
9a936afc00a75b243c7c7bd040eb3e97
7037b8f9f9ca4d0c3325b1f52a38338c
a6699829779cf0f1adc9eb899e028cce
6d7c782b577a97024d5b388957686eb9
source rpm(s):
10074702f7983e615b0d4da932915419
SUSE Linux 9.0:
dbefa2ff236099277275e050196832f9
9e933821ae869b86c9dbb9899df86d75
8c2f83c0acb4bda10989a90082126324
4fa5151ac425ef2765600082c8772d38
c038222567e7692081dfef91f56fa73b
57730936587d5214f45d498721abc0d4
a66b7aa7172c4accefad29b98b725452
c2d0256ea4ce83f12e73e4f23a0f4929
0a754eb5f8535cd7a291ffefb724f537
source rpm(s):
174eb88726ae089eb80327613d0191c9
SUSE Linux 8.2:
a2b5993ddc330ffc4caf596b95cd44da
80f40fb76c5eb8b04634836f5da87839
e97783f94a2e103b4f36d8309525e03b
df6f2407af9063765d3100efda4e9fd7
158525f64b5ce8b4e84307442c55cf69
b214dab6c7691e408c8cb94f3d89266b
ef2c190ddcca664c6d24c30cee18b06a
598bc10d2956c68c44bbc15c1048b961
source rpm(s):
b9607afe3c591211cd4828387b78e844
x86-64 Platform:
SUSE Linux 9.3:
a608a80f0c5e52244ef0e06f71179eec
3fc4c4e413857244670ec31d132ecf6e
604493537efd3eefdb6c2268c76d9fce
4f9cdf3fef5cbc05655a61c0d40188ac
1693e687c7175143a8417a1971b7561d
231201858f97d931a342cc54197fede0
cf53838797c30f7c0d6c20780b3df994
source rpm(s):
72d273fb0e710ce3b36f8a75760faca0
b12ca9ab8d1e1403d64608447cef61af
SUSE Linux 9.2:
376426e12fa067ed9750ff729e7af64f
a2a1174114c9f2cd8b0bd24dc15603ad
52c49022348810ee55dc74a986a10324
c4ffdce772938cb5ca851a09eb05ccb9
b89fbdd68337b6f6d557e030fdee385c
6fe8b6011a779152b659b85278176084
94bd74ce6d5e215c0cc910227606b081
source rpm(s):
b8c6138e39ecc4c75537c7bf99cbcee4
e9c71d98739d760557aa9719ac45083b
SUSE Linux 9.1:
000d9921b17457f420806deb0b52b864
7ae07a0f82e1c752a43f1d2f1d6f76a4
959493267003db19075030c88b288e53
452dc62ada42a821a7d6e8bc79e6fbd8
6d07eec96e67f4c3b316b980db2ded02
a9a394f502ce7d45b72e8d037513cc60
090f72759ce39af0b49170ff3b0e939a
source rpm(s):
8bd7c2894ca62fe59e52f5ee79a13a8c
SUSE Linux 9.0:
d9b71b21317c17281a1d0b5ac058ee7e
df00a736fbbc1fe396ca802f28556a6e
b1bc20c65730504cb68204644b53c3b1
aa2a266f6cfb859e248d7c6a9168cd5d
ff5014d8c7d7c2d3b044bb2f268c0bf8
9e9dc0405761bde26676ad71b71d18c8
0235a9bd3d8b582c8eeec89ae5cc02ff
2cd64de68e37398c11448271c87d8f9b
source rpm(s):
cb17afaeae94a5d9c982654047c46b7f
______________________________________________________________________________
5) Pending vulnerabilities in SUSE Distributions and Workarounds:
none
______________________________________________________________________________
6) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SUSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum
References