Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 261223 (CVE-2009-0922) - dev-db/postgresql-* potential DoS due to conversion functions (CVE-2009-0922)
Summary: dev-db/postgresql-* potential DoS due to conversion functions (CVE-2009-0922)
Status: RESOLVED FIXED
Alias: CVE-2009-0922
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-03-04 20:51 UTC by Robert Buchholz (RETIRED)
Modified: 2011-10-25 07:50 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-03-04 20:51:01 UTC
Vincent Danen wrote:
A stack overflow was found in how PostgreSQL handles conversion encoding.  This
could allow an authenticated user to kill connections to the PostgreSQL server
for a small amount of time, which could interupt transactions by other
users/clients.

The original report is here:

http://archives.postgresql.org/pgsql-bugs/2009-02/msg00172.php

Upstream has a patch for this issue that causes the server to crash in a
different way (core dump due to abort() rather than core dump due to stack
overflow), but it sounds like they are still looking for a better fix.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-18 09:50:23 UTC
According to upstream [1], this issue is fixed in the following releases: 8.3.7, 8.2.13, 8.1.17, 8.0.21, 7.4.25

[1] http://www.postgresql.org/support/security.html
Comment 2 Aaron W. Swenson gentoo-dev 2010-09-24 08:59:42 UTC
This should be resolved along with bug 320967.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2011-10-25 07:50:56 UTC
This issue was resolved and addressed in
 GLSA 201110-22 at http://security.gentoo.org/glsa/glsa-201110-22.xml
by GLSA coordinator Alex Legler (a3li).