
Bug 165482

Summary: dev-db/postgresql DoS and Information Disclosure (CVE-2007-0555 CVE-2007-0556)
Product: Gentoo Security
Reporter: Executioner <keith>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: bernd, chainsaw, earny, esigra, pgsql-bugs
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/24033/
Whiteboard: B3 [glsa] Falco
Package list:
Runtime testing required: ---

Description Executioner 2007-02-05 19:47:04 UTC
Description:
Some vulnerabilities have been reported in PostgreSQL, which can be exploited by malicious users to gain knowledge of potentially sensitive information and cause a DoS (Denial of Service).

1) An unspecified error can be used to suppress certain checks, which ensure that SQL functions return the correct data type. This can be exploited to crash the database backend or disclose potentially sensitive information.

2) An unspecified error when changing the data type of a table column can be exploited to crash the database backend or disclose potentially sensitive information.

Vulnerability #1 is reported in versions 8.0, 8.1, and 8.2. Vulnerability #2 is reported in 8.0, 8.1, 8.2, 7.3 and 7.4.

Solution:
Update to 8.2.2, 8.1.7, 8.0.11, 7.4.16, or 7.3.13.


Reproducible: Didn't try




http://www.postgresql.org/support/security
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2007-02-06 07:43:23 UTC
*** Bug 165562 has been marked as a duplicate of this bug. ***
Comment 2 Ernst Herzberg 2007-02-06 19:45:00 UTC
Ooops, wait! :-)

8.1.7 and 8.2.2 are buggy, see
http://archives.postgresql.org/pgsql-hackers/2007-02/msg00286.php

Comment 3 Bernd Marienfeldt 2007-02-07 15:07:13 UTC
See update from Postgres Developer:

http://archives.postgresql.org/pgsql-announce/2007-02/msg00008.php


Kind regards
Comment 4 Martin Jackson (RETIRED) gentoo-dev 2007-02-11 22:53:55 UTC
libpq and postgresql 7.3.18 have been committed to the tree.
Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-12 12:50:52 UTC
(In reply to comment #4)
> libpq and postgresql 7.3.18 have been committed to the tree.
> 

Thanks, perfect.

Hi arches, please test and mark those ebuilds stable if appropriate:

libpq-7.3.18
postgresql-7.3.18
libpq-7.4.16
postgresql-7.4.16
libpq-8.0.12
postgresql-8.0.12

Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2007-02-12 14:54:32 UTC
(In reply to comment #5)
> libpq-7.3.18
> postgresql-7.3.18
> libpq-7.4.16
> postgresql-7.4.16
> 

>>> Unpacking postgresql-opt-7.3.18.tar.bz2 to /var/tmp/portage/dev-db/libpq-7.3.18/work
 * Applying libpq-7.3.18-gentoo.patch ...

 * Failed Patch: libpq-7.3.18-gentoo.patch !
 *  ( /usr/portage/dev-db/libpq/files/libpq-7.3.18-gentoo.patch )

Same occurs with 7.4.16.
Comment 7 Martin Jackson (RETIRED) gentoo-dev 2007-02-13 01:49:11 UTC
The 7.3 and 7.4 problems are because I missed CVS keywords in the libpq patches for those versions.  I've committed fixes for libpq-7.3 and 7.4, and I've verified none of the other ebuilds have that problem.  Sorry for any confusion.
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2007-02-13 10:03:29 UTC
x86 stable
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2007-02-13 10:44:03 UTC
jep.. seems to work. ppc64 stable
Comment 10 Gustavo Zacarias (RETIRED) gentoo-dev 2007-02-13 15:42:21 UTC
sparc stable.
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2007-02-14 04:53:52 UTC
Stable for HPPA. As a side note, postgresql-7.3.18 failed the horology regression test whilst 7.4.16 did not. I did not test this for 8.0.12 within the scope of this bug.
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2007-02-14 05:02:20 UTC
(In reply to comment #11)
> Stable for HPPA. As a side note, postgresql-7.3.18 failed the horology
> regression test whilst 7.4.16 did not. I did not test this for 8.0.12 within
> the scope of this bug.

Found the source too: compare [1] and [2]. False alarm.

[1] http://www.postgresql.org/docs/7.3/interactive/regress-platform.html
[2] http://www.postgresql.org/docs/7.4/interactive/regress-platform.html
Comment 13 Bryan Østergaard (RETIRED) gentoo-dev 2007-02-16 12:43:29 UTC
Stable on Alpha + IA64.
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2007-02-18 15:37:23 UTC
ppc stable
Comment 15 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-03 23:53:59 UTC
Hi amd64, is there something causing trouble?
Comment 16 Simon Stelling (RETIRED) gentoo-dev 2007-03-04 11:15:11 UTC
(In reply to comment #15)
> Hi amd64, is there something causing trouble?

Nothing unusual. Stable on amd64.
Comment 17 Stefan Cornelius (RETIRED) gentoo-dev 2007-03-04 12:59:57 UTC
voting no
Comment 18 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-04 21:02:26 UTC
Mmm, I don't know... CVE-2007-0556 seems a little severe.
Comment 19 Matthias Geerdsen (RETIRED) gentoo-dev 2007-03-05 21:14:43 UTC
tend to vote yes here
Comment 20 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-09 22:33:52 UTC
Another security member with interesting arguments? Otherwise I would say "yes" too.

GLSA request filed.
Comment 21 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-18 22:02:50 UTC
GLSA 200701-15 sent but apparently, it never hit gentoo-announce@
Comment 22 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-19 00:19:49 UTC
GLSA 200703-15 seems to have finally reached g-announce. Closing then. Thanks to everybody