
Bug 261223 (CVE-2009-0922)

Summary: dev-db/postgresql-* potential DoS due to conversion functions (CVE-2009-0922)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: pgsql-bugs, titanofold
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=488156
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2009-03-04 20:51:01 UTC
Vincent Danen wrote:
A stack overflow was found in how PostgreSQL handles conversion encoding.  This
could allow an authenticated user to kill connections to the PostgreSQL server
for a small amount of time, which could interrupt transactions by other
users/clients.

The original report is here:

http://archives.postgresql.org/pgsql-bugs/2009-02/msg00172.php

Upstream has a patch for this issue that causes the server to crash in a
different way (core dump due to abort() rather than core dump due to stack
overflow), but it sounds like they are still looking for a better fix.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-18 09:50:23 UTC
According to upstream [1], this issue is fixed in the following releases: 8.3.7, 8.2.13, 8.1.17, 8.0.21, 7.4.25

[1] http://www.postgresql.org/support/security.html
Comment 2 Aaron W. Swenson gentoo-dev 2010-09-24 08:59:42 UTC
This should be resolved along with bug 320967.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2011-10-25 07:50:56 UTC
This issue was resolved and addressed in
 GLSA 201110-22 at http://security.gentoo.org/glsa/glsa-201110-22.xml
by GLSA coordinator Alex Legler (a3li).