
Bug 81350

Summary: dev-db/postgresql: Buffer overflows in PL/PgSQL parser (CAN-2005-0247)
Product: Gentoo Security
Reporter: Matthias Geerdsen (RETIRED) <vorlon>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: major
CC: esigra, pgsql-bugs
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard: B1 [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Matthias Geerdsen (RETIRED) gentoo-dev 2005-02-09 05:11:19 UTC
Following CANs list <=8.0.1 as affected:


244 and 246 appear to be fixed according to the 8.0.1 changelog, maybe someone can verify that.

(Additional) patches for 245 and 246 seem to have been introduced after the release though.

postgresql team, pls verify|patch|advise
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-10 11:32:44 UTC
Ubuntu fixed those with USN-79-1
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-02-10 13:10:05 UTC
Confirming fixed in 7.4.7 :

They also fixed : "Avoid buffer overrun when plpgsql cursor declaration has too
many parameters (Neil)" This appears to be CAN-2004-0245.

This leaves CAN-2004-0247 to treat, the patch for 7.4.7 can be found at :;r2=;only_with_tag=REL7_4_STABLE

postgresql maintainers: You might want to also patch 8.0.1 using :;r2=;only_with_tag=REL8_0_STABLE
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-11 12:40:03 UTC
Of course it is CAN-2005-0247 and not CAN-2004-0247.

Koon, what is the status of CAN-2005-0245? Is it fixed already?

GLSA drafted, Security please review.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-02-11 13:00:55 UTC
Apparently yes. It's the same file anyway, so patching the last one will surely solve both.
Comment 5 Masatomo Nakano (RETIRED) gentoo-dev 2005-02-11 13:42:23 UTC
I've applied the patch in 
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-13 05:58:41 UTC
Arches please test and mark stable. Target keywords:

postgresql-7.3.9-r1.ebuild:KEYWORDS="x86 ppc sparc alpha amd64 hppa ia64 mips"
postgresql-7.4.7-r1.ebuild:KEYWORDS="x86 ppc sparc mips alpha arm hppa amd64 ia64 s390 ppc64"
postgresql-8.0.1.ebuild:KEYWORDS="~x86 ~ppc ~sparc ~mips ~alpha ~arm ~hppa ~amd64 ~ia64 ~s390 ~ppc64" (Already there).
Comment 7 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-02-13 08:24:16 UTC
Stable on ppc.
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2005-02-13 10:18:39 UTC
stable on ppc64
Comment 9 Olivier Crete (RETIRED) gentoo-dev 2005-02-13 12:57:20 UTC
It's already stable on x86
Comment 10 Bryan Østergaard (RETIRED) gentoo-dev 2005-02-13 14:43:39 UTC
Stable on alpha.
Comment 11 Jan Brinkmann (RETIRED) gentoo-dev 2005-02-13 15:16:43 UTC
stable on amd64
Comment 12 Gustavo Zacarias (RETIRED) gentoo-dev 2005-02-14 07:47:28 UTC
sparc stable.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-14 14:02:13 UTC

arm, hppa, ia64, mips please remember to mark stable.
Comment 14 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-02-16 01:21:53 UTC
Stable on hppa.
Comment 15 Hardave Riar (RETIRED) gentoo-dev 2005-02-18 09:30:49 UTC
Stable on mips.