Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 165482 - dev-db/postgresql DoS and Information Disclosure (CVE-2007-0555 CVE-2007-0556)
Summary: dev-db/postgresql DoS and Information Disclosure (CVE-2007-0555 CVE-2007-0556)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/24033/
Whiteboard: B3 [glsa] Falco
Keywords:
: 165562 (view as bug list)
Depends on:
Blocks:
 
Reported: 2007-02-05 19:47 UTC by Executioner
Modified: 2020-03-02 16:40 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Executioner 2007-02-05 19:47:04 UTC
Description:
Some vulnerabilities have been reported in PostgreSQL, which can be exploited by malicious users to gain knowledge of potentially sensitive information and cause a DoS (Denial of Service).

1) An unspecified error can be used to suppress certain checks, which ensure that SQL functions return the correct data type. This can be exploited to crash the database backend or disclose potentially sensitive information.

2) An unspecified error when changing the data type of a table column can be exploited to crash the database backend or disclose potentially sensitive information.

Vulnerability #1 is reported in versions 8.0, 8.1, and 8.2. Vulnerability #2 is reported in 8.0, 8.1, 8.2, 7.3 and 7.4.

Solution:
Update to 8.2.2, 8.1.7, 8.0.11, 7.4.16, or 7.3.13.


Reproducible: Didn't try




http://www.postgresql.org/support/security
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2007-02-06 07:43:23 UTC
*** Bug 165562 has been marked as a duplicate of this bug. ***
Comment 2 Ernst Herzberg 2007-02-06 19:45:00 UTC
Ooops, wait! :-)

8.1.7 and 8.2.2 are buggy, see
http://archives.postgresql.org/pgsql-hackers/2007-02/msg00286.php

Comment 3 Bernd Marienfeldt 2007-02-07 15:07:13 UTC
See update from Postgress Developer:

http://archives.postgresql.org/pgsql-announce/2007-02/msg00008.php


Kind regards
Comment 4 Martin Jackson (RETIRED) gentoo-dev 2007-02-11 22:53:55 UTC
libpq and postgresql 7.3.18 have been committed to the tree.
Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-12 12:50:52 UTC
(In reply to comment #4)
> libpq and postgresql 7.3.18 have been committed to the tree.
> 

Thanks, perfect.

Hi arches, please test and mark stable if appropriate those ebuilds :

libpq-7.3.18
postgresql-7.3.18
libpq-7.4.16
postgresql-7.4.16
libpq-8.0.12
postgresql-8.0.12

Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2007-02-12 14:54:32 UTC
(In reply to comment #5)
> libpq-7.3.18
> postgresql-7.3.18
> libpq-7.4.16
> postgresql-7.4.16
> 

>>> Unpacking postgresql-opt-7.3.18.tar.bz2 to /var/tmp/portage/dev-db/libpq-7.3.18/work
 * Applying libpq-7.3.18-gentoo.patch ...

 * Failed Patch: libpq-7.3.18-gentoo.patch !
 *  ( /usr/portage/dev-db/libpq/files/libpq-7.3.18-gentoo.patch )

Same occurs with 7.4.16.
Comment 7 Martin Jackson (RETIRED) gentoo-dev 2007-02-13 01:49:11 UTC
The 7.3 and 7.4 problems are because I missed CVS keywords in the libpq patches for those versions.  I've committed fixes for libpq-7.3 and 7.4, and I've verified none of the other ebuilds have that problem.  Sorry for any confusion.
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2007-02-13 10:03:29 UTC
x86 stable
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2007-02-13 10:44:03 UTC
jep.. seems to work. ppc64 stable
Comment 10 Gustavo Zacarias (RETIRED) gentoo-dev 2007-02-13 15:42:21 UTC
sparc stable.
Comment 11 Jeroen Roovers gentoo-dev 2007-02-14 04:53:52 UTC
Stable for HPPA. As a side note, postgresql-7.3.18 failed the horology regression test whilst 7.4.16 did not. I did not test this for 8.0.12 within the scope of this bug.
Comment 12 Jeroen Roovers gentoo-dev 2007-02-14 05:02:20 UTC
(In reply to comment #11)
> Stable for HPPA. As a side note, postgresql-7.3.18 failed the horology
> regression test whilst 7.4.16 did not. I did not test this for 8.0.12 within
> the scope of this bug.

Found the source too: compare [1] and [2]. False alarm.

[1] http://www.postgresql.org/docs/7.3/interactive/regress-platform.html
[2] http://www.postgresql.org/docs/7.4/interactive/regress-platform.html
Comment 13 Bryan Østergaard (RETIRED) gentoo-dev 2007-02-16 12:43:29 UTC
Stable on Alpha + IA64.
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2007-02-18 15:37:23 UTC
ppc stable
Comment 15 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-03 23:53:59 UTC
Hi amd64, there is something causing trouble?
Comment 16 Simon Stelling (RETIRED) gentoo-dev 2007-03-04 11:15:11 UTC
(In reply to comment #15)
> Hi amd64, there is something causing trouble?

Nothing unusual. Stable on amd64.
Comment 17 Stefan Cornelius (RETIRED) gentoo-dev 2007-03-04 12:59:57 UTC
voting no
Comment 18 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-04 21:02:26 UTC
mmm i don't know.... CVE-2007-0556 seems a little severe.
Comment 19 Matthias Geerdsen (RETIRED) gentoo-dev 2007-03-05 21:14:43 UTC
tend to vote yes here
Comment 20 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-09 22:33:52 UTC
another security member with interesting arguments? Otherwise i would say "yes" too.

GLSA request filled.
Comment 21 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-18 22:02:50 UTC
GLSA 200701-15 sent but apprently, it never hit gentoo-announce@
Comment 22 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-19 00:19:49 UTC
GLSA 200703-15 seems to have finally reached g-announce. Closing then. Thanks to everybody