             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

    Red Hat Updated PostgreSQL Packages Fix Buffer Overflow [RHSA-2003:313-10]

November 13, 2003 20:00 GMT                                       Number O-026
                                                         [REVISED 21 Nov 2003]
______________________________________________________________________________
PROBLEM:       There are two bugs that can lead to buffer overflows in the
               PostgreSQL abstract data type to ASCII conversion routines.

PLATFORM:      Red Hat Linux 7.2, 7.3, 8.0, 9
               Red Hat Enterprise Linux AS (v.2.1)
               Red Hat Enterprise Linux ES (v.2.1)
               Red Hat Enterprise Linux WS (v.2.1)
               Red Hat Linux Advanced Workstation 2.1 for the Itanium

DAMAGE:        A remote attacker may be able to execute arbitrary code in the
               context of the PostgreSQL server.

SOLUTION:      Upgrade to the appropriate patch.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. An attacker would be able to remotely
ASSESSMENT:    access the database.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:       http://www.ciac.org/ciac/bulletins/o-026.shtml
 ORIGINAL BULLETIN:   Red Hat RHSA-2003:313-10
                      https://rhn.redhat.com/errata/RHSA-2003-313.html
 ADDITIONAL
 INFORMATION:         Red Hat RHSA-2003:314-08
                      https://rhn.redhat.com/errata/RHSA-2003-314.html
 CVE/CAN:             http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0901
______________________________________________________________________________
REVISION HISTORY:
 11/21/03 - Updated Platform Section and added Red Hat RHSA-2003:314-08.
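The to_timestamp() problem described in the Red Hat advisory quoted below is a conversion routine that keeps consuming input according to its template after the input has run out. As an added example that is not part of this bulletin, of Red Hat's text or of PostgreSQL's code, the following C parser shows the bounded form of such a routine; the field letters, the struct and the function names are the example's own assumptions.

```c
/* Added example, not PostgreSQL's or Red Hat's code: a template-driven
 * parser of the to_timestamp() kind.  The bug class is consuming input by the
 * template's field widths without checking that enough input remains. */
#include <ctype.h>
#include <string.h>
struct ts { int year, mon, day, hour, min, sec; };   /* example's own type */
/* Read exactly n digits from *in into *out; 0 on success, -1 on failure. */
static int read_digits(const char **in, const char *end, size_t n, int *out)
{
    if ((size_t)(end - *in) < n)   /* the check: input shorter than template */
        return -1;
    int v = 0;
    for (size_t i = 0; i < n; i++) {
        if (!isdigit((unsigned char)(*in)[i]))
            return -1;
        v = v * 10 + ((*in)[i] - '0');
    }
    *in += n;
    *out = v;
    return 0;
}
/* Template letters Y M D H I S form fields (a run's length is its width);
 * any other template character must appear literally in the input. */
int parse_timestamp(const char *tmpl, const char *input, struct ts *out)
{
    const char *in = input, *end = input + strlen(input);
    memset(out, 0, sizeof *out);
    while (*tmpl) {
        char c = *tmpl;
        if (strchr("YMDHIS", c)) {
            size_t n = 0;
            while (tmpl[n] == c) n++;
            int *f = c == 'Y' ? &out->year : c == 'M' ? &out->mon : c == 'D' ? &out->day
                   : c == 'H' ? &out->hour : c == 'I' ? &out->min : &out->sec;
            if (read_digits(&in, end, n, f) != 0) return -1;
            tmpl += n;
        } else {
            if (in >= end || *in != c) return -1;   /* literal separator */
            in++; tmpl++;
        }
    }
    return 0;   /* template exhausted; any trailing input is ignored */
}
/* Convenience wrapper: parsed year, or -1 if the input was rejected. */
int parsed_year(const char *tmpl, const char *input)
{
    struct ts t;
    return parse_timestamp(tmpl, input, &t) == 0 ? t.year : -1;
}
```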
[***** Start RHSA-2003:313-10 *****]

Updated PostgreSQL packages fix buffer overflow

Advisory:             RHSA-2003:313-10
Last updated on:      2003-11-13
Affected Products:    Red Hat Linux 7.2
                      Red Hat Linux 7.3
                      Red Hat Linux 8.0
                      Red Hat Linux 9
CVEs (cve.mitre.org): CAN-2003-0901

Security Advisory

Details:

Updated PostgreSQL packages that correct a buffer overflow in the to_ascii
routines are now available.

PostgreSQL is an advanced Object-Relational database management system (DBMS).

Two bugs that can lead to buffer overflows have been found in the PostgreSQL
abstract data type to ASCII conversion routines. A remote attacker who is able
to influence the data passed to the to_ascii functions may be able to execute
arbitrary code in the context of the PostgreSQL server. These issues affect
PostgreSQL 7.2.x, and 7.3.x before 7.3.4. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2003-0901 to these
issues.

In addition, a bug that can lead to leaks has been found in the string to
timestamp abstract data type conversion routine. If the input string to the
to_timestamp() routine is shorter than what the template string is expecting,
the routine will run off the end of the input string, resulting in a leak of
previous timestamp behavior and unstable behavior.

Users of PostgreSQL are advised to upgrade to these erratum packages, which
contain backported patches that correct these issues.
Updated packages:
Solution

Before applying this update, make sure all previously released errata relevant
to your system have been applied.

Please note that this update is available via Red Hat Network. To use Red Hat
Network, launch the Red Hat Update Agent with the following command:

    up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Note that no initdb will be necessary from previous PostgreSQL packages.

Bugs fixed: (see bugzilla for more information)

108079 - CAN-2003-0901 PostgreSQL To_Ascii() Buffer Overflow Vulnerability
109068 - to_timestamp not stable if date string shorter than template

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0901
http://www.securityfocus.com/bid/8741
http://archives.postgresql.org/pgsql-bugs/2003-09/msg00014.php

--------------------------------------------------------------------------------
The listed packages are GPG signed by Red Hat, Inc. for security.
Our key is available at:
http://www.redhat.com/solutions/security/news/publickey/#key

You can verify each package and see who signed it with the following command:

    rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

    md5sum filename

The Red Hat security contact is security@redhat.com. More contact details at
http://www.redhat.com/solutions/security/news/contact.html

[***** End RHSA-2003:313-10 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC.
The Forum of Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their constituencies
can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process, or
service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-016: Apache HTTP Server 1.3.29 Release Fixes Security Vulnerability
O-017: SQL Injection Vulnerability in Oracle9i Application Server
O-018: Hewlett Packard Java VM Classloader (J2SE)
O-019: Hewlett Packard NLSPATH may contain any path
O-020: Sun Buffer Overflow Vulnerability in the CDE DtHelp Library
O-021: Microsoft Cumulative Security Update for Internet Explorer
O-022: Microsoft Buffer Overrun Vulnerability in Workstation Service
O-023: Microsoft Word and Excel Vulnerabilities
O-024: Microsoft Buffer Overrun in Microsoft FrontPage
O-025: ISS PeopleSoft IClient Servlet Remote Command Execution Vulnerability