Rapid7 Vulnerability & Exploit Database

RHSA-2003:010: Updated PostgreSQL packages fix buffer overrun vulnerabilities

Back to Search

RHSA-2003:010: Updated PostgreSQL packages fix buffer overrun vulnerabilities

Severity
8
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
01/17/2003
Created
07/25/2018
Added
10/28/2005
Modified
07/04/2017

Description

Updated PostgreSQL packages are available for Red Hat Linux 6.2, 7, 7.1, and 7.2 where we have backported a number of security fixes. A separate advisory deals with updated PostgreSQL packages for Red Hat Linux 7.3 and 8.0.

PostgreSQL is an advanced Object-Relational database management system (DBMS). A number of security issues have been found that affect PostgreSQL versions shipped with Red Hat Linux. Buffer overflows in PostgreSQL 7.2 allow attackers to cause a denial of service and possibly execute arbitrary code via long arguments to the lpad or rpad functions. CAN-2002-0972 Buffer overflow in the cash_words() function for PostgreSQL 7.2 and earlier allows local users to cause a denial of service and possibly execute arbitrary code via a malformed argument. CAN-2002-1397 Buffer overflow in the date parser for PostgreSQL before 7.2.2 allows attackers to cause a denial of service and possibly execute arbitrary code via a long date string, also known as a vulnerability "in handling long datetime input." CAN-2002-1398 Heap-based buffer overflow in the repeat() function for PostgreSQL before 7.2.2 allows attackers to execute arbitrary code by causing repeat() to generate a large string. CAN-2002-1400 Buffer overflows in circle_poly, path_encode and path_add allow attackers to cause a denial of service and possibly execute arbitrary code. Note that these issues have been fixed in our packages and in PostgreSQL CVS, but are not included in PostgreSQL version 7.2.2 or 7.2.3. CAN-2002-1401 Buffer overflows in the TZ and SET TIME ZONE enivronment variables for PostgreSQL 7.2.1 and earlier allow local users to cause a denial of service and possibly execute arbitrary code. CAN-2002-1402 Note that these vulnerabilities are only critical on open or shared systems because connecting to the database is required before the vulnerabilities can be exploited. The PostgreSQL Global Development Team has released versions of PostgreSQL that fixes these vulnerabilities, and these fixes have been isolated and backported to the various versions of PostgreSQL that originally shipped with each Red Hat Linux distribution. All users of PostgreSQL are advised to install these updated packages.

Solution(s)

  • redhat-upgrade-postgresql
  • redhat-upgrade-postgresql-contrib
  • redhat-upgrade-postgresql-devel
  • redhat-upgrade-postgresql-docs
  • redhat-upgrade-postgresql-jdbc
  • redhat-upgrade-postgresql-libs
  • redhat-upgrade-postgresql-odbc
  • redhat-upgrade-postgresql-perl
  • redhat-upgrade-postgresql-python
  • redhat-upgrade-postgresql-server
  • redhat-upgrade-postgresql-tcl
  • redhat-upgrade-postgresql-test
  • redhat-upgrade-postgresql-tk

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;