Rapid7 Vulnerability & Exploit Database

RHSA-2009:0479: perl-DBD-Pg security update

Back to Search

RHSA-2009:0479: perl-DBD-Pg security update

Severity
8
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
04/30/2009
Created
07/25/2018
Added
09/12/2009
Modified
07/04/2017

Description

Perl DBI is a database access Application Programming Interface (API) forthe Perl language. perl-DBD-Pg allows Perl applications to accessPostgreSQL database servers.A heap-based buffer overflow flaw was discovered in the pg_getline functionimplementation. If the pg_getline or getline functions read large,untrusted records from a database, it could cause an application usingthese functions to crash or, possibly, execute arbitrary code.(CVE-2009-0663)Note: After installing this update, pg_getline may return more data thanspecified by its second argument, as this argument will be ignored. This isconsistent with current upstream behavior. Previously, the length limit(the second argument) was not enforced, allowing a buffer overflow.A memory leak flaw was found in the function performing the de-quoting ofBYTEA type values acquired from a database. An attacker able to cause anapplication using perl-DBD-Pg to perform a large number of SQL queriesreturning BYTEA records, could cause the application to use excessiveamounts of memory or, possibly, crash. (CVE-2009-1341)All users of perl-DBD-Pg are advised to upgrade to this updated package,which contains backported patches to fix these issues. Applications usingperl-DBD-Pg must be restarted for the update to take effect.

Solution(s)

  • redhat-upgrade-perl-dbd-pg

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;