Quick Links

Re: [GENERAL] PostgreSQL 7.2.2: Security Release

From:	Gavin Sherry <swm(at)linuxworld(dot)com(dot)au>
To:	Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
Cc:	Neil Conway <neilc(at)samurai(dot)com>, "Marc G(dot) Fournier" <scrappy(at)hub(dot)org>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject:	Re: [GENERAL] PostgreSQL 7.2.2: Security Release
Date:	2002-08-25 13:44:03
Message-ID:	Pine.LNX.4.21.0208252336280.19755-100000@linuxworld.com.au
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-announce pgsql-general pgsql-hackers

On Sat, 24 Aug 2002, Bruce Momjian wrote:

>
> The issue is data-provoked crashes vs. query-invoked crashes. Marc's
> point, and I think it was clear enough, is that you can't just poke at
> the TCP port and hope to do anything bad, which was the thrust of the
> argument, I think.

Bruce,

I am convinced that someone with enough time on their hands and some code
pointed to by Florian Weimer could exploit the datetime overrun issue by
crafting a datetime string in such a way as to overrun the buffer and
smash the stack.

In applications which pass date/time data directly to the database without
any validation (is this datetime string greater than 52 bytes? does it
look like a date/time string?) then a malicious user without direct
database access could crash the database by taking advantage of the short
comings in Postgres and the application.

As such, I would recommend all people who offer direct access to the
database and/or have applications which user date/time data
types/functionality to upgrade to 7.2.2.

Gavin

In response to

Re: [GENERAL] PostgreSQL 7.2.2: Security Release at 2002-08-24 04:38:07 from Bruce Momjian

Responses

Re: [GENERAL] PostgreSQL 7.2.2: Security Release at 2002-08-25 14:34:29 from Bruce Momjian

Browse pgsql-announce by date

	From	Date	Subject
Next Message	Bruce Momjian	2002-08-25 14:34:29	Re: [GENERAL] PostgreSQL 7.2.2: Security Release
Previous Message	Marc G. Fournier	2002-08-24 19:29:50	Re: [GENERAL] PostgreSQL 7.2.2: Security Release

Browse pgsql-general by date

	From	Date	Subject
Next Message	Nigel J. Andrews	2002-08-25 14:31:00	Unwanted redirection from gborg to sourceforge?
Previous Message	Devrim GUNDUZ	2002-08-25 11:40:36	Re: Problems compiling PostgreSQL 7.2.2 rpm

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	Bruce Momjian	2002-08-25 14:34:29	Re: [GENERAL] PostgreSQL 7.2.2: Security Release
Previous Message	Nigel J. Andrews	2002-08-25 13:37:31	A configure.in patch check (fwd)