Your message dated Thu, 10 Feb 2005 08:02:38 -0500 with message-id <[EMAIL PROTECTED]> and subject line Bug#294406: fixed in postgresql 7.4.7-2 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Debian bug tracking system administrator (administrator, Debian Bugs database) -------------------------------------- Received: (at submit) by bugs.debian.org; 9 Feb 2005 16:30:32 +0000 >From [EMAIL PROTECTED] Wed Feb 09 08:30:32 2005 Return-path: <[EMAIL PROTECTED]> Received: from kitenet.net [64.62.161.42] (postfix) by spohr.debian.org with esmtp (Exim 3.35 1 (Debian)) id 1CyujY-00025z-00; Wed, 09 Feb 2005 08:30:32 -0800 Received: from dragon.kitenet.net (unknown [66.168.94.144]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "Joey Hess", Issuer "Joey Hess" (verified OK)) by kitenet.net (Postfix) with ESMTP id A1B6017F13 for <[EMAIL PROTECTED]>; Wed, 9 Feb 2005 16:29:11 +0000 (GMT) Received: by dragon.kitenet.net (Postfix, from userid 1000) id 27CE26E20E; Wed, 9 Feb 2005 11:30:54 -0500 (EST) Date: Wed, 9 Feb 2005 11:30:54 -0500 From: Joey Hess <[EMAIL PROTECTED]> To: Debian Bug Tracking System <[EMAIL PROTECTED]> Subject: multiple buffer overflows in gram.y (CAN-2005-0247) Message-ID: <[EMAIL PROTECTED]> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="8t9RHnE3ZwKMSgU+" Content-Disposition: inline X-Reportbug-Version: 3.7.1 User-Agent: Mutt/1.5.6+20040907i Delivered-To: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE autolearn=no version=2.60-bugs.debian.org_2005_01_02 X-Spam-Level: --8t9RHnE3ZwKMSgU+ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Package: postgresql Version: 7.4.7-1 Severity: grave Tags: security patch Multiple buffer overflows in gram.y for PostgreSQL 8.0.1 and earlier may al= low attackers to execute arbitrary code via (1) a large number of variables in a SQL statement being handled by the read_sql_construct function, (2) a large number of INTO variables in a SELECT statement being handled by the make_select_stmt function, (4) a large number of arbitrary variables in a SELECT statement being handled by the make_select_stmt function, and (4) a large number of INTO variables in a FETCH statement being handled by the make_fetch_stmt function, a different set of vulnerabilities than CAN-2005-0245. This is fixed in cvs for version 7.4 here: http://developer.postgresql.org/cvsweb.cgi/pgsql/src/pl/plpgsql/src/gram.y.= diff?r1=3D1.48.2.1;r2=3D1.48.2.2 --=20 see shy jo --8t9RHnE3ZwKMSgU+ Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) iD8DBQFCCjq+d8HHehbQuO8RAvtnAKCwNUGr5/jOAqDwg5azkjoQgr5/JgCdEfpl cqj1fn3zhindk84c02Pt80g= =rbMu -----END PGP SIGNATURE----- --8t9RHnE3ZwKMSgU+-- --------------------------------------- Received: (at 294406-close) by bugs.debian.org; 10 Feb 2005 13:08:02 +0000 >From [EMAIL PROTECTED] Thu Feb 10 05:08:02 2005 Return-path: <[EMAIL PROTECTED]> Received: from newraff.debian.org [208.185.25.31] (mail) by spohr.debian.org with esmtp (Exim 3.35 1 (Debian)) id 1CzE37-0007jK-00; Thu, 10 Feb 2005 05:08:01 -0800 Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian)) id 1CzDxu-0003QV-00; Thu, 10 Feb 2005 08:02:38 -0500 From: Martin Pitt <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] X-Katie: $Revision: 1.55 $ Subject: Bug#294406: fixed in postgresql 7.4.7-2 Message-Id: <[EMAIL PROTECTED]> Sender: Archive Administrator <[EMAIL PROTECTED]> Date: Thu, 10 Feb 2005 08:02:38 -0500 Delivered-To: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER autolearn=no version=2.60-bugs.debian.org_2005_01_02 X-Spam-Level: Source: postgresql Source-Version: 7.4.7-2 We believe that the bug you reported is fixed in the latest version of postgresql, which is due to be installed in the Debian FTP archive: libecpg-dev_7.4.7-2_i386.deb to pool/main/p/postgresql/libecpg-dev_7.4.7-2_i386.deb libecpg4_7.4.7-2_i386.deb to pool/main/p/postgresql/libecpg4_7.4.7-2_i386.deb libpgtcl-dev_7.4.7-2_i386.deb to pool/main/p/postgresql/libpgtcl-dev_7.4.7-2_i386.deb libpgtcl_7.4.7-2_i386.deb to pool/main/p/postgresql/libpgtcl_7.4.7-2_i386.deb libpq3_7.4.7-2_i386.deb to pool/main/p/postgresql/libpq3_7.4.7-2_i386.deb postgresql-client_7.4.7-2_i386.deb to pool/main/p/postgresql/postgresql-client_7.4.7-2_i386.deb postgresql-contrib_7.4.7-2_i386.deb to pool/main/p/postgresql/postgresql-contrib_7.4.7-2_i386.deb postgresql-dev_7.4.7-2_i386.deb to pool/main/p/postgresql/postgresql-dev_7.4.7-2_i386.deb postgresql-doc_7.4.7-2_all.deb to pool/main/p/postgresql/postgresql-doc_7.4.7-2_all.deb postgresql_7.4.7-2.diff.gz to pool/main/p/postgresql/postgresql_7.4.7-2.diff.gz postgresql_7.4.7-2.dsc to pool/main/p/postgresql/postgresql_7.4.7-2.dsc postgresql_7.4.7-2_i386.deb to pool/main/p/postgresql/postgresql_7.4.7-2_i386.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Martin Pitt <[EMAIL PROTECTED]> (supplier of updated postgresql package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.7 Date: Thu, 10 Feb 2005 13:04:02 +0100 Source: postgresql Binary: postgresql-client libecpg4 libpgtcl-dev libpq3 postgresql-doc libecpg-dev postgresql-dev postgresql libpgtcl postgresql-contrib Architecture: source i386 all Version: 7.4.7-2 Distribution: unstable Urgency: high Maintainer: Martin Pitt <[EMAIL PROTECTED]> Changed-By: Martin Pitt <[EMAIL PROTECTED]> Description: libecpg-dev - development files for ECPG (Embedded PostgreSQL for C) libecpg4 - run-time library for ECPG programs libpgtcl - Tcl procedural language, library and front-end for PostgreSQL libpgtcl-dev - Tcl library for PostgreSQL - development files libpq3 - PostgreSQL C client library postgresql - object-relational SQL database management system postgresql-client - front-end programs for PostgreSQL postgresql-contrib - additional facilities for PostgreSQL postgresql-dev - development files for libpq (PostgreSQL library) postgresql-doc - documentation for the PostgreSQL database management system Closes: 294406 Changes: postgresql (7.4.7-2) unstable; urgency=high . * Urgency high since this fixes a security vulnerability (and nothing else). * Added patch 50CAN-2005-0247: - Fix multiple buffer overflows in the PL/PGSQL parser's gram.y file. - CAN-2005-0247 - Closes: #294406 * Added CAN numbers to previous changelog version. Files: 453cbb42e518d79c3a6baa14fd72f3d4 973 misc optional postgresql_7.4.7-2.dsc e1a38f5f6ffe2bbe9711aaa3709d1657 149729 misc optional postgresql_7.4.7-2.diff.gz d4e6ed26245f6a4faf6662bae72ff74a 2392310 doc optional postgresql-doc_7.4.7-2_all.deb d7de152d1941fcaa113815670001b2ac 3792608 misc optional postgresql_7.4.7-2_i386.deb bd301d08b30188d5d2f6fd3935990739 537336 misc optional postgresql-client_7.4.7-2_i386.deb dd01e499e2b3d4cf5865a9f8094ecf30 512248 libdevel optional postgresql-dev_7.4.7-2_i386.deb f8497089698e3127152034b7bec97324 124418 libs optional libpq3_7.4.7-2_i386.deb 77d8959da4d49c81cceef57905517085 93412 libs optional libecpg4_7.4.7-2_i386.deb c97b77e83de76d9baede288ff15a6f49 204722 libdevel optional libecpg-dev_7.4.7-2_i386.deb e993f6af4e2a457b602e7182682fab65 75452 libs optional libpgtcl_7.4.7-2_i386.deb e4bdcf23f249b850adf947406288d525 53268 libdevel optional libpgtcl-dev_7.4.7-2_i386.deb 4955dff14d526e7ac466adbe3e197204 619628 misc optional postgresql-contrib_7.4.7-2_i386.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) iD8DBQFCC1fwDecnbV4Fd/IRAtBSAKCuUpcv57UEcYSQrjeafOK6bf3AfQCgkNuO yxJhfSnrIdJ4PxyN4XNfX1M= =fV0t -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]