//@(#) Mordred Labs advisory 0x0005
Release date: 23/08/02
Name: Several buffer overruns in PostgreSQL
Versions affected: all versions
Risk: from average to low

--[ Description:

PostgreSQL provides several built-in geometric types (circle, polygon, box, etc.). Unfortunately the code for the geometric functions is written in a very insecure style and should be rewritten completely. All of the problems below are reached through ordinary SQL, so any user who can run queries against the server can trigger them. A quick search revealed the following:

---[ Details:

1) Invoking the polygon(integer, circle) function calls src/backend/utils/adt/geo_ops.c:circle_poly(), which suffers from a buffer overflow.

2) src/backend/utils/adt/geo_ops.c:path_encode() fails to detect a buffer overrun condition. It is called from multiple places; the most interesting callers are the path_out() and poly_out() functions.

3) Converting a character string to a path object calls src/backend/utils/adt/geo_ops.c:path_in(), which suffers from a buffer overrun caused by a very long argument.

4) src/backend/utils/adt/geo_ops.c:poly_in() fails to detect a buffer overrun condition caused by a very long argument.

5) src/backend/utils/adt/geo_ops.c:path_add() also fails to detect a simple buffer overrun.

6) And finally, a truly dumb feature (though not security related) in postmaster:

$ postmaster -o `perl -e 'print "\x66" x 1200'`
Segmentation fault (core dumped)

--[ How to reproduce:

I only show how to reproduce the first buffer overrun condition, as the others are too memory consuming :-)

1) template1=# select polygon(268435455,'((1,2),3)'::circle);
pqReadData() -- backend closed the channel unexpectedly.
        This probably means the backend terminated abnormally
        before or while processing the request.
The connection to the server was lost. Attempting reset: Failed.
!#

--[ Solution

Drop the vulnerable functions.
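The pattern behind items 2 through 5, shown as an added example that is not PostgreSQL's source: a text encoder for a list of points that advances a pointer through a fixed-size buffer with sprintf() and never checks where the buffer ends, next to a version that tracks the remaining space with snprintf() and fails instead of overrunning. Also included is the kind of argument check missing on the circle-to-polygon path of item 1, where the reproduction passes 268435455 as the point count. All function names, buffer sizes and the MAX_POLY_POINTS limit are assumptions chosen for illustration, and the sample points are constructed.

```c
/* Added example, not PostgreSQL source: the fixed-buffer encoding pattern
 * the advisory describes, beside a bounds-checked version.  Names, buffer
 * sizes and limits are assumptions chosen for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

typedef struct { double x, y; } Point;

#define OUT_BUF_SIZE 1024       /* assumed fixed output size */
#define MAX_POLY_POINTS 4096    /* assumed sanity limit on point count */

/* Vulnerable pattern (do not use): writes "[(x,y),(x,y),...]" into a
 * static fixed-size buffer, advancing a pointer by sprintf()'s return
 * value and never comparing it with the end of the buffer.  With %g each
 * point can take up to ~30 bytes, so a few dozen points already run past
 * OUT_BUF_SIZE and smash whatever follows the buffer. */
static char out_buf[OUT_BUF_SIZE];
char *encode_path_unsafe(const Point *pts, int npts)
{
    char *cp = out_buf;
    *cp++ = '[';
    for (int i = 0; i < npts; i++) {
        if (i > 0)
            *cp++ = ',';
        cp += sprintf(cp, "(%g,%g)", pts[i].x, pts[i].y);  /* unbounded */
    }
    *cp++ = ']';
    *cp = '\0';
    return out_buf;
}

/* Hardened version: every write goes through snprintf() with the space
 * that is actually left, and the function fails closed (returns -1)
 * instead of writing past the end.  Returns the length written. */
int encode_path_safe(const Point *pts, int npts, char *buf, size_t bufsize)
{
    size_t used = 0;
    int n;

    if (buf == NULL || bufsize == 0 || npts < 0)
        return -1;
    n = snprintf(buf, bufsize, "[");
    if (n < 0 || (size_t)n >= bufsize)
        return -1;
    used += (size_t)n;
    for (int i = 0; i < npts; i++) {
        n = snprintf(buf + used, bufsize - used, "%s(%g,%g)",
                     i > 0 ? "," : "", pts[i].x, pts[i].y);
        if (n < 0 || (size_t)n >= bufsize - used)
            return -1;              /* would have been truncated: refuse */
        used += (size_t)n;
    }
    n = snprintf(buf + used, bufsize - used, "]");
    if (n < 0 || (size_t)n >= bufsize - used)
        return -1;
    used += (size_t)n;
    return (int)used;
}

/* Argument check of the kind missing on the circle-to-polygon path: the
 * reproduction asks for 268435455 points.  Reject absurd counts before
 * any allocation, and also guard the size multiplication so that raising
 * MAX_POLY_POINTS later can never let the byte count wrap. */
int polygon_npts_ok(long npts)
{
    if (npts < 1 || npts > MAX_POLY_POINTS)
        return 0;
    if ((size_t)npts > SIZE_MAX / sizeof(Point))
        return 0;
    return 1;
}

/* Self-check on constructed input: a 3-point path into 64 bytes must
 * succeed with the expected text; the same path into 8 bytes must be
 * refused; the unsafe encoder agrees on this small, non-overflowing case. */
int selfcheck_encode(void)
{
    Point pts[3] = { {1, 2}, {3, 4}, {5, 6} };
    char buf[64], tiny[8];

    if (encode_path_safe(pts, 3, buf, sizeof buf) != 19)
        return 0;
    if (strcmp(buf, "[(1,2),(3,4),(5,6)]") != 0)
        return 0;
    if (encode_path_safe(pts, 3, tiny, sizeof tiny) != -1)
        return 0;
    if (strcmp(encode_path_unsafe(pts, 3), buf) != 0)
        return 0;
    return 1;
}

int main(void)
{
    printf("encoder self-check: %s\n", selfcheck_encode() ? "ok" : "FAILED");
    printf("npts 16 accepted: %d, npts 268435455 accepted: %d\n",
           polygon_npts_ok(16), polygon_npts_ok(268435455L));
    return 0;
}
```

The unsafe encoder is only ever called on three points here; with the "very long argument" the advisory describes it would write past out_buf, which is exactly the condition the safe version turns into a -1 return that a caller can report as an error instead of a crashed backend.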