Bugtraq mailing list archives

Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in PostgreSQL


From: Lamar Owen <lamar.owen () wgcr org>
Date: Wed, 21 Aug 2002 11:02:51 -0400

On Tuesday 20 August 2002 10:28 am, Sir Mordred The Traitor wrote:
> --[ Solution
>
> Are you still running postgresql? ...Can't believe that...
> If so, execute the following command as root: "killall -9 postmaster",
> and wait until the patch is available.

This is irresponsible advice, as one should never kill -9 postmaster.

Furthermore, postmaster doesn't run as root, thus this vulnerability cannot be 
used as a remote root exploit.

Even further, if someone has direct SQL access to your database, they can 
already do more damage than what this vulnerability addresses.  Specifically 
DROP TABLE is available to users with direct SQL command line access.  
Untrusted users should never be given an SQL command line interface, and this 
particular vulnerability requires that sort of access.

The datetime parser overrun is more serious, and has been fixed for the 
upcoming 7.3 beta cycle.  Backpatching of the fix is being performed now; it 
remains to be seen how the fix for 7.2.x will be distributed.  Of note is the 
fact that a working arbitrary code exploit has not yet been posted.  As noted 
above, since the postmaster and its backend processes do not run as root, 
privilege escalation with this bug is not possible.  

This is not to say the bug shouldn't be fixed; it of course should be fixed.  
But it is not so serious that PostgreSQL users should simply stop running the 
postmaster until a patch is released.  Some common sense should be applied 
here -- if you don't use the DATE type in a manner that would allow an 
untrusted user to input dates, for instance, you needn't worry about that 
portion.  If you don't allow untrusted SQL cli users, the cash_words and 
repeat bugs shouldn't cause you any problems.  By default postmaster doesn't 
accept connections over TCP/IP, making the default installation with no 
network accessible clients not vulnerable to a remote exploit.

Having said all that, it would have been nice had a heads up been given to the 
developers.  As far as I know no notification of any kind was given, making 
this an irresponsible advisory.  There have been an increasing number of 
these of late, unfortunately.

The various bugs mentioned are being addressed by the developers, who are 
working to see the best means of fixing and distributing fixes for these 
problems.
-- 
Lamar Owen
WGCR Internet Radio
1 Peter 4:11
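A defender's audit of the conditions this reply rests on (postmaster not running as root, no TCP/IP listener by default), written as an added example that is not from the thread or the PostgreSQL project: it assumes `ps -eo user=,comm=` and `netstat -ln` style output and a 7.2-style postgresql.conf carrying the `tcpip_socket` setting, and each helper reads its input on stdin so the constructed samples below stand in for live output.

```shell
#!/bin/sh
# Added example (not from the thread): audit the conditions Lamar Owen relies on.
# Helpers read command output on stdin, so they work on live output or on the
# constructed samples below.
# "yes" if a postmaster process is owned by root (input: ps -eo user=,comm=)
root_postmaster() {
    awk '$2 == "postmaster" && $1 == "root" { found = 1 }
         END { print (found ? "yes" : "no") }'
}

# "yes" if a TCP socket listens on 5432 (input: netstat -ln); the Unix socket
# /tmp/.s.PGSQL.5432 used by local clients is deliberately ignored
tcp_listener() {
    awk '$1 ~ /^tcp/ && $4 ~ /[:.]5432$/ && $NF == "LISTEN" { found = 1 }
         END { print (found ? "yes" : "no") }'
}

# "yes" if tcpip_socket is switched on in postgresql.conf (input: the file);
# a commented-out line keeps the 7.2 default, which is off
tcp_enabled_in_conf() {
    awk '/^[ \t]*tcpip_socket[ \t]*=/ {
             sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t#].*$/, "")
             if (tolower($0) ~ /^(true|on|yes|1)$/) on = 1 }
         END { print (on ? "yes" : "no") }'
}

exposure_verdict() {   # args: root yes/no, tcp yes/no
    if [ "$1" = yes ]; then
        echo "postmaster runs as root: misconfigured, fix that before anything else"
    elif [ "$2" = yes ]; then
        echo "network-reachable: tighten pg_hba.conf and apply the fix when released"
    else
        echo "local-only, non-root: not remotely exploitable; apply the fix when released"
    fi
}

# Constructed sample output standing in for a default 7.2 installation
PS_SAMPLE='postgres postmaster
postgres postgres
root sshd'
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
unix 2 [ ACC ] STREAM LISTENING 1234 /tmp/.s.PGSQL.5432'
CONF_SAMPLE='#tcpip_socket = false
port = 5432'
root=$(printf '%s\n' "$PS_SAMPLE" | root_postmaster)
tcp=$(printf '%s\n' "$NETSTAT_SAMPLE" | tcp_listener)
echo "root postmaster: $root; tcp listener: $tcp; tcpip_socket on: $(printf '%s\n' "$CONF_SAMPLE" | tcp_enabled_in_conf)"
exposure_verdict "$root" "$tcp"   # to stop anyway: "pg_ctl stop -m fast", never killall -9
```

Run it against live output by piping `ps -eo user=,comm=`, `netstat -ln` and the real postgresql.conf into the three helpers instead of the samples.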
