@(#)Mordred Labs advisory 0x0002: Buffer overflow in PostgreSQL
Seems like this one was lost or was filtered out...
//@(#)Mordred Labs advisory 0x0002
Release data: 19/08/02
Name: Buffer overflow in PostgreSQL
Versions affected: all versions
Risk: high
--[ Description:
There exists a buffer overflow in a SET TIME ZONE command, that
allows an attacker to execute malicious code.
--[ Details:
Upon executing the SET TIME ZONE 'STRING' command, parse_timezone()
function is invoked,
which will overwrite a static buffer tzbuf with the supplied string.
Look at the src/backend/commands/variable.c if you need something to laugh
at.
--[ How to reproduce:
psql> SET TIMEZONE to 'XXXXXX...very long string...XXXXX'
...
NOTICE: Buffer Leak: [27191] (freeNext=0, freePrev=0, rel=0/0, blockNum=0,
flags=0x0, refcount=0 128)
NOTICE: Buffer Leak: [27192] (freeNext=0, freePrev=0, rel=0/0, blockNum=0,
flags=0x0, refcount=0 1249)
NOTICE: Buffer Leak: [27193] (freeNext=0, freePrev=0, rel=0/0, blockNum=0,
flags=0x0, refcount=0 1651799137)
NOTICE: Buffer Leak: [27194] (freeNext=0, freePrev=0, rel=0/0, blockNum=0,
flags=0x0, refcount=0 1818326649)
...
pqReadData() -- backend closed the channel unexpectedly.
This probably means the backend terminated abnormally
before or while processing the request.
The connection to the server was lost. Attempting reset: Failed.
--[ Solution:
Just wait...
________________________________________________________________________
This letter has been delivered unencrypted. We'd like to remind you that
the full protection of e-mail correspondence is provided by S-mail
encryption mechanisms if only both, Sender and Recipient use S-mail.
Register at S-mail.com: http://www.s-mail.com/inf/en
Sir Mordred The Traitor <mordred@s-mail.com> writes:
There exists a buffer overflow in a SET TIME ZONE command, that
allows an attacker to execute malicious code.
Here's a patch for the problem. I also fixed some other potential
buffer overruns nearby, and added a little paranoia to another routine
that uses a statically sized buffer.
Thanks for the report.
Cheers,
Neil
--
Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC
Attachments:
set_time_zone-3.patchtext/x-patchDownload+25-25
Neil Conway <neilc@samurai.com> writes:
Sir Mordred The Traitor <mordred@s-mail.com> writes:
There exists a buffer overflow in a SET TIME ZONE command, that
allows an attacker to execute malicious code.Here's a patch for the problem. I also fixed some other potential
buffer overruns nearby, and added a little paranoia to another routine
that uses a statically sized buffer.
The handling of the TZ environmental variable is subject to a buffer
overrun. To see the problem, try:
export TZ=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
postmaster -D /foo/bar&
psql
You get:
NOTICE: Buffer Leak: [26914] (freeNext=0, freePrev=0, rel=0/0, blockNum=0, flags=0x0, refcount=0 1)
[ lots more NOTICEs ]
psql: server closed the connection unexpectedly
This probably means the server terminated abnormally
before or while processing the request.
A revised patch is attached that fixes the problem.
Cheers,
Neil
--
Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC
Attachments:
set_time_zone-4.patchtext/x-patchDownload+41-41
Your patch has been added to the PostgreSQL unapplied patches list at:
http://candle.pha.pa.us/cgi-bin/pgpatches
I will try to apply it within the next 48 hours.
---------------------------------------------------------------------------
Neil Conway wrote:
Sir Mordred The Traitor <mordred@s-mail.com> writes:
There exists a buffer overflow in a SET TIME ZONE command, that
allows an attacker to execute malicious code.Here's a patch for the problem. I also fixed some other potential
buffer overruns nearby, and added a little paranoia to another routine
that uses a statically sized buffer.Thanks for the report.
Cheers,
Neil
--
Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC
[ Attachment, skipping... ]
---------------------------(end of broadcast)---------------------------
TIP 6: Have you searched our list archives?
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073Your patch has been added to the PostgreSQL unapplied patches list at:
http://candle.pha.pa.us/cgi-bin/pgpatches
I will try to apply it within the next 48 hours.
---------------------------------------------------------------------------
Neil Conway wrote:
Neil Conway <neilc@samurai.com> writes:
Sir Mordred The Traitor <mordred@s-mail.com> writes:
There exists a buffer overflow in a SET TIME ZONE command, that
allows an attacker to execute malicious code.Here's a patch for the problem. I also fixed some other potential
buffer overruns nearby, and added a little paranoia to another routine
that uses a statically sized buffer.The handling of the TZ environmental variable is subject to a buffer
overrun. To see the problem, try:export TZ=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
postmaster -D /foo/bar&
psqlYou get:
NOTICE: Buffer Leak: [26914] (freeNext=0, freePrev=0, rel=0/0, blockNum=0, flags=0x0, refcount=0 1)
[ lots more NOTICEs ]
psql: server closed the connection unexpectedly
This probably means the server terminated abnormally
before or while processing the request.A revised patch is attached that fixes the problem.
Cheers,
Neil
--
Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC
[ Attachment, skipping... ]
---------------------------(end of broadcast)---------------------------
TIP 3: if posting/reading through Usenet, please send an appropriate
subscribe-nomail command to majordomo@postgresql.org so that your
message can get through to the mailing list cleanly
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
Neil Conway <neilc@samurai.com> writes:
The handling of the TZ environmental variable is subject to a buffer
overrun.
This problem is long gone in current sources, no?
regards, tom lane
Tom Lane wrote:
Neil Conway <neilc@samurai.com> writes:
The handling of the TZ environmental variable is subject to a buffer
overrun.This problem is long gone in current sources, no?
The patch looks like it does prevent some problems.
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073Bruce Momjian <pgman@candle.pha.pa.us> writes:
Tom Lane wrote:
Neil Conway <neilc@samurai.com> writes:
The handling of the TZ environmental variable is subject to a buffer
overrun.This problem is long gone in current sources, no?
I quickly tested current sources, and it seems the bug is fixed. I
only fixed it to begin with because I saw it while fixing the reported
problem.
The patch looks like it does prevent some problems.
Yes: namely, it fixes the bug in REL7_2_STABLE.
Cheers,
Neil
--
Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC
What would you like done with the patch you submitted?
---------------------------------------------------------------------------
Neil Conway wrote:
Bruce Momjian <pgman@candle.pha.pa.us> writes:
Tom Lane wrote:
Neil Conway <neilc@samurai.com> writes:
The handling of the TZ environmental variable is subject to a buffer
overrun.This problem is long gone in current sources, no?
I quickly tested current sources, and it seems the bug is fixed. I
only fixed it to begin with because I saw it while fixing the reported
problem.The patch looks like it does prevent some problems.
Yes: namely, it fixes the bug in REL7_2_STABLE.
Cheers,
Neil
--
Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC---------------------------(end of broadcast)---------------------------
TIP 4: Don't 'kill -9' the postmaster
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073Bruce Momjian <pgman@candle.pha.pa.us> writes:
What would you like done with the patch you submitted?
I'd like to see it applied to CVS HEAD and REL7_2_STABLE.
Cheers,
Neil
--
Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC
Neil Conway <neilc@samurai.com> writes:
Bruce Momjian <pgman@candle.pha.pa.us> writes:
What would you like done with the patch you submitted?
I'd like to see it applied to CVS HEAD and REL7_2_STABLE.
Uh, sorry -- wrote that without thinking. I'd like to see the patch
applied to REL7_2_STABLE. I'll prepare a revised patch for CVS HEAD.
Cheers,
Neil
--
Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC
Neil Conway <neilc@samurai.com> writes:
Neil Conway <neilc@samurai.com> writes:
Bruce Momjian <pgman@candle.pha.pa.us> writes:
What would you like done with the patch you submitted?
I'd like to see it applied to CVS HEAD and REL7_2_STABLE.
Uh, sorry -- wrote that without thinking. I'd like to see the patch
applied to REL7_2_STABLE. I'll prepare a revised patch for CVS HEAD.
I'm pretty certain that no such patch is necessary for HEAD.
regards, tom lane
OK, I have applied this to 7.2.X.
I have applied the lpad/rpad/repeat patch to CVS head. I assume you do
not want the others applied to CVS head because the fixes are already present.
---------------------------------------------------------------------------
Neil Conway wrote:
Neil Conway <neilc@samurai.com> writes:
Bruce Momjian <pgman@candle.pha.pa.us> writes:
What would you like done with the patch you submitted?
I'd like to see it applied to CVS HEAD and REL7_2_STABLE.
Uh, sorry -- wrote that without thinking. I'd like to see the patch
applied to REL7_2_STABLE. I'll prepare a revised patch for CVS HEAD.Cheers,
Neil
--
Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC---------------------------(end of broadcast)---------------------------
TIP 5: Have you checked our extensive FAQ?
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
Are we all caught up now on the known bugs/fixes? Would it be reasonably
safe to do up a quick v7.2.2 Security Fix Release tomorrow afternoon?
On Thu, 22 Aug 2002, Bruce Momjian wrote:
Show quoted text
OK, I have applied this to 7.2.X.
I have applied the lpad/rpad/repeat patch to CVS head. I assume you do
not want the others applied to CVS head because the fixes are already present.---------------------------------------------------------------------------
Neil Conway wrote:
Neil Conway <neilc@samurai.com> writes:
Bruce Momjian <pgman@candle.pha.pa.us> writes:
What would you like done with the patch you submitted?
I'd like to see it applied to CVS HEAD and REL7_2_STABLE.
Uh, sorry -- wrote that without thinking. I'd like to see the patch
applied to REL7_2_STABLE. I'll prepare a revised patch for CVS HEAD.Cheers,
Neil
--
Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC---------------------------(end of broadcast)---------------------------
TIP 5: Have you checked our extensive FAQ?-- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001 + If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania 19073---------------------------(end of broadcast)---------------------------
TIP 3: if posting/reading through Usenet, please send an appropriate
subscribe-nomail command to majordomo@postgresql.org so that your
message can get through to the mailing list cleanly
"Marc G. Fournier" <scrappy@hub.org> writes:
Are we all caught up now on the known bugs/fixes? Would it be reasonably
safe to do up a quick v7.2.2 Security Fix Release tomorrow afternoon?
Still need to do a release-history entry and version-stamp, of course.
I will do a diff of the 7.2 branch tree this afternoon and make sure
the code looks good.
regards, tom lane
I was going to ask that too. I need to make up a list of 7.2.2 changes,
and there are quite a number of them. I will get the list together today.
---------------------------------------------------------------------------
Marc G. Fournier wrote:
Are we all caught up now on the known bugs/fixes? Would it be reasonably
safe to do up a quick v7.2.2 Security Fix Release tomorrow afternoon?On Thu, 22 Aug 2002, Bruce Momjian wrote:
OK, I have applied this to 7.2.X.
I have applied the lpad/rpad/repeat patch to CVS head. I assume you do
not want the others applied to CVS head because the fixes are already present.---------------------------------------------------------------------------
Neil Conway wrote:
Neil Conway <neilc@samurai.com> writes:
Bruce Momjian <pgman@candle.pha.pa.us> writes:
What would you like done with the patch you submitted?
I'd like to see it applied to CVS HEAD and REL7_2_STABLE.
Uh, sorry -- wrote that without thinking. I'd like to see the patch
applied to REL7_2_STABLE. I'll prepare a revised patch for CVS HEAD.Cheers,
Neil
--
Neil Conway <neilc@samurai.com> || PGP Key ID: DB3C29FC---------------------------(end of broadcast)---------------------------
TIP 5: Have you checked our extensive FAQ?-- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001 + If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania 19073---------------------------(end of broadcast)---------------------------
TIP 3: if posting/reading through Usenet, please send an appropriate
subscribe-nomail command to majordomo@postgresql.org so that your
message can get through to the mailing list cleanly---------------------------(end of broadcast)---------------------------
TIP 5: Have you checked our extensive FAQ?
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073Thanks, Tom. That is a big help. I will do the release history and
version stamping.
---------------------------------------------------------------------------
Tom Lane wrote:
"Marc G. Fournier" <scrappy@hub.org> writes:
Are we all caught up now on the known bugs/fixes? Would it be reasonably
safe to do up a quick v7.2.2 Security Fix Release tomorrow afternoon?Still need to do a release-history entry and version-stamp, of course.
I will do a diff of the 7.2 branch tree this afternoon and make sure
the code looks good.regards, tom lane
---------------------------(end of broadcast)---------------------------
TIP 2: you can get off all lists at once with the unregister command
(send "unregister YourEmailAddressHere" to majordomo@postgresql.org)
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
Hi everyone,
It probably makes sense to wait about a week until releasing 7.2.2, even
if we get assembled anything else that is needed. Sir Mordred appears
to be taking a look through our 7.2.x code about now and that probably
means there's a good chance we'll hear of other patches that will need
to be applied to the 7.2.x branch.
:-)
Regards and best wishes,
Justin Clift
Oleg Bartunov wrote:
Tom,
I think it's worth to include patch for query planner which
fixes using indices with predicates for join plans. We found it's
quite useful.http://fts.postgresql.org/db/mw/msg.html?mid=1018153
Oleg
--
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi
Import Notes
Reference msg id not found: Pine.GSO.4.44.0208221813050.17263-100000@ra.sai.msu.su | Resolved by subject fallback
Justin Clift <justin@postgresql.org> writes:
It probably makes sense to wait about a week until releasing 7.2.2, even
if we get assembled anything else that is needed.
I think we should go ahead and push it out; by the end of next week
we'll be trying to wrap 7.3 beta, and the confusion factor for pushing
out two releases at the same time will be much too high.
I think it is fairly unlikely that we will find anything else in the
next week that is exploitable indirectly through a web-app in the same
way that the date buffer overrun bug could be. Most of the sorts of
bugs that I'm expecting to hear about will require being able to issue
SQL commands --- and if someone can issue arbitrary SQL commands, there
are plenty of ways to create a DOS situation.
regards, tom lane
Tom,
I think it's worth to include patch for query planner which
fixes using indices with predicates for join plans. We found it's
quite useful.
http://fts.postgresql.org/db/mw/msg.html?mid=1018153
Oleg
On Thu, 22 Aug 2002, Tom Lane wrote:
"Marc G. Fournier" <scrappy@hub.org> writes:
Are we all caught up now on the known bugs/fixes? Would it be reasonably
safe to do up a quick v7.2.2 Security Fix Release tomorrow afternoon?Still need to do a release-history entry and version-stamp, of course.
I will do a diff of the 7.2 branch tree this afternoon and make sure
the code looks good.regards, tom lane
---------------------------(end of broadcast)---------------------------
TIP 2: you can get off all lists at once with the unregister command
(send "unregister YourEmailAddressHere" to majordomo@postgresql.org)
Regards,
Oleg
_____________________________________________________________
Oleg Bartunov, sci.researcher, hostmaster of AstroNet,
Sternberg Astronomical Institute, Moscow University (Russia)
Internet: oleg@sai.msu.su, http://www.sai.msu.su/~megera/
phone: +007(095)939-16-83, +007(095)939-23-83
