Synopsis: Updated PostgreSQL packages fix buffer overflow
Advisory ID: RHSA-2003:314-00
Issue date: 2003-11-12
Updated on: 2003-11-12
Product: Red Hat Enterprise Linux
Keywords:
Cross references:
Obsoletes: RHSA-2002:301
CVE Names: CAN-2003-0901
---------------------------------------------------------------------
1. Topic:
Updated PostgreSQL packages that correct a buffer overflow in the to_ascii
routines are now available.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
3. Problem description:
PostgreSQL is an advanced Object-Relational database management system
(DBMS).
Two bugs that can lead to buffer overflows have been found in the
PostgreSQL abstract data type to ASCII conversion routines. A remote
attacker who is able to influence the data passed to the to_ascii functions
may be able to execute arbitrary code in the context of the PostgreSQL
server. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2003-0901 to these issues.
In addition, a bug that can lead to leaks has been found in the
string-to-timestamp abstract data type conversion routine. If the input
string passed to the to_timestamp() routine is shorter than what the template
string expects, the routine runs off the end of the input string, resulting
in a leak and unstable behaviour.
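The short-input failure described above, as an added example that is neither this advisory's nor PostgreSQL's code: a hypothetical, simplified fixed-width template walk of the kind to_timestamp() performs, with the bounds check that makes the routine reject an input string shorter than its template instead of reading past its end.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical stand-in for a to_timestamp()-style template walk, not
 * PostgreSQL's code. Template: "YYYY-MM-DD HH24:MI" as fixed-width fields;
 * width 0 marks a literal separator that must match exactly. */
struct field { char code; int width; };
struct ts { int year, mon, day, hour, min; };

/* Read `width` digits at in[*pos]. Returns 0 on success, -1 if the input
 * ends before the field is complete (the short-input case) or a non-digit
 * is found. The length check runs before any byte of the field is touched. */
static int read_digits(const char *in, size_t inlen, size_t *pos, int width, int *out)
{
    if (*pos + (size_t)width > inlen)   /* bounds check: never walk past inlen */
        return -1;
    int v = 0;
    for (int i = 0; i < width; i++) {
        unsigned char c = (unsigned char)in[*pos + i];
        if (!isdigit(c)) return -1;
        v = v * 10 + (c - '0');
    }
    *pos += (size_t)width;
    *out = v;
    return 0;
}

/* Parse `in` against the template. Returns 0 on success, -1 if the input is
 * shorter than the template or malformed; `t` is only valid on success. */
int parse_timestamp(const char *in, struct ts *t)
{
    static const struct field tmpl[] = {
        {'Y',4}, {'-',0}, {'M',2}, {'-',0}, {'D',2}, {' ',0}, {'H',2}, {':',0}, {'I',2}
    };
    size_t inlen = strlen(in), pos = 0;
    int *slots[] = { &t->year, &t->mon, &t->day, &t->hour, &t->min };
    int slot = 0;
    for (size_t i = 0; i < sizeof tmpl / sizeof tmpl[0]; i++) {
        if (tmpl[i].width == 0) {           /* literal separator */
            if (pos >= inlen || in[pos] != tmpl[i].code) return -1;
            pos++;
        } else if (read_digits(in, inlen, &pos, tmpl[i].width, slots[slot++]) != 0) {
            return -1;
        }
    }
    return 0;
}

/* Convenience wrapper: minutes since midnight on success, -1 when rejected. */
int parse_minute_of_day(const char *in)
{
    struct ts t;
    return parse_timestamp(in, &t) == 0 ? t.hour * 60 + t.min : -1;
}
```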
Users of PostgreSQL are advised to upgrade to these erratum packages, which
contain a backported patch that corrects these issues.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
Please note that this update is available via Red Hat Network. To use Red
Hat Network, launch the Red Hat Update Agent with the following command:
up2date
This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.
Note that no initdb will be necessary from previous PostgreSQL packages.
5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):
108578 - CAN-2003-0901 PostgreSQL To_Ascii() Buffer Overflow Vulnerability
109067 - to_timestamp not stable if date string shorter than template
6. RPMs required:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/postgresql-7.1.3-5.rhel2.1AS.src.rpm
i386:
Available from Red Hat Network: postgresql-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-odbc-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-contrib-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-perl-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-test-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-devel-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-python-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-docs-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-server-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-jdbc-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-tcl-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-libs-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-tk-7.1.3-5.rhel2.1AS.i386.rpm
ia64:
Available from Red Hat Network: postgresql-7.1.3-5.rhel2.1AS.ia64.rpm
Available from Red Hat Network: postgresql-odbc-7.1.3-5.rhel2.1AS.ia64.rpm
Available from Red Hat Network: postgresql-contrib-7.1.3-5.rhel2.1AS.ia64.rpm
Available from Red Hat Network: postgresql-perl-7.1.3-5.rhel2.1AS.ia64.rpm
Available from Red Hat Network: postgresql-test-7.1.3-5.rhel2.1AS.ia64.rpm
Available from Red Hat Network: postgresql-devel-7.1.3-5.rhel2.1AS.ia64.rpm
Available from Red Hat Network: postgresql-python-7.1.3-5.rhel2.1AS.ia64.rpm
Available from Red Hat Network: postgresql-docs-7.1.3-5.rhel2.1AS.ia64.rpm
Available from Red Hat Network: postgresql-server-7.1.3-5.rhel2.1AS.ia64.rpm
Available from Red Hat Network: postgresql-jdbc-7.1.3-5.rhel2.1AS.ia64.rpm
Available from Red Hat Network: postgresql-tcl-7.1.3-5.rhel2.1AS.ia64.rpm
Available from Red Hat Network: postgresql-libs-7.1.3-5.rhel2.1AS.ia64.rpm
Available from Red Hat Network: postgresql-tk-7.1.3-5.rhel2.1AS.ia64.rpm
Red Hat Linux Advanced Workstation 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/postgresql-7.1.3-5.rhel2.1AS.src.rpm
ia64:
Available from Red Hat Network: postgresql-7.1.3-5.rhel2.1AS.ia64.rpm
Available from Red Hat Network: postgresql-odbc-7.1.3-5.rhel2.1AS.ia64.rpm
Available from Red Hat Network: postgresql-contrib-7.1.3-5.rhel2.1AS.ia64.rpm
Available from Red Hat Network: postgresql-perl-7.1.3-5.rhel2.1AS.ia64.rpm
Available from Red Hat Network: postgresql-test-7.1.3-5.rhel2.1AS.ia64.rpm
Available from Red Hat Network: postgresql-devel-7.1.3-5.rhel2.1AS.ia64.rpm
Available from Red Hat Network: postgresql-python-7.1.3-5.rhel2.1AS.ia64.rpm
Available from Red Hat Network: postgresql-docs-7.1.3-5.rhel2.1AS.ia64.rpm
Available from Red Hat Network: postgresql-server-7.1.3-5.rhel2.1AS.ia64.rpm
Available from Red Hat Network: postgresql-jdbc-7.1.3-5.rhel2.1AS.ia64.rpm
Available from Red Hat Network: postgresql-tcl-7.1.3-5.rhel2.1AS.ia64.rpm
Available from Red Hat Network: postgresql-libs-7.1.3-5.rhel2.1AS.ia64.rpm
Available from Red Hat Network: postgresql-tk-7.1.3-5.rhel2.1AS.ia64.rpm
Red Hat Enterprise Linux ES version 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/postgresql-7.1.3-5.rhel2.1AS.src.rpm
i386:
Available from Red Hat Network: postgresql-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-odbc-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-contrib-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-perl-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-test-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-devel-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-python-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-docs-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-server-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-jdbc-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-tcl-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-libs-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-tk-7.1.3-5.rhel2.1AS.i386.rpm
Red Hat Enterprise Linux WS version 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/postgresql-7.1.3-5.rhel2.1AS.src.rpm
i386:
Available from Red Hat Network: postgresql-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-odbc-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-contrib-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-perl-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-test-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-devel-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-python-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-docs-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-server-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-jdbc-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-tcl-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-libs-7.1.3-5.rhel2.1AS.i386.rpm
Available from Red Hat Network: postgresql-tk-7.1.3-5.rhel2.1AS.i386.rpm
7. Verification:
These packages are GPG signed by Red Hat for security. Our key is
available from https://www.redhat.com/security/keys.html
You can verify each package with the following command:
rpm --checksig -v <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
md5sum <filename>
8. References:
http://www.securityfocus.com/bid/8741
http://archives.postgresql.org/pgsql-bugs/2003-09/msg00014.php
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0901
9. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/solutions/security/news/contact.html
Copyright 2003 Red Hat, Inc.