Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in PostgreSQL

From: Lamar Owen (lamar.owenat_private)
Date: Wed Aug 21 2002 - 08:02:51 PDT


    On Tuesday 20 August 2002 10:28 am, Sir Mordred The Traitor wrote:
    > --[ Solution
    >
    > Are you still running PostgreSQL? ...Can't believe that...
    > If so, execute the following command as root: "killall -9 postmaster",
    > and wait until the patch is available.
    
    This is irresponsible advice, as one should never kill -9 postmaster.
    
    Furthermore, postmaster doesn't run as root, thus this vulnerability cannot be 
    used as a remote root exploit.
    
    Even further, if someone has direct SQL access to your database, they can 
    already do more damage than what this vulnerability addresses.  Specifically 
    DROP TABLE is available to users with direct SQL command line access.  
    Untrusted users should never be given an SQL command line interface, and this 
    particular vulnerability requires that sort of access.
    
    The datetime parser overrun is more serious, and has been fixed for the 
    upcoming 7.3 beta cycle.  Backpatching of the fix is being performed now; it 
    remains to be seen how the fix for 7.2.x will be distributed.  Of note is the 
    fact that a working arbitrary code exploit has not yet been posted.  As noted 
    above, since the postmaster and its backend processes do not run as root, 
    privilege escalation with this bug is not possible.  
    
    This is not to say the bug shouldn't be fixed; it of course should be fixed.  
    But it is not so serious that PostgreSQL users should simply stop running the 
    postmaster until a patch is released.  Some common sense should be applied 
    here -- if you don't use the DATE type in a manner that would allow an 
    untrusted user to input dates, for instance, you needn't worry about that 
    portion.  If you don't allow untrusted SQL cli users, the cash_words and 
    repeat bugs shouldn't cause you any problems.  By default postmaster doesn't 
    accept connections over TCP/IP, making the default installation with no 
    network accessible clients not vulnerable to a remote exploit.
    
    Having said all that, it would have been nice had a heads-up been given to the 
    developers.  As far as I know no notification of any kind was given, making 
    this an irresponsible advisory.  There have been an increasing number of 
    these of late, unfortunately.
    
    The various bugs mentioned are being addressed by the developers, who are 
    working to see the best means of fixing and distributing fixes for these 
    problems.
    -- 
    Lamar Owen
    WGCR Internet Radio
    1 Peter 4:11
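The reply's exposure argument rests on two checkable facts: the postmaster runs as an unprivileged user, and a 7.2-era default installation has TCP/IP listening switched off. The script below is an added example, not code from this mail or from the PostgreSQL project; it turns those two facts into defender-side checks. It parses constructed sample text (a `ps -eo user,comm` listing and a postgresql.conf excerpt using the 7.x `tcpip_socket` setting, which later releases replaced with `listen_addresses`) so it runs offline; on a real host you would feed it the live `ps` output and your own config file.

```shell
#!/bin/sh
# Added example, not code from Lamar Owen's mail or from PostgreSQL itself.
# Two checks that follow the reply's reasoning: does any postmaster run as
# root, and is TCP/IP listening enabled?  Both parse constructed samples
# so the script runs stand-alone; substitute real `ps -eo user,comm` output
# and your real postgresql.conf to check a live system.

# Constructed sample of `ps -eo user,comm` output.
SAMPLE_PS='USER     COMMAND
root     init
postgres postmaster
postgres postgres
lamar    bash'

# Constructed sample of a 7.2-era postgresql.conf (tcpip_socket is the 7.x
# knob; later releases use listen_addresses instead).
SAMPLE_CONF='# constructed postgresql.conf excerpt
#tcpip_socket = true
tcpip_socket = false
port = 5432'

# Print the user(s) owning any "postmaster" process, one per line.
postmaster_owners() {
  printf '%s\n' "$1" | awk '$2 == "postmaster" { print $1 }' | sort -u
}

# Print "root" if a postmaster runs as root, otherwise "unprivileged".
postmaster_privilege() {
  if postmaster_owners "$1" | grep -qx root; then
    echo root
  else
    echo unprivileged
  fi
}

# Print the effective tcpip_socket value from postgresql.conf text:
# comments are stripped, the last uncommented assignment wins, and an
# absent setting means "false" (the 7.x default the reply relies on).
tcpip_socket_setting() {
  printf '%s\n' "$1" \
    | sed 's/#.*//' \
    | awk -F= '$1 ~ /^[[:space:]]*tcpip_socket[[:space:]]*$/ {
                 gsub(/[[:space:]]/, "", $2); v = $2
               }
               END { print (v == "" ? "false" : v) }'
}

# Overall verdict: "ok" when postmaster is unprivileged and not reachable
# over TCP/IP, otherwise a one-line reason.
exposure_check() {
  ps_out=$1; conf=$2
  if [ "$(postmaster_privilege "$ps_out")" = root ]; then
    echo "postmaster runs as root"
  elif [ "$(tcpip_socket_setting "$conf")" = true ]; then
    echo "tcpip_socket enabled: network clients can reach the backend"
  else
    echo ok
  fi
}

exposure_check "$SAMPLE_PS" "$SAMPLE_CONF"
```

If either check fails, the corrective action is a configuration change (run the server as a dedicated unprivileged account; leave `tcpip_socket` off or restrict clients in pg_hba.conf) rather than killing the postmaster. Where a stop is genuinely needed, `pg_ctl stop -m fast` shuts the server down in an orderly way, which is the point the reply makes against `killall -9`.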
    
    This archive was generated by hypermail 2b30 : Wed Aug 21 2002 - 13:18:20 PDT