Message-ID: <20050504145746.GA9332@box79162.elkhouse.de>
Date: Wed, 4 May 2005 16:57:46 +0200
From: Martin Pitt <martin.pitt@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-118-1] PostgreSQL vulnerabilities
===========================================================
Ubuntu Security Notice USN-118-1               May 04, 2005
postgresql vulnerabilities
CAN-2005-1409, CAN-2005-1410
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

postgresql
postgresql-contrib

The problem can be corrected by upgrading the affected package to
version 7.4.5-3ubuntu0.5 (for Ubuntu 4.10) and 7.4.7-2ubuntu2.1 (for
Ubuntu 5.04). In general, a standard system upgrade is sufficient to
effect the necessary changes.

Details follow:

It was discovered that unprivileged users were allowed to call
internal character conversion functions. However, since these
functions were not designed to be safe against malicious choices of
argument values, this could potentially be exploited to execute
arbitrary code with the privileges of the PostgreSQL server (user
"postgres"). (CAN-2005-1409)

Another vulnerability was found in the "tsearch2" module of
postgresql-contrib. This module declared several functions as
internal, although they did not accept any internal argument; this
breaks the type safety of "internal" by allowing users to construct
SQL commands that invoke other functions accepting "internal"
arguments. This could eventually be exploited to crash the server, or
possibly even execute arbitrary code with the privileges of the
PostgreSQL server. (CAN-2005-1410)

These vulnerabilities must also be fixed in all existing databases
when upgrading. The post-installation script of the updated package
attempts to do this automatically; if the package installs without any
error, all existing databases have been updated to be safe against
the above vulnerabilities. Should the installation fail, please contact
the Ubuntu security team (security@...ntu.com) immediately.
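
Because the fix has to reach every existing database, a catalog audit run in each database is a useful follow-up to the package upgrade. The queries below are an added example, not part of the notice and not the package's post-installation script; they assume a current PostgreSQL release (not tested against the 7.4 packages named above), and check 2 assumes that an "internal" parameter is what keeps a conversion function from being called directly from SQL.

```sql
-- Added example, not from USN-118-1. Run as a superuser in EVERY database
-- of the cluster (including template1), because pg_proc is per-database.

-- Check 1 (the CAN-2005-1410 pattern): functions that are declared to
-- return "internal" but accept no "internal" argument. No SQL expression
-- can produce an "internal" value on its own, so a function like this is
-- the only way an ordinary user could obtain one and pass it on to other
-- functions that expect "internal". Any row returned needs review.
SELECT n.nspname           AS schema_name,
       p.oid::regprocedure AS function_signature,
       l.lanname           AS language
FROM   pg_catalog.pg_proc      AS p
JOIN   pg_catalog.pg_namespace AS n ON n.oid = p.pronamespace
JOIN   pg_catalog.pg_language  AS l ON l.oid = p.prolang
WHERE  p.prorettype = 'internal'::regtype
AND    NOT ('internal'::regtype = ANY (p.proargtypes))
ORDER  BY 1, 2;

-- Check 2 (the CAN-2005-1409 pattern): character conversion functions
-- registered in pg_conversion whose signature contains no "internal"
-- parameter. Assumption (not stated in the notice): a conversion function
-- with only ordinary SQL argument types can be invoked by any user with
-- arbitrary argument values, which is the condition the notice describes.
SELECT c.conname           AS conversion_name,
       p.oid::regprocedure AS conversion_function
FROM   pg_catalog.pg_conversion AS c
JOIN   pg_catalog.pg_proc       AS p ON p.oid = c.conproc
WHERE  NOT ('internal'::regtype = ANY (p.proargtypes))
ORDER  BY 1;
```

Rows from either query identify functions whose declarations should be compared against the ones shipped by the updated packages.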