lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050504145746.GA9332@box79162.elkhouse.de>
Date: Wed May  4 15:57:57 2005
From: martin.pitt at canonical.com (Martin Pitt)
Subject: [USN-118-1] PostgreSQL vulnerabilities

===========================================================
Ubuntu Security Notice USN-118-1	       May 04, 2005
postgresql vulnerabilities
CAN-2005-1409, CAN-2005-1410
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

postgresql
postgresql-contrib

The problem can be corrected by upgrading the affected package to
version 7.4.5-3ubuntu0.5 (for Ubuntu 4.10) and 7.4.7-2ubuntu2.1 (for
Ubuntu 5.04).  In general, a standard system upgrade is sufficient to
effect the necessary changes.

Details follow:

It was discovered that unprivileged users were allowed to call
internal character conversion functions. However, since these
functions were not designed to be safe against malicious choices of
argument values, this could potentially be exploited to execute
arbitrary code with the privileges of the PostgreSQL server (user
"postgres"). (CAN-2005-1409)

Another vulnerability was found in the "tsearch2" module of
postgresql-contrib. This module declared several functions as
internal, although they did not accept any internal argument; this
breaks the type safety of "internal" by allowing users to construct
SQL commands that invoke other functions accepting "internal"
arguments. This could eventually be exploited to crash the server, or
possibly even execute arbitrary code with the privileges of the
PostgreSQL server. (CAN-2005-1410)

These vulnerabilities must also be fixed in all existing databases
when upgrading. The post-installation script of the updated package
attempts to do this automatically; if the package installs without any
error, all existing databases have been updated to be safe against
above vulnerabilities.  Should the installation fail, please contact
the Ubuntu security team (security@...ntu.com) immediately.

Updated packages for Ubuntu 4.10 (Warty Warthog):

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql_7.4.5-3ubuntu0.5.diff.gz
      Size/MD5:   149709 a5af62a8d94ef9ca4de73597c6843079
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql_7.4.5-3ubuntu0.5.dsc
      Size/MD5:      991 6229c3cc3dce2cd1c8fa5a204f21fcab
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql_7.4.5.orig.tar.gz
      Size/MD5:  9895913 a295885a36ed8e7ec7a7e887218ceabc

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql-doc_7.4.5-3ubuntu0.5_all.deb
      Size/MD5:  2256658 bd42a601de3c629f30fa2158df417c1c

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libecpg-dev_7.4.5-3ubuntu0.5_amd64.deb
      Size/MD5:   207052 02eb867e6b459d6c5b305d25d2467e6c
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libecpg4_7.4.5-3ubuntu0.5_amd64.deb
      Size/MD5:    91476 aed90f1d1157f87c85ad6fc5b14cb465
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libpgtcl-dev_7.4.5-3ubuntu0.5_amd64.deb
      Size/MD5:    49184 ef9c74cc3de5c8043f0d3489f8f8d0a9
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libpgtcl_7.4.5-3ubuntu0.5_amd64.deb
      Size/MD5:    74092 4316f4092a3258b0b17c9184bb124161
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libpq3_7.4.5-3ubuntu0.5_amd64.deb
      Size/MD5:   116004 d3a2a8dd35207a947621f21081169b92
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql-client_7.4.5-3ubuntu0.5_amd64.deb
      Size/MD5:   518710 4aa862fa4d05ef90a75ec74a148364d3
    http://security.ubuntu.com/ubuntu/pool/universe/p/postgresql/postgresql-contrib_7.4.5-3ubuntu0.5_amd64.deb
      Size/MD5:   624828 5627b561d2fdd22c21fb58bdfffa3ec6
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql-dev_7.4.5-3ubuntu0.5_amd64.deb
      Size/MD5:   509694 fad5b78cd93f55d75d1649d4765e11dc
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql_7.4.5-3ubuntu0.5_amd64.deb
      Size/MD5:  3881486 19c81e38a9cd6c2a8e75022125a4b23d

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libecpg-dev_7.4.5-3ubuntu0.5_i386.deb
      Size/MD5:   195194 d1f37e56b618156ce6e167a686c3ccce
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libecpg4_7.4.5-3ubuntu0.5_i386.deb
      Size/MD5:    85990 6eb859dfe58341abe3e5c0e23be185a7
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libpgtcl-dev_7.4.5-3ubuntu0.5_i386.deb
      Size/MD5:    48150 b1ac328fde072545a962d39315345e53
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libpgtcl_7.4.5-3ubuntu0.5_i386.deb
      Size/MD5:    70956 72972bf316675330a17edb0c0f8dd6ee
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libpq3_7.4.5-3ubuntu0.5_i386.deb
      Size/MD5:   109242 a4dd62dbd6670172d4a256fdeaa9fe21
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql-client_7.4.5-3ubuntu0.5_i386.deb
      Size/MD5:   492482 47155c199d7db99a33fb24a984c7e784
    http://security.ubuntu.com/ubuntu/pool/universe/p/postgresql/postgresql-contrib_7.4.5-3ubuntu0.5_i386.deb
      Size/MD5:   577944 1a086cdd29f49a50c929d7358c19e06a
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql-dev_7.4.5-3ubuntu0.5_i386.deb
      Size/MD5:   502848 8e94333f65f3ff8f7f0c880163c867ca
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql_7.4.5-3ubuntu0.5_i386.deb
      Size/MD5:  3704312 9ca15356bb7764e46a7f869549aeb575

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libecpg-dev_7.4.5-3ubuntu0.5_powerpc.deb
      Size/MD5:   203544 307e942d1b5258b6d97ba928cc7a4cce
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libecpg4_7.4.5-3ubuntu0.5_powerpc.deb
      Size/MD5:    93008 3458950c8e2c07e084359a2b108281ab
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libpgtcl-dev_7.4.5-3ubuntu0.5_powerpc.deb
      Size/MD5:    48890 c089eddb8a89bb7e39e303526be95d2a
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libpgtcl_7.4.5-3ubuntu0.5_powerpc.deb
      Size/MD5:    77566 4ae2087d9e262b6262c463bb7e02a997
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libpq3_7.4.5-3ubuntu0.5_powerpc.deb
      Size/MD5:   110266 ca3ed25e2ebfca05ba76fa56898bb6cb
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql-client_7.4.5-3ubuntu0.5_powerpc.deb
      Size/MD5:   511404 c32d001ec5d7c8de6dee547e7aa6191f
    http://security.ubuntu.com/ubuntu/pool/universe/p/postgresql/postgresql-contrib_7.4.5-3ubuntu0.5_powerpc.deb
      Size/MD5:   636960 bdcf9bd6f66ac4bb3ce8352e9e3fe670
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql-dev_7.4.5-3ubuntu0.5_powerpc.deb
      Size/MD5:   506412 579f5abbd512823daa3860124ca8814e
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql_7.4.5-3ubuntu0.5_powerpc.deb
      Size/MD5:  4104550 03ce4d3641d35a22e5e68fad67446bed

Updated packages for Ubuntu 5.04 (Hoary Hedgehog):

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql_7.4.7-2ubuntu2.1.diff.gz
      Size/MD5:   152451 04988036d3cdb8d87566778df45848dc
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql_7.4.7-2ubuntu2.1.dsc
      Size/MD5:      991 8c8e287a5de6849b6197f8570ab2c016
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql_7.4.7.orig.tar.gz
      Size/MD5:  9952102 d193c58aef02a745e8657c48038587ac

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql-doc_7.4.7-2ubuntu2.1_all.deb
      Size/MD5:  2265342 d73061fba79aaee641e613e68903c5d0

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libecpg-dev_7.4.7-2ubuntu2.1_amd64.deb
      Size/MD5:   207782 cb96bb1a104fc2297eb8ef89b0b0487e
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libecpg4_7.4.7-2ubuntu2.1_amd64.deb
      Size/MD5:    94250 aa530a6f3f3f39a2703f92206d480490
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libpgtcl-dev_7.4.7-2ubuntu2.1_amd64.deb
      Size/MD5:    54022 829fcc583285ec31c9c0757525bd9dc0
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libpgtcl_7.4.7-2ubuntu2.1_amd64.deb
      Size/MD5:    77192 37691c3f94597cff2a2afa4a25764753
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libpq3_7.4.7-2ubuntu2.1_amd64.deb
      Size/MD5:    95096 3c2d05af2bd3d2c2f9401389843b05e0
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql-client_7.4.7-2ubuntu2.1_amd64.deb
      Size/MD5:   346814 c7b1c672b83fda570f606bcb68ed1015
    http://security.ubuntu.com/ubuntu/pool/universe/p/postgresql/postgresql-contrib_7.4.7-2ubuntu2.1_amd64.deb
      Size/MD5:   649922 a7624f8c757bf1ab6ef4c66b3e100f82
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql-dev_7.4.7-2ubuntu2.1_amd64.deb
      Size/MD5:   515198 dbe1d3be33201a058e2436675c7962a6
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql_7.4.7-2ubuntu2.1_amd64.deb
      Size/MD5:  3093788 7c00f7433ae47e4d0f29ac6211c28b08

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libecpg-dev_7.4.7-2ubuntu2.1_i386.deb
      Size/MD5:   203614 5413c87292dc8dd06c3340e32bd9180f
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libecpg4_7.4.7-2ubuntu2.1_i386.deb
      Size/MD5:    91634 3ec1b7ce7e1179643ffd661d90b929e7
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libpgtcl-dev_7.4.7-2ubuntu2.1_i386.deb
      Size/MD5:    53196 9b19a2a115ad041392c290d370b96901
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libpgtcl_7.4.7-2ubuntu2.1_i386.deb
      Size/MD5:    75158 ab62acb14da5cd78496e937575c48ed4
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libpq3_7.4.7-2ubuntu2.1_i386.deb
      Size/MD5:    90470 ffe055c2ad8f777a8b0cfb2be40297a3
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql-client_7.4.7-2ubuntu2.1_i386.deb
      Size/MD5:   318670 580b39a9764f0d39fec6dee69762ef62
    http://security.ubuntu.com/ubuntu/pool/universe/p/postgresql/postgresql-contrib_7.4.7-2ubuntu2.1_i386.deb
      Size/MD5:   612580 d6825b89775d59efced1dafa9e5f3b1c
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql-dev_7.4.7-2ubuntu2.1_i386.deb
      Size/MD5:   509506 103af93f11eef6c977dbb50b06006b7a
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql_7.4.7-2ubuntu2.1_i386.deb
      Size/MD5:  2955512 5426ad09bf89c5c74d76232d9c6bb2b0

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libecpg-dev_7.4.7-2ubuntu2.1_powerpc.deb
      Size/MD5:   208342 b49245522620ce33b64b8c6a047c5e8b
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libecpg4_7.4.7-2ubuntu2.1_powerpc.deb
      Size/MD5:    98220 bea5adfd18814e1e2aec718a7ecf5428
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libpgtcl-dev_7.4.7-2ubuntu2.1_powerpc.deb
      Size/MD5:    53116 b497334e0cb23553593b9411b98620d6
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libpgtcl_7.4.7-2ubuntu2.1_powerpc.deb
      Size/MD5:    82354 d584607238832ee98323f18d738db254
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/libpq3_7.4.7-2ubuntu2.1_powerpc.deb
      Size/MD5:    93072 3416dfadebb569fba851c1bfab184463
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql-client_7.4.7-2ubuntu2.1_powerpc.deb
      Size/MD5:   352418 60c692d77ef79ab8dce69fbe8b937381
    http://security.ubuntu.com/ubuntu/pool/universe/p/postgresql/postgresql-contrib_7.4.7-2ubuntu2.1_powerpc.deb
      Size/MD5:   681088 6f04a4c4dd4092f8c45d805a30896137
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql-dev_7.4.7-2ubuntu2.1_powerpc.deb
      Size/MD5:   512420 d900231978b04798d4def26bd4c1c01e
    http://security.ubuntu.com/ubuntu/pool/main/p/postgresql/postgresql_7.4.7-2ubuntu2.1_powerpc.deb
      Size/MD5:  3404684 f93ab098149970b36a963805f1b6f059
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050504/94bea7b9/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ