On Tuesday 20 August 2002 10:28 am, Sir Mordred The Traitor wrote: > --[ Solution > > Do you still running postgresql? ...Can't believe that... > If so, execute the following command as a root: "killall -9 postmaster", > and wait until the patch will be available. This is irresponsible advice, as one should never kill -9 postmaster. Furthermore, postmaster doesn't run as root, thus this vulnerability cannot be used as a remote root exploit. Even further, if someone has direct SQL access to your database, they can already do more damage than what this vulnerability addresses. Specifically DROP TABLE is available to users with direct SQL command line access. Untrusted users should never be given an SQL command line interface, and this particular vulnerability requires that sort of access. The datetime parser overrun is more serious, and has been fixed for the upcoming 7.3 beta cycle. Backpatching of the fix is being performed now; it remains to be seen how the fix for 7.2.x will be distributed. Of note is the fact that a working arbitrary code exploit has not yet been posted. As noted above, since the postmaster and its backend processes do not run as root, privilege escalation with this bug is not possible. This is not to say the bug shouldn't be fixed; it of course should be fixed. But it is not so serious that PostgreSQL users should simply stop running the postmaster until a patch is released. Some common sense should be applied here -- if you don't use the DATE type in a manner that would allow an untrusted user to input dates, for instance, you needn't worry about that portion. If you don't allow untrusted SQL cli users, the cash_words and repeat bugs shouldn't cause you any problems. By default postmaster doesn't accept connections over TCP/IP, making the default installation with no network accessible clients not vulnerable to a remote exploit. Having said all that, it would have been nice had a heads up been given to the developers. As far as I know no notification of any kind was given, making this an irresponsible advisory. There have been an increasing number of these of late, unfortunately. The various bugs mentioned are being addressed by the developers, who are working to see the best means of fixing and distributing fixes for these problems. -- Lamar Owen WGCR Internet Radio 1 Peter 4:11
