[pgsql-jp: 27439] Re: About the security information

Satoshi Nagayasu snaga @ snaga.org
Wed Sep 18 00:30:48 JST 2002


This is Nagayasu.

The HISTORY file for 7.2.2 says the following.

----------------------------------------------------------------------
                                 Release Notes

                                 Release 7.2.2

     Release date: 2002-08-23

   This has a variety of fixes from 7.2.1, including the security
   problems reported on BUGTRAQ.

[...]
 Fix for buffer overrun in handling long datetime input (Thomas, Neil)
 Fix for buffer overrun in repeat() (Neil)
 Fix for buffer overrun in lpad() and rpad() with multibyte (Neil)
 Fix for buffer overrun in SET TIME ZONE and TZ env var (Neil)
----------------------------------------------------------------------

This is probably it. According to BUGTRAQ:

----------------------------------------------------------------------
OVERVIEW

Several buffer overruns found in PostgreSQL

DETAIL

The PostgreSQL Global Development Team has identified and
addressed the following buffer overruns in PostgreSQL:

* in handling long datetime input
* in repeat()
* in lpad() and rpad() with multibyte
* in SET TIME ZONE and TZ env var

More information can be found at the following addresses:

http://online.securityfocus.com/archive/1/288305/2002-08-16/2002-08-22/0
http://online.securityfocus.com/archive/1/288334/2002-08-16/2002-08-22/0

The advisory sent by The PostgreSQL Global Development Team can be read at

http://online.securityfocus.com/archive/1/288998/2002-08-23/2002-08-29/0
----------------------------------------------------------------------

According to the announcement made later, when it was fixed:

----------------------------------------------------------------------
Package        : postgresql
Vulnerability  : buffer overflows
Problem-Type   : remote
Debian-specific: no
CVE Id         : CAN-2002-0972

Mordred Labs and others found several vulnerabilities in PostgreSQL,
an object-relational SQL database.  They are inherited from several
buffer overflows and integer overflows.  Specially crafted long date
and time input, currency, repeat data and long timezone names could
cause the PostgreSQL server to crash as well as specially crafted
input data for lpad() and rpad().  More buffer/integer overflows were
found in circle_poly(), path_encode() and path_addr().

Except for the last three, these problems are fixed in the upstream
release 7.2.2 of PostgreSQL which is the recommended version to use.

Most of these problems do not exist in the version of PostgreSQL that
Debian ships in the potato release since the corresponding
functionality is not yet implemented.  However, PostgreSQL 6.5.3 is
quite old and may bear more risks than we are aware of, which may
include further buffer overflows, and certainly include bugs that
threaten the integrity of your data.
----------------------------------------------------------------------

That is what it says. These are Debian's announcements, though.

-- 
NAGAYASU Satoshi <snaga @ snaga.org>



