Afonin Denis
2009-Feb-27 13:57 UTC
[Secure-testing-team] Bug#517405: postgresql-8.3: Server crashes if using wrong (mismatch) conversion
Package: postgresql-8.3
Version: 8.3.6-1
Severity: serious
Tags: security
Justification: must

As reported in http://archives.postgresql.org/pgsql-bugs/2009-02/msg00172.php, using conversion functions with mismatched specified and database codepages causes postgresql to segfault. A serious issue is that a regular user can do that and bring down the whole system.

Upstream came up with a patch just hours after the report, and it seems to be slated for 8.3.6: http://archives.postgresql.org/pgsql-bugs/2009-02/msg00176.php

-- System Information:
Debian Release: 5.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.18+openvz (SMP w/8 CPU cores)
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)
Shell: /bin/sh linked to /bin/bash

Versions of packages postgresql-8.3 depends on:
ii  libc6                   2.7-18               GNU C Library: Shared libraries
ii  libcomerr2              1.41.3-1             common error description library
ii  libkrb53                1.6.dfsg.4~beta1-5   MIT Kerberos runtime libraries
ii  libldap-2.4-2           2.4.11-1             OpenLDAP libraries
ii  libpam0g                1.0.1-5              Pluggable Authentication Modules l
ii  libpq5                  8.3.6-1              PostgreSQL C client library
ii  libssl0.9.8             0.9.8g-15            SSL shared libraries
ii  libxml2                 2.6.32.dfsg-5        GNOME XML library
ii  locales                 2.7-18               GNU C Library: National Language (
ii  postgresql-client-8.3   8.3.6-1              front-end programs for PostgreSQL
ii  postgresql-common       94lenny1             PostgreSQL database-cluster manage
ii  ssl-cert                1.0.23               simple debconf wrapper for OpenSSL
ii  tzdata                  2008h-2              time zone and daylight-saving time

postgresql-8.3 recommends no packages.

Versions of packages postgresql-8.3 suggests:
ii  pidentd [ident-server]  3.0.19.ds1-4         TCP/IP IDENT protocol server with

-- no debconf information