Add entries for security issues.
Security: CVE-2015-0241 through CVE-2015-0244
+
+ Fix buffer overruns in to_char()>
+ (Bruce Momjian)
+
+
+ When to_char()> processes a numeric formatting template
+ calling for a large number of digits,
PostgreSQL>
+ would read past the end of a buffer. When processing a crafted
+ timestamp formatting template,
PostgreSQL> would write
+ past the end of a buffer. Either case could crash the server.
+ We have not ruled out the possibility of attacks that lead to
+ privilege escalation, though they seem unlikely.
+ (CVE-2015-0241)
+
+
+
+
+ Fix buffer overrun in replacement *printf()> functions
+ (Tom Lane)
+
+
+
PostgreSQL> includes a replacement implementation
+ of printf> and related functions. This code will overrun
+ a stack buffer when formatting a floating point number (conversion
+ specifiers e>, E>, f>, F>,
+ g> or G>) with requested precision greater than
+ about 500. This will crash the server, and we have not ruled out the
+ possibility of attacks that lead to privilege escalation.
+ A database user can trigger such a buffer overrun through
+ the to_char()> SQL function. While that is the only
+ affected core
PostgreSQL> functionality, extension
+ modules that use printf-family functions may be at risk as well.
+
+
+ This issue primarily affects
PostgreSQL> on Windows.
+
PostgreSQL> uses the system implementation of these
+ functions where adequate, which it is on other modern platforms.
+ (CVE-2015-0242)
+
+
+
+
+ Fix buffer overruns in contrib/pgcrypto>
+ (Marko Tiikkaja, Noah Misch)
+
+
+ Errors in memory size tracking within the pgcrypto>
+ module permitted stack buffer overruns and improper dependence on the
+ contents of uninitialized memory. The buffer overrun cases can
+ crash the server, and we have not ruled out the possibility of
+ attacks that lead to privilege escalation.
+ (CVE-2015-0243)
+
+
+
+
+ Fix possible loss of frontend/backend protocol synchronization after
+ an error
+ (Heikki Linnakangas)
+
+
+ If any error occurred while the server was in the middle of reading a
+ protocol message from the client, it could lose synchronization and
+ incorrectly try to interpret part of the message's data as a new
+ protocol message. An attacker able to submit crafted binary data
+ within a command parameter might succeed in injecting his own SQL
+ commands this way. Statement timeout and query cancellation are the
+ most likely sources of errors triggering this scenario. Particularly
+ vulnerable are applications that use a timeout and also submit
+ arbitrary user-crafted data as binary query parameters. Disabling
+ statement timeout will reduce, but not eliminate, the risk of
+ exploit. Our thanks to Emil Lenngren for reporting this issue.
+ (CVE-2015-0244)
+
+
+
Fix information leak via constraint-violation error messages
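Review bot: the CVE-2015-0242 entry states the trigger as "requested precision greater than about 500", which is too loose for a release note that administrators will use to judge exposure; if the fix establishes an exact bound, state it ("precision greater than N digits", with N from the fix) rather than "about". Two smaller points in the same hunk: the CVE-2015-0243 entry mentions "improper dependence on the contents of uninitialized memory" but only describes the consequence of the buffer overruns, so say whether the uninitialized-memory case has its own impact (for example, disclosure of memory contents) or is only a correctness issue; and the CVE-2015-0244 entry credits its reporter ("Our thanks to Emil Lenngren for reporting this issue.") while the other three entries carry no credit line, so add credits where an external reporter exists or keep the format uniform. Also, "injecting his own SQL commands" is better as "injecting their own SQL commands".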