Commit 0c93924

committed
Last-minute updates for release notes.
Add entries for security issues.
Security: CVE-2015-0241 through CVE-2015-0244
1 parent af9c5c0 commit 0c93924

2 files changed: +170 −0 lines changed

doc/src/sgml/release-9.0.sgml

Lines changed: 85 additions & 0 deletions
@@ -34,6 +34,91 @@
3434

3535
<itemizedlist>
3636

37+
<listitem>
38+
<para>
39+
Fix buffer overruns in <function>to_char()</>
40+
(Bruce Momjian)
41+
</para>
42+
43+
<para>
44+
When <function>to_char()</> processes a numeric formatting template
45+
calling for a large number of digits, <productname>PostgreSQL</>
46+
would read past the end of a buffer. When processing a crafted
47+
timestamp formatting template, <productname>PostgreSQL</> would write
48+
past the end of a buffer. Either case could crash the server.
49+
We have not ruled out the possibility of attacks that lead to
50+
privilege escalation, though they seem unlikely.
51+
(CVE-2015-0241)
52+
</para>
53+
</listitem>
54+
55+
<listitem>
56+
<para>
57+
Fix buffer overrun in replacement <function>*printf()</> functions
58+
(Tom Lane)
59+
</para>
60+
61+
<para>
62+
<productname>PostgreSQL</> includes a replacement implementation
63+
of <function>printf</> and related functions. This code will overrun
64+
a stack buffer when formatting a floating point number (conversion
65+
specifiers <literal>e</>, <literal>E</>, <literal>f</>, <literal>F</>,
66+
<literal>g</> or <literal>G</>) with requested precision greater than
67+
about 500. This will crash the server, and we have not ruled out the
68+
possibility of attacks that lead to privilege escalation.
69+
A database user can trigger such a buffer overrun through
70+
the <function>to_char()</> SQL function. While that is the only
71+
affected core <productname>PostgreSQL</> functionality, extension
72+
modules that use printf-family functions may be at risk as well.
73+
</para>
74+
75+
<para>
76+
This issue primarily affects <productname>PostgreSQL</> on Windows.
77+
<productname>PostgreSQL</> uses the system implementation of these
78+
functions where adequate, which it is on other modern platforms.
79+
(CVE-2015-0242)
80+
</para>
81+
</listitem>
82+
83+
<listitem>
84+
<para>
85+
Fix buffer overruns in <filename>contrib/pgcrypto</>
86+
(Marko Tiikkaja, Noah Misch)
87+
</para>
88+
89+
<para>
90+
Errors in memory size tracking within the <filename>pgcrypto</>
91+
module permitted stack buffer overruns and improper dependence on the
92+
contents of uninitialized memory. The buffer overrun cases can
93+
crash the server, and we have not ruled out the possibility of
94+
attacks that lead to privilege escalation.
95+
(CVE-2015-0243)
96+
</para>
97+
</listitem>
98+
99+
<listitem>
100+
<para>
101+
Fix possible loss of frontend/backend protocol synchronization after
102+
an error
103+
(Heikki Linnakangas)
104+
</para>
105+
106+
<para>
107+
If any error occurred while the server was in the middle of reading a
108+
protocol message from the client, it could lose synchronization and
109+
incorrectly try to interpret part of the message's data as a new
110+
protocol message. An attacker able to submit crafted binary data
111+
within a command parameter might succeed in injecting his own SQL
112+
commands this way. Statement timeout and query cancellation are the
113+
most likely sources of errors triggering this scenario. Particularly
114+
vulnerable are applications that use a timeout and also submit
115+
arbitrary user-crafted data as binary query parameters. Disabling
116+
statement timeout will reduce, but not eliminate, the risk of
117+
exploit. Our thanks to Emil Lenngren for reporting this issue.
118+
(CVE-2015-0244)
119+
</para>
120+
</listitem>
121+
37122
<listitem>
38123
<para>
39124
Fix information leak via constraint-violation error messages
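Review bot: the CVE-2015-0244 paragraph leaves operators with only a partial mitigation ("Disabling statement timeout will reduce, but not eliminate, the risk of exploit") while the same paragraph names query cancellation as an equally likely trigger; consider adding one sentence stating that upgrading is the only complete fix and that the workaround does nothing for cancellation-induced errors. Minor style point in the same paragraph: "injecting his own SQL commands" reads better as "injecting SQL commands of their own", matching the neutral phrasing used elsewhere in these notes ("A database user can trigger ...").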

doc/src/sgml/release-9.1.sgml

Lines changed: 85 additions & 0 deletions
@@ -34,6 +34,91 @@
3434

3535
<itemizedlist>
3636

37+
<listitem>
38+
<para>
39+
Fix buffer overruns in <function>to_char()</>
40+
(Bruce Momjian)
41+
</para>
42+
43+
<para>
44+
When <function>to_char()</> processes a numeric formatting template
45+
calling for a large number of digits, <productname>PostgreSQL</>
46+
would read past the end of a buffer. When processing a crafted
47+
timestamp formatting template, <productname>PostgreSQL</> would write
48+
past the end of a buffer. Either case could crash the server.
49+
We have not ruled out the possibility of attacks that lead to
50+
privilege escalation, though they seem unlikely.
51+
(CVE-2015-0241)
52+
</para>
53+
</listitem>
54+
55+
<listitem>
56+
<para>
57+
Fix buffer overrun in replacement <function>*printf()</> functions
58+
(Tom Lane)
59+
</para>
60+
61+
<para>
62+
<productname>PostgreSQL</> includes a replacement implementation
63+
of <function>printf</> and related functions. This code will overrun
64+
a stack buffer when formatting a floating point number (conversion
65+
specifiers <literal>e</>, <literal>E</>, <literal>f</>, <literal>F</>,
66+
<literal>g</> or <literal>G</>) with requested precision greater than
67+
about 500. This will crash the server, and we have not ruled out the
68+
possibility of attacks that lead to privilege escalation.
69+
A database user can trigger such a buffer overrun through
70+
the <function>to_char()</> SQL function. While that is the only
71+
affected core <productname>PostgreSQL</> functionality, extension
72+
modules that use printf-family functions may be at risk as well.
73+
</para>
74+
75+
<para>
76+
This issue primarily affects <productname>PostgreSQL</> on Windows.
77+
<productname>PostgreSQL</> uses the system implementation of these
78+
functions where adequate, which it is on other modern platforms.
79+
(CVE-2015-0242)
80+
</para>
81+
</listitem>
82+
83+
<listitem>
84+
<para>
85+
Fix buffer overruns in <filename>contrib/pgcrypto</>
86+
(Marko Tiikkaja, Noah Misch)
87+
</para>
88+
89+
<para>
90+
Errors in memory size tracking within the <filename>pgcrypto</>
91+
module permitted stack buffer overruns and improper dependence on the
92+
contents of uninitialized memory. The buffer overrun cases can
93+
crash the server, and we have not ruled out the possibility of
94+
attacks that lead to privilege escalation.
95+
(CVE-2015-0243)
96+
</para>
97+
</listitem>
98+
99+
<listitem>
100+
<para>
101+
Fix possible loss of frontend/backend protocol synchronization after
102+
an error
103+
(Heikki Linnakangas)
104+
</para>
105+
106+
<para>
107+
If any error occurred while the server was in the middle of reading a
108+
protocol message from the client, it could lose synchronization and
109+
incorrectly try to interpret part of the message's data as a new
110+
protocol message. An attacker able to submit crafted binary data
111+
within a command parameter might succeed in injecting his own SQL
112+
commands this way. Statement timeout and query cancellation are the
113+
most likely sources of errors triggering this scenario. Particularly
114+
vulnerable are applications that use a timeout and also submit
115+
arbitrary user-crafted data as binary query parameters. Disabling
116+
statement timeout will reduce, but not eliminate, the risk of
117+
exploit. Our thanks to Emil Lenngren for reporting this issue.
118+
(CVE-2015-0244)
119+
</para>
120+
</listitem>
121+
37122
<listitem>
38123
<para>
39124
Fix information leak via constraint-violation error messages
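Review bot: this hunk is a verbatim copy of the release-9.0.sgml addition, so any wording change agreed for the 9.0 entries (the CVE-2015-0244 mitigation sentence, the "his own SQL commands" phrasing) must be applied here too or the two branches' notes will drift. The commit header shows only these two release-note files changed; please confirm that the notes for the other branches receiving these fixes get the same four entries in a companion commit.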
