Debian Bug report logs - #567058
postgresql-8.3 - Segfault in substring


Package: postgresql-8.3; Maintainer for postgresql-8.3 is (unknown);

Reported by: Bastian Blank <waldi@debian.org>

Date: Wed, 27 Jan 2010 00:06:01 UTC

Severity: important

Tags: security

Found in version postgresql-8.3/8.3.8-0lenny1

Fixed in version postgresql-8.3/8.3.10-0lenny1

Done: Martin Pitt <mpitt@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Martin Pitt <mpitt@debian.org>:
Bug#567058; Package postgresql-8.3. (Wed, 27 Jan 2010 00:06:04 GMT)

Acknowledgement sent to Bastian Blank <waldi@debian.org>:
New Bug report received and forwarded. Copy sent to Martin Pitt <mpitt@debian.org>. (Wed, 27 Jan 2010 00:06:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Bastian Blank <waldi@debian.org>
To: submit@bugs.debian.org
Subject: postgresql-8.3 - Segfault in substring
Date: Wed, 27 Jan 2010 01:03:00 +0100
Package: postgresql-8.3
Version: 8.3.8-0lenny1
Severity: important
Tags: security

PostgreSQL server crashes with substring.

| => select substring(B'10101010101010101010101010101010101010101010101',33,-15);
| server closed the connection unexpectedly
|         This probably means the server terminated abnormally
|         before or while processing the request.
| The connection to the server was lost. Attempting reset: Failed.

| LOG:  server process (PID 24968) was terminated by signal 11: Segmentation fault
| LOG:  terminating any other active server processes
| WARNING:  terminating connection because of crash of another server process
| DETAIL:  The postmaster has commanded this server process to roll back the current transaction and exit, because another server process exited abnormally and possibly corrupted shared memory.

See http://intevydis.blogspot.com/2010/01/postgresql-8023-bitsubstr-overflow.html

Bastian

-- 
Yes, it is written.  Good shall always destroy evil.
		-- Sirah the Yang, "The Omega Glory", stardate unknown




Added tag(s) pending. Request was from Martin Pitt <martin.pitt@ubuntu.com> to control@bugs.debian.org. (Tue, 16 Mar 2010 17:51:17 GMT)

Reply sent to Martin Pitt <mpitt@debian.org>:
You have taken responsibility. (Sun, 25 Apr 2010 19:54:05 GMT)

Notification sent to Bastian Blank <waldi@debian.org>:
Bug acknowledged by developer. (Sun, 25 Apr 2010 19:54:05 GMT)

Message #12 received at 567058-close@bugs.debian.org:

From: Martin Pitt <mpitt@debian.org>
To: 567058-close@bugs.debian.org
Subject: Bug#567058: fixed in postgresql-8.3 8.3.10-0lenny1
Date: Sun, 25 Apr 2010 19:52:42 +0000
Source: postgresql-8.3
Source-Version: 8.3.10-0lenny1

We believe that the bug you reported is fixed in the latest version of
postgresql-8.3, which is due to be installed in the Debian FTP archive:

libecpg-compat3_8.3.10-0lenny1_amd64.deb
  to main/p/postgresql-8.3/libecpg-compat3_8.3.10-0lenny1_amd64.deb
libecpg-dev_8.3.10-0lenny1_amd64.deb
  to main/p/postgresql-8.3/libecpg-dev_8.3.10-0lenny1_amd64.deb
libecpg6_8.3.10-0lenny1_amd64.deb
  to main/p/postgresql-8.3/libecpg6_8.3.10-0lenny1_amd64.deb
libpgtypes3_8.3.10-0lenny1_amd64.deb
  to main/p/postgresql-8.3/libpgtypes3_8.3.10-0lenny1_amd64.deb
libpq-dev_8.3.10-0lenny1_amd64.deb
  to main/p/postgresql-8.3/libpq-dev_8.3.10-0lenny1_amd64.deb
libpq5_8.3.10-0lenny1_amd64.deb
  to main/p/postgresql-8.3/libpq5_8.3.10-0lenny1_amd64.deb
postgresql-8.3_8.3.10-0lenny1.diff.gz
  to main/p/postgresql-8.3/postgresql-8.3_8.3.10-0lenny1.diff.gz
postgresql-8.3_8.3.10-0lenny1.dsc
  to main/p/postgresql-8.3/postgresql-8.3_8.3.10-0lenny1.dsc
postgresql-8.3_8.3.10-0lenny1_amd64.deb
  to main/p/postgresql-8.3/postgresql-8.3_8.3.10-0lenny1_amd64.deb
postgresql-8.3_8.3.10.orig.tar.gz
  to main/p/postgresql-8.3/postgresql-8.3_8.3.10.orig.tar.gz
postgresql-client-8.3_8.3.10-0lenny1_amd64.deb
  to main/p/postgresql-8.3/postgresql-client-8.3_8.3.10-0lenny1_amd64.deb
postgresql-client_8.3.10-0lenny1_all.deb
  to main/p/postgresql-8.3/postgresql-client_8.3.10-0lenny1_all.deb
postgresql-contrib-8.3_8.3.10-0lenny1_amd64.deb
  to main/p/postgresql-8.3/postgresql-contrib-8.3_8.3.10-0lenny1_amd64.deb
postgresql-contrib_8.3.10-0lenny1_all.deb
  to main/p/postgresql-8.3/postgresql-contrib_8.3.10-0lenny1_all.deb
postgresql-doc-8.3_8.3.10-0lenny1_all.deb
  to main/p/postgresql-8.3/postgresql-doc-8.3_8.3.10-0lenny1_all.deb
postgresql-doc_8.3.10-0lenny1_all.deb
  to main/p/postgresql-8.3/postgresql-doc_8.3.10-0lenny1_all.deb
postgresql-plperl-8.3_8.3.10-0lenny1_amd64.deb
  to main/p/postgresql-8.3/postgresql-plperl-8.3_8.3.10-0lenny1_amd64.deb
postgresql-plpython-8.3_8.3.10-0lenny1_amd64.deb
  to main/p/postgresql-8.3/postgresql-plpython-8.3_8.3.10-0lenny1_amd64.deb
postgresql-pltcl-8.3_8.3.10-0lenny1_amd64.deb
  to main/p/postgresql-8.3/postgresql-pltcl-8.3_8.3.10-0lenny1_amd64.deb
postgresql-server-dev-8.3_8.3.10-0lenny1_amd64.deb
  to main/p/postgresql-8.3/postgresql-server-dev-8.3_8.3.10-0lenny1_amd64.deb
postgresql_8.3.10-0lenny1_all.deb
  to main/p/postgresql-8.3/postgresql_8.3.10-0lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 567058@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martin Pitt <mpitt@debian.org> (supplier of updated postgresql-8.3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 13 Mar 2010 16:33:15 +0100
Source: postgresql-8.3
Binary: libpq-dev libpq5 libecpg6 libecpg-dev libecpg-compat3 libpgtypes3 postgresql-8.3 postgresql-client-8.3 postgresql-server-dev-8.3 postgresql-doc-8.3 postgresql-contrib-8.3 postgresql-plperl-8.3 postgresql-plpython-8.3 postgresql-pltcl-8.3 postgresql postgresql-client postgresql-doc postgresql-contrib
Architecture: source all amd64
Version: 8.3.10-0lenny1
Distribution: stable
Urgency: low
Maintainer: Martin Pitt <mpitt@debian.org>
Changed-By: Martin Pitt <mpitt@debian.org>
Description: 
 libecpg-compat3 - older version of run-time library for ECPG programs
 libecpg-dev - development files for ECPG (Embedded PostgreSQL for C)
 libecpg6   - run-time library for ECPG programs
 libpgtypes3 - shared library libpgtypes for PostgreSQL 8.3
 libpq-dev  - header files for libpq5 (PostgreSQL library)
 libpq5     - PostgreSQL C client library
 postgresql - object-relational SQL database (supported version)
 postgresql-8.3 - object-relational SQL database, version 8.3 server
 postgresql-client - front-end programs for PostgreSQL (supported version)
 postgresql-client-8.3 - front-end programs for PostgreSQL 8.3
 postgresql-contrib - additional facilities for PostgreSQL (supported version)
 postgresql-contrib-8.3 - additional facilities for PostgreSQL
 postgresql-doc - documentation for the PostgreSQL database management system
 postgresql-doc-8.3 - documentation for the PostgreSQL database management system
 postgresql-plperl-8.3 - PL/Perl procedural language for PostgreSQL 8.3
 postgresql-plpython-8.3 - PL/Python procedural language for PostgreSQL 8.3
 postgresql-pltcl-8.3 - PL/Tcl procedural language for PostgreSQL 8.3
 postgresql-server-dev-8.3 - development files for PostgreSQL 8.3 server-side programming
Closes: 411982 567058
Changes: 
 postgresql-8.3 (8.3.10-0lenny1) stable; urgency=low
 .
   * New upstream bug fix release:
     - Add new configuration parameter ssl_renegotiation_limit to control
       how often we do session key renegotiation for an SSL connection.
       This can be set to zero to disable renegotiation completely, which
       may be required if a broken SSL library is used. In particular,
       some vendors are shipping stopgap patches for CVE-2009-3555 that
       cause renegotiation attempts to fail.
     - Fix possible deadlock during backend startup.
     - Fix possible crashes due to not handling errors during relcache
       reload cleanly.
     - Fix possible crash due to use of dangling pointer to a cached plan.
     - Fix possible crashes when trying to recover from a failure in
       subtransaction start.
     - Fix server memory leak associated with use of savepoints and a
       client encoding different from server's encoding.
     - Fix incorrect WAL data emitted during end-of-recovery cleanup of a
       GIST index page split.
       This would result in index corruption, or even more likely an error
       during WAL replay, if we were unlucky enough to crash during
       end-of-recovery cleanup after having completed an incomplete GIST
       insertion.
     - Make substring() for bit types treat any negative length as meaning
       "all the rest of the string".
       The previous coding treated only -1 that way, and would produce an
       invalid result value for other negative values, possibly leading to
       a crash (CVE-2010-0442). (Closes: #567058)
     - Fix integer-to-bit-string conversions to handle the first
       fractional byte correctly when the output bit width is wider than
       the given integer by something other than a multiple of 8 bits.
     - Fix some cases of pathologically slow regular expression matching.
     - Fix assorted crashes in xml processing caused by sloppy memory
       management.
       This is a back-patch of changes first applied in 8.4. The 8.3 code
       was known buggy, but the new code was sufficiently different to not
       want to back-patch it until it had gotten some field testing.
     - Fix bug with trying to update a field of an element of a
       composite-type array column.
     - Fix the STOP WAL LOCATION entry in backup history files to report
       the next WAL segment's name when the end location is exactly at a
       segment boundary.
     - Fix some more cases of temporary-file leakage.
       This corrects a problem introduced in the previous minor release.
       One case that failed is when a plpgsql function returning set is
       called within another function's exception handler.
     - Improve constraint exclusion processing of boolean-variable cases,
       in particular make it possible to exclude a partition that has a
       "bool_column = false" constraint.
     - When reading "pg_hba.conf" and related files, do not treat
       @something as a file inclusion request if the @ appears inside
       quote marks; also, never treat @ by itself as a file inclusion
       request.
       This prevents erratic behavior if a role or database name starts
       with @. If you need to include a file whose path name contains
       spaces, you can still do so, but you must write @"/path to/file"
       rather than putting the quotes around the whole construct.
     - Prevent infinite loop on some platforms if a directory is named as
       an inclusion target in "pg_hba.conf" and related files.
     - Fix possible infinite loop if SSL_read or SSL_write fails without
       setting errno.
       This is reportedly possible with some Windows versions of openssl.
     - Disallow GSSAPI authentication on local connections, since it
       requires a hostname to function correctly.
     - Make ecpg report the proper SQLSTATE if the connection disappears.
     - Fix psql's numericlocale option to not format strings it shouldn't
       in latex and troff output formats.
     - Make psql return the correct exit status (3) when ON_ERROR_STOP and
       --single-transaction are both specified and an error occurs during
       the implied "COMMIT".
     - Fix plpgsql failure in one case where a composite column is set to
       NULL.
     - Fix possible failure when calling PL/Perl functions from PL/PerlU
       or vice versa.
     - Add volatile markings in PL/Python to avoid possible
       compiler-specific misbehavior.
     - Ensure PL/Tcl initializes the Tcl interpreter fully.
       The only known symptom of this oversight is that the Tcl clock
       command misbehaves if using Tcl 8.5 or later.
     - Prevent crash in "contrib/dblink" when too many key columns are
       specified to a dblink_build_sql_- function.
     - Allow zero-dimensional arrays in "contrib/ltree" operations.
       This case was formerly rejected as an error, but it's more
       convenient to treat it the same as a zero-element array. In
       particular this avoids unnecessary failures when an ltree operation
       is applied to the result of ARRAY(SELECT ...) and the sub-select
       returns no rows.
     - Fix assorted crashes in "contrib/xml2" caused by sloppy memory
       management.
   * Add 00cvs-unregister-ssl-callbacks.patch: Properly unregister OpenSSL
     callbacks when libpq is done with its connection. Thanks Ondřej Surý for
     the backport! (Closes: #411982, LP: #63141)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 24 May 2010 07:36:14 GMT)
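
The changelog entry for CVE-2010-0442 above, as an added example that is not part of this bug log and not PostgreSQL's source: a simplified C model of how a substring length is normalised before and after the fix. The function names and the window-clipping helper are assumptions made for illustration; the sample bit string and the arguments 33 and -15 come from the report.

```c
#include <stdio.h>
#include <string.h>

/* Bit string from the report above (copied from the page). */
static const char SAMPLE[] = "10101010101010101010101010101010101010101010101";

typedef int (*len_fn)(int bitlen, int start, int len);

/* Hypothetical helper: clip the 1-based window [start, end) to the value. */
static int clipped_len(int bitlen, long long start, long long end)
{
    long long s1 = start > 1 ? start : 1;
    long long e1 = end < bitlen + 1LL ? end : bitlen + 1LL;

    if (s1 > bitlen || e1 < 1)
        return 0;              /* window lies entirely outside the value */
    return (int)(e1 - s1);     /* negative when end < start slips through */
}

/* Behaviour before the fix: only -1 means "all the rest of the string". */
int bit_substr_len_old(int bitlen, int start, int len)
{
    if (len == -1)
        len = bitlen;
    return clipped_len(bitlen, start, (long long)start + len);
}

/* Behaviour after the fix: any negative length means "all the rest". */
int bit_substr_len_fixed(int bitlen, int start, int len)
{
    if (len < 0)
        len = bitlen;
    return clipped_len(bitlen, start, (long long)start + len);
}

/* Sweep start/len combinations and count results with a negative length. */
int count_invalid(len_fn fn, int bitlen)
{
    int bad = 0;
    for (int start = -4; start <= bitlen + 4; start++)
        for (int len = -bitlen; len <= bitlen; len++)
            if (fn(bitlen, start, len) < 0)
                bad++;
    return bad;
}

int main(void)
{
    int n = (int)strlen(SAMPLE);

    printf("old   (33,-15): %d bits\n", bit_substr_len_old(n, 33, -15));
    printf("fixed (33,-15): %d bits\n", bit_substr_len_fixed(n, 33, -15));
    printf("invalid results, old: %d, fixed: %d\n",
           count_invalid(bit_substr_len_old, n),
           count_invalid(bit_substr_len_fixed, n));
    return 0;
}
```

A negative result length is the "invalid result value" the changelog refers to; the sweep shows that normalising every negative length removes the whole class of inputs, not just the one in the report.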



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 14:13:03 2014; Machine Name: buxtehude.debian.org
