|
34 | 34 |
|
35 | 35 | <itemizedlist>
|
36 | 36 |
|
| 37 | + <listitem> |
| 38 | + <para> |
| 39 | + Fix buffer overruns in <function>to_char()</> |
| 40 | + (Bruce Momjian) |
| 41 | + </para> |
| 42 | + |
| 43 | + <para> |
| 44 | + When <function>to_char()</> processes a numeric formatting template |
| 45 | + calling for a large number of digits, <productname>PostgreSQL</> |
| 46 | + would read past the end of a buffer. When processing a crafted |
| 47 | + timestamp formatting template, <productname>PostgreSQL</> would write |
| 48 | + past the end of a buffer. Either case could crash the server. |
| 49 | + We have not ruled out the possibility of attacks that lead to |
| 50 | + privilege escalation, though they seem unlikely. |
| 51 | + (CVE-2015-0241) |
| 52 | + </para> |
| 53 | + </listitem> |
| 54 | + |
| 55 | + <listitem> |
| 56 | + <para> |
| 57 | + Fix buffer overrun in replacement <function>*printf()</> functions |
| 58 | + (Tom Lane) |
| 59 | + </para> |
| 60 | + |
| 61 | + <para> |
| 62 | + <productname>PostgreSQL</> includes a replacement implementation |
| 63 | + of <function>printf</> and related functions. This code will overrun |
| 64 | + a stack buffer when formatting a floating point number (conversion |
| 65 | + specifiers <literal>e</>, <literal>E</>, <literal>f</>, <literal>F</>, |
| 66 | + <literal>g</> or <literal>G</>) with requested precision greater than |
| 67 | + about 500. This will crash the server, and we have not ruled out the |
| 68 | + possibility of attacks that lead to privilege escalation. |
| 69 | + A database user can trigger such a buffer overrun through |
| 70 | + the <function>to_char()</> SQL function. While that is the only |
| 71 | + affected core <productname>PostgreSQL</> functionality, extension |
| 72 | + modules that use printf-family functions may be at risk as well. |
| 73 | + </para> |
| 74 | + |
| 75 | + <para> |
| 76 | + This issue primarily affects <productname>PostgreSQL</> on Windows. |
| 77 | + <productname>PostgreSQL</> uses the system implementation of these |
| 78 | + functions where adequate, which it is on other modern platforms. |
| 79 | + (CVE-2015-0242) |
| 80 | + </para> |
| 81 | + </listitem> |
| 82 | + |
| 83 | + <listitem> |
| 84 | + <para> |
| 85 | + Fix buffer overruns in <filename>contrib/pgcrypto</> |
| 86 | + (Marko Tiikkaja, Noah Misch) |
| 87 | + </para> |
| 88 | + |
| 89 | + <para> |
| 90 | + Errors in memory size tracking within the <filename>pgcrypto</> |
| 91 | + module permitted stack buffer overruns and improper dependence on the |
| 92 | + contents of uninitialized memory. The buffer overrun cases can |
| 93 | + crash the server, and we have not ruled out the possibility of |
| 94 | + attacks that lead to privilege escalation. |
| 95 | + (CVE-2015-0243) |
| 96 | + </para> |
| 97 | + </listitem> |
| 98 | + |
| 99 | + <listitem> |
| 100 | + <para> |
| 101 | + Fix possible loss of frontend/backend protocol synchronization after |
| 102 | + an error |
| 103 | + (Heikki Linnakangas) |
| 104 | + </para> |
| 105 | + |
| 106 | + <para> |
| 107 | + If any error occurred while the server was in the middle of reading a |
| 108 | + protocol message from the client, it could lose synchronization and |
| 109 | + incorrectly try to interpret part of the message's data as a new |
| 110 | + protocol message. An attacker able to submit crafted binary data |
| 111 | + within a command parameter might succeed in injecting his own SQL |
| 112 | + commands this way. Statement timeout and query cancellation are the |
| 113 | + most likely sources of errors triggering this scenario. Particularly |
| 114 | + vulnerable are applications that use a timeout and also submit |
| 115 | + arbitrary user-crafted data as binary query parameters. Disabling |
| 116 | + statement timeout will reduce, but not eliminate, the risk of |
| 117 | + exploit. Our thanks to Emil Lenngren for reporting this issue. |
| 118 | + (CVE-2015-0244) |
| 119 | + </para> |
| 120 | + </listitem> |
| 121 | + |
37 | 122 | <listitem>
|
38 | 123 | <para>
|
39 | 124 | Fix information leak via constraint-violation error messages
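Review bot: the CVE-2015-0241 (to_char() overruns) and CVE-2015-0243 (pgcrypto overruns) items do not say who can trigger the bug, while the CVE-2015-0242 item does ("A database user can trigger such a buffer overrun through the <function>to_char()</> SQL function"); add the equivalent sentence to the other two items, stating whether an ordinary database user can reach the overrun through to_char() or through the affected pgcrypto functions, so the four advisories read consistently and readers can judge exposure from the notes alone. Minor wording point in the CVE-2015-0244 paragraph: "might succeed in injecting his own SQL commands" should be made gender-neutral, e.g. "might succeed in injecting SQL commands of their own".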
|
|