From 3face5a8d9ffbb5d37b5c29949d4363bd64f7446 Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Mon, 2 Feb 2015 11:24:02 -0500 Subject: [PATCH] Last-minute updates for release notes. Add entries for security issues. Security: CVE-2015-0241 through CVE-2015-0244 --- doc/src/sgml/release-9.0.sgml | 85 +++++++++++++++++++++ doc/src/sgml/release-9.1.sgml | 85 +++++++++++++++++++++ doc/src/sgml/release-9.2.sgml | 85 +++++++++++++++++++++ doc/src/sgml/release-9.3.sgml | 139 ++++++++++++++++++++++++++++++++++ doc/src/sgml/release-9.4.sgml | 139 ++++++++++++++++++++++++++++++++++ 5 files changed, 533 insertions(+) diff --git a/doc/src/sgml/release-9.0.sgml b/doc/src/sgml/release-9.0.sgml index 3efe91d2d9..90339a5eae 100644 --- a/doc/src/sgml/release-9.0.sgml +++ b/doc/src/sgml/release-9.0.sgml @@ -34,6 +34,91 @@ + + + Fix buffer overruns in to_char() + (Bruce Momjian) + + + + When to_char() processes a numeric formatting template + calling for a large number of digits, PostgreSQL + would read past the end of a buffer. When processing a crafted + timestamp formatting template, PostgreSQL would write + past the end of a buffer. Either case could crash the server. + We have not ruled out the possibility of attacks that lead to + privilege escalation, though they seem unlikely. + (CVE-2015-0241) + + + + + + Fix buffer overrun in replacement *printf() functions + (Tom Lane) + + + + PostgreSQL includes a replacement implementation + of printf and related functions. This code will overrun + a stack buffer when formatting a floating point number (conversion + specifiers e, E, f, F, + g or G) with requested precision greater than + about 500. This will crash the server, and we have not ruled out the + possibility of attacks that lead to privilege escalation. + A database user can trigger such a buffer overrun through + the to_char() SQL function. While that is the only + affected core PostgreSQL functionality, extension + modules that use printf-family functions may be at risk as well. + + + + This issue primarily affects PostgreSQL on Windows. + PostgreSQL uses the system implementation of these + functions where adequate, which it is on other modern platforms. + (CVE-2015-0242) + + + + + + Fix buffer overruns in contrib/pgcrypto + (Marko Tiikkaja, Noah Misch) + + + + Errors in memory size tracking within the pgcrypto + module permitted stack buffer overruns and improper dependence on the + contents of uninitialized memory. The buffer overrun cases can + crash the server, and we have not ruled out the possibility of + attacks that lead to privilege escalation. + (CVE-2015-0243) + + + + + + Fix possible loss of frontend/backend protocol synchronization after + an error + (Heikki Linnakangas) + + + + If any error occurred while the server was in the middle of reading a + protocol message from the client, it could lose synchronization and + incorrectly try to interpret part of the message's data as a new + protocol message. An attacker able to submit crafted binary data + within a command parameter might succeed in injecting his own SQL + commands this way. Statement timeout and query cancellation are the + most likely sources of errors triggering this scenario. Particularly + vulnerable are applications that use a timeout and also submit + arbitrary user-crafted data as binary query parameters. Disabling + statement timeout will reduce, but not eliminate, the risk of + exploit. Our thanks to Emil Lenngren for reporting this issue. + (CVE-2015-0244) + + + Fix information leak via constraint-violation error messages diff --git a/doc/src/sgml/release-9.1.sgml b/doc/src/sgml/release-9.1.sgml index 6a0230b885..eed8a365a1 100644 --- a/doc/src/sgml/release-9.1.sgml +++ b/doc/src/sgml/release-9.1.sgml @@ -34,6 +34,91 @@ + + + Fix buffer overruns in to_char() + (Bruce Momjian) + + + + When to_char() processes a numeric formatting template + calling for a large number of digits, PostgreSQL + would read past the end of a buffer. When processing a crafted + timestamp formatting template, PostgreSQL would write + past the end of a buffer. Either case could crash the server. + We have not ruled out the possibility of attacks that lead to + privilege escalation, though they seem unlikely. + (CVE-2015-0241) + + + + + + Fix buffer overrun in replacement *printf() functions + (Tom Lane) + + + + PostgreSQL includes a replacement implementation + of printf and related functions. This code will overrun + a stack buffer when formatting a floating point number (conversion + specifiers e, E, f, F, + g or G) with requested precision greater than + about 500. This will crash the server, and we have not ruled out the + possibility of attacks that lead to privilege escalation. + A database user can trigger such a buffer overrun through + the to_char() SQL function. While that is the only + affected core PostgreSQL functionality, extension + modules that use printf-family functions may be at risk as well. + + + + This issue primarily affects PostgreSQL on Windows. + PostgreSQL uses the system implementation of these + functions where adequate, which it is on other modern platforms. + (CVE-2015-0242) + + + + + + Fix buffer overruns in contrib/pgcrypto + (Marko Tiikkaja, Noah Misch) + + + + Errors in memory size tracking within the pgcrypto + module permitted stack buffer overruns and improper dependence on the + contents of uninitialized memory. The buffer overrun cases can + crash the server, and we have not ruled out the possibility of + attacks that lead to privilege escalation. + (CVE-2015-0243) + + + + + + Fix possible loss of frontend/backend protocol synchronization after + an error + (Heikki Linnakangas) + + + + If any error occurred while the server was in the middle of reading a + protocol message from the client, it could lose synchronization and + incorrectly try to interpret part of the message's data as a new + protocol message. An attacker able to submit crafted binary data + within a command parameter might succeed in injecting his own SQL + commands this way. Statement timeout and query cancellation are the + most likely sources of errors triggering this scenario. Particularly + vulnerable are applications that use a timeout and also submit + arbitrary user-crafted data as binary query parameters. Disabling + statement timeout will reduce, but not eliminate, the risk of + exploit. Our thanks to Emil Lenngren for reporting this issue. + (CVE-2015-0244) + + + Fix information leak via constraint-violation error messages diff --git a/doc/src/sgml/release-9.2.sgml b/doc/src/sgml/release-9.2.sgml index 132f68712e..7bdbd89ae9 100644 --- a/doc/src/sgml/release-9.2.sgml +++ b/doc/src/sgml/release-9.2.sgml @@ -43,6 +43,91 @@ + + + Fix buffer overruns in to_char() + (Bruce Momjian) + + + + When to_char() processes a numeric formatting template + calling for a large number of digits, PostgreSQL + would read past the end of a buffer. When processing a crafted + timestamp formatting template, PostgreSQL would write + past the end of a buffer. Either case could crash the server. + We have not ruled out the possibility of attacks that lead to + privilege escalation, though they seem unlikely. + (CVE-2015-0241) + + + + + + Fix buffer overrun in replacement *printf() functions + (Tom Lane) + + + + PostgreSQL includes a replacement implementation + of printf and related functions. This code will overrun + a stack buffer when formatting a floating point number (conversion + specifiers e, E, f, F, + g or G) with requested precision greater than + about 500. This will crash the server, and we have not ruled out the + possibility of attacks that lead to privilege escalation. + A database user can trigger such a buffer overrun through + the to_char() SQL function. While that is the only + affected core PostgreSQL functionality, extension + modules that use printf-family functions may be at risk as well. + + + + This issue primarily affects PostgreSQL on Windows. + PostgreSQL uses the system implementation of these + functions where adequate, which it is on other modern platforms. + (CVE-2015-0242) + + + + + + Fix buffer overruns in contrib/pgcrypto + (Marko Tiikkaja, Noah Misch) + + + + Errors in memory size tracking within the pgcrypto + module permitted stack buffer overruns and improper dependence on the + contents of uninitialized memory. The buffer overrun cases can + crash the server, and we have not ruled out the possibility of + attacks that lead to privilege escalation. + (CVE-2015-0243) + + + + + + Fix possible loss of frontend/backend protocol synchronization after + an error + (Heikki Linnakangas) + + + + If any error occurred while the server was in the middle of reading a + protocol message from the client, it could lose synchronization and + incorrectly try to interpret part of the message's data as a new + protocol message. An attacker able to submit crafted binary data + within a command parameter might succeed in injecting his own SQL + commands this way. Statement timeout and query cancellation are the + most likely sources of errors triggering this scenario. Particularly + vulnerable are applications that use a timeout and also submit + arbitrary user-crafted data as binary query parameters. Disabling + statement timeout will reduce, but not eliminate, the risk of + exploit. Our thanks to Emil Lenngren for reporting this issue. + (CVE-2015-0244) + + + Fix information leak via constraint-violation error messages diff --git a/doc/src/sgml/release-9.3.sgml b/doc/src/sgml/release-9.3.sgml index 0f2de7fded..b4fa3845d3 100644 --- a/doc/src/sgml/release-9.3.sgml +++ b/doc/src/sgml/release-9.3.sgml @@ -43,6 +43,145 @@ + + + + + Fix buffer overruns in to_char() + (Bruce Momjian) + + + + When to_char() processes a numeric formatting template + calling for a large number of digits, PostgreSQL + would read past the end of a buffer. When processing a crafted + timestamp formatting template, PostgreSQL would write + past the end of a buffer. Either case could crash the server. + We have not ruled out the possibility of attacks that lead to + privilege escalation, though they seem unlikely. + (CVE-2015-0241) + + + + + + + + Fix buffer overrun in replacement *printf() functions + (Tom Lane) + + + + PostgreSQL includes a replacement implementation + of printf and related functions. This code will overrun + a stack buffer when formatting a floating point number (conversion + specifiers e, E, f, F, + g or G) with requested precision greater than + about 500. This will crash the server, and we have not ruled out the + possibility of attacks that lead to privilege escalation. + A database user can trigger such a buffer overrun through + the to_char() SQL function. While that is the only + affected core PostgreSQL functionality, extension + modules that use printf-family functions may be at risk as well. + + + + This issue primarily affects PostgreSQL on Windows. + PostgreSQL uses the system implementation of these + functions where adequate, which it is on other modern platforms. + (CVE-2015-0242) + + + + + + + + Fix buffer overruns in contrib/pgcrypto + (Marko Tiikkaja, Noah Misch) + + + + Errors in memory size tracking within the pgcrypto + module permitted stack buffer overruns and improper dependence on the + contents of uninitialized memory. The buffer overrun cases can + crash the server, and we have not ruled out the possibility of + attacks that lead to privilege escalation. + (CVE-2015-0243) + + + + + + + + Fix possible loss of frontend/backend protocol synchronization after + an error + (Heikki Linnakangas) + + + + If any error occurred while the server was in the middle of reading a + protocol message from the client, it could lose synchronization and + incorrectly try to interpret part of the message's data as a new + protocol message. An attacker able to submit crafted binary data + within a command parameter might succeed in injecting his own SQL + commands this way. Statement timeout and query cancellation are the + most likely sources of errors triggering this scenario. Particularly + vulnerable are applications that use a timeout and also submit + arbitrary user-crafted data as binary query parameters. Disabling + statement timeout will reduce, but not eliminate, the risk of + exploit. Our thanks to Emil Lenngren for reporting this issue. + (CVE-2015-0244) + + + + + + + Fix buffer overruns in to_char() + (Bruce Momjian) + + + + When to_char() processes a numeric formatting template + calling for a large number of digits, PostgreSQL + would read past the end of a buffer. When processing a crafted + timestamp formatting template, PostgreSQL would write + past the end of a buffer. Either case could crash the server. + We have not ruled out the possibility of attacks that lead to + privilege escalation, though they seem unlikely. + (CVE-2015-0241) + + + + + + + + Fix buffer overrun in replacement *printf() functions + (Tom Lane) + + + + PostgreSQL includes a replacement implementation + of printf and related functions. This code will overrun + a stack buffer when formatting a floating point number (conversion + specifiers e, E, f, F, + g or G) with requested precision greater than + about 500. This will crash the server, and we have not ruled out the + possibility of attacks that lead to privilege escalation. + A database user can trigger such a buffer overrun through + the to_char() SQL function. While that is the only + affected core PostgreSQL functionality, extension + modules that use printf-family functions may be at risk as well. + + + + This issue primarily affects PostgreSQL on Windows. + PostgreSQL uses the system implementation of these + functions where adequate, which it is on other modern platforms. + (CVE-2015-0242) + + + + + + + + Fix buffer overruns in contrib/pgcrypto + (Marko Tiikkaja, Noah Misch) + + + + Errors in memory size tracking within the pgcrypto + module permitted stack buffer overruns and improper dependence on the + contents of uninitialized memory. The buffer overrun cases can + crash the server, and we have not ruled out the possibility of + attacks that lead to privilege escalation. + (CVE-2015-0243) + + + + + + + + Fix possible loss of frontend/backend protocol synchronization after + an error + (Heikki Linnakangas) + + + + If any error occurred while the server was in the middle of reading a + protocol message from the client, it could lose synchronization and + incorrectly try to interpret part of the message's data as a new + protocol message. An attacker able to submit crafted binary data + within a command parameter might succeed in injecting his own SQL + commands this way. Statement timeout and query cancellation are the + most likely sources of errors triggering this scenario. Particularly + vulnerable are applications that use a timeout and also submit + arbitrary user-crafted data as binary query parameters. Disabling + statement timeout will reduce, but not eliminate, the risk of + exploit. Our thanks to Emil Lenngren for reporting this issue. + (CVE-2015-0244) + + +