Vulnerabilities > CVE-2002-1397 - Buffer Overflow vulnerability in PostgreSQL cash_words Function

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
postgresql
nessus

Summary

Vulnerability in the cash_words() function for PostgreSQL 7.2 and earlier allows local users to cause a denial of service and possibly execute arbitrary code via a large negative argument, possibly triggering an integer signedness error or buffer overflow. "Local users" here means anyone able to issue SQL to the server: the vendor advisories quoted below require a database connection with query rights, and note that a successful overflow runs as the unprivileged postgres service account rather than root. The CVSS entry above (network, no privileges required) is more pessimistic than that reading; the Nessus remote check below rates the same flaws as requiring authentication (Au:S).

Nessus

  • NASL familyDatabases
    NASL idPOSTGRESQL_MULTIPLE_FLAWS.NASL
    descriptionThe remote PostgreSQL server, according to its version number, is vulnerable to various flaws which may allow an attacker who has the rights to query the remote database to obtain a shell on this host.
    last seen2020-06-01
    modified2020-06-02
    plugin id11456
    published2003-03-24
    reporterThis script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/11456
    titlePostgreSQL < 7.2.3 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Plugin registration.  The detection further down is version-based: it
    # only tries a password-less login as postgres/pgsql to read
    # "select version();" and compares the banner with 7.2.3, the release the
    # solution text points to.
    if (description)
    {
     script_id(11456);
     script_version("1.23");
     script_cvs_date("Date: 2018/07/25 18:58:03");
    
     # The six 2002 PostgreSQL 7.2.x overflow CVEs; the Red Hat advisory text
     # further down this page maps each of them except 1399 to a function.
     script_cve_id(
       "CVE-2002-1397",
       "CVE-2002-1398",
       "CVE-2002-1399",
       "CVE-2002-1400",
       "CVE-2002-1401",
       "CVE-2002-1402"
     );
     script_bugtraq_id(
       5497,
       5527,
       6610,
       6611,
       6612,
       6613,
       6614,
       6615,
       7075
     );
     script_xref(name:"RHSA", value:"2003:0010-10");
    
     script_name(english:"PostgreSQL < 7.2.3 Multiple Vulnerabilities");
     script_summary(english:"Attempts to log into the remote PostgreSQL daemon");
    
     script_set_attribute(attribute:"synopsis", value:"Arbitrary commands may be run on the remote server.");
     script_set_attribute(attribute:"description", value:
    "The remote PostgreSQL server, according to its version number, is
    vulnerable to various flaws which may allow an attacker who has the
    rights to query the remote database to obtain a shell on this host.");
     script_set_attribute(attribute:"solution", value:"Upgrade to postgresql 7.2.3 or later.");
     # Au:S -- a database login able to run queries is required, matching the
     # description above.  NOTE(review): the distro plugins on this page rate
     # the same CVEs Au:N although their advisory text also says a connection
     # to the server is needed.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
     # CWE-119, the generic out-of-bounds buffer class, as in the other
     # plugins on this page.
     script_cwe_id(119);
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2002/08/12");
     script_set_attribute(attribute:"patch_publication_date", value:"2002/10/01");
     script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/24");
    
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:postgresql:postgresql");
     script_end_attributes();
    
     # Stays in the info-gathering category: the check sends a startup packet
     # and one "select version();", nothing destructive.
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
     script_family(english:"Databases");
    
     # Runs after the service detector; the explicit 5432 presumably lets the
     # plugin run against the default port even when the service was not
     # fingerprinted.
     script_dependencie("postgresql_detect.nasl");
     script_require_ports("Services/postgresql", 5432);
     exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
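    port = get_service(svc:"postgresql", default:5432, exit_on_fail:TRUE);
    
    #
    # Try a password-less protocol-2.0 startup packet as 'postgres', then
    # 'pgsql', against database 'template1'.  Only a server that lets the
    # login through without credentials (trust authentication) gives us a
    # session in which "select version();" can be run; the banner is then
    # compared against 7.2.3, the first release with all six CVEs fixed.
    #
    # Fixes versus the previous revision:
    #  - the version regex mis-grouped the 7.0.x/7.1.x alternative and never
    #    matched a bare "7.2" (no patch level), so those servers were not
    #    reported although they are below 7.2.3;
    #  - the "ERROR: function version()" branch tested the variable that
    #    strstr() had just set to NULL, so it could never fire;
    #  - the socket is closed when a login attempt is refused instead of
    #    being leaked on the next iteration;
    #  - the inner loop no longer reuses the outer loop index.
    #
    zero = raw_string(0x00);
    
    user[0] = "postgres";
    user[1] = "pgsql";
    
    for (i = 0; i < 2; i = i + 1)
    {
      soc = open_sock_tcp(port);
      if (!soc) audit(AUDIT_PORT_CLOSED, port);
    
      usr = user[i];
      # The v2 StartupPacket is a fixed 296 (0x128) bytes: length(4),
      # protocol 2.0 (4), database(64), user(32), options/unused/tty(3*64).
      # "template1" is 9 bytes + 55 zeros; the user field and everything
      # after it are zero padded to 224 bytes.
      len = 224 - strlen(usr);
    
      req = raw_string(0x00, 0x00, 0x01, 0x28, 0x00, 0x02,
                       0x00, 0x00, 0x74, 0x65, 0x6D, 0x70, 0x6C, 0x61,
                       0x74, 0x65, 0x31) + crap(data:zero, length:55) +
            usr +
            crap(data:zero, length:len);
    
      send(socket:soc, data:req);
      r = recv(socket:soc, length:5);
      r2 = recv(socket:soc, length:1024);
    
      # An 'R' (AuthenticationOk) reply followed by exactly 10 more bytes
      # (presumably BackendKeyData + ReadyForQuery) is taken to mean the
      # server accepted the login with no password at all.
      if (strlen(r) > 0 && r[0] == "R" && strlen(r2) == 10)
      {
        req = raw_string(0x51) + "select version();" + raw_string(0x00);
        send(socket:soc, data:req);
        r = recv(socket:soc, length:65535);
        close(soc);
    
        # Keep 'r' intact so the error-text check below still sees it.
        ver = strstr(r, "PostgreSQL");
        if (!isnull(ver))
        {
          # The result is NUL terminated; keep only the banner itself.
          for (j = 0; j < strlen(ver); j++)
          {
            if (ord(ver[j]) == 0) break;
          }
          ver = substr(ver, 0, j - 1);
    
          # Vulnerable = anything before 7.2.3: every 0.x-6.x release, every
          # 7.0.x / 7.1.x release, a bare "7.2", and 7.2.0 - 7.2.2.  The
          # alternatives are bounded so that e.g. "7.2.10" would not match.
          if (ereg(string:ver, pattern:"PostgreSQL ([0-6]\.|7\.[0-1]\.|7\.2([^.0-9]|$|\.[0-2]([^0-9]|$))).*"))
          {
            security_warning(port);
          }
        }
        # A backend without version() at all predates every fixed release.
        else if ("ERROR: function version()" >< r) security_warning(port);
        exit(0);
      }
    
      # Login refused for this user; release the socket before trying the next.
      close(soc);
    }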
    
    #
    # No password-less login worked, so the banner could not be read.  Poke
    # the port with garbage: a PostgreSQL backend answers a malformed startup
    # packet with an 'E'rror whose text begins "FATAL".  Since the version
    # stays unknown this is only reported in paranoid mode, and flagged as a
    # possible false positive.
    #
    soc = open_sock_tcp(port);
    if (!soc) audit(AUDIT_PORT_CLOSED, port);
    
    send(socket:soc, data:string("xx\r\n"));
    banner = recv(socket:soc, length:6);
    close(soc);
    
    if ("EFATAL" >!< banner) exit(0);
    if (report_paranoia < 2) exit(0);
    
    security_warning(port:port, extra: "
    Nessus was not able to remotely determine the version of the remote
    PostgreSQL server, so this might be a false positive.
    ");
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2002-062.NASL
    descriptionVulnerabilities were discovered in the Postgresql relational database by Mordred Labs. These vulnerabilities are buffer overflows in the rpad(), lpad(), repeat(), and cash_words() functions. The Postgresql developers also fixed a buffer overflow in functions that deal with time/date and timezone. Finally, more buffer overflows were discovered by Mordred Labs in the 7.2.2 release that are currently only fixed in CVS. These buffer overflows exist in the circle_poly(), path_encode(), and path_addr() functions. In order for these vulnerabilities to be exploited, an attacker must be able to query the server somehow. However, this cannot directly lead to root privilege because the server runs as the postgresql user. Prior to upgrading, users should dump their database and retain it as backup. You can dump the database by using : $ pg_dumpall > db.out If you need to restore from the backup, you can do so by using : $ psql -f db.out template1 Update : The previous update missed a few small fixes, including a buffer overflow in the cash_words() function that allows local users to cause a DoS and possibly execute arbitrary code via a malformed argument in Postgresql 7.2 and earlier. As well, buffer overflows in the TZ and SET TIME ZONE environment variables for Postgresql 7.2.1 and earlier can allow local users to cause a DoS and possibly execute arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id13963
    published2004-07-31
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13963
    titleMandrake Linux Security Advisory : postgresql (MDKSA-2002:062-1)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2002:062. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    # Plugin registration for the Mandrake MDKSA-2002:062-1 local check.  The
    # description is quoted from the vendor advisory; the actual detection is
    # the rpm_check() list further down, which never talks to PostgreSQL.
    if (description)
    {
      script_id(13963);
      script_version ("1.20");
      script_cvs_date("Date: 2019/08/02 13:32:46");
    
      # The 7.2.x overflow batch plus CVE-2002-0972 (lpad/rpad);
      # CVE-2002-1399 is not claimed by this advisory.
      script_cve_id("CVE-2002-0972", "CVE-2002-1397", "CVE-2002-1398", "CVE-2002-1400", "CVE-2002-1401", "CVE-2002-1402");
      script_xref(name:"MDKSA", value:"2002:062-1");
    
      script_name(english:"Mandrake Linux Security Advisory : postgresql (MDKSA-2002:062-1)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      # Vendor text, reproduced verbatim (including the pg_dumpall backup
      # advice, which belongs to the upgrade procedure rather than the fix).
      script_set_attribute(
        attribute:"description", 
        value:
    "Vulnerabilities were discovered in the Postgresql relational database
    by Mordred Labs. These vulnerabilities are buffer overflows in the
    rpad(), lpad(), repeat(), and cash_words() functions. The Postgresql
    developers also fixed a buffer overflow in functions that deal with
    time/date and timezone.
    
    Finally, more buffer overflows were discovered by Mordred Labs in the
    7.2.2 release that are currently only fixed in CVS. These buffer
    overflows exist in the circle_poly(), path_encode(), and path_addr()
    functions.
    
    In order for these vulnerabilities to be exploited, an attacker must
    be able to query the server somehow. However, this cannot directly
    lead to root privilege because the server runs as the postgresql user.
    
    Prior to upgrading, users should dump their database and retain it as
    backup. You can dump the database by using :
    
    $ pg_dumpall > db.out
    
    If you need to restore from the backup, you can do so by using :
    
    $ psql -f db.out template1
    
    Update :
    
    The previous update missed a few small fixes, including a buffer
    overflow in the cash_words() function that allows local users to cause
    a DoS and possibly execute arbitrary code via a malformed argument in
    Postgresql 7.2 and earlier. As well, buffer overflows in the TZ and
    SET TIME ZONE environment variables for Postgresql 7.2.1 and earlier
    can allow local users to cause a DoS and possibly execute arbitrary
    code."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://archives.postgresql.org/pgsql-announce/2002-08/msg00004.php"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://online.securityfocus.com/archive/1/288036"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://online.securityfocus.com/archive/1/288305"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://online.securityfocus.com/archive/1/288334"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      # NOTE(review): Au:N, although the advisory text above says the
      # attacker "must be able to query the server", i.e. hold a database
      # login; the remote PostgreSQL plugin on this page rates it Au:S.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_cwe_id(119);
    
      # One CPE per package name checked below, plus the five Mandrake
      # releases that received updates.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libecpg3");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libpgperl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libpgsql2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libpgsqlodbc0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libpgtcl2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:postgresql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:postgresql-contrib");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:postgresql-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:postgresql-docs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:postgresql-jdbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:postgresql-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:postgresql-odbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:postgresql-perl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:postgresql-plperl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:postgresql-python");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:postgresql-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:postgresql-tcl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:postgresql-test");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:postgresql-tk");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2003/02/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      # Needs the release string and RPM inventory gathered over SSH.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    # SSH local check: bail out unless the Mandrake release string and RPM
    # inventory were collected, and the host is an x86 machine (the package
    # references below are all i386 builds).
    local_checks = get_kb_item("Host/local_checks_enabled");
    if (!local_checks) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    mdk_release = get_kb_item("Host/Mandrake/release");
    # ("Mandake" sic -- audit message text kept exactly as shipped.)
    if (!mdk_release) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    
    rpm_list = get_kb_item("Host/Mandrake/rpm-list");
    if (!rpm_list) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    # One rpm_check() per affected package, release by release, in the same
    # order as the advisory.  rpm_check() compares the installed build with
    # the fixed reference and records any older package for the report; the
    # 'yank' argument presumably tells it to disregard the "mdk" distro tag
    # when comparing.
    flag = 0;
    
    # Mandrake 7.2 and 8.0 ship the same ten packages, from the 7.0.x line.
    common = make_list("postgresql", "postgresql-devel", "postgresql-jdbc",
                       "postgresql-odbc", "postgresql-perl", "postgresql-python",
                       "postgresql-server", "postgresql-tcl", "postgresql-test",
                       "postgresql-tk");
    foreach pkg (common)
      if (rpm_check(release:"MDK7.2", cpu:"i386", reference:pkg + "-7.0.2-6.2mdk", yank:"mdk")) flag++;
    foreach pkg (common)
      if (rpm_check(release:"MDK8.0", cpu:"i386", reference:pkg + "-7.0.3-12.3mdk", yank:"mdk")) flag++;
    
    # Mandrake 8.1: 7.1.2 plus the contrib/docs/libs/plperl subpackages.
    mdk81 = make_list("postgresql", "postgresql-contrib", "postgresql-devel",
                      "postgresql-docs", "postgresql-jdbc", "postgresql-libs",
                      "postgresql-odbc", "postgresql-perl", "postgresql-plperl",
                      "postgresql-python", "postgresql-server", "postgresql-tcl",
                      "postgresql-test", "postgresql-tk");
    foreach pkg (mdk81)
      if (rpm_check(release:"MDK8.1", cpu:"i386", reference:pkg + "-7.1.2-19.3mdk", yank:"mdk")) flag++;
    
    # Mandrake 8.2 (7.2) and 9.0 (7.2.2) split the client libraries out.
    split_libs = make_list("libecpg3", "libpgperl", "libpgsql2", "libpgsqlodbc0",
                           "libpgtcl2", "postgresql", "postgresql-contrib",
                           "postgresql-devel", "postgresql-docs", "postgresql-jdbc",
                           "postgresql-python", "postgresql-server", "postgresql-tcl",
                           "postgresql-test", "postgresql-tk");
    foreach pkg (split_libs)
      if (rpm_check(release:"MDK8.2", cpu:"i386", reference:pkg + "-7.2-12.2mdk", yank:"mdk")) flag++;
    foreach pkg (split_libs)
      if (rpm_check(release:"MDK9.0", cpu:"i386", reference:pkg + "-7.2.2-1.2mdk", yank:"mdk")) flag++;
    
    # Nothing older than the fixed builds was found.
    if (!flag) audit(AUDIT_HOST_NOT, "affected");
    
    # At least one package predates the fix; include the per-package detail
    # only when the scan asks for a verbose report.
    if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
    else security_hole(0);
    exit(0);
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2002-301.NASL
    descriptionUpdated PostgreSQL packages are available which correct several minor security vulnerabilities. [Updated 06 Feb 2003] Added fixed packages for Advanced Workstation 2.1 PostgreSQL is an advanced Object-Relational database management system (DBMS). Red Hat Linux Advanced Server 2.1 shipped with PostgreSQL version 7.1.3 which has several security vulnerabilities. Buffer overflows in PostgreSQL 7.2 allow attackers to cause a denial of service and possibly execute arbitrary code via long arguments to the lpad or rpad functions. CVE-2002-0972 Buffer overflow in the cash_words() function for PostgreSQL 7.2 and earlier allows local users to cause a denial of service and possibly execute arbitrary code via a malformed argument. CVE-2002-1397 Buffer overflow in the date parser for PostgreSQL before 7.2.2 allows attackers to cause a denial of service and possibly execute arbitrary code via a long date string, referred to as a vulnerability
    last seen2020-06-01
    modified2020-06-02
    plugin id12343
    published2004-07-06
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/12343
    titleRHEL 2.1 : postgresql (RHSA-2002:301)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2002:301. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    # Plugin registration for the Red Hat RHSA-2002:301 local check (RHEL /
    # Advanced Server 2.1).  The description is the vendor advisory text; the
    # detection is the yum-updateinfo / rpm_check() logic further down and
    # never connects to PostgreSQL.
    if (description)
    {
      script_id(12343);
      script_version ("1.26");
      script_cvs_date("Date: 2019/10/25 13:36:10");
    
      # Same CVE set as the Mandrake advisory: the 7.2.x overflow batch plus
      # CVE-2002-0972 (lpad/rpad); CVE-2002-1399 is not claimed.
      script_cve_id("CVE-2002-0972", "CVE-2002-1397", "CVE-2002-1398", "CVE-2002-1400", "CVE-2002-1401", "CVE-2002-1402");
      script_xref(name:"RHSA", value:"2002:301");
    
      script_name(english:"RHEL 2.1 : postgresql (RHSA-2002:301)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      # Vendor text, reproduced verbatim.  Note its own caveat: the fixes were
      # backported into 7.1.3 packages, so the installed version number stays
      # 7.1.3 and only the package release tells patched from unpatched --
      # which is why a version-banner check alone cannot clear this host.
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated PostgreSQL packages are available which correct several minor
    security vulnerabilities.
    
    [Updated 06 Feb 2003] Added fixed packages for Advanced Workstation
    2.1
    
    PostgreSQL is an advanced Object-Relational database management system
    (DBMS). Red Hat Linux Advanced Server 2.1 shipped with PostgreSQL
    version 7.1.3 which has several security vulnerabilities.
    
    Buffer overflows in PostgreSQL 7.2 allow attackers to cause a denial
    of service and possibly execute arbitrary code via long arguments to
    the lpad or rpad functions. CVE-2002-0972
    
    Buffer overflow in the cash_words() function for PostgreSQL 7.2 and
    earlier allows local users to cause a denial of service and possibly
    execute arbitrary code via a malformed argument. CVE-2002-1397
    
    Buffer overflow in the date parser for PostgreSQL before 7.2.2 allows
    attackers to cause a denial of service and possibly execute arbitrary
    code via a long date string, referred to as a vulnerability 'in
    handling long datetime input.' CVE-2002-1398
    
    Heap-based buffer overflow in the repeat() function for PostgreSQL
    before 7.2.2 allows attackers to execute arbitrary code by causing
    repeat() to generate a large string. CVE-2002-1400
    
    Buffer overflows in circle_poly, path_encode, and path_add allow
    attackers to cause a denial of service and possibly execute arbitrary
    code. Note that these issues have been fixed in our packages and in
    PostgreSQL CVS, but are not included in PostgreSQL version 7.2.2 or
    7.2.3. CVE-2002-1401
    
    Buffer overflows in the TZ and SET TIME ZONE enivronment variables for
    PostgreSQL 7.2.1 and earlier allow local users to cause a denial of
    service and possibly execute arbitrary code. CVE-2002-1402
    
    Note that these vulnerabilities are only critical on open or shared
    systems because connecting to the database is required before the
    vulnerabilities can be exploited.
    
    The PostgreSQL Global Development Team has released versions of
    PostgreSQL that fix these vulnerabilities, and these fixes have been
    isolated and backported into the updated 7.1.3 packages provided with
    this errata. All users of Red Hat Linux Advanced Server 2.1 who use
    PostgreSQL are advised to install these updated packages."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2002-0972"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2002-1397"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2002-1398"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2002-1400"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2002-1401"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2002-1402"
      );
      # The commented URLs are the originals the advisory cited; the values
      # below are their current (https / marc.info) equivalents.
      # http://lwn.net/Articles/8445/
      script_set_attribute(
        attribute:"see_also",
        value:"https://lwn.net/Articles/8445/"
      );
      # http://marc.theaimsgroup.com/?l=postgresql-announce&m=103062536330644
      script_set_attribute(
        attribute:"see_also",
        value:"https://marc.info/?l=postgresql-announce&m=103062536330644"
      );
      # http://marc.theaimsgroup.com/?l=bugtraq&m=102978152712430
      script_set_attribute(
        attribute:"see_also",
        value:"https://marc.info/?l=bugtraq&m=102978152712430"
      );
      # http://marc.theaimsgroup.com/?l=bugtraq&m=102987306029821
      script_set_attribute(
        attribute:"see_also",
        value:"https://marc.info/?l=bugtraq&m=102987306029821"
      );
      # http://marc.theaimsgroup.com/?l=postgresql-general&m=102995302604086
      script_set_attribute(
        attribute:"see_also",
        value:"https://marc.info/?l=postgresql-general&m=102995302604086"
      );
      # http://online.securityfocus.com/archive/1/288334
      script_set_attribute(
        attribute:"see_also",
        value:"https://online.securityfocus.com/archive/1/288334"
      );
      # http://online.securityfocus.com/archive/1/288305
      script_set_attribute(
        attribute:"see_also",
        value:"https://online.securityfocus.com/archive/1/288305"
      );
      # http://online.securityfocus.com/archive/1/288036
      script_set_attribute(
        attribute:"see_also",
        value:"https://online.securityfocus.com/archive/1/288036"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2002:301"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      # NOTE(review): Au:N, although the advisory text above states that
      # "connecting to the database is required before the vulnerabilities
      # can be exploited"; the remote PostgreSQL plugin on this page uses Au:S.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:postgresql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:postgresql-contrib");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:postgresql-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:postgresql-docs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:postgresql-jdbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:postgresql-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:postgresql-odbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:postgresql-perl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:postgresql-python");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:postgresql-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:postgresql-tcl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:postgresql-tk");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/09/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2003/02/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
      # Presumably marks this as an auto-generated advisory plugin.
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      # Needs the release string and RPM inventory gathered over SSH.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    # SSH local check: only Red Hat Enterprise Linux 2.1 on i386 is covered
    # by this advisory, so everything else is audited out up front.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    
    # Pull "N" or "N.M" out of the release string and insist on 2.1 exactly
    # (the trailing class keeps e.g. "2.10" from matching as a prefix).
    ver_match = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(ver_match)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = ver_match[1];
    if (!preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # x86_64 and s390 are recognised architectures, but the advisory only
    # shipped i386 packages, so they get the "wrong arch" audit rather than
    # "not implemented".
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    known_arch = ("x86_64" >< cpu) || (cpu =~ "^i[3-6]86$") || ("s390" >< cpu);
    if (!known_arch) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2002:301";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"postgresql-7.1.3-4bp.2")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"postgresql-contrib-7.1.3-4bp.2")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"postgresql-devel-7.1.3-4bp.2")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"postgresql-docs-7.1.3-4bp.2")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"postgresql-jdbc-7.1.3-4bp.2")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"postgresql-libs-7.1.3-4bp.2")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"postgresql-odbc-7.1.3-4bp.2")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"postgresql-perl-7.1.3-4bp.2")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"postgresql-python-7.1.3-4bp.2")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"postgresql-server-7.1.3-4bp.2")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"postgresql-tcl-7.1.3-4bp.2")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"postgresql-tk-7.1.3-4bp.2")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "postgresql / postgresql-contrib / postgresql-devel / etc");
      }
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-165.NASL
    descriptionMordred Labs and others found several vulnerabilities in PostgreSQL, an object-relational SQL database. They are inherited from several buffer overflows and integer overflows. Specially crafted long date and time input, currency, repeat data and long timezone names could cause the PostgreSQL server to crash as well as specially crafted input data for lpad() and rpad(). More buffer/integer overflows were found in circle_poly(), path_encode() and path_addr(). Except for the last three, these problems are fixed in the upstream release 7.2.2 of PostgreSQL which is the recommended version to use. Most of these problems do not exist in the version of PostgreSQL that Debian ships in the potato release since the corresponding functionality is not yet implemented. However, PostgreSQL 6.5.3 is quite old and may bear more risks than we are aware of, which may include further buffer overflows, and certainly include bugs that threaten the integrity of your data. You are strongly advised not to use this release but to upgrade your system to Debian 3.0 (stable) including PostgreSQL release 7.2.1 instead, where many bugs have been fixed and new features introduced to increase compatibility with the SQL standards. If you consider an upgrade, please make sure to dump the entire database system using the pg_dumpall utility. Please take into consideration that the newer PostgreSQL is more strict in its input handling. This means that tests like
    last seen2020-06-01
    modified2020-06-02
    plugin id15002
    published2004-09-29
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15002
    titleDebian DSA-165-1 : postgresql - buffer overflows
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-165. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Plugin registration: when `description` is set only this metadata block runs
    # and the script exits at its end, so the dpkg checks further down are never
    # reached in that mode.
    if (description)
    {
      script_id(15002);
      script_version("1.19");
      script_cvs_date("Date: 2019/08/02 13:32:17");
    
      # One check reports several CVEs; all of them are addressed by the same
      # package versions compared later in this script.
      script_cve_id("CVE-2002-0972", "CVE-2002-1397", "CVE-2002-1398", "CVE-2002-1400", "CVE-2002-1401", "CVE-2002-1402");
      script_xref(name:"DSA", value:"165");
    
      script_name(english:"Debian DSA-165-1 : postgresql - buffer overflows");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      # Description text is quoted from the advisory; it is display text only and
      # does not drive any of the package comparisons.
      script_set_attribute(
        attribute:"description", 
        value:
    "Mordred Labs and others found several vulnerabilities in PostgreSQL,
    an object-relational SQL database. They are inherited from several
    buffer overflows and integer overflows. Specially crafted long date
    and time input, currency, repeat data and long timezone names could
    cause the PostgreSQL server to crash as well as specially crafted
    input data for lpad() and rpad(). More buffer/integer overflows were
    found in circle_poly(), path_encode() and path_addr().
    
    Except for the last three, these problems are fixed in the upstream
    release 7.2.2 of PostgreSQL which is the recommended version to use.
    
    Most of these problems do not exist in the version of PostgreSQL that
    Debian ships in the potato release since the corresponding
    functionality is not yet implemented. However, PostgreSQL 6.5.3 is
    quite old and may bear more risks than we are aware of, which may
    include further buffer overflows, and certainly include bugs that
    threaten the integrity of your data.
    
    You are strongly advised not to use this release but to upgrade your
    system to Debian 3.0 (stable) including PostgreSQL release 7.2.1
    instead, where many bugs have been fixed and new features introduced
    to increase compatibility with the SQL standards.
    
    If you consider an upgrade, please make sure to dump the entire
    database system using the pg_dumpall utility. Please take into
    consideration that the newer PostgreSQL is more strict in its input
    handling. This means that tests like 'foo = NULL' which are not valid
    won't be accepted anymore. It also means that when using UNICODE
    encoding, ISO 8859-1 and ISO 8859-15 are no longer valid encodings to
    use when inserting data into the relation. In such a case you are
    advised to convert the dump in question usingrecode latin1..utf-16.
    
    These problems have been fixed in version 7.2.1-2woody2 for the
    current stable distribution (woody) and in version 7.2.2-2 for the
    unstable distribution (sid). The old stable distribution (potato) is
    partially affected and we ship a fixed version 6.5.3-27.2 for it."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2002/dsa-165"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the PostgreSQL packages.");
      # The CVSS vector describes the vulnerability (network-reachable, no auth),
      # not the detection method: plugin_type below is "local", i.e. the check
      # itself reads dpkg output over SSH rather than talking to PostgreSQL.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      # CWE-119: improper restriction of operations within the bounds of a memory buffer.
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:postgresql");
      # Both potato (2.2) and woody (3.0) receive fixed packages, hence two OS CPEs.
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2002/09/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/08/19");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      # ssh_get_info.nasl presumably populates the Host/Debian/* keys required on
      # the next line — verify against that plugin if the dependency is changed.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Prerequisites: local checks enabled, a Debian release string and a dpkg listing.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Package names per release, kept in the advisory's order so the generated
    # report lists them the same way.
    potato_pkgs = make_list("ecpg", "libpgperl", "libpgsql2", "libpgtcl", "odbc-postgresql", "pgaccess",
                            "postgresql", "postgresql-client", "postgresql-contrib", "postgresql-dev",
                            "postgresql-doc", "postgresql-pl", "postgresql-test", "python-pygresql");
    woody_pkgs = make_list("libecpg3", "libpgperl", "libpgsql2", "libpgtcl", "odbc-postgresql", "pgaccess",
                           "postgresql", "postgresql-client", "postgresql-contrib", "postgresql-dev",
                           "postgresql-doc", "python-pygresql");
    
    hits = 0;
    # potato (2.2): fixed in 6.5.3-27.2
    foreach pkg (potato_pkgs)
    {
      if (deb_check(release:"2.2", prefix:pkg, reference:"6.5.3-27.2")) hits++;
    }
    # woody (3.0): courier-authpostgresql carries its own version string rather
    # than the PostgreSQL one; the remaining packages are fixed in 7.2.1-2woody2.
    if (deb_check(release:"3.0", prefix:"courier-authpostgresql", reference:"0.37.3-3.1")) hits++;
    foreach pkg (woody_pkgs)
    {
      if (deb_check(release:"3.0", prefix:pkg, reference:"7.2.1-2woody2")) hits++;
    }
    
    # Any single outdated package is enough to report the host as vulnerable.
    if (!hits) audit(AUDIT_HOST_NOT, "affected");
    if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
    else security_hole(0);
    exit(0);
    

Redhat

advisories
rhsa
idRHSA-2003:001