cvelistv5 - cve-2002-1401

URL	Tags
cve@mitre.org	http://archives.postgresql.org/pgsql-hackers/2002-08/msg02047.php	Vendor Advisory
cve@mitre.org	http://archives.postgresql.org/pgsql-hackers/2002-08/msg02081.php
cve@mitre.org	http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000524
cve@mitre.org	http://secunia.com/advisories/8034
cve@mitre.org	http://www.debian.org/security/2002/dsa-165	Patch, Vendor Advisory
cve@mitre.org	http://www.redhat.com/support/errata/RHSA-2003-001.html
af854a3a-2127-422b-91ae-364da2661108	http://archives.postgresql.org/pgsql-hackers/2002-08/msg02047.php	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://archives.postgresql.org/pgsql-hackers/2002-08/msg02081.php
af854a3a-2127-422b-91ae-364da2661108	http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000524
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/8034
af854a3a-2127-422b-91ae-364da2661108	http://www.debian.org/security/2002/dsa-165	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.redhat.com/support/errata/RHSA-2003-001.html

▼	Vendor	Product
	n/a	n/a

rhsa-2002_301

Vulnerability from csaf_redhat

Published

2003-01-22 18:36

Modified

2024-09-12 21:48

Summary

Red Hat Security Advisory: postgresql security update

Notes

Topic

Updated PostgreSQL packages are available which correct several minor security vulnerabilities. [Updated 06 Feb 2003] Added fixed packages for Advanced Workstation 2.1

Details

PostgreSQL is an advanced Object-Relational database management system (DBMS). Red Hat Linux Advanced Server 2.1 shipped with PostgreSQL version 7.1.3 which has several security vulnerabilities. Buffer overflows in PostgreSQL 7.2 allow attackers to cause a denial of service and possibly execute arbitrary code via long arguments to the lpad or rpad functions. CAN-2002-0972 Buffer overflow in the cash_words() function for PostgreSQL 7.2 and earlier allows local users to cause a denial of service and possibly execute arbitrary code via a malformed argument. CAN-2002-1397 Buffer overflow in the date parser for PostgreSQL before 7.2.2 allows attackers to cause a denial of service and possibly execute arbitrary code via a long date string, referred to as a vulnerability "in handling long datetime input." CAN-2002-1398 Heap-based buffer overflow in the repeat() function for PostgreSQL before 7.2.2 allows attackers to execute arbitrary code by causing repeat() to generate a large string. CAN-2002-1400 Buffer overflows in circle_poly, path_encode, and path_add allow attackers to cause a denial of service and possibly execute arbitrary code. Note that these issues have been fixed in our packages and in PostgreSQL CVS, but are not included in PostgreSQL version 7.2.2 or 7.2.3. CAN-2002-1401 Buffer overflows in the TZ and SET TIME ZONE enivronment variables for PostgreSQL 7.2.1 and earlier allow local users to cause a denial of service and possibly execute arbitrary code. CAN-2002-1402 Note that these vulnerabilities are only critical on open or shared systems because connecting to the database is required before the vulnerabilities can be exploited. The PostgreSQL Global Development Team has released versions of PostgreSQL that fix these vulnerabilities, and these fixes have been isolated and backported into the updated 7.1.3 packages provided with this errata. All users of Red Hat Linux Advanced Server 2.1 who use PostgreSQL are advised to install these updated packages.

Terms of Use

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated PostgreSQL packages are available which correct\nseveral minor security vulnerabilities.\n\n[Updated 06 Feb 2003]\nAdded fixed packages for Advanced Workstation 2.1",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "PostgreSQL is an advanced Object-Relational database management system\n(DBMS).  Red Hat Linux Advanced Server 2.1 shipped with PostgreSQL version\n7.1.3 which has several security vulnerabilities.  \n\nBuffer overflows in PostgreSQL 7.2 allow attackers to cause a denial of\nservice and possibly execute arbitrary code via long arguments to the lpad\nor rpad functions. CAN-2002-0972\n\nBuffer overflow in the cash_words() function for PostgreSQL 7.2 and\nearlier allows local users to cause a denial of service and possibly\nexecute arbitrary code via a malformed argument.  CAN-2002-1397\n\nBuffer overflow in the date parser for PostgreSQL before 7.2.2 allows\nattackers to cause a denial of service and possibly execute arbitrary\ncode via a long date string, referred to as a vulnerability \"in handling\nlong datetime input.\"  CAN-2002-1398\n\nHeap-based buffer overflow in the repeat() function for PostgreSQL\nbefore 7.2.2 allows attackers to execute arbitrary code by causing\nrepeat() to generate a large string.  CAN-2002-1400\n\nBuffer overflows in circle_poly, path_encode, and path_add allow attackers\nto cause a denial of service and possibly execute arbitrary code.   Note\nthat these issues have been fixed in our packages and in PostgreSQL CVS,\nbut are not included in PostgreSQL version 7.2.2 or 7.2.3.  CAN-2002-1401\n\nBuffer overflows in the TZ and SET TIME ZONE enivronment variables for\nPostgreSQL 7.2.1 and earlier allow local users to cause a denial of service\nand possibly execute arbitrary code.  CAN-2002-1402\n\nNote that these vulnerabilities are only critical on open or shared systems\nbecause connecting to the database is required before the vulnerabilities\ncan be exploited.\n\nThe PostgreSQL Global Development Team has released versions of PostgreSQL\nthat fix these vulnerabilities, and these fixes have been isolated and\nbackported into the updated 7.1.3 packages provided with this errata.\nAll users of Red Hat Linux Advanced Server 2.1 who use PostgreSQL are\nadvised to install these updated packages.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2002:301",
        "url": "https://access.redhat.com/errata/RHSA-2002:301"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "http://lwn.net/Articles/8445/",
        "url": "http://lwn.net/Articles/8445/"
      },
      {
        "category": "external",
        "summary": "http://marc.theaimsgroup.com/?l=postgresql-announce\u0026m=103062536330644",
        "url": "http://marc.theaimsgroup.com/?l=postgresql-announce\u0026m=103062536330644"
      },
      {
        "category": "external",
        "summary": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=102978152712430",
        "url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=102978152712430"
      },
      {
        "category": "external",
        "summary": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=102987306029821",
        "url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=102987306029821"
      },
      {
        "category": "external",
        "summary": "http://marc.theaimsgroup.com/?l=postgresql-general\u0026m=102995302604086",
        "url": "http://marc.theaimsgroup.com/?l=postgresql-general\u0026m=102995302604086"
      },
      {
        "category": "external",
        "summary": "http://online.securityfocus.com/archive/1/288334",
        "url": "http://online.securityfocus.com/archive/1/288334"
      },
      {
        "category": "external",
        "summary": "http://online.securityfocus.com/archive/1/288305",
        "url": "http://online.securityfocus.com/archive/1/288305"
      },
      {
        "category": "external",
        "summary": "http://online.securityfocus.com/archive/1/288036",
        "url": "http://online.securityfocus.com/archive/1/288036"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2003/rhsa-2002_301.json"
      }
    ],
    "title": "Red Hat Security Advisory: postgresql security update",
    "tracking": {
      "current_release_date": "2024-09-12T21:48:08+00:00",
      "generator": {
        "date": "2024-09-12T21:48:08+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "3.33.3"
        }
      },
      "id": "RHSA-2002:301",
      "initial_release_date": "2003-01-22T18:36:00+00:00",
      "revision_history": [
        {
          "date": "2003-01-22T18:36:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2003-02-07T00:00:00+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-09-12T21:48:08+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
                "product": {
                  "name": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
                  "product_id": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:2.1::as"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Linux Advanced Workstation 2.1",
                "product": {
                  "name": "Red Hat Linux Advanced Workstation 2.1",
                  "product_id": "Red Hat Linux Advanced Workstation 2.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:2.1::aw"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Advanced Products"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2002-0972",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1616832"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Buffer overflows in PostgreSQL 7.2 allow attackers to cause a denial of service and possibly execute arbitrary code via long arguments to the functions (1) lpad or (2) rpad.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
          "Red Hat Linux Advanced Workstation 2.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2002-0972"
        },
        {
          "category": "external",
          "summary": "RHBZ#1616832",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616832"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2002-0972",
          "url": "https://www.cve.org/CVERecord?id=CVE-2002-0972"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0972",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0972"
        }
      ],
      "release_date": "2002-08-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "This update corrects all of the above-mentioned buffer overruns.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nPlease note that this update is available via Red Hat Network.  To use Red\nHat Network, launch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nNote that no initdb will be necessary from previous PostgreSQL 7.1.3 packages.",
          "product_ids": [
            "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
            "Red Hat Linux Advanced Workstation 2.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2002:301"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "security flaw"
    },
    {
      "cve": "CVE-2002-1397",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1616910"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Vulnerability in the cash_words() function for PostgreSQL 7.2 and earlier allows local users to cause a denial of service and possibly execute arbitrary code via a large negative argument, possibly triggering an integer signedness error or buffer overflow.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
          "Red Hat Linux Advanced Workstation 2.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2002-1397"
        },
        {
          "category": "external",
          "summary": "RHBZ#1616910",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616910"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2002-1397",
          "url": "https://www.cve.org/CVERecord?id=CVE-2002-1397"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-1397",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1397"
        }
      ],
      "release_date": "2002-08-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "This update corrects all of the above-mentioned buffer overruns.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nPlease note that this update is available via Red Hat Network.  To use Red\nHat Network, launch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nNote that no initdb will be necessary from previous PostgreSQL 7.1.3 packages.",
          "product_ids": [
            "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
            "Red Hat Linux Advanced Workstation 2.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2002:301"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "security flaw"
    },
    {
      "cve": "CVE-2002-1398",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1616911"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Buffer overflow in the date parser for PostgreSQL before 7.2.2 allows attackers to cause a denial of service and possibly execute arbitrary code via a long date string, aka a vulnerability \"in handling long datetime input.\"",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
          "Red Hat Linux Advanced Workstation 2.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2002-1398"
        },
        {
          "category": "external",
          "summary": "RHBZ#1616911",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616911"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2002-1398",
          "url": "https://www.cve.org/CVERecord?id=CVE-2002-1398"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-1398",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1398"
        }
      ],
      "release_date": "2002-08-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "This update corrects all of the above-mentioned buffer overruns.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nPlease note that this update is available via Red Hat Network.  To use Red\nHat Network, launch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nNote that no initdb will be necessary from previous PostgreSQL 7.1.3 packages.",
          "product_ids": [
            "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
            "Red Hat Linux Advanced Workstation 2.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2002:301"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "security flaw"
    },
    {
      "cve": "CVE-2002-1400",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1616912"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Heap-based buffer overflow in the repeat() function for PostgreSQL before 7.2.2 allows attackers to execute arbitrary code by causing repeat() to generate a large string.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
          "Red Hat Linux Advanced Workstation 2.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2002-1400"
        },
        {
          "category": "external",
          "summary": "RHBZ#1616912",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616912"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2002-1400",
          "url": "https://www.cve.org/CVERecord?id=CVE-2002-1400"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-1400",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1400"
        }
      ],
      "release_date": "2002-08-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "This update corrects all of the above-mentioned buffer overruns.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nPlease note that this update is available via Red Hat Network.  To use Red\nHat Network, launch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nNote that no initdb will be necessary from previous PostgreSQL 7.1.3 packages.",
          "product_ids": [
            "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
            "Red Hat Linux Advanced Workstation 2.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2002:301"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "security flaw"
    },
    {
      "cve": "CVE-2002-1401",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1616913"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Buffer overflows in (1) circle_poly, (2) path_encode and (3) path_add (also incorrectly identified as path_addr) for PostgreSQL 7.2.3 and earlier allow attackers to cause a denial of service and possibly execute arbitrary code, possibly as a result of an integer overflow.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
          "Red Hat Linux Advanced Workstation 2.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2002-1401"
        },
        {
          "category": "external",
          "summary": "RHBZ#1616913",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616913"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2002-1401",
          "url": "https://www.cve.org/CVERecord?id=CVE-2002-1401"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-1401",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1401"
        }
      ],
      "release_date": "2002-08-28T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "This update corrects all of the above-mentioned buffer overruns.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nPlease note that this update is available via Red Hat Network.  To use Red\nHat Network, launch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nNote that no initdb will be necessary from previous PostgreSQL 7.1.3 packages.",
          "product_ids": [
            "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
            "Red Hat Linux Advanced Workstation 2.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2002:301"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "security flaw"
    },
    {
      "cve": "CVE-2002-1402",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1616914"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Buffer overflows in the (1) TZ and (2) SET TIME ZONE enivronment variables for PostgreSQL 7.2.1 and earlier allow local users to cause a denial of service and possibly execute arbitrary code.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
          "Red Hat Linux Advanced Workstation 2.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2002-1402"
        },
        {
          "category": "external",
          "summary": "RHBZ#1616914",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616914"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2002-1402",
          "url": "https://www.cve.org/CVERecord?id=CVE-2002-1402"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-1402",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1402"
        }
      ],
      "release_date": "2002-08-28T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "This update corrects all of the above-mentioned buffer overruns.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nPlease note that this update is available via Red Hat Network.  To use Red\nHat Network, launch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nNote that no initdb will be necessary from previous PostgreSQL 7.1.3 packages.",
          "product_ids": [
            "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
            "Red Hat Linux Advanced Workstation 2.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2002:301"
        }
      ],
      "title": "security flaw"
    }
  ]
}

rhsa-2003_010

Vulnerability from csaf_redhat

Published

2003-01-14 22:40

Modified

2024-09-12 21:48

Summary

Red Hat Security Advisory: : Updated PostgreSQL packages fix buffer overrun vulnerabilities

Notes

Topic

Updated PostgreSQL packages are available for Red Hat Linux 6.2, 7, 7.1, and 7.2 where we have backported a number of security fixes. A separate advisory deals with updated PostgreSQL packages for Red Hat Linux 7.3 and 8.0.

Details

PostgreSQL is an advanced Object-Relational database management system (DBMS). A number of security issues have been found that affect PostgreSQL versions shipped with Red Hat Linux. Buffer overflows in PostgreSQL 7.2 allow attackers to cause a denial of service and possibly execute arbitrary code via long arguments to the lpad or rpad functions. CAN-2002-0972 Buffer overflow in the cash_words() function for PostgreSQL 7.2 and earlier allows local users to cause a denial of service and possibly execute arbitrary code via a malformed argument. CAN-2002-1397 Buffer overflow in the date parser for PostgreSQL before 7.2.2 allows attackers to cause a denial of service and possibly execute arbitrary code via a long date string, also known as a vulnerability "in handling long datetime input." CAN-2002-1398 Heap-based buffer overflow in the repeat() function for PostgreSQL before 7.2.2 allows attackers to execute arbitrary code by causing repeat() to generate a large string. CAN-2002-1400 Buffer overflows in circle_poly, path_encode and path_add allow attackers to cause a denial of service and possibly execute arbitrary code. Note that these issues have been fixed in our packages and in PostgreSQL CVS, but are not included in PostgreSQL version 7.2.2 or 7.2.3. CAN-2002-1401 Buffer overflows in the TZ and SET TIME ZONE enivronment variables for PostgreSQL 7.2.1 and earlier allow local users to cause a denial of service and possibly execute arbitrary code. CAN-2002-1402 Note that these vulnerabilities are only critical on open or shared systems because connecting to the database is required before the vulnerabilities can be exploited. The PostgreSQL Global Development Team has released versions of PostgreSQL that fixes these vulnerabilities, and these fixes have been isolated and backported to the various versions of PostgreSQL that originally shipped with each Red Hat Linux distribution. All users of PostgreSQL are advised to install these updated packages.

Terms of Use

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated PostgreSQL packages are available for Red Hat Linux 6.2, 7, 7.1,\nand 7.2 where we have backported a number of security fixes.  A separate\nadvisory  deals with updated PostgreSQL packages for Red Hat Linux 7.3 and 8.0.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "PostgreSQL is an advanced Object-Relational database management system\n(DBMS).  A number of security issues have been found that affect PostgreSQL\nversions shipped with Red Hat Linux.  \n\nBuffer overflows in PostgreSQL 7.2 allow attackers to cause a denial of\nservice and possibly execute arbitrary code via long arguments to the lpad\nor rpad functions. CAN-2002-0972\n\nBuffer overflow in the cash_words() function for PostgreSQL 7.2 and\nearlier allows local users to cause a denial of service and possibly\nexecute arbitrary code via a malformed argument.  CAN-2002-1397\n\nBuffer overflow in the date parser for PostgreSQL before 7.2.2 allows\nattackers to cause a denial of service and possibly execute arbitrary\ncode via a long date string, also known as a vulnerability \"in handling\nlong datetime input.\"  CAN-2002-1398\n\nHeap-based buffer overflow in the repeat() function for PostgreSQL\nbefore 7.2.2 allows attackers to execute arbitrary code by causing\nrepeat() to generate a large string.  CAN-2002-1400\n\nBuffer overflows in circle_poly, path_encode and path_add allow attackers\nto cause a denial of service and possibly execute arbitrary code.   Note\nthat these issues have been fixed in our packages and in PostgreSQL CVS,\nbut are not included in PostgreSQL version 7.2.2 or 7.2.3.  CAN-2002-1401\n\nBuffer overflows in the TZ and SET TIME ZONE enivronment variables for\nPostgreSQL 7.2.1 and earlier allow local users to cause a denial of service\nand possibly execute arbitrary code.  CAN-2002-1402\n\nNote that these vulnerabilities are only critical on open or shared systems\nbecause connecting to the database is required before the vulnerabilities\ncan be exploited.\n\nThe PostgreSQL Global Development Team has released versions of PostgreSQL\nthat fixes these vulnerabilities, and these fixes have been isolated and\nbackported to the various versions of PostgreSQL that originally shipped\nwith each Red Hat Linux distribution.  All users of  PostgreSQL are advised\nto install these updated packages.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2003:010",
        "url": "https://access.redhat.com/errata/RHSA-2003:010"
      },
      {
        "category": "external",
        "summary": "http://lwn.net/Articles/8445/",
        "url": "http://lwn.net/Articles/8445/"
      },
      {
        "category": "external",
        "summary": "http://marc.theaimsgroup.com/?l=postgresql-announce\u0026m=103062536330644",
        "url": "http://marc.theaimsgroup.com/?l=postgresql-announce\u0026m=103062536330644"
      },
      {
        "category": "external",
        "summary": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=102978152712430",
        "url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=102978152712430"
      },
      {
        "category": "external",
        "summary": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=102987306029821",
        "url": "http://marc.theaimsgroup.com/?l=bugtraq\u0026m=102987306029821"
      },
      {
        "category": "external",
        "summary": "http://marc.theaimsgroup.com/?l=postgresql-general\u0026m=102995302604086",
        "url": "http://marc.theaimsgroup.com/?l=postgresql-general\u0026m=102995302604086"
      },
      {
        "category": "external",
        "summary": "http://online.securityfocus.com/archive/1/288334",
        "url": "http://online.securityfocus.com/archive/1/288334"
      },
      {
        "category": "external",
        "summary": "http://online.securityfocus.com/archive/1/288305",
        "url": "http://online.securityfocus.com/archive/1/288305"
      },
      {
        "category": "external",
        "summary": "http://online.securityfocus.com/archive/1/288036",
        "url": "http://online.securityfocus.com/archive/1/288036"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2003/rhsa-2003_010.json"
      }
    ],
    "title": "Red Hat Security Advisory: : Updated PostgreSQL packages fix buffer overrun vulnerabilities",
    "tracking": {
      "current_release_date": "2024-09-12T21:48:11+00:00",
      "generator": {
        "date": "2024-09-12T21:48:11+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "3.33.3"
        }
      },
      "id": "RHSA-2003:010",
      "initial_release_date": "2003-01-14T22:40:00+00:00",
      "revision_history": [
        {
          "date": "2003-01-14T22:40:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2003-01-08T00:00:00+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-09-12T21:48:11+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Linux 6.2",
                "product": {
                  "name": "Red Hat Linux 6.2",
                  "product_id": "Red Hat Linux 6.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:linux:6.2"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Linux 7.0",
                "product": {
                  "name": "Red Hat Linux 7.0",
                  "product_id": "Red Hat Linux 7.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:linux:7.0"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Linux 7.1",
                "product": {
                  "name": "Red Hat Linux 7.1",
                  "product_id": "Red Hat Linux 7.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:linux:7.1"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Linux 7.2",
                "product": {
                  "name": "Red Hat Linux 7.2",
                  "product_id": "Red Hat Linux 7.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:linux:7.2"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Linux"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2002-0972",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1616832"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Buffer overflows in PostgreSQL 7.2 allow attackers to cause a denial of service and possibly execute arbitrary code via long arguments to the functions (1) lpad or (2) rpad.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Linux 6.2",
          "Red Hat Linux 7.0",
          "Red Hat Linux 7.1",
          "Red Hat Linux 7.2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2002-0972"
        },
        {
          "category": "external",
          "summary": "RHBZ#1616832",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616832"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2002-0972",
          "url": "https://www.cve.org/CVERecord?id=CVE-2002-0972"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0972",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0972"
        }
      ],
      "release_date": "2002-08-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nPlease note that this update is available via Red Hat Network.  To use Red\nHat Network, launch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nNote that no initdb will be necessary from previous PostgreSQL packages.",
          "product_ids": [
            "Red Hat Linux 6.2",
            "Red Hat Linux 7.0",
            "Red Hat Linux 7.1",
            "Red Hat Linux 7.2"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2003:010"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "security flaw"
    },
    {
      "cve": "CVE-2002-1397",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1616910"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Vulnerability in the cash_words() function for PostgreSQL 7.2 and earlier allows local users to cause a denial of service and possibly execute arbitrary code via a large negative argument, possibly triggering an integer signedness error or buffer overflow.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Linux 6.2",
          "Red Hat Linux 7.0",
          "Red Hat Linux 7.1",
          "Red Hat Linux 7.2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2002-1397"
        },
        {
          "category": "external",
          "summary": "RHBZ#1616910",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616910"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2002-1397",
          "url": "https://www.cve.org/CVERecord?id=CVE-2002-1397"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-1397",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1397"
        }
      ],
      "release_date": "2002-08-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nPlease note that this update is available via Red Hat Network.  To use Red\nHat Network, launch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nNote that no initdb will be necessary from previous PostgreSQL packages.",
          "product_ids": [
            "Red Hat Linux 6.2",
            "Red Hat Linux 7.0",
            "Red Hat Linux 7.1",
            "Red Hat Linux 7.2"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2003:010"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "security flaw"
    },
    {
      "cve": "CVE-2002-1398",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1616911"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Buffer overflow in the date parser for PostgreSQL before 7.2.2 allows attackers to cause a denial of service and possibly execute arbitrary code via a long date string, aka a vulnerability \"in handling long datetime input.\"",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Linux 6.2",
          "Red Hat Linux 7.0",
          "Red Hat Linux 7.1",
          "Red Hat Linux 7.2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2002-1398"
        },
        {
          "category": "external",
          "summary": "RHBZ#1616911",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616911"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2002-1398",
          "url": "https://www.cve.org/CVERecord?id=CVE-2002-1398"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-1398",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1398"
        }
      ],
      "release_date": "2002-08-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nPlease note that this update is available via Red Hat Network.  To use Red\nHat Network, launch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nNote that no initdb will be necessary from previous PostgreSQL packages.",
          "product_ids": [
            "Red Hat Linux 6.2",
            "Red Hat Linux 7.0",
            "Red Hat Linux 7.1",
            "Red Hat Linux 7.2"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2003:010"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "security flaw"
    },
    {
      "cve": "CVE-2002-1400",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1616912"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Heap-based buffer overflow in the repeat() function for PostgreSQL before 7.2.2 allows attackers to execute arbitrary code by causing repeat() to generate a large string.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Linux 6.2",
          "Red Hat Linux 7.0",
          "Red Hat Linux 7.1",
          "Red Hat Linux 7.2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2002-1400"
        },
        {
          "category": "external",
          "summary": "RHBZ#1616912",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616912"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2002-1400",
          "url": "https://www.cve.org/CVERecord?id=CVE-2002-1400"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-1400",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1400"
        }
      ],
      "release_date": "2002-08-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nPlease note that this update is available via Red Hat Network.  To use Red\nHat Network, launch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nNote that no initdb will be necessary from previous PostgreSQL packages.",
          "product_ids": [
            "Red Hat Linux 6.2",
            "Red Hat Linux 7.0",
            "Red Hat Linux 7.1",
            "Red Hat Linux 7.2"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2003:010"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "security flaw"
    },
    {
      "cve": "CVE-2002-1401",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1616913"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Buffer overflows in (1) circle_poly, (2) path_encode and (3) path_add (also incorrectly identified as path_addr) for PostgreSQL 7.2.3 and earlier allow attackers to cause a denial of service and possibly execute arbitrary code, possibly as a result of an integer overflow.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Linux 6.2",
          "Red Hat Linux 7.0",
          "Red Hat Linux 7.1",
          "Red Hat Linux 7.2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2002-1401"
        },
        {
          "category": "external",
          "summary": "RHBZ#1616913",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616913"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2002-1401",
          "url": "https://www.cve.org/CVERecord?id=CVE-2002-1401"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-1401",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1401"
        }
      ],
      "release_date": "2002-08-28T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nPlease note that this update is available via Red Hat Network.  To use Red\nHat Network, launch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nNote that no initdb will be necessary from previous PostgreSQL packages.",
          "product_ids": [
            "Red Hat Linux 6.2",
            "Red Hat Linux 7.0",
            "Red Hat Linux 7.1",
            "Red Hat Linux 7.2"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2003:010"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "security flaw"
    },
    {
      "cve": "CVE-2002-1402",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1616914"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Buffer overflows in the (1) TZ and (2) SET TIME ZONE enivronment variables for PostgreSQL 7.2.1 and earlier allow local users to cause a denial of service and possibly execute arbitrary code.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Linux 6.2",
          "Red Hat Linux 7.0",
          "Red Hat Linux 7.1",
          "Red Hat Linux 7.2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2002-1402"
        },
        {
          "category": "external",
          "summary": "RHBZ#1616914",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616914"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2002-1402",
          "url": "https://www.cve.org/CVERecord?id=CVE-2002-1402"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-1402",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1402"
        }
      ],
      "release_date": "2002-08-28T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nPlease note that this update is available via Red Hat Network.  To use Red\nHat Network, launch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.\n\nNote that no initdb will be necessary from previous PostgreSQL packages.",
          "product_ids": [
            "Red Hat Linux 6.2",
            "Red Hat Linux 7.0",
            "Red Hat Linux 7.1",
            "Red Hat Linux 7.2"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2003:010"
        }
      ],
      "title": "security flaw"
    }
  ]
}

rhsa-2003_001

Vulnerability from csaf_redhat

Published

2003-01-14 22:22

Modified

2024-09-12 21:48

Summary

Red Hat Security Advisory: : Updated PostgreSQL packages fix security issues and bugs

Notes

Topic

Updated PostgreSQL packages are available for Red Hat Linux 7.3 and 8.0. These packages correct several security and other bugs. A separate advisory deals with updated PostgreSQL packages for Red Hat Linux 6.2, 7, 7.1, and 7.2.

Details

PostgreSQL is an advanced Object-Relational database management system. Red Hat Linux 7.3 shipped with PostgreSQL version 7.2.1. Red Hat Linux 8.0 shipped with PostgreSQL version 7.2.2. PostgreSQL versions 7.2.1 and 7.2.2 contain a serious issue with the VACUUM command when it is run by a non-superuser. It is possible for the system to prematurely remove old transaction log data (pg_clog files), which can result in unrecoverable data loss. A number of minor security issues affect the PostgreSQL 7.2.1 packages shipped with Red Hat Linux 7.3 only: 1. Buffer overflows in PostgreSQL 7.2 allow attackers to cause a denial of service and possibly execute arbitrary code via long arguments to the lpad or rpad functions. CAN-2002-0972 2. Buffer overflow in the cash_words() function allows local users to cause a denial of service and possibly execute arbitrary code via a malformed argument. CAN-2002-1397 3. Buffer overflow in the date parser allows attackers to cause a denial of service and possibly execute arbitrary code via a long date string, also known as a vulnerability "in handling long datetime input." CAN-2002-1398 4. Heap-based buffer overflow in the repeat() function allows attackers to execute arbitrary code by causing repeat() to generate a large string. CAN-2002-1400 5. Buffer overflows in the TZ and SET TIME ZONE enivronment variables allow local users to cause a denial of service and possibly execute arbitrary code. CAN-2002-1402 Additionally, buffer overflows in circle_poly, path_encode and path_add allow attackers to cause a denial of service and possibly execute arbitrary code. Note that these overflows have been fixed in our erratum packages and in PostgreSQL CVS, but are not fixed in the released versions of PostgreSQL version 7.2.3. CAN-2002-1401 The above vulnerabilities are only critical on open or shared systems because connecting to the database is required before the vulnerabilities can be exploited. This update also contains fixes for several other PostgreSQL bugs, including handling of pre-1970 date values in newer versions of glibc, possible server shutdown hangs, spinlock hangs on SMP PPC machines, and pg_dump improperly dumping with the FULL JOIN USING clauses. All users of PostgreSQL should upgrade to these errata packages containing PostgreSQL 7.2.3 with additional patches to correct all these issues. Note that running initdb is not necessary when upgrading from 7.2.1 or 7.2.2 to the packages contained in this errata.

Terms of Use

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated PostgreSQL packages are available for Red Hat Linux 7.3 and 8.0.\nThese packages correct several security and other bugs.  A separate\nadvisory deals with updated PostgreSQL packages for Red Hat Linux 6.2, 7,\n7.1, and 7.2.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "PostgreSQL is an advanced Object-Relational database management system. \nRed Hat Linux 7.3 shipped with PostgreSQL version 7.2.1.  Red Hat Linux 8.0\nshipped with PostgreSQL version 7.2.2.\n\nPostgreSQL versions 7.2.1 and 7.2.2 contain a serious issue with the VACUUM\ncommand when it is run by a non-superuser.  It is possible for the system\nto prematurely remove old transaction log data (pg_clog files), which can\nresult in unrecoverable data loss.\n\nA number of minor security issues affect the PostgreSQL 7.2.1 packages\nshipped with Red Hat Linux 7.3 only:\n\n1. Buffer overflows in PostgreSQL 7.2 allow attackers to cause a denial of\nservice and possibly execute arbitrary code via long arguments to the lpad\nor rpad functions.   CAN-2002-0972\n \n2. Buffer overflow in the cash_words() function allows local users to cause\na denial of service and possibly execute arbitrary code via a malformed\nargument. CAN-2002-1397\n\n3. Buffer overflow in the date parser allows attackers to cause a denial of\nservice and possibly execute arbitrary code via a long date string, also\nknown as a vulnerability \"in handling long datetime input.\" CAN-2002-1398\n\n4. Heap-based buffer overflow in the repeat() function allows attackers to\nexecute arbitrary code by causing repeat() to generate a large string.\nCAN-2002-1400\n\n5. Buffer overflows in the TZ and SET TIME ZONE enivronment variables allow\nlocal users to cause a denial of service and possibly execute arbitrary\ncode. CAN-2002-1402\n\nAdditionally, buffer overflows in circle_poly, path_encode and path_add\nallow attackers to cause a denial of service and possibly execute arbitrary\ncode. Note that these overflows have been fixed in our erratum packages and\nin PostgreSQL CVS, but are not fixed in the released versions of PostgreSQL\nversion 7.2.3. CAN-2002-1401\n\nThe above vulnerabilities are only critical on open or shared systems\nbecause connecting to the database is required before the vulnerabilities\ncan be exploited. \n\nThis update also contains fixes for several other PostgreSQL bugs,\nincluding handling of pre-1970 date values in newer versions of glibc,\npossible server shutdown hangs, spinlock hangs on SMP PPC machines, and\npg_dump improperly dumping with the FULL JOIN USING clauses.\n\nAll users of PostgreSQL should upgrade to these errata packages containing\nPostgreSQL 7.2.3 with additional patches to correct all these issues. Note\nthat running initdb is not necessary when upgrading from 7.2.1 or 7.2.2 to\nthe packages contained in this errata.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2003:001",
        "url": "https://access.redhat.com/errata/RHSA-2003:001"
      },
      {
        "category": "external",
        "summary": "http://www3.ca.postgresql.org/users-lounge/docs/7.3/postgres/release-7-2-3.html",
        "url": "http://www3.ca.postgresql.org/users-lounge/docs/7.3/postgres/release-7-2-3.html"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2003/rhsa-2003_001.json"
      }
    ],
    "title": "Red Hat Security Advisory: : Updated PostgreSQL packages fix security issues and bugs",
    "tracking": {
      "current_release_date": "2024-09-12T21:48:23+00:00",
      "generator": {
        "date": "2024-09-12T21:48:23+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "3.33.3"
        }
      },
      "id": "RHSA-2003:001",
      "initial_release_date": "2003-01-14T22:22:00+00:00",
      "revision_history": [
        {
          "date": "2003-01-14T22:22:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2003-02-07T00:00:00+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-09-12T21:48:23+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Linux 7.3",
                "product": {
                  "name": "Red Hat Linux 7.3",
                  "product_id": "Red Hat Linux 7.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:linux:7.3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Linux 8.0",
                "product": {
                  "name": "Red Hat Linux 8.0",
                  "product_id": "Red Hat Linux 8.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:linux:8.0"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Linux"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2002-0972",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1616832"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Buffer overflows in PostgreSQL 7.2 allow attackers to cause a denial of service and possibly execute arbitrary code via long arguments to the functions (1) lpad or (2) rpad.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Linux 7.3",
          "Red Hat Linux 8.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2002-0972"
        },
        {
          "category": "external",
          "summary": "RHBZ#1616832",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616832"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2002-0972",
          "url": "https://www.cve.org/CVERecord?id=CVE-2002-0972"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0972",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0972"
        }
      ],
      "release_date": "2002-08-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
          "product_ids": [
            "Red Hat Linux 7.3",
            "Red Hat Linux 8.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2003:001"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "security flaw"
    },
    {
      "cve": "CVE-2002-1397",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1616910"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Vulnerability in the cash_words() function for PostgreSQL 7.2 and earlier allows local users to cause a denial of service and possibly execute arbitrary code via a large negative argument, possibly triggering an integer signedness error or buffer overflow.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Linux 7.3",
          "Red Hat Linux 8.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2002-1397"
        },
        {
          "category": "external",
          "summary": "RHBZ#1616910",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616910"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2002-1397",
          "url": "https://www.cve.org/CVERecord?id=CVE-2002-1397"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-1397",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1397"
        }
      ],
      "release_date": "2002-08-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
          "product_ids": [
            "Red Hat Linux 7.3",
            "Red Hat Linux 8.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2003:001"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "security flaw"
    },
    {
      "cve": "CVE-2002-1398",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1616911"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Buffer overflow in the date parser for PostgreSQL before 7.2.2 allows attackers to cause a denial of service and possibly execute arbitrary code via a long date string, aka a vulnerability \"in handling long datetime input.\"",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Linux 7.3",
          "Red Hat Linux 8.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2002-1398"
        },
        {
          "category": "external",
          "summary": "RHBZ#1616911",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616911"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2002-1398",
          "url": "https://www.cve.org/CVERecord?id=CVE-2002-1398"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-1398",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1398"
        }
      ],
      "release_date": "2002-08-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
          "product_ids": [
            "Red Hat Linux 7.3",
            "Red Hat Linux 8.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2003:001"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "security flaw"
    },
    {
      "cve": "CVE-2002-1400",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1616912"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Heap-based buffer overflow in the repeat() function for PostgreSQL before 7.2.2 allows attackers to execute arbitrary code by causing repeat() to generate a large string.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Linux 7.3",
          "Red Hat Linux 8.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2002-1400"
        },
        {
          "category": "external",
          "summary": "RHBZ#1616912",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616912"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2002-1400",
          "url": "https://www.cve.org/CVERecord?id=CVE-2002-1400"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-1400",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1400"
        }
      ],
      "release_date": "2002-08-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
          "product_ids": [
            "Red Hat Linux 7.3",
            "Red Hat Linux 8.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2003:001"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "security flaw"
    },
    {
      "cve": "CVE-2002-1401",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1616913"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Buffer overflows in (1) circle_poly, (2) path_encode and (3) path_add (also incorrectly identified as path_addr) for PostgreSQL 7.2.3 and earlier allow attackers to cause a denial of service and possibly execute arbitrary code, possibly as a result of an integer overflow.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Linux 7.3",
          "Red Hat Linux 8.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2002-1401"
        },
        {
          "category": "external",
          "summary": "RHBZ#1616913",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616913"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2002-1401",
          "url": "https://www.cve.org/CVERecord?id=CVE-2002-1401"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-1401",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1401"
        }
      ],
      "release_date": "2002-08-28T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
          "product_ids": [
            "Red Hat Linux 7.3",
            "Red Hat Linux 8.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2003:001"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "security flaw"
    },
    {
      "cve": "CVE-2002-1402",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1616914"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Buffer overflows in the (1) TZ and (2) SET TIME ZONE enivronment variables for PostgreSQL 7.2.1 and earlier allow local users to cause a denial of service and possibly execute arbitrary code.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Linux 7.3",
          "Red Hat Linux 8.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2002-1402"
        },
        {
          "category": "external",
          "summary": "RHBZ#1616914",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616914"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2002-1402",
          "url": "https://www.cve.org/CVERecord?id=CVE-2002-1402"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-1402",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1402"
        }
      ],
      "release_date": "2002-08-28T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade.  Only those\nRPMs which are currently installed will be updated.  Those RPMs which are\nnot installed but included in the list will not be updated.  Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nPlease note that this update is also available via Red Hat Network.  Many\npeople find this an easier way to apply updates.  To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
          "product_ids": [
            "Red Hat Linux 7.3",
            "Red Hat Linux 8.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2003:001"
        }
      ],
      "title": "security flaw"
    }
  ]
}

gsd-2002-1401

Vulnerability from gsd

Modified

2023-12-13 01:24

Details

Buffer overflows in (1) circle_poly, (2) path_encode and (3) path_add (also incorrectly identified as path_addr) for PostgreSQL 7.2.3 and earlier allow attackers to cause a denial of service and possibly execute arbitrary code, possibly as a result of an integer overflow.

Aliases

CVE-2002-1401

Aliases

CVE-2002-1401

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2002-1401",
    "description": "Buffer overflows in (1) circle_poly, (2) path_encode and (3) path_add (also incorrectly identified as path_addr) for PostgreSQL 7.2.3 and earlier allow attackers to cause a denial of service and possibly execute arbitrary code, possibly as a result of an integer overflow.",
    "id": "GSD-2002-1401",
    "references": [
      "https://www.debian.org/security/2002/dsa-165",
      "https://access.redhat.com/errata/RHSA-2003:010",
      "https://access.redhat.com/errata/RHSA-2003:001",
      "https://access.redhat.com/errata/RHSA-2002:301"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2002-1401"
      ],
      "details": "Buffer overflows in (1) circle_poly, (2) path_encode and (3) path_add (also incorrectly identified as path_addr) for PostgreSQL 7.2.3 and earlier allow attackers to cause a denial of service and possibly execute arbitrary code, possibly as a result of an integer overflow.",
      "id": "GSD-2002-1401",
      "modified": "2023-12-13T01:24:10.959992Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2002-1401",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Buffer overflows in (1) circle_poly, (2) path_encode and (3) path_add (also incorrectly identified as path_addr) for PostgreSQL 7.2.3 and earlier allow attackers to cause a denial of service and possibly execute arbitrary code, possibly as a result of an integer overflow."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "CLA-2002:524",
            "refsource": "CONECTIVA",
            "url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000524"
          },
          {
            "name": "http://archives.postgresql.org/pgsql-hackers/2002-08/msg02047.php",
            "refsource": "MISC",
            "url": "http://archives.postgresql.org/pgsql-hackers/2002-08/msg02047.php"
          },
          {
            "name": "8034",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/8034"
          },
          {
            "name": "http://archives.postgresql.org/pgsql-hackers/2002-08/msg02081.php",
            "refsource": "MISC",
            "url": "http://archives.postgresql.org/pgsql-hackers/2002-08/msg02081.php"
          },
          {
            "name": "RHSA-2003:001",
            "refsource": "REDHAT",
            "url": "http://www.redhat.com/support/errata/RHSA-2003-001.html"
          },
          {
            "name": "DSA-165",
            "refsource": "DEBIAN",
            "url": "http://www.debian.org/security/2002/dsa-165"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:postgresql:postgresql:7.2.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:postgresql:postgresql:7.1.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:postgresql:postgresql:7.2.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:postgresql:postgresql:6.5.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:postgresql:postgresql:7.0.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:postgresql:postgresql:7.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:postgresql:postgresql:7.1.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:postgresql:postgresql:7.1.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:postgresql:postgresql:6.3.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:postgresql:postgresql:7.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:postgresql:postgresql:7.2.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2002-1401"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Buffer overflows in (1) circle_poly, (2) path_encode and (3) path_add (also incorrectly identified as path_addr) for PostgreSQL 7.2.3 and earlier allow attackers to cause a denial of service and possibly execute arbitrary code, possibly as a result of an integer overflow."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-119"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://archives.postgresql.org/pgsql-hackers/2002-08/msg02047.php",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://archives.postgresql.org/pgsql-hackers/2002-08/msg02047.php"
            },
            {
              "name": "DSA-165",
              "refsource": "DEBIAN",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "http://www.debian.org/security/2002/dsa-165"
            },
            {
              "name": "http://archives.postgresql.org/pgsql-hackers/2002-08/msg02081.php",
              "refsource": "MISC",
              "tags": [],
              "url": "http://archives.postgresql.org/pgsql-hackers/2002-08/msg02081.php"
            },
            {
              "name": "CLA-2002:524",
              "refsource": "CONECTIVA",
              "tags": [],
              "url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000524"
            },
            {
              "name": "RHSA-2003:001",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://www.redhat.com/support/errata/RHSA-2003-001.html"
            },
            {
              "name": "8034",
              "refsource": "SECUNIA",
              "tags": [],
              "url": "http://secunia.com/advisories/8034"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": true,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2008-09-10T04:00Z",
      "publishedDate": "2003-01-17T05:00Z"
    }
  }
}

ghsa-xcqr-pm35-6p88

Vulnerability from github

Published

2022-04-30 18:21

Modified

2022-04-30 18:21

Details

Buffer overflows in (1) circle_poly, (2) path_encode and (3) path_add (also incorrectly identified as path_addr) for PostgreSQL 7.2.3 and earlier allow attackers to cause a denial of service and possibly execute arbitrary code, possibly as a result of an integer overflow.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2002-1401"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-119"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2003-01-17T05:00:00Z",
    "severity": "MODERATE"
  },
  "details": "Buffer overflows in (1) circle_poly, (2) path_encode and (3) path_add (also incorrectly identified as path_addr) for PostgreSQL 7.2.3 and earlier allow attackers to cause a denial of service and possibly execute arbitrary code, possibly as a result of an integer overflow.",
  "id": "GHSA-xcqr-pm35-6p88",
  "modified": "2022-04-30T18:21:05Z",
  "published": "2022-04-30T18:21:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1401"
    },
    {
      "type": "WEB",
      "url": "http://archives.postgresql.org/pgsql-hackers/2002-08/msg02047.php"
    },
    {
      "type": "WEB",
      "url": "http://archives.postgresql.org/pgsql-hackers/2002-08/msg02081.php"
    },
    {
      "type": "WEB",
      "url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000524"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/8034"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2002/dsa-165"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2003-001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Action not permitted

cve-2002-1401

Vulnerability from cvelistv5

rhsa-2002_301

Vulnerability from csaf_redhat

rhsa-2003_010

Vulnerability from csaf_redhat

rhsa-2003_001

Vulnerability from csaf_redhat

gsd-2002-1401

Vulnerability from gsd

ghsa-xcqr-pm35-6p88

Vulnerability from github

Tags