864850 – (CVE-2014-0063) VUL-0: CVE-2014-0063: postgresql: stack-based buffer overflow in datetime input/output

Bug 864850 (CVE-2014-0063) - VUL-0: CVE-2014-0063: postgresql: stack-based buffer overflow in datetime input/output

Summary: VUL-0: CVE-2014-0063: postgresql: stack-based buffer overflow in datetime inp...

Status:	RESOLVED FIXED

Alias:	CVE-2014-0063

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Deadline:	2014-12-25
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/96413/
Whiteboard:	maint:released:sle10-sp3:60008
Keywords:

Depends on:
Blocks:	864856
	Show dependency tree / graph

Clone This Bug

Reported:	2014-02-20 11:05 UTC by Victor Pereira
Modified:	2018-11-07 16:27 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Victor Pereira 2014-02-20 11:05:10 UTC

CVE-2014-0063

It was found that the buffers used to hold datetime output were too small. Long output could lead to a stack-based buffer overflow, possibly allowing an authenticated database user to crash the PostgreSQL server or execute arbitrary code.

Acknowledgements:

Thanks to the PostgreSQL project for reporting this issue. Upstream acknowledges Daniel Schüssler as the original reporter.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0063
https://bugzilla.redhat.com/show_bug.cgi?id=1065226

Comment 1 Swamp Workflow Management 2014-02-20 23:01:34 UTC

bugbot adjusting priority

Comment 2 Swamp Workflow Management 2014-02-21 15:08:14 UTC

The SWAMPID for this issue is 56361.
This issue was rated as moderate.
Please submit fixed packages until 2014-03-07.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.

Comment 3 SMASH SMASH 2014-02-21 15:10:18 UTC

Affected packages:

SLE-11-SP3: postgresql
SLE-10-SP3-TERADATA: postgresql
SLE-11-SP2: postgresql

Comment 6 Swamp Workflow Management 2014-03-08 14:05:30 UTC

openSUSE-SU-2014:0345-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 864845,864846,864847,864850,864851,864852,864853
CVE References: CVE-2014-0060,CVE-2014-0061,CVE-2014-0062,CVE-2014-0063,CVE-2014-0064,CVE-2014-0065,CVE-2014-0066,CVE-2014-0067
Sources used:
openSUSE 13.1 (src):    postgresql92-9.2.7-4.4.1, postgresql92-libs-9.2.7-4.4.1
openSUSE 12.3 (src):    postgresql92-9.2.7-1.12.1, postgresql92-libs-9.2.7-1.12.1

Comment 7 Swamp Workflow Management 2014-03-13 18:05:19 UTC

openSUSE-SU-2014:0368-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 864845,864846,864847,864850,864851,864852,864853
CVE References: CVE-2014-0060,CVE-2014-0061,CVE-2014-0062,CVE-2014-0063,CVE-2014-0064,CVE-2014-0065,CVE-2014-0066,CVE-2014-0067
Sources used:
openSUSE 11.4 (src):    postgresql-9.0.16-43.1, postgresql-libs-9.0.16-43.1

Comment 8 Swamp Workflow Management 2014-03-28 13:04:22 UTC

Update released for: libecpg6, libpq5, postgresql91, postgresql91-contrib, postgresql91-debuginfo, postgresql91-debugsource, postgresql91-devel, postgresql91-docs, postgresql91-libs, postgresql91-libs-debuginfo, postgresql91-libs-debugsource, postgresql91-plperl, postgresql91-plpython, postgresql91-pltcl, postgresql91-server, postgresql91-test
Products:
SLE-DEBUGINFO 11-SP1-TERADATA (x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)

Comment 9 Swamp Workflow Management 2014-03-28 15:48:51 UTC

Update released for: libecpg6, libecpg6-32bit, libecpg6-64bit, libecpg6-x86, libpq5, libpq5-32bit, libpq5-64bit, libpq5-x86, postgresql91, postgresql91-contrib, postgresql91-debuginfo, postgresql91-debugsource, postgresql91-devel, postgresql91-docs, postgresql91-libs, postgresql91-libs-debuginfo, postgresql91-libs-debugsource, postgresql91-plperl, postgresql91-plpython, postgresql91-pltcl, postgresql91-server, postgresql91-test
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)

Comment 10 Swamp Workflow Management 2014-03-28 19:04:51 UTC

SUSE-SU-2014:0461-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 864845,864846,864847,864850,864851,864852,864853
CVE References: CVE-2014-0060,CVE-2014-0061,CVE-2014-0062,CVE-2014-0063,CVE-2014-0064,CVE-2014-0065,CVE-2014-0066
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    postgresql91-libs-9.1.12-0.3.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    postgresql91-9.1.12-0.3.1, postgresql91-libs-9.1.12-0.3.1
SUSE Linux Enterprise Server 11 SP3 (src):    postgresql91-9.1.12-0.3.1, postgresql91-libs-9.1.12-0.3.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    postgresql91-9.1.12-0.3.1, postgresql91-libs-9.1.12-0.3.1

Comment 14 Swamp Workflow Management 2014-12-11 09:30:54 UTC

An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2014-12-25.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/60006

Comment 15 Marcus Meissner 2015-01-14 15:39:06 UTC

released