Updated PostgreSQL packages fix buffer overrun vulnerabilities

Updated PostgreSQL packages are available for Red Hat Linux 6.2, 7, 7.1,
and 7.2 where we have backported a number of security fixes. A separate
advisory deals with updated PostgreSQL packages for Red Hat Linux 7.3 and 8.0.

PostgreSQL is an advanced Object-Relational database management system
(DBMS). A number of security issues have been found that affect PostgreSQL
versions shipped with Red Hat Linux.

Buffer overflows in PostgreSQL 7.2 allow attackers to cause a denial of
service and possibly execute arbitrary code via long arguments to the lpad
or rpad functions. CAN-2002-0972

Buffer overflow in the cash_words() function for PostgreSQL 7.2 and
earlier allows local users to cause a denial of service and possibly
execute arbitrary code via a malformed argument. CAN-2002-1397

Buffer overflow in the date parser for PostgreSQL before 7.2.2 allows
attackers to cause a denial of service and possibly execute arbitrary
code via a long date string, also known as a vulnerability "in handling
long datetime input." CAN-2002-1398

Heap-based buffer overflow in the repeat() function for PostgreSQL
before 7.2.2 allows attackers to execute arbitrary code by causing
repeat() to generate a large string. CAN-2002-1400

Buffer overflows in circle_poly, path_encode and path_add allow attackers
to cause a denial of service and possibly execute arbitrary code. Note
that these issues have been fixed in our packages and in PostgreSQL CVS,
but are not included in PostgreSQL version 7.2.2 or 7.2.3. CAN-2002-1401

Buffer overflows in the TZ and SET TIME ZONE enivronment variables for
PostgreSQL 7.2.1 and earlier allow local users to cause a denial of service
and possibly execute arbitrary code. CAN-2002-1402

Note that these vulnerabilities are only critical on open or shared systems
because connecting to the database is required before the vulnerabilities
can be exploited.

The PostgreSQL Global Development Team has released versions of PostgreSQL
that fixes these vulnerabilities, and these fixes have been isolated and
backported to the various versions of PostgreSQL that originally shipped
with each Red Hat Linux distribution. All users of PostgreSQL are advised
to install these updated packages.

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

Please note that this update is available via Red Hat Network. To use Red
Hat Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Note that no initdb will be necessary from previous PostgreSQL packages.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0972
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1397
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1398
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1400
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1401
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1402
http://lwn.net/Articles/8445/
http://marc.theaimsgroup.com/?l=postgresql-announce&m=103062536330644
http://marc.theaimsgroup.com/?l=bugtraq&m=102978152712430
http://marc.theaimsgroup.com/?l=bugtraq&m=102987306029821
http://marc.theaimsgroup.com/?l=postgresql-general&m=102995302604086
http://online.securityfocus.com/archive/1/288334
http://online.securityfocus.com/archive/1/288305
http://online.securityfocus.com/archive/1/288036

datetime, lpad, multibyte, PostgreSQL, rpad