postgresql-8.1 8.1.4-0ubuntu1.2 source package in Ubuntu

Changelog

postgresql-8.1 (8.1.4-0ubuntu1.2) dapper-security; urgency=low

  * SECURITY UPDATE: Read out arbitrary memory locations from the server,
    local DoS.
  * Add debian/patches/00upstream-sql-fun-typecheck.patch:
    - Repair insufficiently careful type checking for SQL-language functions.
      Not only can one trivially crash the backend, but with appropriate
      misuse of pass-by-reference datatypes it is possible to read out
      arbitrary locations in the server process's memory, which could allow
      retrieving database content the user should not be able to see.
    - Discovered by Jeff Trout.
    - Patch backported from 8.1.7 from CVS:
      http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/functions.c.diff?r1=1.98.2.2;r2=1.98.2.3
      http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/optimizer/util/clauses.c.diff?r1=1.201.2.1;r2=1.201.2.2
    - CVE-2007-0555
  * Add debian/patches/00upstream-table-plan-consistency.patch:
    - Check that a table is still compatible with a previously made query
      plan. Use of ALTER COLUMN TYPE creates a hazard for cached query plans:
      they could contain vars that claim a column has a different type than it
      now has.  Not only can one trivially crash the backend, but with
      appropriate misuse of pass-by-reference datatypes it is possible to read
      out arbitrary locations in the server process's memory, which could allow
      retrieving database content the user should not be able to see.
    - Discovered by Jeff Trout.
    - Patch backported from 8.1.7 from CVS:
      http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/commands/tablecmds.c.diff?r1=1.174.2.3;r2=1.174.2.4
      http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/execQual.c.diff?r1=1.183.2.4;r2=1.183.2.5
      http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/execScan.c.diff?r1=1.37.2.1;r2=1.37.2.2
      http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/execUtils.c.diff?r1=1.126.2.3;r2=1.126.2.4
      http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeAgg.c.diff?r1=1.135.2.1;r2=1.135.2.2
      http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeGroup.c.diff?r1=1.62;r2=1.62.2.1
      http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeHashjoin.c.diff?r1=1.75.2.3;r2=1.75.2.4
      http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeMergejoin.c.diff?r1=1.75.2.2;r2=1.75.2.3
      http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeNestloop.c.diff?r1=1.39.2.1;r2=1.39.2.2
      http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeResult.c.diff?r1=1.32.2.1;r2=1.32.2.2
      http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/nodeSubplan.c.diff?r1=1.70.2.1;r2=1.70.2.2
      http://developer.postgresql.org/cvsweb.cgi/pgsql/src/include/executor/executor.h.diff?r1=1.120.2.2;r2=1.120.2.3
    - CVE-2007-0556
  * Add debian/patches/00upstream-max-utf8-wchar-len.patch:
    - Update various string functions to support the maximum UTF-8 sequence
      length for 4-byte character set to prevent buffer overflows.
    - Patch backported from 8.1.7 from CVS:
      http://developer.postgresql.org/cvsweb.cgi/pgsql/src/backend/utils/mb/wchar.c.diff?r1=1.47.2.4;r2=1.47.2.5

 -- Martin Pitt <email address hidden>   Mon,  5 Feb 2007 09:31:44 +0100

Upload details

Uploaded by: Martin Pitt
Uploaded to: Dapper
Original maintainer: Martin Pitt
Architectures: any
Section: misc
Urgency: Low Urgency


Downloads

File Size SHA-256 Checksum
postgresql-8.1_8.1.4.orig.tar.gz 10.8 MiB 0cfb807f47374d9ad42f0a5198bd8e3607d4c6857ce47141d722998fee1ae961
postgresql-8.1_8.1.4-0ubuntu1.2.diff.gz 38.4 KiB 64347e6ee4188dcc572115e94f86bde6c4b71a69cce17e0dfc7b8a1cba5fb5af
postgresql-8.1_8.1.4-0ubuntu1.2.dsc 1.1 KiB a5e333908a8c247443a986736138c3fd65fba408cbdd3a407c587d840943fb71


Binary packages built by this source

libecpg-compat2
libecpg-dev
libecpg5
libpgtypes2
libpq-dev
libpq4
postgresql-8.1
postgresql-client-8.1
postgresql-contrib-8.1
postgresql-doc-8.1
postgresql-plperl-8.1
postgresql-plpython-8.1
postgresql-pltcl-8.1
postgresql-server-dev-8.1

No summary or description is available for any of these packages in ubuntu dapper.