|| Hotline : 800 2378 ||  To contact CERT-MU send e-mail on --> info[at]cert-mu.gov.mu ||  To report incident e-mail on --> incident[at]cert-mu.gov.mu || To report Vulnerabilities send e-mail on --> Vulnerability[at]cert-mu.gov.mu ||
CERT-MU AD-2012-10

PostgreSQL 'intarray' Module 'gettoken()' Buffer Overflow Vulnerability

Original issue date: February 01, 2011

Updated: January 31, 2012

Severity Rating: Medium

Overview
A vulnerability has been identified in PostgreSQL. If successfully exploited, it can allow remote attackers to execute arbitrary code on affected systems. Unsuccessful attempts can result in a denial of service. An update has been released to address this vulnerability.

Description

PostgreSQL is an advanced object-relational database management system. The reported vulnerability is a stack-based buffer overflow in the way the system processes certain tokens from an SQL query when the intarray module is enabled on a particular database. A remote attacker can exploit it by running a specially crafted SQL query, causing execution of arbitrary code with the privileges of the database server or a denial of service condition. An update has been released to address this vulnerability.
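The class of defect described above, shown from the fix side as an added example (it is not PostgreSQL source and not part of the original advisory): a simplified token scanner that copies numeric tokens into a fixed-size stack buffer and rejects any token that would not fit. The names `next_token` and `count_tokens`, the 16-byte buffer and the operator set are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names; a simplified scanner, not PostgreSQL source. */
enum tok { TOK_END, TOK_NUM, TOK_OP, TOK_ERR };

/* Scan one token at *p, advance *p past it, return its kind. */
static enum tok next_token(const char **p, long long *val, char *op)
{
    char num[16];                 /* fixed stack buffer for one number */
    size_t n = 0;
    const char *s = *p;

    while (*s == ' ') s++;
    *p = s;
    if (*s == '\0') return TOK_END;
    if (strchr("&|!()", *s)) { *op = *s; *p = s + 1; return TOK_OP; }
    if (!isdigit((unsigned char)*s)) return TOK_ERR;
    while (isdigit((unsigned char)*s)) {
        /* Without this check an over-long digit run is written
         * past num[] and over the rest of the stack frame. */
        if (n >= sizeof(num) - 1) return TOK_ERR;
        num[n++] = *s++;
    }
    num[n] = '\0';
    *val = strtoll(num, NULL, 10);   /* 15 digits always fit */
    *p = s;
    return TOK_NUM;
}

/* Number of tokens in expr, or -1 if any token is rejected. */
static int count_tokens(const char *expr)
{
    long long v = 0; char op = 0; int n = 0; enum tok t;
    while ((t = next_token(&expr, &v, &op)) != TOK_END) {
        if (t == TOK_ERR) return -1;
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed inputs: a normal expression and a 40-digit token. */
    printf("%d\n", count_tokens("1 & (2 | !3)"));
    printf("%d\n", count_tokens("1111111111111111111111111111111111111111"));
    return 0;
}
```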

Affected Systems

  • Ubuntu Linux 9.10 sparc
  • Ubuntu Linux 9.10 powerpc
  • Ubuntu Linux 9.10 lpia
  • Ubuntu Linux 9.10 i386
  • Ubuntu Linux 9.10 ARM
  • Ubuntu Linux 9.10 amd64
  • Ubuntu Linux 8.04 LTS sparc
  • Ubuntu Linux 8.04 LTS powerpc
  • Ubuntu Linux 8.04 LTS lpia
  • Ubuntu Linux 8.04 LTS i386
  • Ubuntu Linux 8.04 LTS amd64
  • Ubuntu Linux 6.06 LTS sparc

A list of other affected systems is available at:

http://www.securityfocus.com/bid/46084/info

Solution

Users are advised to apply updates.

More information about the update is available at:

http://www.securityfocus.com/bid/46084/solution

CVE Information

CVE-2010-4015

References

Security Focus
http://www.securityfocus.com/bid/46084/info

Oracle
http://blogs.oracle.com/sunsecurity/entry/cve_2010_4015_buffer_overflow1

Avaya Security Update
http://support.avaya.com/css/P8/documents/100133449

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

E-mail:

Postal address
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street
Port Louis


 
 

Last Updated 20-Jul-2011

18-Jan-2012