First Last Prev Next    This bug is not in your last search results.
Bug 660479 - VUL-0: PostgreSQL log forging issue
VUL-0: PostgreSQL log forging issue
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2010-12-20 08:34 UTC by Ludwig Nussel
Modified: 2011-03-30 14:13 UTC (History)
2 users (show)

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
proposed patch (901 bytes, patch)
2011-02-15 21:36 UTC, Reinhard Max 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ludwig Nussel 2010-12-20 08:34:03 UTC 
Your friendly security team received the following report via vendor-sec.
Please respond ASAP.
This issue is not public yet, please keep any information about it inside SUSE.
Note that build.opensuse.org *cannot* be used to prepare embargoed updates.

CVE-ID: CVE-2010-4014

Impact: An attacker who can cause the PostgreSQL server to execute certain commands may insert information in its log.

Description: An input validation issue exists in the PostgreSQL server.  The server does not check for CR characters in log entries, allowing an attacker to forge log entries.  This issue is addressed by improved input validation.  This issue does not affect Mac OS X.  Credit: Apple.
Comment 8 Reinhard Max 2011-02-15 21:36:15 UTC 
Created attachment 414281 [details]
proposed patch

Here's my proposed patch. Please review.

But I tend to agree with the PostgreSQL team that this isn't really a security issue.
Comment 9 Reinhard Max 2011-02-16 17:50:05 UTC 
Patched packages submitted to SLES10-SP3, SLE11-SP1, 11.2, and 11.3.
Comment 10 Thomas Biege 2011-02-17 09:16:10 UTC 
Thanks, patch looks good BTW.
Comment 11 Ludwig Nussel 2011-03-30 14:13:04 UTC 
released
First Last Prev Next    This bug is not in your last search results.