Bug 660479 - VUL-0: PostgreSQL log forging issue
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Assigned To: Security Team bot
Reported: 2010-12-20 08:34 UTC by Ludwig Nussel
Modified: 2011-03-30 14:13 UTC (History)
Attachments: proposed patch (901 bytes, patch), 2011-02-15 21:36 UTC, Reinhard Max
Description Ludwig Nussel 2010-12-20 08:34:03 UTC
Your friendly security team received the following report via vendor-sec.
Please respond ASAP.
This issue is not public yet, please keep any information about it inside SUSE.
Note that build.opensuse.org *cannot* be used to prepare embargoed updates.

CVE-ID: CVE-2010-4014

Impact: An attacker who can cause the PostgreSQL server to execute certain commands may insert information in its log.

Description: An input validation issue exists in the PostgreSQL server.  The server does not check for CR characters in log entries, allowing an attacker to forge log entries.  This issue is addressed by improved input validation.  This issue does not affect Mac OS X.  Credit: Apple.
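The CR-based log forging the advisory describes, together with the input-validation mitigation it names, as an added example in C that is not PostgreSQL's code or the attached patch; `escape_log_message` and `has_embedded_cr` are hypothetical names and the sample message is constructed:

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

/* Mitigation: escape CR, LF and other C0 control characters in a message
 * destined for a single log line, so that user-controlled text (a relation
 * name, a query string) cannot start a fake entry on a new line.
 * Returns the number of bytes written (excluding the NUL), or (size_t)-1
 * if the output buffer is too small. */
size_t escape_log_message(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        const char *rep = NULL;
        char tmp[5];
        if (*p == '\r')       rep = "\\r";
        else if (*p == '\n')  rep = "\\n";
        else if (*p == '\t')  rep = "\\t";
        else if (*p < 0x20 || *p == 0x7f) {
            snprintf(tmp, sizeof tmp, "\\x%02X", (unsigned)*p);
            rep = tmp;
        }
        size_t len = rep ? strlen(rep) : 1;
        if (n + len >= outlen) return (size_t)-1;   /* keep room for NUL */
        if (rep) memcpy(out + n, rep, len); else out[n] = (char)*p;
        n += len;
    }
    out[n] = '\0';
    return n;
}

/* Detection: a correctly escaping log writer never emits a raw CR, so a
 * CR inside a stored log line is a signal worth alerting on. */
bool has_embedded_cr(const char *line)
{
    return strchr(line, '\r') != NULL;
}

int main(void)
{
    /* Constructed sample: an error text carrying a CR followed by a fake entry. */
    const char *msg = "relation \"x\" does not exist\rLOG:  forged entry";
    char buf[256];
    printf("raw text contains CR: %s\n", has_embedded_cr(msg) ? "yes" : "no");
    if (escape_log_message(msg, buf, sizeof buf) != (size_t)-1)
        printf("ERROR:  %s\n", buf);   /* stays on one line */
    return 0;
}
```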
Comment 8 Reinhard Max 2011-02-15 21:36:15 UTC
Created attachment 414281 [details]
proposed patch

Here's my proposed patch. Please review.

But I tend to agree with the PostgreSQL team that this isn't really a security issue.
Comment 9 Reinhard Max 2011-02-16 17:50:05 UTC
Patched packages submitted to SLES10-SP3, SLE11-SP1, 11.2, and 11.3.
Comment 10 Thomas Biege 2011-02-17 09:16:10 UTC
Thanks, patch looks good BTW.
Comment 11 Ludwig Nussel 2011-03-30 14:13:04 UTC
released