BUG #2052: Federal Agency Tech Hub Refuses to Accept Postgresql on Network because of Security Vulnerabilities - Mailing list pgsql-bugs

The following bug has been logged online:

Bug reference:      2052
Logged by:          Ferindo Middleton
Email address:      fmiddleton@verizon.net
PostgreSQL version: 8.0.4
Operating system:   Windows 2000
Description:        Federal Agency Tech Hub Refuses to Accept Postgresql on
Network because of Security Vulnerabilities
Details:

This bug report involves more than one proposed bug. I work at a federal
government agency. The information technology division at this agency
refuses to allow the database version 8.0.4 on their network because of
several security vulnerabilities they noticed when testing the software
application. The database would run on a Windows 2000 Professional computer
system. The division I work for wants to use the database as a backend to a
set Java Server Pages I developed to be served via Apache Tomcat. My
application works great with PostgreSQL but the problem is getting the IS
team at this agency to accept PostgreSQL db. I know nothing about hacking
PostgreSQL. I am merely know how to install, setup, run the database and
write JSP applications to us the database in the background so these
security vulnerabilities are beyond the scope of my own understanding of the
database from a mere admin/user level.

I am going to paste below the feedback I received concerning the
vulnerabilities of the database in hopes that The PostgreSQL Global
Development Group would consider looking into each stated flaw. I believe
that resolution of these vulnerabilities would be a major achievement of our
database management system and possibly open the software up to more
government acceptance and utilization, which I believe it is lacking.

Here are the vulnerabilities that were stated (each one has a special Common
Vulnerabilities and Exposures (CVE)codes that this IS team had assigned):

CVE-2005-0245  Buffer overflow in gram.y for PostgreSQL 8.0.0 and earlier
may allow attackers to execute arbitrary code via a large number of
arguments to a refcursor function (gram.y), which leads to a
heap-based buffer overflow, a different vulnerability than CVE-2005-0247.

CVE-2005-0244  PostgreSQL 8.0.0 and earlier allows local users to bypass the
EXECUTE permission check for functions by using the CREATE AGGREGATE
command.

CVE-2005-0227  PostgreSQL (pgsql) 7.4.x, 7.2.x, and other versions allows
local users to load arbitrary shared libraries and execute code via the LOAD
extension.

CVE-2005-0246  The intagg contrib module for PostgreSQL 8.0.0 and earlier
allows attackers to cause a denial of service (crash) via crafted arrays.

CVE-2005-0247  Multiple buffer overflows in gram.y for PostgreSQL 8.0.1 and
earlier may allow attackers to execute arbitrary code via (1) a large number
of variables in a SQL statement being handled by the read_sql_construct
function, (2) a large number of INTO variables in a SELECT statement being
handled by the make_select_stmt function, (3) alarge number of arbitrary
variables in a SELECT statement being handled
by the make_select_stmt function, and (4) a large number of INTO variables
in a FETCH statement being handled by the make_fetch_stmt function, a
different set of vulnerabilities than CVE-2005-0245.

CVE-2005-1409  PostgreSQL 7.3.x through 8.0.x gives public EXECUTE access to
certain character conversion functions, which allows unprivileged users to
call those functions with malicious values, with
unknown impact, aka the "Character conversion vulnerability

CVE-2005-1410 - The tsearch2 module in PostgreSQL 7.4 through 8.0.x declares
the (1) dex_init, (2) snb_en_init, (3) snb_ru_init, (4)spell_init, and (5)
syn_init functions as "internal" even when they do
not take an internal argument, which allows attackers to cause a denial of
service (application crash) and possibly have other impacts via SQL commands
that call other functions that accept internal arguments.

Ferindo