Lists: | pgsql-hackers |
---|
From: | "Francisco Figueiredo Jr(dot)" <fxjrlists(at)yahoo(dot)com(dot)br> |
---|---|
To: | pgsql-hackers(at)postgresql(dot)org |
Subject: | [Bug] Server Crash, possible security exploit, where to send security report? |
Date: | 2005-12-12 20:26:25 |
Message-ID: | 439DDCF1.6090906@yahoo.com.br |
Hi all,
while playing with Npgsql I faced a strange behavior of the PostgreSQL server.
I have all the details of it and I thought it could be a severe security
exploit, so I am not sending it in the clear to this mailing list directly as, I
think, anybody with this information could DoS PostgreSQL servers.
Please send me information on where/to whom I should send the details so
that this can be fixed as soon as possible.
This is the log I get when I receive the problem. I think that as the server
is killing all processes, any client which can do that can kill all
client connections to that server. That's why I think it is very dangerous.
DEBUG: server process (PID 2874) was terminated by signal 11
LOG: server process (PID 2874) was terminated by signal 11
LOG: terminating any other active server processes
DEBUG: sending SIGQUIT to process 2111
DEBUG: sending SIGQUIT to process 2112
LOG: all server processes terminated; reinitializing
LOG: database system was interrupted at 2005-12-12 17:54:12 BRST
LOG: checkpoint record is at 0/38E290
LOG: redo record is at 0/38E290; undo record is at 0/0; shutdown TRUE
LOG: next transaction ID: 619; next OID: 24576
LOG: next MultiXactId: 1; next MultiXactOffset: 0
LOG: database system was not properly shut down; automatic recovery in progress
LOG: record with zero length at 0/38E2D4
LOG: redo is not required
LOG: database system is ready
LOG: transaction ID wrap limit is 2147484148, limited by database "postgres"
--
Regards,
Francisco Figueiredo Jr.
Npgsql Lead Developer
http://www.pgfoundry.org/projects/npgsql
MonoBrasil Project Founder Member
http://monobrasil.softwarelivre.org
-------------
"Science without religion is lame;
religion without science is blind."
~ Albert Einstein
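The log excerpt in the message above shows one backend dying on signal 11, after which the postmaster terminates every other server process and runs crash recovery. As an added example (not part of the original thread), this Python code extracts that crash-and-restart cycle from PostgreSQL log text so it can be alerted on; the function names and the sample lines, trimmed from the excerpt, are assumptions made for the illustration.

```python
import re

# Constructed sample: lines trimmed from the log quoted in the message above.
SAMPLE_LOG = """\
DEBUG: server process (PID 2874) was terminated by signal 11
LOG: server process (PID 2874) was terminated by signal 11
LOG: terminating any other active server processes
DEBUG: sending SIGQUIT to process 2111
DEBUG: sending SIGQUIT to process 2112
LOG: all server processes terminated; reinitializing
LOG: database system was not properly shut down; automatic recovery in progress
LOG: redo is not required
LOG: database system is ready
"""

# Match only the LOG-level line so the DEBUG duplicate is not counted twice.
CRASH = re.compile(r"\bLOG:\s+server process \(PID (\d+)\) was terminated by signal (\d+)")
SIGQUIT = re.compile(r"sending SIGQUIT to process (\d+)")


def find_crash_cycles(text):
    """Return one dict per backend crash and what the postmaster did next."""
    cycles, current = [], None
    for line in text.splitlines():
        crash = CRASH.search(line)
        if crash:
            current = {"pid": int(crash.group(1)), "signal": int(crash.group(2)),
                       "sigquit_pids": [], "reinitialized": False, "ready": False}
            cycles.append(current)
            continue
        if current is None:
            continue  # ordinary log traffic outside a crash cycle
        quit_sent = SIGQUIT.search(line)
        if quit_sent:
            current["sigquit_pids"].append(int(quit_sent.group(1)))
        elif "all server processes terminated; reinitializing" in line:
            current["reinitialized"] = True
        elif "database system is ready" in line:
            current["ready"] = True
            current = None  # cycle closed; wait for the next crash
    return cycles


def summarize(cycle):
    """One alert line: every session was dropped if the server reinitialized."""
    state = "back up" if cycle["ready"] else "still recovering"
    return (f"backend {cycle['pid']} died on signal {cycle['signal']}; "
            f"{len(cycle['sigquit_pids'])} other processes sent SIGQUIT; "
            f"server {state}")


if __name__ == "__main__":
    for c in find_crash_cycles(SAMPLE_LOG):
        print(summarize(c))
```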
From: | Martijn van Oosterhout <kleptog(at)svana(dot)org> |
---|---|
To: | "Francisco Figueiredo Jr(dot)" <fxjrlists(at)yahoo(dot)com(dot)br> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: [Bug] Server Crash, possible security exploit, where to send security report? |
Date: | 2005-12-12 22:01:20 |
Message-ID: | 20051212220112.GE30160@svana.org |
On Mon, Dec 12, 2005 at 06:26:25PM -0200, Francisco Figueiredo Jr. wrote:
> Hi all,
>
> while playing with Npgsql I faced a strange behavior of the PostgreSQL server.
>
> I have all the details of it and I thought it could be a severe security
> exploit, so I am not sending it in the clear to this mailing list directly as, I
> think, anybody with this information could DoS PostgreSQL servers.
Well, you're not giving any details but if you can cause the server to
dump core in a standard installation, we're interested. You didn't
specify your version BTW.
Here are instructions, including for security-related stuff:
http://www.postgresql.org/docs/current/static/bug-reporting.html
Have a nice day,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.
From: | "Francisco Figueiredo Jr(dot)" <fxjrlists(at)yahoo(dot)com(dot)br> |
---|---|
To: | Martijn van Oosterhout <kleptog(at)svana(dot)org> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: [Bulk] Re: [Bug] Server Crash, possible security exploit, |
Date: | 2005-12-13 16:48:41 |
Message-ID: | 439EFB69.9060601@yahoo.com.br |
Martijn van Oosterhout wrote:
> On Mon, Dec 12, 2005 at 06:26:25PM -0200, Francisco Figueiredo Jr. wrote:
>
> Well, you're not giving any details but if you can cause the server to
> dump core in a standard installation, we're interested. You didn't
> specify your version BTW.
>
Hi Martijn. Sorry for giving so little information. I was afraid that
any other info I could say here could be used later. I just sent the
message as specified in bug writing. I should have searched the manual
before posting here :) Thanks for the info.
The PostgreSQL version in which I first saw this problem was 8.0.3. I downloaded
and tested it with 8.1.0 and it also showed the problem.
> Here are instructions, including for security-related stuff:
> http://www.postgresql.org/docs/current/static/bug-reporting.html
>
> Have a nice day,
Thank you very much Martijn.
--
Regards,
Francisco Figueiredo Jr.
Npgsql Lead Developer
http://www.pgfoundry.org/projects/npgsql
MonoBrasil Project Founder Member
http://monobrasil.softwarelivre.org
-------------
"Science without religion is lame;
religion without science is blind."
~ Albert Einstein
From: | Jaime Casanova <systemguards(at)gmail(dot)com> |
---|---|
To: | "Francisco Figueiredo Jr(dot)" <fxjrlists(at)yahoo(dot)com(dot)br> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Server Crash, possible security exploit, where to send security report? |
Date: | 2005-12-14 00:11:27 |
Message-ID: | c2d9e70e0512131611s5a3e77afh67eaa1fad922dee5@mail.gmail.com |
> Hi all,
>
> while playing with Npgsql I faced a strange behavior of the PostgreSQL server.
>
> I have all the details of it and I thought it could be a severe security
> exploit, so I am not sending it in the clear to this mailing list directly as, I
> think, anybody with this information could DoS PostgreSQL servers.
>
> Please send me information on where/to whom I should send the details so
> that this can be fixed as soon as possible.
>
http://www.postgresql.org/support/security.html
--
regards,
Jaime Casanova
(DBA: DataBase Aniquilator ;)
From: | "Francisco Figueiredo Jr(dot)" <fxjrlists(at)yahoo(dot)com(dot)br> |
---|---|
To: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: [Bulk] Re: [Bug] Server Crash, possible security exploit, |
Date: | 2005-12-14 16:39:01 |
Message-ID: | 43A04AA5.4010203@yahoo.com.br |
Martijn van Oosterhout wrote:
> On Mon, Dec 12, 2005 at 06:26:25PM -0200, Francisco Figueiredo Jr. wrote:
>>
>>
Hi all,
Yesterday I received a reply from Tom Lane, who confirmed the bug and
promptly replied to me with a patch!! :)
Thank you very much all for helping me with that.
--
Regards,
Francisco Figueiredo Jr.
Npgsql Lead Developer
http://www.pgfoundry.org/projects/npgsql
MonoBrasil Project Founder Member
http://monobrasil.softwarelivre.org
-------------
"Science without religion is lame;
religion without science is blind."
~ Albert Einstein