[3.7] postgresql: Stack-based buffer overflow via setting a password (CVE-2019-10164)
PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are
vulnerable to a stack-based buffer overflow. Any authenticated user can
overflow a stack-based buffer by changing the user’s own password to a
purpose-crafted value. This often suffices to execute arbitrary code as
the PostgreSQL operating system account.
References:
https://www.postgresql.org/support/security/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10164
Patches:
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=90adc16ea13750a6b6f704c6cf65dc0f1bdb845c
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=d72a7e4da1001b29a661a4b1a52cb5c4d708bab0
(from redmine: issue id 10641, created on 2019-07-02, closed on 2019-07-04)
- Relations:
  - relates #10640 (closed)
- Changesets:
  - Revision 16dcb2a2 by Milan P. Stanić on 2019-07-04T07:26:29Z:
    main/postgresql: security upgrade to 10.9
    CVE-2019-10164
    other upstream bugfixes
    fixes #10641