pgbouncer 1.5.3-1 Denial of Service

2012.11.03
Credit: Christoph
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

pgbouncer 1.5.3-1 in experimental fixes a DoS situation where large database names can lead to server shutdown. http://git.postgresql.org/gitweb/?p=pgbouncer.git;a=commitdiff;h=4b92112b820830b30cd7bc91bef3dd8f35305525 add_database: fail gracefully if too long db name author Marko Kreen <markokr@gmail.com> Mon, 10 Sep 2012 10:07:43 +0000 (13:07 +0300) Truncating & adding can lead to fatal() later. It was not an issue before, but with audodb (* in [databases] section) the database name can some from network, thus allowing remote shutdown.. src/objects.c diff --git a/src/objects.c b/src/objects.c index 3aeb36e..b61387f 100644 (file) --- a/src/objects.c +++ b/src/objects.c @@ -303,7 +303,11 @@ PgDatabase *add_database(const char *name) return NULL; list_init(&db->head); - safe_strcpy(db->name, name, sizeof(db->name)); + if (strlcpy(db->name, name, sizeof(db->name)) >= sizeof(db->name)) { + log_warning("Too long db name: %s", name); + slab_free(db_cache, db); + return NULL; + } put_in_order(&db->head, &database_list, cmp_database); } Thanks to Markus Wanner for helping investigating the issue. Christoph
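Review bot: The log_warning("Too long db name: %s", name) call in the new error branch writes the rejected name to the log at full length, and the commit message says that with autodb the name can come from the network, so a remote client decides how much text each rejected name adds to the log. Consider bounding the logged value with a precision such as "%.64s", or logging only the length returned by strlcpy. The truncation test itself (strlcpy result >= sizeof(db->name)) matches strlcpy semantics, and the slab_free(db_cache, db) before return NULL happens before put_in_order links the entry into database_list, so nothing is left pointing at the freed slot.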

References:

https://bugzilla.redhat.com/show_bug.cgi?id=872527
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692103


Copyright 2024, cxsecurity.com

 
