Re: [SECURITY] [DSA-2157-1] PostgreSQL security update
Hi!
After upgrading postgresql 9.0, the error
'ERROR: XX000: cannot extract system attribute from virtual tuple'
started to appear when executing a request in a trigger:
2011-02-03 21:41:49 UTC bc bc LOG: 00000: execute pdo_stmt_0000000b: INSERT INTO "offers" ("pair_id", "order_type", "quantity_sell", "rate", "ask", "ttl") VALUES ($1, $2, $3, $4, $5, $6)
2011-02-03 21:41:49 UTC bc bc DETAIL: parameters: $1 = '10000', $2 = 'Limit', $3 = '1', $4 = '1', $5 = 't', $6 = '14 days'
2011-02-03 21:41:49 UTC bc bc LOCATION: exec_execute_message, postgres.c:1978
2011-02-03 21:41:49 UTC bc bc ERROR: XX000: cannot extract system attribute from virtual tuple
2011-02-03 21:41:49 UTC bc bc CONTEXT: SQL statement "SELECT
case when NEW.ask then currency_id1 else currency_id2 end as sell,
case when not NEW.ask then currency_id1 else currency_id2 end as buy
FROM currency_pairs p
WHERE pair_id = NEW.pair_id
FOR SHARE"
PL/pgSQL function "clearing_new" line 28 at SQL statement
2011-02-03 21:41:49 UTC bc bc LOCATION: slot_getattr, heaptuple.c:1145
2011-02-03 21:41:49 UTC bc bc STATEMENT: INSERT INTO "offers" ("pair_id", "order_type", "quantity_sell", "rate", "ask", "ttl") VALUES ($1, $2, $3, $4, $5, $6)
On Thu, 03/02/2011 at 21:11 +0100, Florian Weimer wrote:
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-2157-1 security@debian.org
> http://www.debian.org/security/ Florian Weimer
> February 03, 2011 http://www.debian.org/security/faq
> - -------------------------------------------------------------------------
>
> Package : postgresql-8.3, postgresql-8.4, postgresql-9.0
> Vulnerability : buffer overflow
> Problem type : remote
> Debian-specific: no
> CVE ID : CVE-2010-4015
>
> It was discovered that PostgreSQL's intarray contrib module does not
> properly handle integers with a large number of digits, leading to a
> server crash and potentially arbitrary code execution.
>
> For the stable distribution (lenny), this problem has been fixed in
> version 8.3.14-0lenny1 of the postgresql-8.3 package.
>
> For the testing distribution (squeeze), this problem has been fixed in
> version 8.4.7-0squeeze1 of the postgresql-8.4 package.
>
> For the unstable distribution (sid), this problem has been fixed in
> version 8.4.7-1 of the postgresql-8.4 package and version 9.0.3-1 of
> the postgresql-9.0 package.
>
> The updates also include reliability improvements; for details see the
> respective changelogs.
>
> We recommend that you upgrade your PostgreSQL packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: http://www.debian.org/security/
>
> Mailing list: debian-security-announce@lists.debian.org