
Re: [SECURITY] [DSA-2157-1] PostgreSQL security update



Hi!

After upgrading PostgreSQL 9.0, the following error started to appear
'ERROR:  XX000: cannot extract system attribute from virtual tuple'
when executing a request in a trigger:

2011-02-03 21:41:49 UTC bc bc LOG:  00000: execute pdo_stmt_0000000b: INSERT INTO "offers" ("pair_id", "order_type", "quantity_sell", "rate", "ask", "ttl") VALUES ($1, $2, $3, $4, $5, $6)
2011-02-03 21:41:49 UTC bc bc DETAIL:  parameters: $1 = '10000', $2 = 'Limit', $3 = '1', $4 = '1', $5 = 't', $6 = '14 days'
2011-02-03 21:41:49 UTC bc bc LOCATION:  exec_execute_message, postgres.c:1978
2011-02-03 21:41:49 UTC bc bc ERROR:  XX000: cannot extract system attribute from virtual tuple
2011-02-03 21:41:49 UTC bc bc CONTEXT:  SQL statement "SELECT
        case when     NEW.ask then currency_id1 else currency_id2 end as sell,
        case when not NEW.ask then currency_id1 else currency_id2 end as buy
                                        FROM currency_pairs p
        WHERE pair_id = NEW.pair_id
        FOR SHARE"
        PL/pgSQL function "clearing_new" line 28 at SQL statement
2011-02-03 21:41:49 UTC bc bc LOCATION:  slot_getattr, heaptuple.c:1145
2011-02-03 21:41:49 UTC bc bc STATEMENT:  INSERT INTO "offers" ("pair_id", "order_type", "quantity_sell", "rate", "ask", "ttl") VALUES ($1, $2, $3, $4, $5, $6)



On Thu, 03/02/2011 at 21:11 +0100, Florian Weimer wrote:
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-2157-1                   security@debian.org
> http://www.debian.org/security/                            Florian Weimer
> February 03, 2011                      http://www.debian.org/security/faq
> - -------------------------------------------------------------------------
> 
> Package        : postgresql-8.3, postgresql-8.4, postgresql-9.0
> Vulnerability  : buffer overflow
> Problem type   : remote
> Debian-specific: no
> CVE ID         : CVE-2010-4015
> 
> It was discovered that PostgreSQL's intarray contrib module does not
> properly handle integers with a large number of digits, leading to a
> server crash and potentially arbitrary code execution.
> 
> For the stable distribution (lenny), this problem has been fixed in
> version 8.3.14-0lenny1 of the postgresql-8.3 package.
> 
> For the testing distribution (squeeze), this problem has been fixed in
> version 8.4.7-0squeeze1 of the postgresql-8.4 package.
> 
> For the unstable distribution (sid), this problem has been fixed in
> version 8.4.7-1 of the postgresql-8.4 package and version 9.0.3-1 of
> the postgresql-9.0 package.
> 
> The updates also include reliability improvements; for details see the
> respective changelogs.
> 
> We recommend that you upgrade your PostgreSQL packages.
> 
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: http://www.debian.org/security/
> 
> Mailing list: debian-security-announce@lists.debian.org
> 
> 