Navigation Bar Top Applications Support Documentation Vendors Search Index Top Top

postgresql -- character conversion and tsearch2 vulnerabilities


The postgresql development team reports:

The more severe of the two errors is that the functions that support client-to-server character set conversion can be called from SQL commands by unprivileged users, but these functions are not designed to be safe against malicious choices of argument values. This problem exists in PostgreSQL 7.3.* through 8.0.*. The recommended fix is to disable public EXECUTE access for these functions. This does not affect normal usage of the functions for character set conversion, but it will prevent misuse.

The other error is that the contrib/tsearch2 module misdeclares several functions as returning type "internal" when they do not have any "internal" argument. This breaks the type safety of "internal" by allowing users to construct SQL commands that invoke other functions accepting "internal" arguments. The consequences of this have not been investigated in detail, but it is certainly at least possible to crash the backend.



portaudit: postgresql -- character conversion and tsearch2 vulnerabilities

Disclaimer: The data contained on this page is derived from the VuXML document, please refer to the the original document for copyright information. The author of portaudit makes no claim of authorship or ownership of any of the information contained herein.

If you have found a vulnerability in a FreeBSD port not listed in the database, please contact the FreeBSD Security Officer. Refer to "FreeBSD Security Information" for more information.

Oliver Eikemeier <>