Debian DSA-1780-1 : libdbd-pg-perl - several vulnerabilities

high Nessus Plugin ID 38202

Synopsis

The remote Debian host is missing a security-related update.

Description

Two vulnerabilities have been discovered in libdbd-pg-perl, the DBI driver module for PostgreSQL database access (DBD::Pg).

- CVE-2009-0663 A heap-based buffer overflow may allow attackers to execute arbitrary code through applications which read rows from the database using the pg_getline and getline functions. (More common retrieval methods, such as selectall_arrayref and fetchrow_array, are not affected.)

- CVE-2009-1341 A memory leak in the routine which unquotes BYTEA values returned from the database allows attackers to cause a denial of service.

Solution

Upgrade the libdbd-pg-perl package.

For the old stable distribution (etch), these problems have been fixed in version 1.49-2+etch1.

For the stable distribution (lenny) and the unstable distribution (sid), these problems have been fixed in version 2.1.3-1 before the release of lenny.

See Also

https://security-tracker.debian.org/tracker/CVE-2009-0663

https://security-tracker.debian.org/tracker/CVE-2009-1341

https://www.debian.org/security/2009/dsa-1780

Plugin Details

Severity: High

ID: 38202

File Name: debian_DSA-1780.nasl

Version: 1.15

Type: local

Agent: unix

Published: 4/29/2009

Updated: 1/4/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:libdbd-pg-perl, cpe:/o:debian:debian_linux:4.0, cpe:/o:debian:debian_linux:5.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 4/28/2009

Reference Information

CVE: CVE-2009-0663, CVE-2009-1341

CWE: 119, 200

DSA: 1780