CVE-2014-0066

Name of the Vulnerable Software and Affected Versions PostgreSQL versions prior to 8.4.20 PostgreSQL versions 9.0.x prior to 9.0.16 PostgreSQL versions 9.1.x prior to 9.1.12 PostgreSQL versions 9.2.x prior to 9.2.7 PostgreSQL versions 9.3.x prior to 9.3.3

Description The issue is related to the improper handling of input data by one of the functions associated with data encryption in PostgreSQL. This allows a remote authenticated user to cause a denial of service, resulting in a crash due to a null pointer dereference. The problem is specifically linked to the chkpass extension not properly checking the return value of the crypt library function.

Recommendations For PostgreSQL versions prior to 8.4.20, update to version 8.4.20 or later. For PostgreSQL versions 9.0.x prior to 9.0.16, update to version 9.0.16 or later. For PostgreSQL versions 9.1.x prior to 9.1.12, update to version 9.1.12 or later. For PostgreSQL versions 9.2.x prior to 9.2.7, update to version 9.2.7 or later. For PostgreSQL versions 9.3.x prior to 9.3.3, update to version 9.3.3 or later. As a temporary workaround, consider restricting access to the chkpass extension until a patch is applied.