#VU111772 Input validation error in PostgreSQL - CVE-2010-0442


Updated: 2025-06-23

Vulnerability identifier: #VU111772

Vulnerability risk: Medium

CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2010-0442

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
PostgreSQL
Server applications / Database software

Vendor: PostgreSQL Global Development Group

Description

The vulnerability allows a remote user to read and manipulate data.

The bitsubstr function in backend/utils/adt/varbit.c in PostgreSQL 8.0.23, 8.1.11, and 8.3.8 allows remote authenticated users to cause a denial of service (daemon crash) or have unspecified other impact via vectors involving a negative integer in the third argument, as demonstrated by a SELECT statement that contains a call to the substring function for a bit string, related to an "overflow."
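The defect described above is an arithmetic one: a substring routine that derives its end position as start + length and then clamps to the string can end up with a negative result length when the length argument is negative, and a negative length fed into an allocation or copy is what turns into an overflow. The following C program is an added illustration of that failure mode and of the checks a hardened range computation needs; it is not PostgreSQL's varbit.c code, and the function names, the 1-based position convention and the sample bit-string lengths are assumptions chosen for the example.

```c
#include <stdio.h>
#include <limits.h>

/* Status of computing a substring range over a bit string of `bitlen` bits. */
typedef enum {
    RANGE_OK,              /* a valid (possibly empty) range was produced */
    RANGE_NEGATIVE_LENGTH  /* negative length argument: rejected up front */
} range_status;

/* Unchecked range computation, shaped like the arithmetic the advisory
 * describes: end = start + len, clamp to the string, no sign check on len.
 * Positions are 1-based; the end position is one past the last bit.
 * Returns the result length it would hand to an allocator, which goes
 * negative for a negative len that lands inside the string. */
static long unchecked_result_bits(int bitlen, int s, int l)
{
    long e  = (long)s + l;                       /* end, one past last bit */
    long e1 = e < (long)bitlen + 1 ? e : (long)bitlen + 1;
    long s1 = s > 1 ? s : 1;
    if (s1 > bitlen || e1 < 1)
        return 0;                                /* fully outside: empty */
    return e1 - s1;                              /* negative when l < 0 */
}

/* Hardened variant: reject negative lengths, use an overflow-safe test for
 * start + len, clamp the end to the string and never return a negative
 * count. Writes the result length to *out_bits on RANGE_OK. */
static range_status checked_result_bits(int bitlen, int s, int l, int *out_bits)
{
    int s1 = s > 1 ? s : 1;
    int e1;

    if (l < 0)
        return RANGE_NEGATIVE_LENGTH;

    if (s > 0 && l > INT_MAX - s)                /* s + l would overflow */
        e1 = bitlen + 1;                         /* so run to end of string */
    else {
        int e = s + l;
        e1 = e < bitlen + 1 ? e : bitlen + 1;
    }

    if (s1 > bitlen || e1 <= s1)
        *out_bits = 0;                           /* empty result */
    else
        *out_bits = e1 - s1;
    return RANGE_OK;
}

/* Convenience wrapper: result length, or -1 when the range is rejected. */
static int checked_bits_or_reject(int bitlen, int s, int l)
{
    int n = 0;
    if (checked_result_bits(bitlen, s, l, &n) != RANGE_OK)
        return -1;
    return n;
}

int main(void)
{
    /* Constructed inputs: an 8-bit string, start 3, and several lengths. */
    printf("unchecked, len -1 : %ld bits\n", unchecked_result_bits(8, 3, -1));
    printf("checked,   len -1 : %d (rejected)\n", checked_bits_or_reject(8, 3, -1));
    printf("checked,   len 4  : %d bits\n", checked_bits_or_reject(8, 3, 4));
    printf("checked,   len MAX: %d bits\n", checked_bits_or_reject(8, 5, INT_MAX));
    return 0;
}
```

With start 3 and length -1 the unchecked routine returns a length of -1, the value that a size computation would then misuse; the checked routine refuses the call before any arithmetic, and it also survives a length near INT_MAX by clamping to the end of the string instead of wrapping.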

Mitigation
Install the update from the vendor's website.

Vulnerable software versions

PostgreSQL: 8.0.23


External links
https://intevydis.blogspot.com/2010/01/postgresql-8023-bitsubstr-overflow.html
https://www.securityfocus.com/bid/37973
https://bugzilla.redhat.com/show_bug.cgi?id=559194
https://archives.postgresql.org/pgsql-hackers/2010-01/msg00634.php
https://bugzilla.redhat.com/show_bug.cgi?id=559259
https://securitytracker.com/id?1023510
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567058
https://archives.postgresql.org/pgsql-committers/2010-01/msg00125.php
https://www.openwall.com/lists/oss-security/2010/01/27/5
https://secunia.com/advisories/39566
https://www.vupen.com/english/advisories/2010/1022
https://ubuntu.com/usn/usn-933-1
https://www.redhat.com/support/errata/RHSA-2010-0429.html
https://www.redhat.com/support/errata/RHSA-2010-0427.html
https://www.redhat.com/support/errata/RHSA-2010-0428.html
https://www.vupen.com/english/advisories/2010/1207
https://www.mandriva.com/security/advisories?name=MDVSA-2010:103
https://www.vupen.com/english/advisories/2010/1197
https://secunia.com/advisories/39820
https://secunia.com/advisories/39939
https://www.debian.org/security/2010/dsa-2051
https://www.vupen.com/english/advisories/2010/1221
https://exchange.xforce.ibmcloud.com/vulnerabilities/55902
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9720
https://git.postgresql.org/gitweb?p=postgresql.git%3Ba=commit%3Bh=75dea10196c31d98d98c0bafeeb576ae99c09b12
https://git.postgresql.org/gitweb?p=postgresql.git%3Ba=commit%3Bh=b15087cb39ca9e4bde3c8920fcee3741045d2b83


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.
