CVE-2010-0442
Published 2010-02-02
Priority P3 · 38 · medium · 6.5 (CVSS 2.0) · AV:N/AC:L/Au:S/C:P/I:P/A:P
EXPLOIT
EPSS: 13.36% (95.9th percentile)
The bitsubstr function in backend/utils/adt/varbit.c in PostgreSQL 8.0.23, 8.1.11, and 8.3.8 allows remote authenticated users to cause a denial of service (daemon crash) or have unspecified other impact via vectors involving a negative integer in the third argument, as demonstrated by a SELECT statement that contains a call to the substring function for a bit string, related to an "overflow."
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| postgresql | postgresql | >= 7.4 < 7.4.28 | 7.4.28 |
| postgresql | postgresql | >= 8.0 < 8.0.24 | 8.0.24 |
| postgresql | postgresql | >= 8.1 < 8.1.20 | 8.1.20 |
| postgresql | postgresql | >= 8.2 < 8.2.16 | 8.2.16 |
| postgresql | postgresql | >= 8.3 < 8.3.10 | 8.3.10 |
| postgresql | postgresql | >= 8.4 < 8.4.3 | 8.4.3 |
CVSS provenance
nvd · v2.0 · 6.5 MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P
vendor_redhat · 6.5 MEDIUM
Ubuntu
PostgreSQL vulnerability
vendor_ubuntu·2010-04-28
Title: PostgreSQL vulnerability
Summary: PostgreSQL vulnerability
It was discovered that PostgreSQL did not properly sanitize its input when
using substring() with a SELECT statement. A remote authenticated attacker
could exploit this to cause a denial of service via application crash.
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
Red Hat
postgresql: substring() negative length argument buffer overflow
vendor_redhat·2010-01-27·CVSS 6.5
The bitsubstr function in backend/utils/adt/varbit.c in PostgreSQL 8.0.23, 8.1.11, and 8.3.8 allows remote authenticated users to cause a denial of service (daemon crash) or have unspecified other impact via vectors involving a negative integer in the third argument, as demonstrated by a SELECT statement that contains a call to the substring function for a bit string, related to an "overflow."
VulDB
PostgreSQL 8.0.23/8.1.11/8.3.8 substring third numeric error (Bug 559259 / EDB-33571)
vuldb·2026-04-30·CVSS 6.5
A vulnerability was found in PostgreSQL 8.0.23/8.1.11/8.3.8. It has been declared as problematic. Affected by this vulnerability is the function substring. Such manipulation of the argument third leads to numeric error.
This vulnerability is uniquely identified as CVE-2010-0442. The attack can be launched remotely. Moreover, an exploit is present.
GHSA
GHSA-gv9m-x3m7-x4g8: The bitsubstr function in backend/utils/adt/varbit
ghsa_unreviewed·2022-05-02
The bitsubstr function in backend/utils/adt/varbit.c in PostgreSQL 8.0.23, 8.1.11, and 8.3.8 allows remote authenticated users to cause a denial of service (daemon crash) or have unspecified other impact via vectors involving a negative integer in the third argument, as demonstrated by a SELECT statement that contains a call to the substring function for a bit string, related to an "overflow."
No detection rules found.
Bugzilla
CVE-2010-0442 postgresql: substring() negative length argument buffer overflow
bugzilla·2010-01-27·CVSS 6.5
Intevydis reported a buffer overflow in PostgreSQL's implementation of the substring() function when called with a negative length argument:
http://intevydis.blogspot.com/2010/01/postgresql-8023-bitsubstr-overflow.html
The following query triggers the overflow / crash:
select substring(B'10101010101010101010101010101010101010101010101',33,-15);
Discussion:
Looks like Tom patched this upstream a few days ago:
http://git.postgresql.org/gitweb?p=postgresql.git;a=commitdiff;h=75dea10196c31d98d98c0bafeeb576ae99c09b12
http://git.postgresql.org/gitweb?p=postgresql.git;a=commitdiff;h=b15087cb39ca9e4bde3c8920fcee3741045d2b83
---
Tom noted this in bug #559194#c1:
"We didn't consider this especially serious upstream, since AFAICS
arXiv
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Response
arxiv_fulltext·2017-11-02
Zhen Huang
Mariana D'Angelo
Dhaval Miyani
David Lie
University of Toronto
{z.huang,mariana.dangelo,dhaval.miyani}@mail.utoronto.ca
## Abstract
There is often a considerable delay between the discovery of a vulnerability and the issue of a patch. One way to mitigate this window of vulnerability is to use a configuration workaround, which prevents the vulnerable code from being executed at the cost of some lost functionality -- but only if one is available. Since application configurations are not specifically designed to mitigate software vulnerabilities, we find that they only cover 25.2% of vulnerabilities.
To minimize patch delay vulnerabilities and address the lim
References
http://archives.postgresql.org/pgsql-committers/2010-01/msg00125.php
http://archives.postgresql.org/pgsql-hackers/2010-01/msg00634.php
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567058
http://git.postgresql.org/gitweb?p=postgresql.git%3Ba=commit%3Bh=75dea10196c31d98d98c0bafeeb576ae99c09b12
http://git.postgresql.org/gitweb?p=postgresql.git%3Ba=commit%3Bh=b15087cb39ca9e4bde3c8920fcee3741045d2b83
http://intevydis.blogspot.com/2010/01/postgresql-8023-bitsubstr-overflow.html
http://secunia.com/advisories/39566
http://secunia.com/advisories/39820
http://secunia.com/advisories/39939
http://securitytracker.com/id?1023510
http://ubuntu.com/usn/usn-933-1
http://www.debian.org/security/2010/dsa-2051
http://www.mandriva.com/security/advisories?name=MDVSA-2010:103
http://www.openwall.com/lists/oss-security/2010/01/27/5
http://www.redhat.com/support/errata/RHSA-2010-0427.html
http://www.redhat.com/support/errata/RHSA-2010-0428.html
http://www.redhat.com/support/errata/RHSA-2010-0429.html
http://www.securityfocus.com/bid/37973
http://www.vupen.com/english/advisories/2010/1022
http://www.vupen.com/english/advisories/2010/1197
http://www.vupen.com/english/advisories/2010/1207
http://www.vupen.com/english/advisories/2010/1221
https://bugzilla.redhat.com/show_bug.cgi?id=559194
https://bugzilla.redhat.com/show_bug.cgi?id=559259
https://exchange.xforce.ibmcloud.com/vulnerabilities/55902
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9720