Problem description: Trustix Security Engineers identified that all these packages had one or more script(s) that handled temporary files in an insecure manner. While it is not believed that any of these holes could lead to privilege escalation, it would be possible to trick the scripts to overwrite data writable by the user that invokes the script. These problems can only be exploited by local users, and they would have to wait for someone else, preferably root, to run the vulnerable scripts.
Created attachment 41113 [details, diff] postgresql-7.4.5-tempfile.patch Trustix patch to fix insecure tempfile handling.
postgresql herd, please verify and apply patch. thanks!
in cvs (7.4.5-r2).
Thanks for the bump Matsuu. Archs, please mark 7.4.5-r2 stable.
done on ppc
stable on sparc.
Hi, Today couldn't compile the new postgresql-7.4.5-r2. Have 7.4.5-r1 working. In the emerge log there are messages suggesting the ebuild wants to use libgettextlib-0.14.1.so (from gettext-0.14.1) - nothing bad but a day or two ago downgraded gettext-0.14.1 down to ver.0.12.1-r2 (also due to security reasons - by memory). Here's my error log: ...BEGIN... configure: creating ./config.status config.status: creating GNUmakefile config.status: creating src/Makefile.global config.status: creating src/include/pg_config.h config.status: linking ./src/backend/port/tas/dummy.s to src/backend/port/tas.s config.status: linking ./src/backend/port/dynloader/linux.c to src/backend/port/dynloader.c config.status: linking ./src/backend/port/sysv_sema.c to src/backend/port/pg_sema.c config.status: linking ./src/backend/port/sysv_shmem.c to src/backend/port/pg_shmem.c config.status: linking ./src/backend/port/dynloader/linux.h to src/include/dynloader.h config.status: linking ./src/include/port/linux.h to src/include/pg_config_os.h config.status: linking ./src/makefiles/Makefile.linux to src/Makefile.port make -C doc all make[1]: Entering directory `/var/tmp/portage/postgresql-7.4.5-r2/work/postgresql-7.4.5/doc' gzip -d -c man.tar.gz | /bin/tar xf - for file in man1/*.1; do \ mv $file $file.bak && \ sed -e 's/\\fR(l)/\\fR(7)/' $file.bak >$file && \ rm -f $file.bak || exit; \ done /bin/sh ../config/mkinstalldirs man7 mkdir man7 for file in manl/*.l; do \ sed -e '/^\.TH/s/"l"/"7"/' \ -e 's/\\fR(l)/\\fR(7)/' \ $file >man7/`basename $file | sed 's/.l$/.7/'` || exit; \ done make[1]: Leaving directory `/var/tmp/portage/postgresql-7.4.5-r2/work/postgresql-7.4.5/doc' make -C src all make[1]: Entering directory `/var/tmp/portage/postgresql-7.4.5-r2/work/postgresql-7.4.5/src' make -C port all make[2]: Entering directory `/var/tmp/portage/postgresql-7.4.5-r2/work/postgresql-7.4.5/src/port' gcc -march=i686 -O2 -pipe -fomit-frame-pointer -fno-strict-aliasing -Wall -Wmissing-prototypes -Wmissing-declarations -I../../src/include -D_GNU_SOURCE -c -o path.o path.c -MMD gcc -march=i686 -O2 -pipe -fomit-frame-pointer -fno-strict-aliasing -Wall -Wmissing-prototypes -Wmissing-declarations -I../../src/include -D_GNU_SOURCE -c -o sprompt.o sprompt.c -MMD gcc -march=i686 -O2 -pipe -fomit-frame-pointer -fno-strict-aliasing -Wall -Wmissing-prototypes -Wmissing-declarations -I../../src/include -D_GNU_SOURCE -c thread.c ar crs libpgport.a path.o sprompt.o thread.o make[2]: Leaving directory `/var/tmp/portage/postgresql-7.4.5-r2/work/postgresql-7.4.5/src/port' make -C backend all make[2]: Entering directory `/var/tmp/portage/postgresql-7.4.5-r2/work/postgresql-7.4.5/src/backend' msgfmt -o po/cs.mo po/cs.po msgfmt: error while loading shared libraries: libgettextlib-0.14.1.so: cannot open shared object file: No such file or directory make[2]: *** [po/cs.mo] Error 127 make[2]: Leaving directory `/var/tmp/portage/postgresql-7.4.5-r2/work/postgresql-7.4.5/src/backend' make[1]: *** [all] Error 2 make[1]: Leaving directory `/var/tmp/portage/postgresql-7.4.5-r2/work/postgresql-7.4.5/src' make: *** [all] Error 2 !!! ERROR: dev-db/postgresql-7.4.5-r2 failed. !!! Function src_compile, Line 131, Exitcode 2 !!! (no error message) !!! If you need support, post the topmost build error, NOT this status message. ...END... Thanks Rumen
Stable on alpha. Rumen, your problem is unrelated to postgresql. Emerge sync and emerge gettext twice to fix it. See bug 66449 for more information.
stable on ppc64, thanks!
Matsuu, Thank you. But I think we should also fix 7.3.7. It's also stable version and in different SLOT. Can you fix it too?
All ebuilds of postgresql are in same SLOT for now. It's my misunderstanding. Anyway, we should fix 7.3.7 as well.
The GLSA will ask people to upgrade to the latest version, so a fix for previous version is not necessary, strictly security-speaking. Still waiting for x86 and amd64 to mark postgresql-7.4.5-r2 stable to issue GLSA.
yes. but we can't delete 7.3.7 beacuse data format of 7.3.* and 7.4.* are not compatibility. Many people will continue using 7.3.* So, I think we need to fix it too.
They should even be on different SLOTs :) Yes, fix it in the other version too, we'll handle it on the GLSA one way or another.
yes. I want to put them in different SLOT. But there are some problems.. I'm going to do it when I have a time. Anyway, I've also fixed 7.3.* as 7.3.7-r2.ebuild. Archs, please mark 7.3.7-r2 stable as well.
stable on ppc (both versions)
Done on hppa.
Alpha stable.
7.3.7-r2 now stable on sparc
7.3.7-r2 and 7.4.5-r2 stable on amd64.
7.3.7-r2 and 7.4.5-r2 stable on ia64.
GLSA 200410-16 mips, s390, arm : please mark stable to benefit from GLSA
*** Bug 68865 has been marked as a duplicate of this bug. ***
Later versions marked stable on mips.