Bug#: 80342
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Description:   Opened: 2005-02-01 07:14 0000
In order to address a potential security hole recently identified with the
"LOAD" option, the PostgreSQL Global Development Group is announcing the
release of new versions of PostgreSQL going back to the 7.2.x version.

------- Comment #1 From Sune Kloppenborg Jeppesen 2005-02-01 07:16:17 0000 -------
postgresql please bump.

------- Comment #2 From Sune Kloppenborg Jeppesen 2005-02-01 07:18:22 0000 -------
More details from USN-71-1

Details follow:

John Heasman discovered a local privilege escalation in the PostgreSQL
server. Any user could use the LOAD extension to load any shared
library into the PostgreSQL server; the library's initialisation
function was then executed with the permissions of the server.

Now the use of LOAD is restricted to the database superuser (usually
'postgres').

Note: Since there is no way for normal database users to create
arbitrary files, this vulnerability is not exploitable remotely, e.g.
by uploading a shared library in the form of a Binary Large Object
(BLOB) to a public web server.
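An added example, not part of the bug report, the USN text or any Gentoo/PostgreSQL code: a small POSIX sh helper that reads the banner returned by SELECT version() and decides whether the installed server is at or above the release that restricted LOAD to the database superuser. The fixed versions 7.3.9, 7.4.7 and 8.0.1 are the ones named in this bug; 7.2.7 is the matching 7.2 release from the upstream announcement of 2005-01-31 and is not listed on this page. The sample banners are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the bug or from Gentoo/PostgreSQL): classify a
# PostgreSQL server as "fixed", "vulnerable" or "unknown" with respect to the
# LOAD-by-any-user issue, based only on its reported version.

# Minimum fixed release per major branch. 7.3.9, 7.4.7 and 8.0.1 are named in
# the bug; 7.2.7 is taken from the upstream 2005-01-31 release announcement.
fixed_for_branch() {
    case "$1" in
        7.2) echo 7.2.7 ;;
        7.3) echo 7.3.9 ;;
        7.4) echo 7.4.7 ;;
        8.0) echo 8.0.1 ;;
        *)   echo "" ;;
    esac
}

# Extract "X.Y.Z" from a version() banner such as
#   "PostgreSQL 7.4.6 on i686-pc-linux-gnu, compiled by GCC 3.3.5"
version_from_banner() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++)
              if ($i == "PostgreSQL" && i < NF) { print $(i + 1); exit } }'
}

# Numeric comparison of dotted versions: exit 0 when $1 >= $2.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Print "fixed", "vulnerable" or "unknown" for a version() banner.
# Anything at or above 8.0.1 carries the fix; older branches are compared
# against their own fixed release; branches before 7.2 are reported unknown.
load_status() {
    ver=$(version_from_banner "$1")
    [ -n "$ver" ] || { echo unknown; return 0; }
    if version_ge "$ver" 8.0.1; then
        echo fixed; return 0
    fi
    branch=${ver%.*}
    min=$(fixed_for_branch "$branch")
    if [ -z "$min" ]; then
        echo unknown
    elif version_ge "$ver" "$min"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Live check against a running server (needs psql on PATH). Extra arguments
# are passed to psql, e.g.:  check_server -h db1 -U postgres
check_server() {
    banner=$(psql -tAX -c 'SELECT version()' "$@") || return 2
    load_status "$banner"
}

# Demo on constructed banners (not captured from real systems).
if [ "${1:-}" = "--demo" ]; then
    for b in "PostgreSQL 7.4.6 on i686-pc-linux-gnu, compiled by GCC 3.3.5" \
             "PostgreSQL 7.4.7 on i686-pc-linux-gnu, compiled by GCC 3.3.5" \
             "PostgreSQL 8.0.0 on x86_64-pc-linux-gnu, compiled by GCC 3.4.3" \
             "PostgreSQL 8.1.0 on x86_64-pc-linux-gnu, compiled by GCC 4.0.2"; do
        printf '%-6s %s\n' "$(version_from_banner "$b")" "$(load_status "$b")"
    done
fi
```

Run it as `sh check_load.sh --demo` for the constructed banners, or source it and call `check_server` against a live instance. The version comparison is numeric per component, so 7.4.10 is correctly treated as newer than 7.4.7; a server whose banner does not contain a recognisable version falls through to "unknown" rather than being reported as safe.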

------- Comment #3 From Masatomo Nakano (RETIRED) 2005-02-01 08:18:12 0000 -------
OK. I'll do that in the next few hours.

------- Comment #4 From Masatomo Nakano (RETIRED) 2005-02-01 11:55:59 0000 -------
I've added these ebuilds to the portage tree:
  postgresql-7.3.9.ebuild
  postgresql-7.4.7.ebuild
  postgresql-8.0.1.ebuild

------- Comment #5 From Matthias Geerdsen 2005-02-01 12:58:34 0000 -------
Arches, please test and mark stable...

7.4.x appears to be the latest version that is marked stable on all arches, so 7.4.7 should be the minimum to be stable.
Please also consider testing the other updated versions (7.3.9 and 8.0.1).

postgresql-7.4.7.ebuild:
current KEYWORDS="x86 ~ppc sparc ~mips alpha ~arm hppa amd64 ~ia64 ~s390 ~ppc64"
target KEYWORDS="x86 ppc sparc mips alpha arm hppa amd64 ia64 s390 ppc64"

postgresql-8.0.1.ebuild:
current KEYWORDS="~x86 ~ppc ~sparc ~mips ~alpha ~arm ~hppa ~amd64 ~ia64 ~s390 ~ppc64"

postgresql-7.3.9.ebuild:
current KEYWORDS="x86 ~ppc ~sparc ~alpha ~amd64 ~hppa ~ia64 ~mips"

------- Comment #6 From Markus Rothe 2005-02-02 12:52:46 0000 -------
stable on ppc64

------- Comment #7 From Gustavo Zacarias (RETIRED) 2005-02-03 06:55:53 0000 -------
7.3.9 to sparc stable.

------- Comment #8 From Marcus D. Hanwell 2005-02-03 07:49:14 0000 -------
postgresql-7.4.7 already stable on amd64. Tested and verified to work fine.

------- Comment #9 From Bryan Østergaard (RETIRED) 2005-02-04 14:20:03 0000 -------
7.4.7 stable on alpha.

------- Comment #10 From Michael Hanselmann (hansmi) (RETIRED) 2005-02-04 14:31:06 0000 -------
Stable on ppc. Sorry for the delay.

------- Comment #11 From SpanKY 2005-02-06 03:01:08 0000 -------
arm/ia64/s390 stable

------- Comment #12 From Joshua Kinard 2005-02-06 18:37:46 0000 -------
mips stable.

------- Comment #13 From Luke Macken (RETIRED) 2005-02-07 11:33:10 0000 -------
GLSA 200502-08
