Bug 339935 (CVE-2010-3433) - <dev-db/postgresql-base-{8.1.22,8.2.18,8.3.12,8.4.5}: privilege escalation (CVE-2010-3433)
Status: RESOLVED FIXED
Alias: CVE-2010-3433
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.mandriva.com/en/security/a...
Whiteboard: B3 [glsa]
Duplicates: 340805
Depends on: 347223
Reported: 2010-10-06 12:55 UTC by Bernd Marienfeldt
Modified: 2011-10-25 07:51 UTC
CC: 4 users
Description Bernd Marienfeldt 2010-10-06 12:55:28 UTC
Multiple vulnerabilities were discovered and corrected in postgresql:
 
An authenticated database user can manipulate modules and tied variables in some external procedural languages to execute code with enhanced privileges (CVE-2010-3433).


Reproducible: Always
Comment 1 Aaron W. Swenson gentoo-dev 2010-10-07 23:18:46 UTC
The security issues lie in dev-db/postgresql-server.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2010-11-26 23:15:00 UTC
*** Bug 340805 has been marked as a duplicate of this bug. ***
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2010-11-26 23:23:22 UTC
From http://www.postgresql.org/about/news.1244:

The PostgreSQL Global Development Group today released security updates for all active branches of the PostgreSQL object-relational database system, including versions 9.0.1, 8.4.5, 8.3.12, 8.2.18, 8.1.22, 8.0.26 and 7.4.30. This is the final update for PostgreSQL versions 7.4 and 8.0.

[...]

The security vulnerability allows any ordinary SQL users with "trusted" procedural language usage rights to modify the contents of procedural language functions at runtime. As detailed in CVE-2010-3433, an authenticated user can accomplish privilege escalation by hijacking a SECURITY DEFINER function (or some other existing authentication-change operation). The mere presence of the procedural languages does not make your database application vulnerable.

Fixed versions are already in the tree. 

Postgresql herd, are these the right targets for stabilization?

dev-db/postgresql-docs-{8.1.22,8.2.18,8.3.12,8.4.5}
dev-db/postgresql-base-{8.1.22,8.2.18,8.3.12,8.4.5}
dev-db/postgresql-server-{8.1.22,8.2.18,8.3.12,8.4.5}

Thank you.
Comment 4 Aaron W. Swenson gentoo-dev 2010-11-27 04:13:05 UTC
Yes.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2010-11-27 04:41:58 UTC
(In reply to comment #4)
> Yes.
> 

Thanks, Aaron.

Arches, please test and mark the following stable.

=dev-db/postgresql-docs-{8.1.22,8.2.18,8.3.12,8.4.5}
=dev-db/postgresql-base-{8.1.22,8.2.18,8.3.12,8.4.5}
=dev-db/postgresql-server-{8.1.22,8.2.18,8.3.12,8.4.5}
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

ppc does not have 8.1.x keyworded, and ppc64 does not have 8.1.x or 8.2.x keyworded, so those do not need to be stabilized here.

Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2010-11-27 13:06:38 UTC
I get some test failures on the server packages.  Can we go on?  Has anyone tested functionality of those packages?
Comment 7 Aaron W. Swenson gentoo-dev 2010-11-27 18:37:21 UTC
(In reply to comment #6)
> I get some test failures on the server packages.  Can we go on?  Has anyone
> tested functionality of those packages?
> 

What are the failures?
Comment 8 Agostino Sarubbo gentoo-dev 2010-11-27 18:57:57 UTC
(In reply to comment #7)
> What are the failures?
> 

============== initializing database system           ==============

pg_regress: initdb failed
Examine ./log/initdb.log for the reason.

make[2]: *** [check] Error 2

Christian, is your error the same?
Comment 9 Agostino Sarubbo gentoo-dev 2010-11-27 19:57:22 UTC
On amd64:

=dev-db/postgresql-docs-{8.1.22,8.2.18,8.3.12,8.4.5}: OK

=dev-db/postgresql-base-{8.1.22,8.2.18,8.3.12,8.4.5}: OK

=dev-db/postgresql-server-{8.1.22,8.2.18,8.3.12,8.4.5}: All fail tests
8.2.18 does not respect LDFLAGS
8.3.12 does not respect LDFLAGS
8.4.5 does not respect LDFLAGS

It is obvious that security is more important than respecting LDFLAGS; anyway, I'll open a new bug for this.
Comment 10 Brent Baude (RETIRED) gentoo-dev 2010-11-28 14:03:40 UTC
I get the same error on ppc64 64UL.  proceed in stabilizing or what?
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2010-11-29 23:58:14 UTC
Why do arch devs keep complaining on stabilisation/security bugs - file a new bug report and make it block the stabilisation/security bug, like bug #347223 does...
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2010-12-02 13:19:26 UTC
x86 stable nonetheless.
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2010-12-18 17:12:37 UTC
Stable for HPPA PPC.
Comment 14 Tobias Klausmann (RETIRED) gentoo-dev 2010-12-20 15:56:51 UTC
I've tried having a go at this on alpha, to no avail. Details are similar to those for hppa (but I got several futile steps further); see bug 347223.
Comment 15 Markos Chandras (RETIRED) gentoo-dev 2010-12-31 15:37:22 UTC
amd64 done. Thanks Agostino
Comment 16 Tobias Klausmann (RETIRED) gentoo-dev 2011-01-02 15:35:31 UTC
Stable on alpha.

Note: I normally would not commit this since a failing test suite in the case of a DB is a show stopper for me personally.

However, I can see that postgres is basically unmaintained on alpha and this is a security bug. 

Hence, I reluctantly stabilized on alpha.
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2011-01-08 12:55:55 UTC
arm/ia64/s390/sh/sparc stable
Comment 18 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-01-10 16:15:00 UTC
ppc64 stable, last arch done
Comment 19 Tim Sammut (RETIRED) gentoo-dev 2011-01-10 18:43:00 UTC
Thanks, folks.

GLSA Vote: No.
Comment 20 Aaron W. Swenson gentoo-dev 2011-01-24 12:52:43 UTC
I believe there should be a GLSA. It has been a bit more than three years since the last GLSA regarding PostgreSQL was published.

There are still folks running the antiquated dev-db/{libpq,postgresql} ebuilds. We need something to encourage them to move on to dev-db/postgresql-{docs,base,server}, and a GLSA that exposes the risks they're facing might just do it.

Furthermore, there are six other security bugs open against dev-db/postgresql-server that have yet to be closed. (308063, 313335, 297383, 261223, 284274, 320967) Some of these bugs are against versions that are no longer in the tree.

The oldest bug is nearly two years old. A GLSA request was apparently filed on another more than five months ago, yet nothing has been released.

In short, some of the security bugs are fairly serious and we have yet to make an announcement about them. A GLSA that wraps all of them up would certainly be a good thing.
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:18:22 UTC
CVE-2010-3433 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3433):
  The PL/perl and PL/Tcl implementations in PostgreSQL 7.4 before 7.4.30, 8.0
  before 8.0.26, 8.1 before 8.1.22, 8.2 before 8.2.18, 8.3 before 8.3.12, 8.4
  before 8.4.5, and 9.0 before 9.0.1 do not properly protect script execution
  by a different SQL user identity within the same session, which allows
  remote authenticated users to gain privileges via crafted script code in a
  SECURITY DEFINER function, as demonstrated by (1) redefining standard
  functions or (2) redefining operators, a different vulnerability than
  CVE-2010-1168, CVE-2010-1169, CVE-2010-1170, and CVE-2010-1447.
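The PostgreSQL announcement quoted in comment 3 and the CVE text above both narrow the exposure to databases where ordinary roles hold USAGE on a trusted procedural language and SECURITY DEFINER functions exist in that language. The queries below are an added audit aid, not part of this bug report and not PostgreSQL's own tooling; they read only the system catalogs (pg_language, pg_roles, pg_proc, pg_namespace) and assume the standard language names 'plperl' and 'pltcl'. Run them with psql as a superuser against each database on a server that is being checked against the fixed releases listed in this bug.

```sql
-- Added audit queries (not from the bug report or from PostgreSQL).
-- Assumes psql access as a superuser and the standard language names
-- 'plperl' and 'pltcl'; adjust if your installation registers them differently.

-- 1. Is the server at or above the fixed release for its branch
--    (8.1.22, 8.2.18, 8.3.12, 8.4.5, 9.0.1)?
SELECT version();

-- 2. Which procedural languages are installed, and which are "trusted"
--    (usable by ordinary roles)? The advisory concerns PL/Perl and PL/Tcl.
SELECT lanname, lanpltrusted
FROM pg_catalog.pg_language
WHERE lanispl;

-- 3. Non-superuser roles holding USAGE on PL/Perl or PL/Tcl: the
--    "ordinary SQL users with trusted procedural language usage rights"
--    the PostgreSQL announcement refers to.
SELECT r.rolname, l.lanname
FROM pg_catalog.pg_roles r
CROSS JOIN pg_catalog.pg_language l
WHERE l.lanname IN ('plperl', 'pltcl')
  AND NOT r.rolsuper
  AND has_language_privilege(r.rolname, l.lanname, 'USAGE')
ORDER BY 1, 2;

-- 4. SECURITY DEFINER functions written in PL/Perl or PL/Tcl, with their
--    owners. These run with the owner's privileges and are the kind of
--    function the CVE text describes being hijacked, so review each one.
SELECT n.nspname AS schema,
       p.proname AS function,
       l.lanname AS language,
       pg_catalog.pg_get_userbyid(p.proowner) AS owner
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_language l ON l.oid = p.prolang
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
WHERE p.prosecdef
  AND l.lanname IN ('plperl', 'pltcl')
ORDER BY 1, 2;
```

An empty result from query 3 or query 4 means the precondition the announcement describes is absent in that database. The fix is the upgrade to the versions listed in this bug; where that has to wait, revoking USAGE on those languages from roles that do not need it (REVOKE USAGE ON LANGUAGE ...) shrinks the set of users query 3 reports.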
Comment 22 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-10-08 14:45:05 UTC
GLSA with the other pgsql bugs
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2011-10-25 07:51:37 UTC
This issue was resolved and addressed in
 GLSA 201110-22 at http://security.gentoo.org/glsa/glsa-201110-22.xml
by GLSA coordinator Alex Legler (a3li).