We are unaffected by CVE-2017-12172.

CVE-2017-15098 is missing a summary. At this time, the most I understand it to be is potentially exposing server memory contents through a server crash triggered by json{b}_populate_recordset() mismatching on the rowtype.

Snippet of the security portion of linked announcement:

CVE-2017-12172: Start scripts permit database administrator to modify root-owned files
================================================================================

Prior to this release, the startup log file for the postmaster (in newer releases, "postgres") process was opened while the process was still owned by root. With this setup, the database owner could specify a file that they did not have access to and cause the file to be corrupted with logged data.

This fix ensures that the startup log file is opened as the user specified to run the PostgreSQL server.

Any users who have made use of the start scripts will need to ensure the startup log files are owned by the user specified to run the PostgreSQL server.

CVE-2017-15099: INSERT ... ON CONFLICT DO UPDATE fails to enforce SELECT privileges
================================================================================

Prior to this release, the "INSERT ... ON CONFLICT DO UPDATE" would not check to see if the executing user had permission to perform a "SELECT" on the index performing the conflicting check. Additionally, in a table with row-level security enabled, the "INSERT ... ON CONFLICT DO UPDATE" would not check the SELECT policies for that table before performing the update.

This fix ensures that "INSERT ... ON CONFLICT DO UPDATE" checks against table permissions and RLS policies before executing.
Committed:

commit b7f8856d754e8ddeecde825cb4275bd48e645496 (HEAD -> master, origin/master, origin/HEAD)
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date:   Thu Nov 9 11:30:20 2017 -0500

    dev-db/postgresql: Security Bump (Bug 636978)

    Security-related version bump to:
      * 10.1
      * 9.6.6
      * 9.5.10
      * 9.4.15
      * 9.3.20
      * 9.2.24

    Headlines from the release announcement[1]:
      * CVE-2017-12172: Start scripts permit database administrator to
        modify root-owned files (Gentoo is unaffected)
      * CVE-2017-15098: Memory disclosure in JSON functions
      * CVE-2017-15099: INSERT ... ON CONFLICT DO UPDATE fails to enforce
        SELECT privileges

    [1]: https://www.postgresql.org/about/news/1801/

    Gentoo-Bug: https://bugs.gentoo.org/636978
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

Stabilization targets:

=dev-db/postgresql-9.6.6 ~alpha ~amd64 ~arm ~arm64 ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.5.10 ~alpha ~amd64 ~arm ~arm64 ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.4.15 ~alpha ~amd64 ~arm ~arm64 ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.3.20 ~alpha ~amd64 ~arm ~arm64 ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.2.24 ~alpha ~amd64 ~arm ~arm64 ~ia64 ~ppc ~ppc64 ~sparc ~x86
ppc/ppc64 stable
x86 stable
amd64 stable
Stable on alpha.
arm stable
@Maintainer any particular reason why hppa was not CCed in stabilization request?

HPPA and Sparc both have stable versions affected on almost every SLOT available.

Thank you,
(In reply to Christopher Díaz Riveros from comment #7)
> @Maintainer any particular reason why hppa was not CCed in stabilization
> request?
>
> HPPA and Sparc both have stable versions affected on almost every SLOT
> available.
>
> Thank you,

HPPA is pretty far behind the rest of the arches, and there was supposed to be some discussion about whether or not HPPA should be downgraded to an unstable arch right around when this was released. Looks like nothing came of it.

Just waiting on HPPA and IA64 now.

=dev-db/postgresql-9.6.6 ~hppa ~ia64
=dev-db/postgresql-9.5.10 ~hppa ~ia64
=dev-db/postgresql-9.4.15 ~hppa ~ia64
=dev-db/postgresql-9.3.20 ~hppa ~ia64
=dev-db/postgresql-9.2.24 ~hppa ~ia64
An automated check of this bug failed - repoman reported dependency errors (35 lines truncated):

> dependency.bad dev-db/postgresql/postgresql-9.2.24.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.2.24.ebuild: RDEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.3.20.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.2.24.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.2.24.ebuild: RDEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.3.20.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.2.24.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.2.24.ebuild: RDEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.3.20.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.2.24.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.2.24.ebuild: RDEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.3.20.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.2.24.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.2.24.ebuild: RDEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.3.20.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
An automated check of this bug succeeded - the previous repoman errors are now resolved.
sparc stable (thanks to Rolf Eike Beer)
ia64 stable
@security,

Adjusting Severity to agree with Whiteboard.

Gentoo Security Padawan
(Jmbailey/mbailey_j)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=850efe2a5700c2ba30f9e9860dd83143cf15da34

commit 850efe2a5700c2ba30f9e9860dd83143cf15da34
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2018-02-11 15:54:10 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2018-02-11 15:54:38 +0000

    dev-db/postgresql: Cleanup Old and Insecure Files

    Bug: https://bugs.gentoo.org/627462
    Bug: https://bugs.gentoo.org/636978
    Bug: https://bugs.gentoo.org/630824
    Bug: https://bugs.gentoo.org/603720
    Bug: https://bugs.gentoo.org/603716
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 dev-db/postgresql/Manifest                         |   6 -
 .../files/postgresql-9.2-9.4-tz-dir-overflow.patch |  16 -
 dev-db/postgresql/files/postgresql.confd           |  58 ---
 dev-db/postgresql/files/postgresql.init            | 137 -------
 dev-db/postgresql/files/postgresql.init-9.3        | 142 -------
 dev-db/postgresql/files/postgresql.service         |  55 ---
 dev-db/postgresql/files/postgresql.service-9.6     |  56 ---
 dev-db/postgresql/postgresql-9.2.19.ebuild         | 390 ------------------
 dev-db/postgresql/postgresql-9.2.22.ebuild         | 441 --------------------
 dev-db/postgresql/postgresql-9.2.23-r1.ebuild      | 445 ---------------------
 dev-db/postgresql/postgresql-9.2.23.ebuild         | 441 --------------------
 dev-db/postgresql/postgresql-9.3.15.ebuild         | 395 ------------------
 dev-db/postgresql/postgresql-9.4.10.ebuild         | 427 --------------------
 dev-db/postgresql/postgresql-9.5.5.ebuild          | 438 --------------------
 14 files changed, 3447 deletions(-)
commit 3b3ec30d0b02920ec76eeef4db2a968c3a907d23
Author: Jeroen Roovers <jer@gentoo.org>
Date:   Sun Feb 11 13:09:46 2018 +0100

    dev-db/postgresql: Stable for HPPA too.
All affected versions removed.
GLSA Vote: No
Tree is clean