Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 670724 (CVE-2018-16850) - <dev-db/postgresql-{11.1,10.6,9.6.11,9.5.15,9.4.20,9.3.25}: SQL injection in pg_upgrade and pg_dump, via CREATE TRIGGER ... REFERENCING (CVE-2018-16850)
Summary: <dev-db/postgresql-{11.1,10.6,9.6.11,9.5.15,9.4.20,9.3.25}: SQL injection in ...
Status: RESOLVED FIXED
Alias: CVE-2018-16850
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://www.postgresql.org/about/news...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-11-09 01:41 UTC by GLSAMaker/CVETool Bot
Modified: 2018-11-30 17:20 UTC (History)
2 users (show)

See Also:
Package list:
dev-db/postgresql-10.6 dev-db/postgresql-9.3.25 dev-db/postgresql-9.4.20 dev-db/postgresql-9.5.15 dev-db/postgresql-9.6.11
Runtime testing required: No
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-11-09 01:41:24 UTC 
CVE-2018-16850 (https://nvd.nist.gov/vuln/detail/CVE-2018-16850):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-11-09 01:42:44 UTC 
CVE-2018-16850: SQL injection in pg_upgrade and pg_dump, via CREATE TRIGGER ... REFERENCING.

Using a purpose-crafted trigger definition, an attacker can run arbitrary SQL statements with superuser privileges when a superuser runs pg_upgrade on the database or during a pg_dump dump/restore cycle. This attack requires a CREATE privilege on some non-temporary schema or a TRIGGER privilege on a table. This is exploitable in the default PostgreSQL configuration, where all users have CREATE privilege on public schema.
Comment 2 Larry the Git Cow gentoo-dev 2018-11-09 11:58:00 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c88956757e88ad0a804abc7dad45c666f1c32fd8

commit c88956757e88ad0a804abc7dad45c666f1c32fd8
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2018-11-09 11:56:39 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2018-11-09 11:57:34 +0000

    dev-db/postgresql: Security Bump
    
    Bump to:
     - 11.1
     - 10.6
     - 9.6.11
     - 9.5.15
     - 9.4.20
     - 9.3.25
    
    One security vulnerability has been closed by this release:
    
     * CVE-2018-16850: SQL injection in ‘pg_upgrade‘ and ‘pg_dump‘, via
    ‘CREATE TRIGGER … REFERENCING‘.
    
    Bug: https://bugs.gentoo.org/670724
    Package-Manager: Portage-2.3.51, Repoman-2.3.11
    Signed-off-by: Aaron Swenson <titanofold@gentoo.org>

 dev-db/postgresql/Manifest                 |   6 +
 dev-db/postgresql/metadata.xml             |  41 +--
 dev-db/postgresql/postgresql-10.6.ebuild   | 460 +++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-11.1.ebuild   | 460 +++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-9.3.25.ebuild | 443 ++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-9.4.20.ebuild | 475 ++++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-9.5.15.ebuild | 481 ++++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-9.6.11.ebuild | 486 +++++++++++++++++++++++++++++
 8 files changed, 2832 insertions(+), 20 deletions(-)
Comment 3 Aaron W. Swenson gentoo-dev 2018-11-09 12:04:26 UTC 
Please stabilize the following targets:
=dev-db/postgresql-10.6   ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-11.1   ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.3.25 ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.4.20 ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.5.15 ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.6.11 ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86
Comment 4 Aaron W. Swenson gentoo-dev 2018-11-09 12:05:57 UTC 
Oops! Not 11.1 as it the 11 series has not yet been stabled.

Please stabilize the following targets:
=dev-db/postgresql-10.6   ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.3.25 ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.4.20 ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.5.15 ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.6.11 ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86
Comment 5 Agostino Sarubbo gentoo-dev 2018-11-09 13:46:22 UTC 
amd64 stable
Comment 6 Rolf Eike Beer archtester 2018-11-10 15:55:45 UTC 
sparc stable
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2018-11-12 01:15:51 UTC 
x86 stable
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-11-17 15:05:42 UTC 
arm stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2018-11-18 16:30:09 UTC 
ppc stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2018-11-18 16:33:23 UTC 
ppc64 stable
Comment 11 Larry the Git Cow gentoo-dev 2018-11-28 16:04:51 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b2218eadc498631149065a107994e8e663dc44ba

commit b2218eadc498631149065a107994e8e663dc44ba
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2018-11-28 16:04:30 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2018-11-28 16:04:44 +0000

    dev-db/postgresql-10.6-r0: alpha stable
    
    Bug: http://bugs.gentoo.org/670724
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 dev-db/postgresql/postgresql-10.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 12 Larry the Git Cow gentoo-dev 2018-11-28 16:06:40 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4026859f3a49d9729d9869495964c30f50848b01

commit 4026859f3a49d9729d9869495964c30f50848b01
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2018-11-28 16:06:25 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2018-11-28 16:06:25 +0000

    dev-db/postgresql-9.3.25-r0: alpha stable
    
    Bug: http://bugs.gentoo.org/670724
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 dev-db/postgresql/postgresql-9.3.25.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 13 Larry the Git Cow gentoo-dev 2018-11-28 16:07:47 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bc43284d15a3138e50e3dc83641d8179164a73fa

commit bc43284d15a3138e50e3dc83641d8179164a73fa
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2018-11-28 16:07:35 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2018-11-28 16:07:35 +0000

    dev-db/postgresql-9.4.20-r0: alpha stable
    
    Bug: http://bugs.gentoo.org/670724
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 dev-db/postgresql/postgresql-9.4.20.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 14 Larry the Git Cow gentoo-dev 2018-11-28 16:09:42 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=70434811ba8feb41a3ca7c0fb04bcbc7eb052aa0

commit 70434811ba8feb41a3ca7c0fb04bcbc7eb052aa0
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2018-11-28 16:09:30 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2018-11-28 16:09:30 +0000

    dev-db/postgresql-9.5.15-r0: alpha stable
    
    Bug: http://bugs.gentoo.org/670724
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 dev-db/postgresql/postgresql-9.5.15.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 15 Larry the Git Cow gentoo-dev 2018-11-28 16:10:37 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=037930ffa0771c486ebb5de235e9925c4948a1bf

commit 037930ffa0771c486ebb5de235e9925c4948a1bf
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2018-11-28 16:10:25 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2018-11-28 16:10:25 +0000

    dev-db/postgresql-9.6.11-r0: alpha stable
    
    Bug: http://bugs.gentoo.org/670724
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 dev-db/postgresql/postgresql-9.6.11.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 16 Tobias Klausmann (RETIRED) gentoo-dev 2018-11-28 16:11:15 UTC 
Stable on alpha.
Comment 17 Sergei Trofimovich (RETIRED) gentoo-dev 2018-11-28 23:18:24 UTC 
ia64 stable
Comment 18 Aaron Bauman (RETIRED) gentoo-dev 2018-11-29 21:20:52 UTC 
@maintainers, please clean vulnerable.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2018-11-30 08:57:29 UTC 
This issue was resolved and addressed in
 GLSA 201811-24 at https://security.gentoo.org/glsa/201811-24
by GLSA coordinator Aaron Bauman (b-man).
Comment 20 Aaron Bauman (RETIRED) gentoo-dev 2018-11-30 08:58:35 UTC 
re-opened for cleanup
Comment 21 Larry the Git Cow gentoo-dev 2018-11-30 15:29:32 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6e42579e730d703a740179545cf12e3cacdf4726

commit 6e42579e730d703a740179545cf12e3cacdf4726
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2018-11-30 15:28:36 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2018-11-30 15:29:21 +0000

    dev-db/postgresql: Cleanup old, insecure
    
    Bug: https://bugs.gentoo.org/670724
    Package-Manager: Portage-2.3.51, Repoman-2.3.11
    Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>

 dev-db/postgresql/Manifest                 |   5 -
 dev-db/postgresql/postgresql-10.5.ebuild   | 460 ---------------------------
 dev-db/postgresql/postgresql-9.3.24.ebuild | 450 --------------------------
 dev-db/postgresql/postgresql-9.4.19.ebuild | 482 ----------------------------
 dev-db/postgresql/postgresql-9.5.14.ebuild | 488 ----------------------------
 dev-db/postgresql/postgresql-9.6.10.ebuild | 493 -----------------------------
 6 files changed, 2378 deletions(-)
Comment 22 Aaron Bauman (RETIRED) gentoo-dev 2018-11-30 17:20:24 UTC 
(In reply to Larry the Git Cow from comment #21)
> The bug has been referenced in the following commit(s):
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=6e42579e730d703a740179545cf12e3cacdf4726
> 
> commit 6e42579e730d703a740179545cf12e3cacdf4726
> Author:     Aaron W. Swenson <titanofold@gentoo.org>
> AuthorDate: 2018-11-30 15:28:36 +0000
> Commit:     Aaron W. Swenson <titanofold@gentoo.org>
> CommitDate: 2018-11-30 15:29:21 +0000
> 
>     dev-db/postgresql: Cleanup old, insecure
>     
>     Bug: https://bugs.gentoo.org/670724
>     Package-Manager: Portage-2.3.51, Repoman-2.3.11
>     Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>
> 
>  dev-db/postgresql/Manifest                 |   5 -
>  dev-db/postgresql/postgresql-10.5.ebuild   | 460 ---------------------------
>  dev-db/postgresql/postgresql-9.3.24.ebuild | 450 --------------------------
>  dev-db/postgresql/postgresql-9.4.19.ebuild | 482
> ----------------------------
>  dev-db/postgresql/postgresql-9.5.14.ebuild | 488
> ----------------------------
>  dev-db/postgresql/postgresql-9.6.10.ebuild | 493
> -----------------------------
>  6 files changed, 2378 deletions(-)

Thanks, Aaron!