Comment 1 Thomas Deutschmann (RETIRED) 2019-05-13 15:01:24 UTC

CVE-2019-10129: Memory disclosure in partition routing

Prior to this release, a user running PostgreSQL 11 can read arbitrary bytes of server memory by executing a purpose-crafted INSERT statement to a partitioned table.


CVE-2019-10130: Selectivity estimators bypass row security policies

PostgreSQL maintains statistics for tables by sampling data available in columns; this data is consulted during the query planning process. Prior to this release, a user able to execute SQL queries with permissions to read a given column could craft a leaky operator that could read whatever data had been sampled from that column. If this happened to include values from rows that the user is forbidden to see by a row security policy, the user could effectively bypass the policy. This is fixed by only allowing a non-leakproof operator to use this data if there are no relevant row security policies for the table.

Comment 2 Mikle Kolyada (RETIRED) 2019-05-15 14:55:49 UTC

amd64 stable

Comment 3 Rolf Eike Beer 2019-05-16 08:11:02 UTC

sparc stable

Comment 4 Thomas Deutschmann (RETIRED) 2019-05-16 23:58:02 UTC

x86 stable

Comment 5 Rolf Eike Beer 2019-05-18 19:23:40 UTC

hppa stable

Comment 6 Mikle Kolyada (RETIRED) 2019-05-23 13:18:19 UTC

arm stable

Comment 7 Sergei Trofimovich (RETIRED) 2019-05-25 07:58:20 UTC

ppc stable

Comment 8 Sergei Trofimovich (RETIRED) 2019-05-25 08:03:20 UTC

ppc64 stable

Comment 9 Agostino Sarubbo 2019-06-05 09:13:00 UTC

ia64 stable

Comment 10 Agostino Sarubbo 2019-06-06 06:49:24 UTC

alpha stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 11 Larry the Git Cow 2019-06-15 10:58:27 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=87cf3bd99d04619a664a6ef898edecba1125126a

commit 87cf3bd99d04619a664a6ef898edecba1125126a
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2019-06-15 10:56:02 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2019-06-15 10:56:09 +0000

    dev-db/postgresql: Cleanup old/insecure
    
    Bug: https://bugs.gentoo.org/685846
    Package-Manager: Portage-2.3.62, Repoman-2.3.11
    Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>

 dev-db/postgresql/Manifest                         |  11 -
 .../files/postgresql-9.3-no-server.patch           | 144 ------
 dev-db/postgresql/postgresql-10.6.ebuild           | 460 -------------------
 dev-db/postgresql/postgresql-10.7.ebuild           | 460 -------------------
 dev-db/postgresql/postgresql-11.1.ebuild           | 460 -------------------
 dev-db/postgresql/postgresql-11.2.ebuild           | 460 -------------------
 dev-db/postgresql/postgresql-12_beta1.ebuild       | 460 -------------------
 dev-db/postgresql/postgresql-9.3.25.ebuild         | 443 -------------------
 dev-db/postgresql/postgresql-9.4.20.ebuild         | 475 --------------------
 dev-db/postgresql/postgresql-9.4.21.ebuild         | 475 --------------------
 dev-db/postgresql/postgresql-9.5.15.ebuild         | 481 --------------------
 dev-db/postgresql/postgresql-9.5.16.ebuild         | 481 --------------------
 dev-db/postgresql/postgresql-9.6.11.ebuild         | 486 ---------------------
 dev-db/postgresql/postgresql-9.6.12.ebuild         | 486 ---------------------
 14 files changed, 5782 deletions(-)

Comment 12 Thomas Deutschmann (RETIRED) 2019-10-26 23:59:06 UTC

Added to an existing GLSA.

Comment 13 GLSAMaker/CVETool Bot 2020-03-12 20:23:28 UTC

This issue was resolved and addressed in
 GLSA 202003-03 at https://security.gentoo.org/glsa/202003-03
by GLSA coordinator Thomas Deutschmann (whissi).