688420 – (CVE-2019-10164) <dev-db/postgresql-{11.4,10.9}: Stack-based buffer overflow via setting a password (CVE-2019-10164)

Bug 688420 (CVE-2019-10164) - <dev-db/postgresql-{11.4,10.9}: Stack-based buffer overflow via setting a password (CVE-2019-10164)

Summary: <dev-db/postgresql-{11.4,10.9}: Stack-based buffer overflow via setting a pas...

Status:	RESOLVED FIXED

Alias:	CVE-2019-10164

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal major
Assignee:	Gentoo Security

URL:	https://www.postgresql.org/about/news...
Whiteboard:	B1 [glsa+ cve]
Keywords:

Depends on:
Blocks:

Reported:	2019-06-21 00:18 UTC by Aaron W. Swenson
Modified:	2020-03-12 20:23 UTC (History)
CC List:	1 user (show)

See Also:
Package list:	dev-db/postgresql-11.4 alpha amd64 arm arm64 hppa ia64 ppc ppc64 sparc x86 dev-db/postgresql-10.9 alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Runtime testing required:	No

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Aaron W. Swenson gentoo-dev

2019-06-21 00:18:29 UTC

Major versions prior to 10 are unaffected.

Stabilization targets:
=dev-db/postgresql-11.4 ~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-10.9 ~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86

Note: arm64 stabilization was introduced with 11.3.

==============================================


CVE-2019-10164: Stack-based buffer overflow via setting a password

Versions affected: 10, 11, 12 beta.

An authenticated user could create a stack-based buffer overflow by changing their own password to a purpose-crafted value. In addition to the ability to crash the PostgreSQL server, this could be further exploited to execute arbitrary code as the PostgreSQL operating system account.

Additionally, a rogue server could send a specifically crafted message during the SCRAM authentication process and cause a libpq-enabled client to either crash or execute arbitrary code as the client's operating system account.

This issue is fixed by upgrading and restarting your PostgreSQL server as well as your libpq installations. All users running PostgreSQL 10, 11, and 12 beta are encouraged to upgrade as soon as possible.

The PostgreSQL Project thanks Alexander Lakhin for reporting this problem.

Comment 1 Sergei Trofimovich (RETIRED) gentoo-dev

2019-06-22 10:31:14 UTC

ia64 stable

Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev

2019-06-22 10:33:18 UTC

ppc stable

Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev

2019-06-22 10:35:06 UTC

ppc64 stable

Comment 4 Rolf Eike Beer archtester

2019-06-23 10:31:04 UTC

sparc stable

Comment 5 Mikle Kolyada (RETIRED) archtester

2019-06-23 12:23:29 UTC

amd64 stable

Comment 6 Agostino Sarubbo gentoo-dev

2019-06-26 06:51:01 UTC

x86 stable

Comment 7 Agostino Sarubbo gentoo-dev

2019-06-27 13:29:55 UTC

alpha stable

Comment 8 Aaron Bauman (RETIRED) gentoo-dev

2019-07-22 16:08:34 UTC

arm64 stable

Comment 9 Mikle Kolyada (RETIRED) archtester

2019-07-28 20:12:54 UTC

arm stable

Comment 10 Larry the Git Cow gentoo-dev

2019-07-29 10:31:58 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4fa4501da1e923eaac0bb9af33e5ea979f539263

commit 4fa4501da1e923eaac0bb9af33e5ea979f539263
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2019-07-29 10:31:28 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2019-07-29 10:31:45 +0000

    dev-db/postgresql: Cleanup insecure
    
    Bug: https://bugs.gentoo.org/688420
    Package-Manager: Portage-2.3.66, Repoman-2.3.11
    Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>

 dev-db/postgresql/Manifest                  |   2 -
 dev-db/postgresql/postgresql-10.8-r1.ebuild | 466 ---------------------------
 dev-db/postgresql/postgresql-10.8.ebuild    | 460 ---------------------------
 dev-db/postgresql/postgresql-11.3-r1.ebuild | 468 ----------------------------
 dev-db/postgresql/postgresql-11.3.ebuild    | 460 ---------------------------
 5 files changed, 1856 deletions(-)

Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev

2019-10-26 23:57:34 UTC

New GLSA request filed.

Comment 12 GLSAMaker/CVETool Bot gentoo-dev

2020-03-12 20:23:36 UTC

This issue was resolved and addressed in
 GLSA 202003-03 at https://security.gentoo.org/glsa/202003-03
by GLSA coordinator Thomas Deutschmann (whissi).