| Summary: | dev-db/postgresql-server: multiple vulnerabilities (CVE-2010-{1169,1447,1975}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Stefan Behte (RETIRED) <craig> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | esigra, pgsql-bugs, titanofold |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.postgresql.org/about/news.1203 | | |
| Whiteboard: | B2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 297383, 308063, 313335 | | |
Description

Stefan Behte (RETIRED)

CVE-2010-1447 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1447): PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 does not properly restrict PL/perl procedures, which might allow remote attackers to execute arbitrary Perl code via a crafted script, related to the Safe module (aka Safe.pm) for Perl.

CVE-2010-1975 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1975): PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, and 8.4 before 8.4.4 does not properly check privileges during certain RESET ALL operations, which allows remote authenticated users to remove arbitrary parameter settings via a (1) ALTER USER or (2) ALTER DATABASE statement.

All visible ebuilds have been committed, 9.0 is masked and 9.0_beta2 getting committed really soon now.

Arches, please test and mark the following ebuilds stable if possible:
=dev-db/postgresql-server-7.4.29
TARGET KEYWORDS="alpha amd64 arm hppa ia64 ppc s390 sh sparc x86"
=dev-db/postgresql-server-8.0.25
TARGET KEYWORDS="alpha amd64 arm hppa ia64 ppc s390 sh sparc x86"
=dev-db/postgresql-server-8.1.21
TARGET KEYWORDS="alpha amd64 arm hppa ia64 s390 sh sparc x86"
=dev-db/postgresql-server-8.2.17
TARGET KEYWORDS="alpha amd64 arm hppa ia64 ppc s390 sh sparc x86"
=dev-db/postgresql-server-8.3.11
TARGET KEYWORDS="alpha amd64 arm hppa ia64 ~mips ppc ~ppc64 s390 sh sparc x86 ~x86-fbsd"
=dev-db/postgresql-server-8.4.4
TARGET KEYWORDS="alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 sh sparc x86 ~x86-fbsd"

No, please don't mark those stable. These are the ones that should be marked stable given enough time:
dev-db/postgresql-docs-{7.4.29,8.0.25,8.1.21,8.2.17,8.3.11,8.4.4}
dev-db/postgresql-base-{7.4.29-r1,8.0.25-r1,8.1.21-r1,8.2.17-r1,8.3.11-r1,8.4.4-r2}
dev-db/postgresql-server-{7.4.29-r1,8.0.25-r1,8.1.21-r1,8.2.17-r1,8.3.11-r1,8.4.4-r1}
Maybe let them sit as ~arch for another week or two. Additionally, the 7.4 branch is no longer supported upstream, so the effort to stabilize them is entirely up to you testers.

(In reply to comment #3)
> =dev-db/postgresql-server-7.4.29
> =dev-db/postgresql-server-8.0.25
> =dev-db/postgresql-server-8.1.21
> =dev-db/postgresql-server-8.2.17
> =dev-db/postgresql-server-8.3.11
> =dev-db/postgresql-server-8.4.4

x86 stable, done before Aaron's comment.

I obviously forgot the split of postgresql into the three packages, so of course the corresponding -base and -docs ebuilds should also be tested.

postgresql/Aaron/security:
I would not like to wait a week or even longer when marking stable for security bugs. So should we do the -r1 ebuilds or the ones I mentioned?

(In reply to comment #6)
> I obviously forgot the split of postgresql into the three packages, so of
> course the corresponding -base and -docs ebuilds should also be tested.
>
> postgresql/Aaron/security:
> I would not like to wait a week or even longer when marking stable for security
> bugs. So should we do the -r1 ebuilds or the ones I mentioned?

If we must stabilize now, I would prefer the ebuilds I've mentioned. They contain many fixes. I would appreciate a short hold for Mr. Lauer to commit the -base-8.4.4-r2 ebuild, as the Heimdal patch as applied in 8.4.4-r1 causes the package to fail when it is applied against MIT Kerberos. The -r2 ebuild contains the appropriate conditional.

The fixed ebuilds are in the tree now. To confirm, these are the packages that should be stabilized, with 7.4 being optional:
dev-db/postgresql-docs-{7.4.29,8.0.25,8.1.21,8.2.17,8.3.11,8.4.4}
dev-db/postgresql-base-{7.4.29-r1,8.0.25-r1,8.1.21-r1,8.2.17-r1,8.3.11-r1,8.4.4-r2}
dev-db/postgresql-server-{7.4.29-r1,8.0.25-r1,8.1.21-r1,8.2.17-r1,8.3.11-r1,8.4.4-r1}

All stable for HPPA.

amd64 stable

alpha/arm/ia64/s390/sh/sparc stable

Re-adding x86 for comment #8.

The 7.4 and 8.0 packages have been masked for removal. Obviously, they don't need to be stabilized now. As a reminder, for x86 what is left is:
dev-db/postgresql-base-{8.1.21-r1,8.2.17-r1,8.3.11-r1,8.4.4-r2}
dev-db/postgresql-server-{8.1.21-r1,8.2.17-r1,8.3.11-r1,8.4.4-r1}

stable x86

*ping*

Given that there are packages that have been masked, I'm updating the list, which is much shorter now.
dev-db/postgresql-docs-{8.1.21,8.2.17,8.3.11,8.4.4}
dev-db/postgresql-base-{8.1.21-r1,8.2.17-r1,8.3.11-r1,8.4.4-r2}
dev-db/postgresql-server-{8.1.21-r1,8.2.17-r1,8.3.11-r1,8.4.4-r1}
Once PPC(64)? AT stabilizes these packages we can remove a few more ebuilds from the tree.

Marked ppc/ppc64 stable.

GLSA with #297383.

This issue was resolved and addressed in GLSA 201110-22 at http://security.gentoo.org/glsa/glsa-201110-22.xml by GLSA coordinator Alex Legler (a3li).
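As an added example (not part of this bug, and not code from the Gentoo or PostgreSQL projects), here is the check an administrator would want while the stabilisation above was still pending: parse the banner that `SELECT version()` returns and compare it against the first fixed release on each branch as quoted in the CVE-2010-1447 and CVE-2010-1975 descriptions. It assumes those fixed versions, that beta servers report themselves as `PostgreSQL 9.0beta1` and so on (an assumption about the banner format), and a constructed host inventory; the host names, banners and function names are made up for illustration. It covers only the two CVEs whose version ranges appear in this bug, not CVE-2010-1169.

```python
import re

# First release on each maintenance branch that carries the fix, as given in
# the CVE-2010-1447 / CVE-2010-1975 descriptions above: (major, minor) -> patch.
FIXED_PATCH = {
    (7, 4): 29,
    (8, 0): 25,
    (8, 1): 21,
    (8, 2): 17,
    (8, 3): 11,
    (8, 4): 4,
}

# For the 9.0 beta series the CVE-2010-1447 text names 9.0 Beta 2 as the first fixed beta.
FIXED_BETA_90 = 2

# Branches the thread notes as no longer supported upstream (7.4): a fixed
# release exists, but being on that branch is itself a reason to upgrade.
UNSUPPORTED = {(7, 4)}

# Matches the banner returned by SELECT version(). Betas are assumed to appear
# as e.g. "PostgreSQL 9.0beta1" (assumption about the banner format).
_BANNER_RE = re.compile(
    r"PostgreSQL\s+(\d+)\.(\d+)(?:\.(\d+))?(?:beta(\d+))?", re.IGNORECASE
)


def parse_banner(banner):
    """Return (major, minor, patch, beta) from a version() banner, or None.

    `patch` is 0 when the banner has none; `beta` is None for a final release.
    """
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    beta = int(m.group(4)) if m.group(4) else None
    return major, minor, patch, beta


def assess(banner):
    """Classify one server against the advisory.

    status is one of:
      'vulnerable'  branch listed in the CVEs and below its first fixed release
      'fixed'       branch listed and at or above the fixed release
      'not_listed'  branch not mentioned in the CVE text (no verdict from this page)
      'unknown'     banner could not be parsed; needs a manual look
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return {"status": "unknown", "branch": None, "fixed_in": None,
                "unsupported_upstream": False}
    major, minor, patch, beta = parsed
    branch = (major, minor)
    result = {"branch": f"{major}.{minor}", "fixed_in": None,
              "unsupported_upstream": branch in UNSUPPORTED}
    if branch in FIXED_PATCH:
        fixed = FIXED_PATCH[branch]
        result["fixed_in"] = f"{major}.{minor}.{fixed}"
        result["status"] = "fixed" if patch >= fixed else "vulnerable"
    elif branch == (9, 0):
        result["fixed_in"] = f"9.0beta{FIXED_BETA_90}"
        # A final 9.0 release (no beta tag) postdates beta 2 and carries the fix.
        result["status"] = ("fixed" if beta is None or beta >= FIXED_BETA_90
                            else "vulnerable")
    else:
        result["status"] = "not_listed"
    return result


def hosts_needing_action(inventory):
    """Given {host: banner}, return (host, status, fixed_in) for every host that
    is vulnerable, sits on an unsupported branch, or could not be parsed."""
    needs = []
    for host, banner in sorted(inventory.items()):
        r = assess(banner)
        if r["status"] in ("vulnerable", "unknown") or r["unsupported_upstream"]:
            needs.append((host, r["status"], r["fixed_in"]))
    return needs


# Constructed sample inventory (not real hosts). Banners follow the
# "PostgreSQL x.y.z on <platform>, compiled by ..." shape of SELECT version().
SAMPLE_INVENTORY = {
    "db-a": "PostgreSQL 8.4.3 on x86_64-pc-linux-gnu, compiled by GCC gcc (Gentoo 4.4.3 p1.1) 4.4.3, 64-bit",
    "db-b": "PostgreSQL 8.3.11 on i686-pc-linux-gnu, compiled by GCC gcc (Gentoo 4.4.3 p1.1) 4.4.3, 32-bit",
    "db-c": "PostgreSQL 7.4.29 on i686-pc-linux-gnu, compiled by GCC gcc (Gentoo 4.4.3 p1.1) 4.4.3",
    "db-d": "PostgreSQL 9.0beta1 on x86_64-pc-linux-gnu, compiled by GCC gcc (Gentoo 4.4.3 p1.1) 4.4.3, 64-bit",
    "db-e": "connection refused",
}

if __name__ == "__main__":
    for host, status, fixed_in in hosts_needing_action(SAMPLE_INVENTORY):
        print(f"{host}: {status} (first fixed release: {fixed_in})")
```

The branch-aware comparison matters here: a plain numeric compare of `8.3.11` against `8.4.4` would call the patched 8.3 server "old", while the advisory fixes each branch separately. Hosts whose banner cannot be parsed are deliberately reported rather than silently skipped.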