
Bug 384539 (CVE-2011-2483)

Summary: <dev-db/postgresql-server-{8.2.22,8.3.16,8.4.9,9.0.5,9.1.1} Blowfish Signed-Character Bug (CVE-2011-2483)
Product: Gentoo Security
Reporter: Aaron W. Swenson <titanofold>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: mike, pgsql-bugs
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.postgresql.org/about/news.1355
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Aaron W. Swenson gentoo-dev 2011-09-26 15:38:01 UTC
Upstream applied the further upstream fix in contrib/pg_crypto for blowfish signed-character bug (CVE-2011-2483), where encryption code could give wrong results on platforms where char is signed (which is most), leading to encrypted passwords being weaker than they should be.

This only affects <dev-db/postgresql-server-{8.2.22,8.3.16,8.4.9,9.0.5,9.1.1}. dev-db/postgresql-{base,docs} are unaffected.
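Added example, not code from this bug, PostgreSQL or crypt_blowfish: the key-schedule packing below reconstructs from memory the pattern at the heart of the signed-character bug (bytes of the password are OR-ed into 32-bit P-array words four at a time, cycling over the key). Reading a byte >= 0x80 through a signed `char` sign-extends it, so the OR sets every higher bit and erases the bytes already packed into that word; an explicit `signed char` is used here so the result is the same on platforms whose plain `char` is unsigned, and the key values are constructed sample input.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

#define P_WORDS 18  /* a Blowfish P-array holds 18 32-bit subkeys */

/* Pack the NUL-terminated key into P_WORDS words, wrapping around at the
 * terminator as the Blowfish key setup does. buggy=1 models the original
 * code (byte read through a signed char), buggy=0 the corrected code. */
static void pack_key(const char *key, int buggy, uint32_t out[P_WORDS])
{
    const char *ptr = key;
    for (int i = 0; i < P_WORDS; i++) {
        uint32_t tmp = 0;
        for (int j = 0; j < 4; j++) {
            tmp <<= 8;
            if (buggy)  /* 0xC3 becomes (int)-61, i.e. 0xFFFFFFC3 */
                tmp |= (uint32_t)(int)(signed char)*ptr;
            else        /* zero-extended: 0xC3 stays 0x000000C3 */
                tmp |= (uint32_t)(unsigned char)*ptr;
            if (!*ptr) ptr = key; else ptr++;
        }
        out[i] = tmp;
    }
}

/* Number of P-array words the bug changes for this key (0 for pure ASCII). */
int corrupted_words(const char *key)
{
    uint32_t bad[P_WORDS], good[P_WORDS];
    pack_key(key, 1, bad);
    pack_key(key, 0, good);
    int n = 0;
    for (int i = 0; i < P_WORDS; i++) n += (bad[i] != good[i]);
    return n;
}

/* First subkey word, to show the byte before an 8-bit byte being wiped. */
uint32_t first_word(const char *key, int buggy)
{
    uint32_t w[P_WORDS];
    pack_key(key, buggy, w);
    return w[0];
}

int main(void)
{
    const char *k = "\xC3\xA9pw";  /* constructed: UTF-8 "é" followed by "pw" */
    printf("fixed  word0 %08" PRIx32 "\n", first_word(k, 0));
    printf("buggy  word0 %08" PRIx32 "  (%d of %d words differ)\n",
           first_word(k, 1), corrupted_words(k), P_WORDS);
    return 0;
}
```

Two keys that differ only in the byte preceding an 8-bit byte produce the same subkey word under the buggy packing, which is the collision that makes such hashes weaker than intended.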
Comment 1 Patrick Lauer gentoo-dev 2011-09-26 18:09:33 UTC
All needed ebuilds in tree, stabilization requested
Comment 2 Agostino Sarubbo gentoo-dev 2011-09-26 20:45:32 UTC
Thanks Aaron and Patrick.

Arches, please test and mark stable:

=dev-db/postgresql-server-8.2.22
=dev-db/postgresql-server-8.3.16
=dev-db/postgresql-server-8.4.9
=dev-db/postgresql-server-9.0.5

target KEYWORDS : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"


=dev-db/postgresql-server-9.1.1 does not need stabilization.
Comment 3 Aaron W. Swenson gentoo-dev 2011-09-26 23:17:02 UTC
(In reply to comment #2)
> Thanks Aaron and Patrick.
> 
> Arches, please test and mark stable:
> 
> =dev-db/postgresql-server-8.2.22
> =dev-db/postgresql-server-8.3.16
> =dev-db/postgresql-server-8.4.9
> =dev-db/postgresql-server-9.0.5
> 
> target KEYWORDS : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
> 
> 
> =dev-db/postgresql-server-9.1.1 does not need stabilization.

-docs and -base of the same versions and revisions will be required as well, of course excluding 9.1.1.
Comment 4 Agostino Sarubbo gentoo-dev 2011-09-27 08:50:44 UTC
bug 384631 is not a blocker.

amd64 ok
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2011-09-27 20:49:01 UTC
Stable for HPPA.
Comment 6 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-09-28 04:24:18 UTC
ppc/ppc64 stable
Comment 7 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-09-29 16:05:03 UTC
amd64: pass
Comment 8 Thomas Kahle (RETIRED) gentoo-dev 2011-09-30 22:35:13 UTC
x86 done. Thanks.
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2011-10-01 18:31:26 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 10 Markos Chandras (RETIRED) gentoo-dev 2011-10-01 20:17:52 UTC
amd64 done. Thanks Elijah and Agostino
Comment 11 Agostino Sarubbo gentoo-dev 2011-10-01 20:31:56 UTC
Thanks all, adding glsa vote request.
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2011-10-02 00:08:10 UTC
Thanks, everyone. GLSA Vote: yes.
Comment 13 Aaron W. Swenson gentoo-dev 2011-10-02 13:37:54 UTC
Affected versions removed from tree.
Comment 14 Mike Williams 2011-10-03 14:30:44 UTC
FYI guys 8.3.16 isn't stable on x86.
Comment 15 Tim Sammut (RETIRED) gentoo-dev 2011-10-03 17:41:49 UTC
(In reply to comment #14)
> FYI guys 8.3.16 isn't stable on x86.

Indeed, thanks, Mike.

@x86, ping.
Comment 16 Aaron W. Swenson gentoo-dev 2011-10-03 23:10:09 UTC
Marked 8.3.16 x86 stable.

It works for me on x86 as well on the workstation and the Hardened Server. (Both stable except for PostgreSQL.)
Comment 17 Tim Sammut (RETIRED) gentoo-dev 2011-10-03 23:16:48 UTC
(In reply to comment #16)
> Marked 8.3.16 x86 stable.
> 
> It works for me on x86 as well on the workstation and the Hardened Server.
> (Both stable except for PostgreSQL.)

Cool, tnx.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 22:37:37 UTC
CVE-2011-2483 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2483):
  crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms,
  does not properly handle 8-bit characters, which makes it easier for
  context-dependent attackers to determine a cleartext password by leveraging
  knowledge of a password hash.
Comment 19 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-10-08 14:44:26 UTC
GLSA with the other pgsql bugs
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2011-10-25 07:51:50 UTC
This issue was resolved and addressed in
 GLSA 201110-22 at http://security.gentoo.org/glsa/glsa-201110-22.xml
by GLSA coordinator Alex Legler (a3li).