
Bug 419727 (CVE-2012-2143)

Summary: <dev-db/postgresql-{base,server,docs}-{8.3.19,8.4.12,9.0.8,9.1.4}: Multiple Vulnerabilities (CVE-2012-{2143,2655})
Product: Gentoo Security
Reporter: Patrick Lauer <patrick>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: esigra, pgsql-bugs
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.postgresql.org/about/news/1398/
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 431766
Bug Blocks:

Description Patrick Lauer gentoo-dev 2012-06-05 08:38:53 UTC
CVE-2012-2143: Fix incorrect password transformation in contrib/pgcrypto’s DES crypt() function

This vulnerability affects PostgreSQL users who use the crypt(text, text) function (in the optional pgcrypto module) with DES encryption and non-ASCII passwords. Passwords affected are those that contain the byte value 0x80. Characters after such a byte were ignored, making the effective password shorter and easier to crack than it should be. After the upgrade, any passwords containing such bytes will need to be regenerated.

CVE-2012-2655: Ignore SECURITY DEFINER and SET attributes for a procedural language’s call handler

Applying such attributes to a call handler could crash the server.

Ebuilds for the new versions are WIP.
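To make the "effective password" in the description concrete, here is an added Python example; it is not code from the Gentoo bug, from PostgreSQL or from pgcrypto. It models the pre-fix behaviour the advisory describes (bytes after the first 0x80 byte being ignored by DES crypt()) and uses that model to pick out which passwords an administrator must regenerate after the upgrade. The function names, the sample passwords and the assumption that the 0x80 byte itself contributes nothing are all constructed for this example.

```python
# Added example, not from the Gentoo bug or PostgreSQL. Models the
# CVE-2012-2143 behaviour described above: pre-fix DES crypt() in pgcrypto
# ignored every byte after the first 0x80 byte of the password.
from typing import List, Tuple

TRUNCATION_BYTE = b"\x80"  # the byte value named in the advisory


def effective_des_input(password: bytes) -> bytes:
    """Model of the unfixed behaviour: the part of the password the old
    crypt_des actually used, i.e. everything before the first 0x80 byte.
    Assumption for this example: the 0x80 byte itself is dropped too.
    This is a model of the described bug, not a reimplementation of crypt."""
    cut = password.find(TRUNCATION_BYTE)
    return password if cut < 0 else password[:cut]


def is_affected(password: str, encoding: str = "utf-8") -> bool:
    """True if the password, as the client sent it in `encoding`, contains
    the 0x80 byte and was therefore silently shortened before the fix."""
    return TRUNCATION_BYTE in password.encode(encoding)


def bytes_lost(password: str, encoding: str = "utf-8") -> int:
    """How many trailing bytes of the encoded password the old code ignored."""
    raw = password.encode(encoding)
    return len(raw) - len(effective_des_input(raw))


def passwords_to_regenerate(passwords: List[str]) -> List[Tuple[str, int]]:
    """Return (password, bytes_lost) for every entry that needs regeneration
    after the upgrade, as the advisory requires."""
    return [(p, bytes_lost(p)) for p in passwords if is_affected(p)]


if __name__ == "__main__":
    # Constructed sample passwords. 'À' is U+00C0, UTF-8 bytes c3 80, so its
    # second byte is exactly the problematic 0x80; U+0400 is d0 80.
    sample = ["correct horse", "pÀssword2012", "Ünïcödé-ok", "naïve\u0400x"]
    for pw, lost in passwords_to_regenerate(sample):
        raw = pw.encode("utf-8")
        print(f"{pw!r}: DES crypt() effectively used {effective_des_input(raw)!r}, "
              f"ignored {lost} trailing byte(s)")
```

Only UTF-8 code points whose encoding contains a 0x80 continuation byte trigger the problem, so many accented passwords (the "Ünïcödé-ok" sample) are unaffected while others ("pÀssword2012") collapse to a two-byte effective key; that gap is why the advisory asks for affected passwords to be regenerated rather than merely rehashed.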
Comment 1 Patrick Lauer gentoo-dev 2012-06-05 09:17:45 UTC
+
+  05 Jun 2012; Patrick Lauer <patrick@gentoo.org>
+  +postgresql-server-8.3.19.ebuild, +postgresql-server-8.4.12.ebuild,
+  +postgresql-server-9.0.8.ebuild, +postgresql-server-9.1.4.ebuild:
+  Bump for #419727
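Review bot: the ChangeLog line "Bump for #419727" does not say these are security bumps or name the CVEs the bug covers (CVE-2012-2143 and CVE-2012-2655 per the summary); a wording such as "Security bump for #419727 (CVE-2012-2143, CVE-2012-2655)" would make the entry self-describing for anyone reading the ChangeLog without the bug.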

Ebuilds are there; suggest the usual stabling.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2012-06-05 13:21:52 UTC
Thanks, Patrick.

Arches, please test and mark stable:
=dev-db/postgresql-base-8.3.19
=dev-db/postgresql-server-8.3.19
=dev-db/postgresql-docs-8.3.19

=dev-db/postgresql-base-8.4.12
=dev-db/postgresql-server-8.4.12
=dev-db/postgresql-docs-8.4.12

=dev-db/postgresql-base-9.0.7
=dev-db/postgresql-server-9.0.7
=dev-db/postgresql-docs-9.0.7

=dev-db/postgresql-base-9.1.3
=dev-db/postgresql-server-9.1.3
=dev-db/postgresql-docs-9.1.3

Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2012-06-05 15:36:28 UTC
amd64 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2012-06-06 04:19:28 UTC
Stable for HPPA.
Comment 5 Brent Baude (RETIRED) gentoo-dev 2012-06-06 18:28:15 UTC
ppc64 done
Comment 6 Andreas Schürch gentoo-dev 2012-06-13 10:14:29 UTC
x86 stable (9.0.8 and 9.1.4 instead of 9.0.7 and 9.1.3 from comment #2), thanks.
Comment 7 Markus Meier gentoo-dev 2012-06-17 20:42:30 UTC
arm stable
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2012-07-01 16:26:49 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-07-13 21:22:51 UTC
CVE-2012-2143 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2143):
  The crypt_des (aka DES-based crypt) function in FreeBSD before
  9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not
  process the complete cleartext password if this password contains a 0x80
  character, which makes it easier for context-dependent attackers to obtain
  access via an authentication attempt with an initial substring of the
  intended password, as demonstrated by a Unicode password.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-07-19 16:33:01 UTC
CVE-2012-2655 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2655):
  PostgreSQL 8.3.x before 8.3.19, 8.4.x before 8.4.12, 9.0.x before 9.0.8, and
  9.1.x before 9.1.4 allows remote authenticated users to cause a denial of
  service (server crash) by adding the (1) SECURITY DEFINER or (2) SET
  attributes to a procedural language's call handler.
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2012-08-19 15:12:18 UTC
Moving to [glsa]. PPC, please stabilize the newer versions from bug 431766 instead.
Comment 12 Aaron W. Swenson gentoo-dev 2012-09-25 18:18:25 UTC
Affected versions no longer in tree.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-09-28 12:03:20 UTC
This issue was resolved and addressed in
 GLSA 201209-24 at http://security.gentoo.org/glsa/glsa-201209-24.xml
by GLSA coordinator Sean Amoss (ackle).