Bug 501944 (CVE-2014-0067)

Summary:	<dev-db/postgresql-server-{9.0.18,9.1.14,9.2.9,9.3.5}: Vulnerability during "make check" (CVE-2014-0067)
Product:	Gentoo Security	Reporter:	Aaron W. Swenson <titanofold>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	pgsql-bugs
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0067
Whiteboard:	B4 [noglsa]
Package list:		Runtime testing required:	---
Bug Depends on:	522184
Bug Blocks:

Description Aaron W. Swenson gentoo-dev

2014-02-21 01:57:50 UTC

The PostgreSQL Global Development Group security team has discovered a vulnerability in the scripts that orchestrate PostgreSQL test suites that validate the functionality of the PostgreSQL binaries. While a test suite is running, a user with interactive access to the system can hijack the operating system user account running the suite. Only users who run "make check" on a system they share with untrusted users are at risk. A future set of update releases will fix this vulnerability, though there will be no need to reinstall existing deployments. In the meantime, users are advised to run the test suites only on non-shared systems or under operating system user accounts dedicated to the task of running test suites.

This vulnerability arises from the test scripts' use of "initdb" to create a PostgreSQL database cluster permitting local "trust" authentication. User-crafted workflows doing the same will exhibit the same vulnerability. We recommend studying automated usage of initdb in your own software. If a procedure in question could run on a system shared with untrusted users, follow the same precautions around that procedure as for the PostgreSQL test suites. The fix for PostgreSQL itself will establish a secure pattern for automating initdb, which you can later adopt.

On Unix-like platforms the attacker needs to be able to reach the server's socket file, so the risk depends on where the platform places the socket file and whether there are filesystem permissions protections in place. On Windows, the server opens a locally-accessible TCP socket, so there is no possibility of ameliorating the risk through filesystem permissions.

The changes required to make this situation safer are expected to be somewhat invasive and might break user-crafted testing workflows. Therefore, the PostgreSQL project will not actually be supplying a fix on 20-Feb, merely announcing that there is a problem and recommending that users not use "make check" on machines shared with untrusted users. Suitable changes to the regression testing setup will subsequently be debated publicly and can be expected to be incorporated in future releases.

Comment 1 Yury German Gentoo Infrastructure

2014-02-21 02:17:24 UTC

http://www.postgresql.org/support/security/

Comment 2 Agostino Sarubbo gentoo-dev

2014-09-19 10:44:16 UTC

cleanup done, please vote.

Comment 3 Aaron W. Swenson gentoo-dev

2014-09-19 14:51:14 UTC

(In reply to Agostino Sarubbo from comment #2)
> cleanup done, please vote.

Just my 2 cents: Given the temporary nature of the test installation, which should be wiped after a successful emerge, and that it only affects those users who invoke 'FEATURES="test" emerge dev-db/postgresql-server', I don't really think this needs a GLSA as the "affected" portion has already been deleted.

Comment 4 Yury German Gentoo Infrastructure

2014-09-20 00:29:35 UTC

Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No

Comment 5 GLSAMaker/CVETool Bot gentoo-dev

2014-09-20 00:33:24 UTC

CVE-2014-0067 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0067):
  The "make check" command for the test suites in PostgreSQL 9.3.3 and earlier
  does not properly invoke initdb to specify the authentication requirements
  for a database cluster to be used for the tests, which allows local users to
  gain privileges by leveraging access to this cluster.

Comment 6 Kristian Fiskerstrand (RETIRED) gentoo-dev

2014-09-20 09:15:23 UTC

GLSA Vote: No

Closing noglsa