Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 501946 (CVE-2014-0060)

Summary: <dev-db/postgresql-server-{9.3.3,9.2.7,9.1.12,9.0.16,8.4.20}: Multiple Vulnerabilities (CVE-2014-{0060,0061,0062,0063,0064,0065,0066,2669})
Product: Gentoo Security Reporter: Aaron W. Swenson <titanofold>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: pgsql-bugs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://wiki.postgresql.org/wiki/20140220securityrelease
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---

Description Aaron W. Swenson gentoo-dev 2014-02-21 02:13:15 UTC 
The 2014-02-20 update contains fixes for multiple security issues. Most of these are "Class C" security issues, meaning that they require prior valid login for privilege escalation. Some also require additional database conditions to be true in order to be exploited. One fix below breaks backwards compatibility in a way that complies with our documentation but not with past behavior.


================================================================================
CVE-2014-0060 PostgreSQL: SET ROLE bypasses lack of ADMIN OPTION
================================================================================
*This change will break backwards compatibility for users who were expecting the prior, broken behavior. The new behavior is in compliance with the documentation.*

Granting a role without ADMIN OPTION is supposed to prevent the grantee from adding or removing members from the granted role. Issuing SET ROLE before the GRANT bypassed that, because the role itself had an implicit right to add or remove members. This issue was fixed by recognizing that implicit right only when the session user matches the current role. Additionally, do not recognize it during a security-restricted operation or during execution of a SECURITY DEFINER function. The restriction on SECURITY DEFINER is not security-critical. However, it seems best for a user testing his or her own SECURITY DEFINER function to see the same behavior others will see. Affects all supported versions back to 8.4.

The SQL standards do not conflate roles and users as PostgreSQL does; only SQL roles have members, and only SQL users initiate sessions. An application using PostgreSQL users and roles as SQL users and roles will never attempt to grant membership in the role that is the session user, so the implicit right to add or remove members will never arise.

The security impact was mostly that a role member could revoke access from others, contrary to the wishes of the role member's grantor. Unapproved role member additions are less notable, because the member can still largely achieve that by creating a view or a SECURITY DEFINER function.


================================================================================
CVE-2014-0061 PostgreSQL: Privilege escalation via explicit calls to validator functions
================================================================================
PostgreSQL procedural languages (PLs) normally provide a "validator" function that performs creation-time checking of syntax etc. for functions written in that language. These validator functions can be called directly from SQL, too, which is intended to allow post-facto checking of existing function definitions. However, unexpected and possibly insecure results could be obtained by feeding the text of a function defined in one language to the validator for another language. Moreover, in many languages the validator might perform some limited amount of code execution, opening the possibility of an attacker executing code without permission. The security impact is thus that an authenticated database user might be able to escalate his or her privileges.

The fix will cause validator functions to throw an error when used against a function defined in another language, or against a function the current user doesn't have permissions to call.

While the PostgreSQL project will fix the validator functions in PLs distributed with PostgreSQL, the same two-line fix will be needed in validator functions of PLs developed externally. There are many such extensions and we cannot be certain that all of their developers will respond promptly.


================================================================================
CVE-2014-0062 PostgreSQL: Race condition in CREATE INDEX allows for privilege escalation
================================================================================
CREATE INDEX, and some ALTER TABLE statements, did multiple independent lookups of the table the index is supposed to be created on. Concurrent creation or deletion of another table of the same name (but in a different schema) might cause some of these lookups to find one table and some the other table. This allows effects such as creating an index on a table one doesn't own, thus exposing data to the calling user that should not be able to access. This vulnerability exists in all affected versions, but is more easily exploited in 9.2 and 9.3.


================================================================================
CVE-2014-0063 PostgreSQL: Potential buffer overruns in datetime input/output 
================================================================================
Many functions use the MAXDATELEN constant to size a buffer for parsing or displaying a datetime value. However, the buffer was much too small for the longest possible interval output and slightly too small for certain valid timestamp inputs, particularly input with a long timezone name. Inputs that were too long would be rejected needlessly, while outputs that were too long would result in stack corruption, which could crash the server and could be exploitable for arbitrary code execution.


================================================================================
CVE-2014-0064 PostgreSQL: Potential buffer overruns due to integer overflow in size calculations 
================================================================================
Several functions, mostly type input functions, calculated an allocation size such that the calculation wrapped to a small positive value when arguments implied a sufficiently-large requirement. Writes past the end of the inadvertent small allocation followed shortly thereafter. Coverity Scan identified the path_in() vulnerability; code inspection led to the rest. In passing, add check_stack_depth() to prevent stack overflow in related functions.

Affects all supported versions back to 8.4. The non-comment hstore changes touch code that did not exist in 8.4, so that part stops at 9.0.


================================================================================
CVE-2014-0065 PostgreSQL: Potential buffer overruns of fixed-size buffers
================================================================================
Coverity Scan identified a number of places in which it could not prove that a string being copied into a fixed-size buffer would fit. We believe that most, perhaps all of these, are in fact safe or are copying data that is coming from a trusted source so that any overrun is not really a security issue. Nonetheless it seems prudent to forestall any risk by using strlcpy() and similar functions.


================================================================================
CVE-2014-0066 PostgreSQL: Potential null pointer dereference crash when crypt(3) returns NULL
================================================================================
The chkpass extension uses the standard crypt() library function, which is defined to return NULL on failure, but it was not checking for NULL before using the result. The main practical case in which this could be an issue is if libc is configured to refuse to execute unapproved hashing algorithms ("FIPS mode").
Comment 1 Patrick Lauer gentoo-dev 2014-02-21 07:13:19 UTC 
+  21 Feb 2014; Patrick Lauer <patrick@gentoo.org>
+  +postgresql-server-8.4.20.ebuild, +postgresql-server-9.0.16.ebuild,
+  +postgresql-server-9.1.12.ebuild, +postgresql-server-9.2.7.ebuild,
+  +postgresql-server-9.3.3.ebuild:
+  Bump for #501946

All ebuilds in place.
Comment 2 Aaron W. Swenson gentoo-dev 2014-02-21 23:51:24 UTC 
Full list of files to stable:

=dev-db/postgresql-docs-8.4.20
=dev-db/postgresql-docs-9.0.16
=dev-db/postgresql-docs-9.1.12
=dev-db/postgresql-docs-9.2.7
=dev-db/postgresql-docs-9.3.3

=dev-db/postgresql-base-8.4.20
=dev-db/postgresql-base-9.0.16
=dev-db/postgresql-base-9.1.12
=dev-db/postgresql-base-9.2.7
=dev-db/postgresql-base-9.3.3

=dev-db/postgresql-server-8.4.20
=dev-db/postgresql-server-9.0.16
=dev-db/postgresql-server-9.1.12
=dev-db/postgresql-server-9.2.7
=dev-db/postgresql-server-9.3.3
Comment 3 Agostino Sarubbo gentoo-dev 2014-02-22 07:22:00 UTC 
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-02-22 07:22:45 UTC 
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-02-22 07:23:22 UTC 
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-02-22 07:23:54 UTC 
ppc64 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2014-02-22 16:26:47 UTC 
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2014-02-23 08:25:45 UTC 
alpha stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-02-23 08:26:41 UTC 
> CVE-2014-0061 PostgreSQL: Privilege escalation via explicit calls to validator > functions

I'd say to set it to B1, why it has been set to C3??
Comment 10 Agostino Sarubbo gentoo-dev 2014-02-23 08:28:12 UTC 
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-02-23 08:28:59 UTC 
ia64 stable
Comment 12 Aaron W. Swenson gentoo-dev 2014-02-24 11:58:53 UTC 
(In reply to Agostino Sarubbo from comment #9)
> > CVE-2014-0061 PostgreSQL: Privilege escalation via explicit calls to validator > functions
> 
> I'd say to set it to B1, why it has been set to C3??

Because no one has been successful in escalating their privileges just yet (at least, from what I've been able to discover), and if they were, they'd only be escalated within the database.
Comment 13 Agostino Sarubbo gentoo-dev 2014-03-12 10:24:45 UTC 
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 14 Agostino Sarubbo gentoo-dev 2014-03-12 10:29:45 UTC 
(In reply to Aaron W. Swenson from comment #12)
> Because no one has been successful in escalating their privileges just yet
> (at least, from what I've been able to discover), and if they were, they'd
> only be escalated within the database.

I don't guess this is the right interpretation.

It is described to be a privilege escalation. I don't care if someone ha produced a real POC or not.
Comment 15 Agostino Sarubbo gentoo-dev 2014-03-31 09:49:10 UTC 
From https://bugzilla.redhat.com/show_bug.cgi?id=1082154 :

Common Vulnerabilities and Exposures assigned an identifier CVE-2014-2669 to
the following vulnerability:

Name: CVE-2014-2669
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2669
Assigned: 20140328
Reference: http://wiki.postgresql.org/wiki/20140220securityrelease
Reference: http://www.postgresql.org/about/news/1506/
Reference: http://www.postgresql.org/support/security/
Reference: https://github.com/postgres/postgres/commit/31400a673325147e1205326008e32135a78b4d8a
Reference: DEBIAN:DSA-2864
Reference: http://www.debian.org/security/2014/dsa-2864
Reference: DEBIAN:DSA-2865
Reference: http://www.debian.org/security/2014/dsa-2865

Multiple integer overflows in contrib/hstore/hstore_io.c in PostgreSQL
9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and
9.3.x before 9.3.3 allow remote authenticated users to have
unspecified impact via vectors related to the (1) hstore_recv, (2)
hstore_from_arrays, and (3) hstore_from_array functions in
contrib/hstore/hstore_io.c; and the (4) hstoreArrayToPairs function in
contrib/hstore/hstore_op.c, which triggers a buffer overflow.  NOTE:
this issue was SPLIT from CVE-2014-0064 because it has a different set
of affected versions.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2014-04-10 21:41:11 UTC 
CVE-2014-2669 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2669):
  Multiple integer overflows in contrib/hstore/hstore_io.c in PostgreSQL 9.0.x
  before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before
  9.3.3 allow remote authenticated users to have unspecified impact via
  vectors related to the (1) hstore_recv, (2) hstore_from_arrays, and (3)
  hstore_from_array functions in contrib/hstore/hstore_io.c; and the (4)
  hstoreArrayToPairs function in contrib/hstore/hstore_op.c, which triggers a
  buffer overflow.  NOTE: this issue was SPLIT from CVE-2014-0064 because it
  has a different set of affected versions.

CVE-2014-0066 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0066):
  The chkpass extension in PostgreSQL before 8.4.20, 9.0.x before 9.0.16,
  9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not
  properly check the return value of the crypt library function, which allows
  remote authenticated users to cause a denial of service (NULL pointer
  dereference and crash) via unspecified vectors.

CVE-2014-0065 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0065):
  Multiple buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16,
  9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote
  authenticated users to have unspecified impact and attack vectors, a
  different vulnerability than CVE-2014-0063.

CVE-2014-0064 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0064):
  Multiple integer overflows in the path_in and other unspecified functions in
  PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x
  before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to
  have unspecified impact and attack vectors, which trigger a buffer overflow.
  NOTE: this identifier has been SPLIT due to different affected versions; use
  CVE-2014-2669 for the hstore vector.

CVE-2014-0063 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0063):
  Multiple stack-based buffer overflows in PostgreSQL before 8.4.20, 9.0.x
  before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before
  9.3.3 allow remote authenticated users to cause a denial of service (crash)
  or possibly execute arbitrary code via vectors related to an incorrect
  MAXDATELEN constant and datetime values involving (1) intervals, (2)
  timestamps, or (3) timezones, a different vulnerability than CVE-2014-0065.

CVE-2014-0062 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0062):
  Race condition in the (1) CREATE INDEX and (2) unspecified ALTER TABLE
  commands in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before
  9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allows remote
  authenticated users to create an unauthorized index or read portions of
  unauthorized tables by creating or deleting a table with the same name
  during the timing window.

CVE-2014-0061 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0061):
  The validator functions for the procedural languages (PLs) in PostgreSQL
  before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7,
  and 9.3.x before 9.3.3 allow remote authenticated users to gain privileges
  via a function that is (1) defined in another language or (2) not allowed to
  be directly called by the user due to permissions.

CVE-2014-0060 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0060):
  PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x
  before 9.2.7, and 9.3.x before 9.3.3 does not properly enforce the ADMIN
  OPTION restriction, which allows remote authenticated members of a role to
  add or remove arbitrary users to that role by calling the SET ROLE command
  before the associated GRANT command.
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2014-06-19 00:06:19 UTC 
Arches and Mainter(s), Thank you for your work.

Added to an existing GLSA request.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2014-08-31 11:30:20 UTC 
This issue was resolved and addressed in
 GLSA 201408-15 at http://security.gentoo.org/glsa/glsa-201408-15.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).