Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 574456 (CVE-2016-0766, CVE-2016-0773)

Summary: <dev-db/postgresql-{9.1.20,9.2.15,9.3.11,9.4.6,9.5.1} - multiple vulnerabilities (CVE-2016-{0766,0773})
Product: Gentoo Security Reporter: Aaron W. Swenson <titanofold>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: pgsql-bugs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.postgresql.org/about/news/1644/
See Also: https://bugs.gentoo.org/show_bug.cgi?id=574122
https://bugs.gentoo.org/show_bug.cgi?id=572656
Whiteboard: B1 [glsa cve]
Package list:
Runtime testing required: ---

Description Aaron W. Swenson gentoo-dev 2016-02-11 17:01:46 UTC 
Security Fixes for Regular Expressions, PL/Java

This release closes security hole CVE-2016-0773, an issue with regular expression (regex) parsing. Prior code allowed users to pass in expressions which included out-of-range Unicode characters, triggering a backend crash. This issue is critical for PostgreSQL systems with untrusted users or which generate regexes based on user input.

The update also fixes CVE-2016-0766, a privilege escalation issue for users of PL/Java. Certain custom configuration settings (GUCS) for PL/Java will now be modifiable only by the database superuser.

============================================================================

Stabilization targets:
=dev-db/postgresql-9.1.20 ~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.2.15 ~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.3.11 ~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.4.6 ~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
Comment 1 Agostino Sarubbo gentoo-dev 2016-02-12 09:44:45 UTC 
amd64 stable
Comment 2 Agostino Sarubbo gentoo-dev 2016-02-12 09:45:19 UTC 
x86 stable
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2016-02-14 13:34:46 UTC 
Stable for PPC64.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2016-02-15 05:01:01 UTC 
Stable for HPPA.
Comment 5 Markus Meier gentoo-dev 2016-02-20 14:30:29 UTC 
arm stable
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2016-03-16 09:22:11 UTC 
Stable on alpha.
Comment 7 Agostino Sarubbo gentoo-dev 2016-03-16 14:10:39 UTC 
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-03-19 12:29:13 UTC 
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-03-20 12:25:20 UTC 
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2016-11-27 11:24:06 UTC 
CVE-2016-0773 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0773):
  PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x
  before 9.4.6, and 9.5.x before 9.5.1 allows remote attackers to cause a
  denial of service (infinite loop or buffer overflow and crash) via a large
  Unicode character range in a regular expression.

CVE-2016-0766 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0766):
  PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x
  before 9.4.6, and 9.5.x before 9.5.1 does not properly restrict access to
  unspecified custom configuration settings (GUCS) for PL/Java, which allows
  attackers to gain privileges via unspecified vectors.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2017-01-12 16:10:32 UTC 
This issue was resolved and addressed in
 GLSA 201701-33 at https://security.gentoo.org/glsa/201701-33
by GLSA coordinator Aaron Bauman (b-man).