
Bug 664332 (CVE-2018-10915, CVE-2018-10925, CVE-2018-1115)

Summary: <dev-db/postgresql-{9.3.24,9.4.19,9.5.14,9.6.10,10.5}: multiple vulnerabilities (CVE-2018-{1115,10915,10925})
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: pgsql-bugs
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa+ cve]
Package list:
dev-db/postgresql-9.3.24 dev-db/postgresql-9.4.19 dev-db/postgresql-9.5.14 dev-db/postgresql-9.6.10 dev-db/postgresql-10.5
Runtime testing required: No

Description GLSAMaker/CVETool Bot gentoo-dev 2018-08-22 23:31:07 UTC
CVE-2018-10915:
  A vulnerability was found in libpq, the default PostgreSQL client library
  where libpq failed to properly reset its internal state between connections.
  If an affected version of libpq was used with "host" or "hostaddr"
  connection parameters from untrusted input, attackers could bypass
  client-side connection security features, obtain access to higher privileged
  connections or potentially cause other impact through SQL injection, by
  causing the PQescape() functions to malfunction. PostgreSQL versions before
  10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 are affected.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-22 23:33:43 UTC
@ Maintainer(s): Can we start stabilization?
Comment 2 Aaron W. Swenson gentoo-dev 2018-08-23 13:17:15 UTC
Please stabilize:
=dev-db/postgresql-9.3.24 ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.4.19 ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.5.14 ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.6.10 ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-10.5   ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-24 01:41:38 UTC
x86 stable
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-08-24 02:07:22 UTC
amd64 stable
Comment 5 Rolf Eike Beer archtester 2018-08-24 21:48:30 UTC
sparc done.
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2018-08-26 18:55:21 UTC
ppc stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2018-08-26 18:57:25 UTC
ppc64 stable
Comment 8 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-08-26 21:38:24 UTC
CVE ID: CVE-2018-10925

Summary: It was discovered that PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 failed to properly check authorization on certain statements involved with "INSERT ... ON CONFLICT DO UPDATE". An attacker with "CREATE TABLE" privileges could exploit this to read arbitrary bytes of server memory. If the attacker also had certain "INSERT" and limited "UPDATE" privileges to a particular table, they could exploit this to update other columns in the same table.
 Published: 2018-08-09T21:29:00.000Z

Adding CVE-2018-10925 just for tracking purposes, no need to restart stabilization.
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2018-09-01 23:44:20 UTC
ia64 stable
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2018-09-14 10:21:05 UTC
Stable on alpha.
Comment 11 Markus Meier gentoo-dev 2018-09-19 17:41:05 UTC
arm stable, all arches done.
Comment 12 Michael Boyle 2018-09-20 23:03:11 UTC
GLSA filed.

Please clean vulnerable. Thank you

Michael Boyle
Security Padawan
Comment 13 Larry the Git Cow gentoo-dev 2018-09-21 16:28:41 UTC
The bug has been referenced in the following commit(s):

commit b5e36758fa019653c390058097c6b09bf54158bc
Author:     Aaron W. Swenson <>
AuthorDate: 2018-09-21 16:14:07 +0000
Commit:     Aaron W. Swenson <>
CommitDate: 2018-09-21 16:27:30 +0000

    dev-db/postgresql: Cleanup old and insecure
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 dev-db/postgresql/Manifest                   |  11 -
 dev-db/postgresql/postgresql-10.3.ebuild     | 460 -------------------------
 dev-db/postgresql/postgresql-10.4.ebuild     | 460 -------------------------
 dev-db/postgresql/postgresql-11_beta1.ebuild | 449 ------------------------
 dev-db/postgresql/postgresql-9.3.22.ebuild   | 450 ------------------------
 dev-db/postgresql/postgresql-9.3.23.ebuild   | 450 ------------------------
 dev-db/postgresql/postgresql-9.4.17.ebuild   | 482 --------------------------
 dev-db/postgresql/postgresql-9.4.18.ebuild   | 482 --------------------------
 dev-db/postgresql/postgresql-9.5.12.ebuild   | 488 --------------------------
 dev-db/postgresql/postgresql-9.5.13.ebuild   | 488 --------------------------
 dev-db/postgresql/postgresql-9.6.8.ebuild    | 493 ---------------------------
 dev-db/postgresql/postgresql-9.6.9.ebuild    | 493 ---------------------------
 12 files changed, 5206 deletions(-)
Comment 14 Aaron W. Swenson gentoo-dev 2018-09-23 13:24:36 UTC
@alpha: You missed 9.6.10.
Comment 15 Tobias Klausmann (RETIRED) gentoo-dev 2018-09-23 16:48:56 UTC
Whissi has since fixed the alpha commit oversight.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2018-10-30 21:08:49 UTC
This issue was resolved and addressed in
 GLSA 201810-08 at
by GLSA coordinator Thomas Deutschmann (whissi).