Summary: | <dev-db/postgresql-{11.1,10.6,9.6.11,9.5.15,9.4.20,9.3.25}: SQL injection in pg_upgrade and pg_dump, via CREATE TRIGGER ... REFERENCING (CVE-2018-16850) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | jasmin+gentoo, pgsql-bugs |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://www.postgresql.org/about/news/1905/ | ||
Whiteboard: | B2 [glsa+ cve] | ||
Package list: | dev-db/postgresql-10.6, dev-db/postgresql-9.3.25, dev-db/postgresql-9.4.20, dev-db/postgresql-9.5.15, dev-db/postgresql-9.6.11 | ||
Runtime testing required: | No |
Description
GLSAMaker/CVETool Bot
2018-11-09 01:41:24 UTC
CVE-2018-16850: SQL injection in pg_upgrade and pg_dump, via CREATE TRIGGER ... REFERENCING.

Using a purpose-crafted trigger definition, an attacker can run arbitrary SQL statements with superuser privileges when a superuser runs pg_upgrade on the database or during a pg_dump dump/restore cycle. This attack requires a CREATE privilege on some non-temporary schema or a TRIGGER privilege on a table. This is exploitable in the default PostgreSQL configuration, where all users have CREATE privilege on public schema.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c88956757e88ad0a804abc7dad45c666f1c32fd8

commit c88956757e88ad0a804abc7dad45c666f1c32fd8
Author: Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2018-11-09 11:56:39 +0000
Commit: Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2018-11-09 11:57:34 +0000

dev-db/postgresql: Security Bump

Bump to:
- 11.1
- 10.6
- 9.6.11
- 9.5.15
- 9.4.20
- 9.3.25

One security vulnerability has been closed by this release:

* CVE-2018-16850: SQL injection in ‘pg_upgrade‘ and ‘pg_dump‘, via ‘CREATE TRIGGER … REFERENCING‘.

Bug: https://bugs.gentoo.org/670724
Package-Manager: Portage-2.3.51, Repoman-2.3.11
Signed-off-by: Aaron Swenson <titanofold@gentoo.org>

dev-db/postgresql/Manifest | 6 +
dev-db/postgresql/metadata.xml | 41 +--
dev-db/postgresql/postgresql-10.6.ebuild | 460 +++++++++++++++++++++++++++
dev-db/postgresql/postgresql-11.1.ebuild | 460 +++++++++++++++++++++++++++
dev-db/postgresql/postgresql-9.3.25.ebuild | 443 ++++++++++++++++++++++++++
dev-db/postgresql/postgresql-9.4.20.ebuild | 475 ++++++++++++++++++++++++++++
dev-db/postgresql/postgresql-9.5.15.ebuild | 481 ++++++++++++++++++++++++++++
dev-db/postgresql/postgresql-9.6.11.ebuild | 486 +++++++++++++++++++++++++++++
8 files changed, 2832 insertions(+), 20 deletions(-)

Please stabilize the following targets:

=dev-db/postgresql-10.6 ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-11.1 ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.3.25 ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.4.20 ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.5.15 ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.6.11 ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86

Oops! Not 11.1 as the 11 series has not yet been stabled.

Please stabilize the following targets:

=dev-db/postgresql-10.6 ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.3.25 ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.4.20 ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.5.15 ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.6.11 ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86

amd64 stable

sparc stable

x86 stable

arm stable

ppc stable

ppc64 stable

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b2218eadc498631149065a107994e8e663dc44ba

commit b2218eadc498631149065a107994e8e663dc44ba
Author: Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2018-11-28 16:04:30 +0000
Commit: Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2018-11-28 16:04:44 +0000

dev-db/postgresql-10.6-r0: alpha stable

Bug: http://bugs.gentoo.org/670724
Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

dev-db/postgresql/postgresql-10.6.ebuild | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4026859f3a49d9729d9869495964c30f50848b01

commit 4026859f3a49d9729d9869495964c30f50848b01
Author: Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2018-11-28 16:06:25 +0000
Commit: Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2018-11-28 16:06:25 +0000

dev-db/postgresql-9.3.25-r0: alpha stable

Bug: http://bugs.gentoo.org/670724
Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

dev-db/postgresql/postgresql-9.3.25.ebuild | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bc43284d15a3138e50e3dc83641d8179164a73fa

commit bc43284d15a3138e50e3dc83641d8179164a73fa
Author: Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2018-11-28 16:07:35 +0000
Commit: Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2018-11-28 16:07:35 +0000

dev-db/postgresql-9.4.20-r0: alpha stable

Bug: http://bugs.gentoo.org/670724
Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

dev-db/postgresql/postgresql-9.4.20.ebuild | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=70434811ba8feb41a3ca7c0fb04bcbc7eb052aa0

commit 70434811ba8feb41a3ca7c0fb04bcbc7eb052aa0
Author: Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2018-11-28 16:09:30 +0000
Commit: Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2018-11-28 16:09:30 +0000

dev-db/postgresql-9.5.15-r0: alpha stable

Bug: http://bugs.gentoo.org/670724
Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

dev-db/postgresql/postgresql-9.5.15.ebuild | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=037930ffa0771c486ebb5de235e9925c4948a1bf

commit 037930ffa0771c486ebb5de235e9925c4948a1bf
Author: Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2018-11-28 16:10:25 +0000
Commit: Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2018-11-28 16:10:25 +0000

dev-db/postgresql-9.6.11-r0: alpha stable

Bug: http://bugs.gentoo.org/670724
Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

dev-db/postgresql/postgresql-9.6.11.ebuild | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Stable on alpha.

ia64 stable

@maintainers, please clean vulnerable.

This issue was resolved and addressed in GLSA 201811-24 at https://security.gentoo.org/glsa/201811-24 by GLSA coordinator Aaron Bauman (b-man).

re-opened for cleanup

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6e42579e730d703a740179545cf12e3cacdf4726

commit 6e42579e730d703a740179545cf12e3cacdf4726
Author: Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2018-11-30 15:28:36 +0000
Commit: Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2018-11-30 15:29:21 +0000

dev-db/postgresql: Cleanup old, insecure

Bug: https://bugs.gentoo.org/670724
Package-Manager: Portage-2.3.51, Repoman-2.3.11
Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>

dev-db/postgresql/Manifest | 5 -
dev-db/postgresql/postgresql-10.5.ebuild | 460 ---------------------------
dev-db/postgresql/postgresql-9.3.24.ebuild | 450 --------------------------
dev-db/postgresql/postgresql-9.4.19.ebuild | 482 ----------------------------
dev-db/postgresql/postgresql-9.5.14.ebuild | 488 ----------------------------
dev-db/postgresql/postgresql-9.6.10.ebuild | 493 -----------------------------
6 files changed, 2378 deletions(-)

(In reply to Larry the Git Cow from comment #21)
> The bug has been referenced in the following commit(s):
>
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=6e42579e730d703a740179545cf12e3cacdf4726
>
> commit 6e42579e730d703a740179545cf12e3cacdf4726
> Author: Aaron W. Swenson <titanofold@gentoo.org>
> AuthorDate: 2018-11-30 15:28:36 +0000
> Commit: Aaron W. Swenson <titanofold@gentoo.org>
> CommitDate: 2018-11-30 15:29:21 +0000
>
> dev-db/postgresql: Cleanup old, insecure
>
> Bug: https://bugs.gentoo.org/670724
> Package-Manager: Portage-2.3.51, Repoman-2.3.11
> Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>
>
> dev-db/postgresql/Manifest | 5 -
> dev-db/postgresql/postgresql-10.5.ebuild | 460 ---------------------------
> dev-db/postgresql/postgresql-9.3.24.ebuild | 450 --------------------------
> dev-db/postgresql/postgresql-9.4.19.ebuild | 482
> ----------------------------
> dev-db/postgresql/postgresql-9.5.14.ebuild | 488
> ----------------------------
> dev-db/postgresql/postgresql-9.6.10.ebuild | 493
> -----------------------------
> 6 files changed, 2378 deletions(-)

Thanks, Aaron!
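
The description at the top of this report names two preconditions for CVE-2018-16850: CREATE privilege on a non-temporary schema, or TRIGGER privilege on a table. The queries below are an added audit example, not part of the original report or of the Gentoo or PostgreSQL projects; they use standard catalog views and functions, and the `needs_review` name check in the third query is a heuristic chosen for this example.

```sql
-- Added audit example (not from the bug report). Run as a superuser in each
-- database before a superuser runs pg_dump or pg_upgrade against it.

-- 1. Non-superuser roles that hold CREATE on a non-temporary schema
--    (includes privileges inherited through PUBLIC or role membership).
SELECT r.rolname, n.nspname AS schema_name
FROM pg_roles r
CROSS JOIN pg_namespace n
WHERE NOT r.rolsuper
  AND n.nspname !~ '^pg_'                 -- skips pg_catalog, pg_toast, pg_temp_N
  AND n.nspname <> 'information_schema'
  AND has_schema_privilege(r.oid, n.oid, 'CREATE')
ORDER BY n.nspname, r.rolname;

-- 2. Non-superuser roles that hold TRIGGER on a table they do not own.
SELECT r.rolname, c.oid::regclass AS table_name
FROM pg_roles r
CROSS JOIN pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE NOT r.rolsuper
  AND c.relkind IN ('r', 'p')             -- ordinary and partitioned tables
  AND c.relowner <> r.oid
  AND n.nspname !~ '^pg_'
  AND n.nspname <> 'information_schema'
  AND has_table_privilege(r.oid, c.oid, 'TRIGGER')
ORDER BY table_name, r.rolname;

-- 3. Existing triggers that use a REFERENCING clause (transition tables).
--    tgoldtable/tgnewtable exist in PostgreSQL 10 and later only.
--    needs_review is a heuristic of this example: it flags transition table
--    names containing anything other than lower-case letters, digits or "_".
SELECT t.tgrelid::regclass               AS table_name,
       pg_get_userbyid(c.relowner)       AS table_owner,
       t.tgname,
       t.tgoldtable,
       t.tgnewtable,
       concat_ws('', t.tgoldtable, t.tgnewtable) ~ '[^a-z0-9_]' AS needs_review
FROM pg_trigger t
JOIN pg_class c ON c.oid = t.tgrelid
WHERE NOT t.tgisinternal
  AND (t.tgoldtable IS NOT NULL OR t.tgnewtable IS NOT NULL)
ORDER BY needs_review DESC, table_name, t.tgname;
```

The fix remains the upgrade to the versions listed in the summary; these results only show which roles and triggers to review on a server that has not yet been upgraded.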