Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 709708 (CVE-2020-1720)

Summary: <dev-db/postgresql-{9.6.17,10.12,11.7,12.2}: the ALTER ... DEPENDS ON EXTENSION sub-commands do not perform authorization checks (CVE-2020-1720)
Product: Gentoo Security Reporter: filip ambroz <filip.ambroz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: jaco, leio, mgorny, pgsql-bugs
Priority: Normal Keywords: CC-ARCHES
Version: unspecifiedFlags: nattka: sanity-check-
Hardware: All   
OS: Linux   
URL: https://www.postgresql.org/about/news/2011/
See Also: https://bugs.gentoo.org/show_bug.cgi?id=737032
Whiteboard: B2 [glsa+ cve]
Package list:
=dev-db/postgresql-9.5.21 amd64 arm arm64 hppa ppc ppc64 sparc x86 =dev-db/postgresql-9.4.26 amd64 arm arm64 hppa ppc ppc64 sparc x86
Runtime testing required: No

Description filip ambroz 2020-02-15 10:04:50 UTC
from URL:
The ALTER ... DEPENDS ON EXTENSION sub-commands do not perform authorization checks, which can allow an unprivileged user to drop any function, procedure, materialized view, index, or trigger under certain conditions. This attack is possible if an administrator has installed an extension and an unprivileged user can CREATE, or an extension owner either executes DROP EXTENSION predictably or can be convinced to execute DROP EXTENSION. The PostgreSQL project thanks Tom Lane for reporting this problem.

Versions Affected: 9.6 - 12

Solution: upgrade postrgresql packages

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1720
https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1720.html
https://security-tracker.debian.org/tracker/CVE-2020-1720
https://www.tenable.com/plugins/nessus/133700
Comment 2 Larry the Git Cow gentoo-dev 2020-02-19 12:49:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=366e303e11e473c985f5ec470ab50cb0cc0adefe

commit 366e303e11e473c985f5ec470ab50cb0cc0adefe
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2020-02-19 12:48:39 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2020-02-19 12:48:55 +0000

    dev-db/postgresql: Version Bump
    
    Versions:
      - 9.4.26
      - 9.5.21
      - 9.6.17
      - 10.12
      - 11.7
      - 12.2
    
    Bug: https://bugs.gentoo.org/709708
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>

 dev-db/postgresql/Manifest                 |   6 +
 dev-db/postgresql/postgresql-10.12.ebuild  | 466 +++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-11.7.ebuild   | 468 +++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-12.2.ebuild   | 468 +++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-9.4.26.ebuild | 480 ++++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-9.5.21.ebuild | 486 ++++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-9.6.17.ebuild | 491 +++++++++++++++++++++++++++++
 7 files changed, 2865 insertions(+)
Comment 3 Aaron W. Swenson gentoo-dev 2020-02-21 19:21:24 UTC
Please stabilize the following targets:
=dev-db/postgresql-12.2   ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-11.7   ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-10.12  ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.6.17 ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
Comment 4 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2020-02-23 12:15:09 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-02-24 10:20:16 UTC
sparc stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-02-24 12:54:46 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-02-24 12:55:39 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-02-24 12:59:16 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-02-24 14:20:05 UTC
x86 stable
Comment 10 Rolf Eike Beer archtester 2020-02-28 22:46:03 UTC
hppa stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-03-05 15:06:37 UTC
arm stable
Comment 12 Thomas Deutschmann gentoo-dev 2020-03-12 19:29:08 UTC
Added to an existing GLSA.
Comment 13 Thomas Deutschmann gentoo-dev 2020-03-12 19:49:41 UTC
@ maintainer(s): Please explain why you don't want to stabilize =dev-db/postgresql-9.4.26 and =dev-db/postgresql-9.5.21 because previous 9.4.x and 9.5.x is also affected.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2020-03-12 20:23:46 UTC
This issue was resolved and addressed in
 GLSA 202003-03 at https://security.gentoo.org/glsa/202003-03
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 15 Thomas Deutschmann gentoo-dev 2020-03-12 20:24:34 UTC
Re-opening for remaining architectures and 9.4.x / 9.5.x.
Comment 16 Mart Raudsepp gentoo-dev 2020-03-18 09:17:26 UTC
arm64 stable
Comment 17 Mart Raudsepp gentoo-dev 2020-03-18 09:19:00 UTC
So I guess this is now pending cleanup AND handling of 9.4/9.5 series (or their cleanup)
Comment 18 NATTkA bot gentoo-dev 2020-04-06 14:51:10 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 19 Thomas Deutschmann gentoo-dev 2020-04-23 22:46:07 UTC
Starting stabilization of 9.4.x/9.5,x after maintainer timeout.
Comment 20 Agostino Sarubbo gentoo-dev 2020-04-28 09:39:42 UTC
amd64 stable
Comment 21 Agostino Sarubbo gentoo-dev 2020-04-28 09:40:48 UTC
arm stable
Comment 22 Agostino Sarubbo gentoo-dev 2020-04-28 09:41:42 UTC
sparc stable
Comment 23 Agostino Sarubbo gentoo-dev 2020-04-28 09:42:33 UTC
x86 stable
Comment 24 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-29 10:13:55 UTC
arm64 stable
Comment 25 Agostino Sarubbo gentoo-dev 2020-04-30 14:37:34 UTC
ppc stable
Comment 26 Agostino Sarubbo gentoo-dev 2020-04-30 14:38:22 UTC
ppc64 stable
Comment 27 Sergei Trofimovich (RETIRED) gentoo-dev 2020-05-05 21:12:13 UTC
hppa stable
Comment 28 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-05 21:13:10 UTC
@maintainer(s), please cleanup
Comment 29 Larry the Git Cow gentoo-dev 2020-05-13 11:37:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2b5e26ac55a72ac909ee2d830e520d7604c3097e

commit 2b5e26ac55a72ac909ee2d830e520d7604c3097e
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2020-05-13 11:37:11 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2020-05-13 11:37:28 +0000

    dev-db/postgresql: Cleanup old, insecure
    
    Bug: https://bugs.gentoo.org/709708
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>

 dev-db/postgresql/Manifest                    |  20 --
 dev-db/postgresql/postgresql-10.10.ebuild     | 465 ------------------------
 dev-db/postgresql/postgresql-10.11.ebuild     | 465 ------------------------
 dev-db/postgresql/postgresql-10.9.ebuild      | 465 ------------------------
 dev-db/postgresql/postgresql-11.4.ebuild      | 467 ------------------------
 dev-db/postgresql/postgresql-11.5.ebuild      | 467 ------------------------
 dev-db/postgresql/postgresql-11.6.ebuild      | 467 ------------------------
 dev-db/postgresql/postgresql-12.0.ebuild      | 467 ------------------------
 dev-db/postgresql/postgresql-12.1.ebuild      | 467 ------------------------
 dev-db/postgresql/postgresql-9.4.22-r1.ebuild | 479 -------------------------
 dev-db/postgresql/postgresql-9.4.22.ebuild    | 474 -------------------------
 dev-db/postgresql/postgresql-9.4.23.ebuild    | 479 -------------------------
 dev-db/postgresql/postgresql-9.4.24.ebuild    | 479 -------------------------
 dev-db/postgresql/postgresql-9.4.25.ebuild    | 479 -------------------------
 dev-db/postgresql/postgresql-9.5.17-r1.ebuild | 485 -------------------------
 dev-db/postgresql/postgresql-9.5.17.ebuild    | 480 -------------------------
 dev-db/postgresql/postgresql-9.5.18.ebuild    | 485 -------------------------
 dev-db/postgresql/postgresql-9.5.19.ebuild    | 485 -------------------------
 dev-db/postgresql/postgresql-9.5.20.ebuild    | 485 -------------------------
 dev-db/postgresql/postgresql-9.6.13-r1.ebuild | 490 --------------------------
 dev-db/postgresql/postgresql-9.6.13.ebuild    | 485 -------------------------
 dev-db/postgresql/postgresql-9.6.14.ebuild    | 490 --------------------------
 dev-db/postgresql/postgresql-9.6.15.ebuild    | 490 --------------------------
 dev-db/postgresql/postgresql-9.6.16.ebuild    | 490 --------------------------
 24 files changed, 11005 deletions(-)
Comment 30 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-13 19:56:42 UTC
All done, I think.
Comment 31 Aaron W. Swenson gentoo-dev 2020-05-14 00:24:22 UTC
(In reply to Thomas Deutschmann from comment #13)
> @ maintainer(s): Please explain why you don't want to stabilize
> =dev-db/postgresql-9.4.26 and =dev-db/postgresql-9.5.21 because previous
> 9.4.x and 9.5.x is also affected.

Sorry for the delayed response.

The reason I didn't initially include them is because neither 9.4 nor 9.5 is  affected as noted in comment #1, which is a copy of https://www.postgresql.org/about/news/2011/

But, at this point, they're now old enough to be stabilized,
Comment 32 NATTkA bot gentoo-dev 2020-08-14 00:56:28 UTC
Unable to check for sanity:

> no match for package: =dev-db/postgresql-9.4.26