| Field | Value |
|---|---|
| Summary | dev-db/postgresql: local privilege escalation |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Reporter | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | High |
| CC | esigra, pgsql-bugs |
| Version | unspecified |
| Hardware | All |
| OS | All |
| URL | http://archives.postgresql.org/pgsql-announce/2005-02/msg00000.php |
| Whiteboard | B2 [glsa] |
| Package list | |
| Runtime testing required | --- |

Description
Sune Kloppenborg Jeppesen (RETIRED)
2005-02-01 07:14:53 UTC
postgresql please bump. More details from USN-71-1

Details follow: John Heasman discovered a local privilege escalation in the PostgreSQL server. Any user could use the LOAD extension to load any shared library into the PostgreSQL server; the library's initialisation function was then executed with the permissions of the server. Now the use of LOAD is restricted to the database superuser (usually 'postgres'). Note: Since there is no way for normal database users to create arbitrary files, this vulnerability is not exploitable remotely, e.g. by uploading a shared library in the form of a Binary Large Object (BLOB) to a public web server.

ok. i'll do that in next few hours.

i've added these ebuilds to portage tree.
postgresql-7.3.9.ebuild
postgresql-7.4.7.ebuild
postgresql-8.0.1.ebuild

arches, pls test and mark stable... 7.4.x appears to be the latest version that is marked all stable, so 7.4.7 should be the minimum to be stable. Pls consider also to test the other updated versions. (7.3.9 and 8.0.1)

postgresql-7.4.7.ebuild:
current KEYWORDS="x86 ~ppc sparc ~mips alpha ~arm hppa amd64 ~ia64 ~s390 ~ppc64"
target KEYWORDS="x86 ppc sparc mips alpha arm hppa amd64 ia64 s390 ppc64"

postgresql-8.0.1.ebuild:
current KEYWORDS="~x86 ~ppc ~sparc ~mips ~alpha ~arm ~hppa ~amd64 ~ia64 ~s390 ~ppc64"

postgresql-7.3.9.ebuild:
current KEYWORDS="x86 ~ppc ~sparc ~alpha ~amd64 ~hppa ~ia64 ~mips"

stable on ppc64

7.3.9 to sparc stable.

postgresql-7.4.7 already stable on amd64. Tested and verified to work fine.

7.4.7 stable on alpha.

Stable on ppc. Sorry for the delay.

arm/ia64/s390 stable

mips stable.

GLSA 200502-08
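
The keyword comparison in the stabilisation request above, worked through as an added example that is not part of the original bug report or of Portage: it parses an ebuild's KEYWORDS string and lists the architectures that still have to be marked stable before the fixed version reaches every stable user. The function names are hypothetical; the two KEYWORDS strings are copied from the thread.

```python
# Added example (not Portage code): find arches still waiting for stabilisation.

# KEYWORDS for postgresql-7.4.7.ebuild, copied from the thread above.
CURRENT_747 = "x86 ~ppc sparc ~mips alpha ~arm hppa amd64 ~ia64 ~s390 ~ppc64"
TARGET_747 = "x86 ppc sparc mips alpha arm hppa amd64 ia64 s390 ppc64"


def parse_keywords(keywords):
    """Map each arch in a KEYWORDS string to 'stable', 'testing' or 'masked'.

    'arch' is stable, '~arch' is testing, '-arch' (or '-*') is masked.
    A later token for the same arch overrides an earlier one.
    """
    states = {}
    for token in keywords.split():
        if token.startswith("~"):
            states[token[1:]] = "testing"
        elif token.startswith("-"):
            states[token[1:]] = "masked"
        else:
            states[token] = "stable"
    return states


def pending_arches(current, target):
    """Return arches that are stable in `target` but not yet stable in `current`.

    Order follows the target string. An arch missing from `current`
    counts as pending, because its users cannot get the fixed version
    from the stable tree.
    """
    cur = parse_keywords(current)
    tgt = parse_keywords(target)
    return [arch for arch, state in tgt.items()
            if state == "stable" and cur.get(arch) != "stable"]


if __name__ == "__main__":
    todo = pending_arches(CURRENT_747, TARGET_747)
    print("postgresql-7.4.7 still needs stabilising on:", " ".join(todo))
```
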