Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 80342

Summary: dev-db/postgresql: local privilege escalation
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: esigra, pgsql-bugs
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://archives.postgresql.org/pgsql-announce/2005-02/msg00000.php
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-01 07:14:53 UTC
In order to address a potential security hole recently identified with the "LOAD" option, the PostgreSQL Global Development Group is announcing the release of new versions of PostgreSQL going back to the 7.2.x version.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-01 07:16:17 UTC
postgresql please bump.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-01 07:18:22 UTC
More details from USN-71-1

Details follow:

John Heasman discovered a local privilege escalation in the PostgreSQL
server. Any user could use the LOAD extension to load any shared
library into the PostgreSQL server; the library's initialisation
function was then executed with the permissions of the server.

Now the use of LOAD is restricted to the database superuser (usually
'postgres').

Note: Since there is no way for normal database users to create
arbitrary files, this vulnerability is not exploitable remotely, e. g.
by uploading a shared library in the form of a Binary Large Object
(BLOB) to a public web server.
Comment 3 Masatomo Nakano (RETIRED) gentoo-dev 2005-02-01 08:18:12 UTC
ok. i'll do that in next few hours.
Comment 4 Masatomo Nakano (RETIRED) gentoo-dev 2005-02-01 11:55:59 UTC
i've added these ebuilds to portage tree.
  postgresql-7.3.9.ebuild
  postgresql-7.4.7.ebuild
  postgresql-8.0.1.ebuild
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2005-02-01 12:58:34 UTC
arches, pls test and mark stable...

7.4.x appears to be the latest version that is marked all stable, so 7.4.7 should be the minimum to be stable.
Pls consider also to test the other updated versions. (7.3.9 and 8.0.1)

postgresql-7.4.7.ebuild:
current KEYWORDS="x86 ~ppc sparc ~mips alpha ~arm hppa amd64 ~ia64 ~s390 ~ppc64"
target KEYWORDS="x86 ppc sparc mips alpha arm hppa amd64 ia64 s390 ppc64"

postgresql-8.0.1.ebuild:
current KEYWORDS="~x86 ~ppc ~sparc ~mips ~alpha ~arm ~hppa ~amd64 ~ia64 ~s390 ~ppc64"

postgresql-7.3.9.ebuild:
current KEYWORDS="x86 ~ppc ~sparc ~alpha ~amd64 ~hppa ~ia64 ~mips"
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2005-02-02 12:52:46 UTC
stable on ppc64
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2005-02-03 06:55:53 UTC
7.3.9 to sparc stable.
Comment 8 Marcus D. Hanwell (RETIRED) gentoo-dev 2005-02-03 07:49:14 UTC
postgresql-7.4.7 already stable on amd64. Tested and verified to work fine.
Comment 9 Bryan Østergaard (RETIRED) gentoo-dev 2005-02-04 14:20:03 UTC
7.4.7 stable on alpha.
Comment 10 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-02-04 14:31:06 UTC
Stable on ppc. Sorry for the delay.
Comment 11 SpanKY gentoo-dev 2005-02-06 03:01:08 UTC
arm/ia64/s390 stable
Comment 12 Joshua Kinard gentoo-dev 2005-02-06 18:37:46 UTC
mips stable.
Comment 13 Luke Macken (RETIRED) gentoo-dev 2005-02-07 11:33:10 UTC
GLSA 200502-08