Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 865255 (CVE-2022-1552, CVE-2022-2625)

Summary: <dev-db/postgresql-{10.22,11.17,12.12,13.8,14.5}: multiple vulnerabilities
Product: Gentoo Security Reporter: Aaron W. Swenson <titanofold>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: pgsql-bugs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B1 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 865327    
Bug Blocks:    

Description Aaron W. Swenson gentoo-dev 2022-08-15 16:46:41 UTC
Versions Affected: 10 - 14. The security team typically does not test unsupported versions, but this problem is quite old.

Some extensions use CREATE OR REPLACE or CREATE IF NOT EXISTS commands. However, some don't adhere to the documented rule to target only objects known to be extension members already. An attack requires permission to create non-temporary objects in at least one schema, ability to lure or wait for an administrator to create or update an affected extension in that schema, and ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS.

Given all three prerequisites, the attacker can run arbitrary code as the victim role, which may be a superuser. Known-affected extensions include both PostgreSQL-bundled and non-bundled extensions. PostgreSQL blocks this attack in the core server, so there's no need to modify individual extensions.

The PostgreSQL project thanks Sven Klemm for reporting this problem.
Comment 1 Larry the Git Cow gentoo-dev 2022-08-15 16:53:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b02edae84b979b6a303de9a9410a57bfa33386d3

commit b02edae84b979b6a303de9a9410a57bfa33386d3
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2022-08-15 16:52:47 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2022-08-15 16:52:47 +0000

    dev-db/postgresql: Security bump
    
    Vulnerability CVE-2022-2625 addressed by bump to:
    - 10.22
    - 11.17
    - 12.12
    - 13.8
    - 14.5
    - 15_beta3
    
    Also, pgbench is installed with -server again.
    
    Removed unused eclasses multilib and prefix.
    
    Bug: https://bugs.gentoo.org/865255
    Closes: https://bugs.gentoo.org/860360
    
    Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>

 dev-db/postgresql/Manifest                         |   6 +
 .../files/postgresql-13.8-no-server.patch          | 144 +++++++
 .../files/postgresql-14.5-no-server.patch          | 146 +++++++
 .../files/postgresql-15_beta3-no-server.patch      | 146 +++++++
 dev-db/postgresql/postgresql-10.22.ebuild          | 453 ++++++++++++++++++++
 dev-db/postgresql/postgresql-11.17.ebuild          | 453 ++++++++++++++++++++
 dev-db/postgresql/postgresql-12.12.ebuild          | 453 ++++++++++++++++++++
 dev-db/postgresql/postgresql-13.8.ebuild           | 465 +++++++++++++++++++++
 dev-db/postgresql/postgresql-14.5.ebuild           | 462 ++++++++++++++++++++
 dev-db/postgresql/postgresql-15_beta3.ebuild       | 464 ++++++++++++++++++++
 dev-db/postgresql/postgresql-9999.ebuild           |   7 +-
 11 files changed, 3195 insertions(+), 4 deletions(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-15 17:47:03 UTC
Thanks! Please stabilize when ready
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-17 16:05:59 UTC
Please cleanup
Comment 4 Larry the Git Cow gentoo-dev 2022-08-18 11:26:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=92634e10850338c32fa7b3f7751fd83c3a22bee8

commit 92634e10850338c32fa7b3f7751fd83c3a22bee8
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2022-08-18 11:22:38 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2022-08-18 11:22:38 +0000

    dev-db/postgresql: Cleanup insecure
    
    Bug: https://bugs.gentoo.org/865255
    
    Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>

 dev-db/postgresql/Manifest                         |  16 -
 dev-db/postgresql/files/postgres-llvm14.patch      | 154 -------
 .../files/postgresql-13_beta1-no-server.patch      | 149 -------
 .../files/postgresql-14_rc1-no-server.patch        | 151 -------
 .../files/postgresql-9.6.3-no-server.patch         | 141 -------
 dev-db/postgresql/postgresql-10.19-r1.ebuild       | 453 --------------------
 dev-db/postgresql/postgresql-10.20-r1.ebuild       | 453 --------------------
 dev-db/postgresql/postgresql-10.21.ebuild          | 453 --------------------
 dev-db/postgresql/postgresql-11.14-r1.ebuild       | 453 --------------------
 dev-db/postgresql/postgresql-11.15-r1.ebuild       | 453 --------------------
 dev-db/postgresql/postgresql-11.16.ebuild          | 453 --------------------
 dev-db/postgresql/postgresql-12.10-r1.ebuild       | 454 --------------------
 dev-db/postgresql/postgresql-12.11.ebuild          | 453 --------------------
 dev-db/postgresql/postgresql-12.9-r1.ebuild        | 454 --------------------
 dev-db/postgresql/postgresql-13.5-r1.ebuild        | 466 ---------------------
 dev-db/postgresql/postgresql-13.6-r2.ebuild        | 466 ---------------------
 dev-db/postgresql/postgresql-13.7.ebuild           | 465 --------------------
 dev-db/postgresql/postgresql-14.1-r1.ebuild        | 466 ---------------------
 dev-db/postgresql/postgresql-14.2-r1.ebuild        | 463 --------------------
 dev-db/postgresql/postgresql-14.4.ebuild           | 462 --------------------
 dev-db/postgresql/postgresql-15_beta2.ebuild       | 464 --------------------
 21 files changed, 7942 deletions(-)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-02 02:09:23 UTC
CVE-2022-1552:

A flaw was found in PostgreSQL. There is an issue with incomplete efforts to operate safely when a privileged user is maintaining another user's objects. The Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck commands activated relevant protections too late or not at all during the process. This flaw allows an attacker with permission to create non-temporary objects in at least one schema to execute arbitrary SQL functions under a superuser identity.

Fixed in 14.3, 13.7, 12.11, 11.16, and 10.21 according to:

https://www.postgresql.org/about/news/postgresql-143-137-1211-1116-and-1021-released-2449/
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-22 03:00:33 UTC
GLSA request filed.
Comment 7 Larry the Git Cow gentoo-dev 2022-11-22 04:01:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=694f26b01e42989d9051936ddeae825e13b4acb3

commit 694f26b01e42989d9051936ddeae825e13b4acb3
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-11-19 03:33:11 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-22 03:59:39 +0000

    [ GLSA 202211-04 ] PostgreSQL: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/793734
    Bug: https://bugs.gentoo.org/808984
    Bug: https://bugs.gentoo.org/823125
    Bug: https://bugs.gentoo.org/865255
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202211-04.xml | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 87 insertions(+)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-22 04:03:49 UTC
GLSA released, all done!