Bug 134168 - dev-db/postgresql: SQL injection
Summary: dev-db/postgresql: SQL injection
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Highest normal
Assignee: Gentoo Security
URL: http://www.postgresql.org/docs/techdo...
Whiteboard: A3 [glsa] jaervosz
Keywords:
Depends on: 135187
Blocks:
Reported: 2006-05-23 20:59 UTC by Shirish Jain
Modified: 2019-12-22 11:57 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
overlay for postgresql-8.1.4 (postgresql-8.1.4-overlay.tar.bz2, 44.99 KB, application/octet-stream), 2006-05-26 14:54 UTC, John Jay
8.1.4 ebuild (postgresql-8.1.4.ebuild, 7.58 KB, text/plain), 2006-05-26 15:27 UTC, John Jay
8.1.4 gentoo patch (postgresql-8.1.4-gentoo.patch, 1.10 KB, patch), 2006-05-26 15:28 UTC, John Jay
8.1.4 init (postgresql.init-8.1.4, 1.14 KB, text/plain), 2006-05-26 15:29 UTC, John Jay
8.1.4 spinlock patch (postgresql-8.1.4-sh.patch, 780 bytes, patch), 2006-05-26 15:29 UTC, John Jay
8.1.4 conf (postgresql.conf-8.1.4, 390 bytes, text/plain), 2006-05-26 15:32 UTC, John Jay
libpq-8.1.4 ebuild (libpq-8.1.4.ebuild, 3.13 KB, text/plain), 2006-05-26 15:32 UTC, John Jay
libpq-8.1.4 patch (libpq-8.1.4-gentoo.patch, 2.34 KB, text/plain), 2006-05-26 15:33 UTC, John Jay

Description Shirish Jain 2006-05-23 20:59:57 UTC
Folks, please refer here http://www.postgresql.org/about/news.561 for the recent urgent security release from Postgres on all the streams. New versions released are 8.1.4, 8.0.8, 7.4.13 and 7.3.15.

It's also on Slashdot. I could find ebuilds to upgrade to above versions, I did search here as well, alas, no avail. Hence this bug report.

regards

Shirish
Comment 1 Aquila 2006-05-24 00:56:23 UTC
I can support this request. This is urgent because the slashdot article describes possible exploits...
Comment 2 Wolf Giesen (RETIRED) gentoo-dev 2006-05-24 01:08:36 UTC
Definitely urgent, it's all over the news.
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-24 02:01:31 UTC
Hi PGSQL team,

please take care of it, and please update the metadata file with a pgsql-bugs@gentoo.org mention. (herd is postgresql and postgresql@gentoo.org doesn't exist)
Comment 4 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-24 07:52:24 UTC
(little cleanup, was forced to specify a comment by bugzie)
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2006-05-25 11:03:02 UTC
Wrong category
Comment 6 John Jay 2006-05-26 14:54:56 UTC
Created attachment 87591 [details]
overlay for postgresql-8.1.4

ebuild and patches for 8.1.4
Comment 7 John Jay 2006-05-26 15:27:04 UTC
Created attachment 87594 [details]
8.1.4 ebuild
Comment 8 John Jay 2006-05-26 15:28:09 UTC
Created attachment 87595 [details, diff]
8.1.4 gentoo patch
Comment 9 John Jay 2006-05-26 15:29:04 UTC
Created attachment 87596 [details]
8.1.4 init
Comment 10 John Jay 2006-05-26 15:29:55 UTC
Created attachment 87597 [details, diff]
8.1.4 spinlock patch
Comment 11 John Jay 2006-05-26 15:32:27 UTC
Created attachment 87598 [details]
8.1.4 conf
Comment 12 John Jay 2006-05-26 15:32:59 UTC
Created attachment 87599 [details]
libpq-8.1.4 ebuild
Comment 13 John Jay 2006-05-26 15:33:23 UTC
Created attachment 87600 [details]
libpq-8.1.4 patch
Comment 14 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-30 06:45:09 UTC
What's up here?!
Comment 15 Konstantin Arkhipov (RETIRED) gentoo-dev 2006-05-31 10:42:08 UTC
ok, libpq/postgresql - 8.1.4, 8.0.8, 7.4.13, 7.3.15 committed in portage.
8.1.4 stress-tested on two machines (x86/amd64), others are only known to compile and start.
Comment 16 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-31 10:49:28 UTC
Arches, a lot of work coming up: please test and stable versions 8.1.4, 8.0.8, 7.4.13, 7.3.15, libpq should be stabled in sync.

Last arch that goes stable, please remove old vulnerable cruft from the tree, thanks

Also thanks to voxus for bumping.
Comment 17 Gustavo Zacarias (RETIRED) gentoo-dev 2006-05-31 12:15:47 UTC
Do we really wanna stable 8.1.x in this run? (no previous 8.1.x is stable)
Comment 18 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-31 12:28:22 UTC
(In reply to comment #17)
> Do we really wanna stable 8.1.x in this run? (no previous 8.1.x is stable)

Crap I'm sorry, my fault. 8.1.x does not need to be stabled
Comment 19 Markus Rothe (RETIRED) gentoo-dev 2006-05-31 13:21:27 UTC
7.4.13 and 8.0.8 stable on ppc64.

(7.3.x has no stable ppc64 keyword)
Comment 21 Daniel Ceregatti 2006-05-31 15:34:31 UTC
I noticed the "threads" USE flag was added to 8.1.4. From what I was able to glean from developers in #postgresql on freenode, this USE flag does absolutely nothing for postgresql server, as it's not threaded. This USE flag is meant only for libpq. It should be removed from the postgresql ebuild.

My 2¢.

Daniel
Comment 22 John Jay 2006-05-31 16:46:47 UTC
The threads USE flag was introduced in 8.1.3...whether it has any real bearing is another question, from the configure (line 16202):

#
# Pthreads
#
# For each platform, we need to know about any special compile and link
# libraries, and whether the normal C function names are thread-safe.
# See the comment at the top of src/port/thread.c for more information.
#

For the lazy src/port/thread.c:
[snip]
/*
 *      Threading sometimes requires specially-named versions of functions
 *      that return data in static buffers, like strerror_r() instead of
 *      strerror().  Other operating systems use pthread_setspecific()
 *      and pthread_getspecific() internally to allow standard library
 *      functions to return static data to threaded applications. And some
 *      operating systems have neither.
[/snip]

Macros for thread safety of threaded applications which use the threaded libraries.
Comment 23 John Jay 2006-05-31 16:48:13 UTC
[clarification] Thread safety was added in 8.1.3, the USE flag was added in 8.1.3-r1
Comment 24 Thomas Cort (RETIRED) gentoo-dev 2006-06-01 11:08:32 UTC
{postgres,libpq}-{7.4.13,8.0.8} stable on alpha.

7.3.15 doesn't compile. I'll file a bug for it and make this bug depend on it.
Comment 25 Gustavo Zacarias (RETIRED) gentoo-dev 2006-06-01 13:00:08 UTC
7.4.13 and 8.0.8 sparc stable.
7.3.15 is br0ke for us too.
Comment 26 Tobias Scherbaum (RETIRED) gentoo-dev 2006-06-01 13:00:58 UTC
{postgres,libpq}-{7.4.13,8.0.8} stable on ppc.

7.3.15 also doesn't compile on ppc, I added us to that bug.
Comment 27 Mark Loeser (RETIRED) gentoo-dev 2006-06-02 20:35:54 UTC
^^what all of those guys said :)

7.4.13 & 8.0.8 done on x86
Comment 28 René Nussbaumer (RETIRED) gentoo-dev 2006-06-04 01:46:47 UTC
Stable on hppa. Forgot to comment this on this bug. 7.3.15 doesn't build on hppa, too. Added us to that bug.
Comment 29 Thomas Cort (RETIRED) gentoo-dev 2006-06-04 19:07:04 UTC
{postgres,libpq}-{7.4.13,8.0.8} stable on amd64.

7.3.15 doesn't compile, I added us to bug #135187.

Comment 30 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-25 15:47:56 UTC
This bug is rather old. Shouldn't we consider sending a GLSA mentioning that the 1.3.x branch is still vulnerable?
Comment 31 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-26 00:42:47 UTC
> the 1.3.x branch is still vulnerable ?

not 1.3.x, but 7.3.x, of course, you have already corrected me.

Comment 32 Joshua Jackson (RETIRED) gentoo-dev 2006-06-26 10:32:37 UTC
Removing x86 as we've stabilized the packages requested and don't see a need to be on the bug anymore. If this is not the case and we're still on it for a reason, feel free to re-add us.
Comment 33 Wolf Giesen (RETIRED) gentoo-dev 2006-06-28 22:14:34 UTC
Since 7.3.15 seems broken on most arches we should consider masking the 7.3 branch, since the bug is aging and we should get the GLSA out.

Jaervosz?
Comment 34 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-30 08:08:14 UTC
@pqsql-bugs: what do you think about masking?

@arches please test and mark stable or comment. We're quite late on this one.
Comment 35 Gustavo Zacarias (RETIRED) gentoo-dev 2006-06-30 08:10:19 UTC
sparc has everything stable except 7.3.15
Comment 36 Thomas Cort (RETIRED) gentoo-dev 2006-06-30 09:19:52 UTC
(In reply to comment #33)
> @arches please test and mark stable or comment. We're quite late on this one.

As I stated in comment #28, alpha has everything stable except 7.3.15, see Bug #135187.
Comment 37 Lars Weiler (RETIRED) gentoo-dev 2006-07-01 01:53:55 UTC
I think I can safely remove ppc from this bug as all mentioned ebuilds (beside 7.3.15) are stable.
Comment 38 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-05 10:11:34 UTC
Ok, we'll release a GLSA without a fix for 7.3 (which could be masked)
Comment 39 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-09 10:10:02 UTC
GLSA 200607-04
Comment 40 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-19 06:23:00 UTC
*** Bug 151482 has been marked as a duplicate of this bug. ***