Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 175791 - dev-db/postgresql privilege escalation in SECURITY DEFINER functions (CVE-2007-2138)
Summary: dev-db/postgresql privilege escalation in SECURITY DEFINER functions (CVE-200...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on:
Reported: 2007-04-24 03:29 UTC by Andrew Ross (RETIRED)
Modified: 2020-03-28 23:11 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Andrew Ross (RETIRED) gentoo-dev 2007-04-24 03:29:13 UTC
"The PostgreSQL Global Development Group has released updates to patch a privilege escalation exploit in SECURITY DEFINER functions. The fix is available in 8.2.4, 8.1.9, 8.0.13, 7.4.17, and 7.3.19 and all users of this feature are strongly urged to update to the latest minor version and follow instructions on securing these functions as soon as possible."

dev-db/postgresql-8.0.12 is the latest stable version on x86, and is vulnerable.
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2007-04-24 16:04:21 UTC
please provide an updated ebuild
Comment 2 Andrew Ross (RETIRED) gentoo-dev 2007-04-30 23:07:46 UTC
If a GLSA is issued, it should refer users to (Creating Secure Security Definer Functions), as the code for all security definer functions written by the user will need to be updated to properly secure the database.
Comment 3 Andrew Ross (RETIRED) gentoo-dev 2007-05-03 04:57:02 UTC
dev-db/postgresql-8.0.13 and its dep dev-db/libpq-8.0.13 are in the tree and need to be marked stable. As per the release notes (, there are very few changes over 8.0.12 (the current stable version) and they are all minor fixes.

If at all possible, 7.3.19 and 7.4.17 should also be marked stable, as they provide a much easier upgrade path for users than jumping to 8.0.13 (which requires a database dump/reload when upgrading from 7.x)

8.2.4 and 8.1.9 can remain in ~arch, as the 8.1.x and 8.2.x series are not currently stable on any archs.

Comment 4 Tiziano Müller (RETIRED) gentoo-dev 2007-05-03 14:40:12 UTC
aross: 7.3, 7.4, 8.0, 8.1 and 8.2 are major versions which will be kept in the tree and have to be bumped as well. I'm taking care of this. Thanks
Comment 5 Matt Drew (RETIRED) gentoo-dev 2007-05-03 18:34:42 UTC
Thanks aross and dev-zero.  Arches, the snowball is in your court, please stabilize:

Comment 6 Gustavo Zacarias (RETIRED) gentoo-dev 2007-05-04 13:00:37 UTC
I suppose we should match this with the corresponding libpq versions too right?
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2007-05-04 13:12:39 UTC
ia64 + x86 stable
Comment 8 Gustavo Zacarias (RETIRED) gentoo-dev 2007-05-04 15:31:57 UTC
sparc stable.
Comment 9 Konstantin Arkhipov (RETIRED) gentoo-dev 2007-05-04 16:37:59 UTC
amd64 stable.
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2007-05-04 19:05:58 UTC
Stable for HPPA.
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2007-05-05 10:26:09 UTC
ppc stable
Comment 12 Markus Rothe (RETIRED) gentoo-dev 2007-05-05 13:20:37 UTC
ppc64 stable
Comment 13 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-05-06 22:20:15 UTC

Stable on alpha.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-10 18:56:24 UTC
GLSA 200705-12

arm, mips, s390 don't forget to mark stable to benifit from the GLSA.