Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 384539 (CVE-2011-2483) - <dev-db/postgresql-server-{8.2.22,8.3.16,8.4.9,9.0.5,9.1.1} Blowfish Signed-Character Bug (CVE-2011-2483)
Summary: <dev-db/postgresql-server-{8.2.22,8.3.16,8.4.9,9.0.5,9.1.1} Blowfish Signed-C...
Status: RESOLVED FIXED
Alias: CVE-2011-2483
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.postgresql.org/about/news....
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-09-26 15:38 UTC by Aaron W. Swenson
Modified: 2011-10-25 07:51 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Aaron W. Swenson gentoo-dev 2011-09-26 15:38:01 UTC
Upstream applied the further upstream fix in contrib/pg_crypto for blowfish signed-character bug (CVE-2011-2483), where encryption code could give wrong results on platforms where char is signed (which is most), leading to encrypted passwords being weaker than they should be.

This only affects <dev-db/postgresql-server-{8.2.22,8.3.16,8.4.9,9.0.5,9.1.1}. dev-db/postgresql-{base,docs} are unaffected.
Comment 1 Patrick Lauer gentoo-dev 2011-09-26 18:09:33 UTC
All needed ebuilds in tree, stabilization requested
Comment 2 Agostino Sarubbo gentoo-dev 2011-09-26 20:45:32 UTC
Thanks Aaron and Patrick.

Arches, please test and mark stable:

=dev-db/postgresql-server-8.2.22
=dev-db/postgresql-server-8.3.16
=dev-db/postgresql-server-8.4.9
=dev-db/postgresql-server-9.0.5

target KEYWORDS : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"


=dev-db/postgresql-server-9.1.1 not needs stabilization.
Comment 3 Aaron W. Swenson gentoo-dev 2011-09-26 23:17:02 UTC
(In reply to comment #2)
> Thanks Aaron and Patrick.
> 
> Arches, please test and mark stable:
> 
> =dev-db/postgresql-server-8.2.22
> =dev-db/postgresql-server-8.3.16
> =dev-db/postgresql-server-8.4.9
> =dev-db/postgresql-server-9.0.5
> 
> target KEYWORDS : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
> 
> 
> =dev-db/postgresql-server-9.1.1 not needs stabilization.

-docs and -base of the same versions and revisions will be required as well, of course excluding 9.1.1.
Comment 4 Agostino Sarubbo gentoo-dev 2011-09-27 08:50:44 UTC
bug 384631 is not a blocker.

amd64 ok
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2011-09-27 20:49:01 UTC
Stable for HPPA.
Comment 6 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-09-28 04:24:18 UTC
ppc/ppc64 stable
Comment 7 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-09-29 16:05:03 UTC
amd64: pass
Comment 8 Thomas Kahle (RETIRED) gentoo-dev 2011-09-30 22:35:13 UTC
x86 done. Thanks.
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2011-10-01 18:31:26 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 10 Markos Chandras (RETIRED) gentoo-dev 2011-10-01 20:17:52 UTC
amd64 done. Thanks Elijah and Agostino
Comment 11 Agostino Sarubbo gentoo-dev 2011-10-01 20:31:56 UTC
Thanks all, adding glsa vote request.
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2011-10-02 00:08:10 UTC
Thanks, everyone. GLSA Vote: yes.
Comment 13 Aaron W. Swenson gentoo-dev 2011-10-02 13:37:54 UTC
Affected versions removed from tree.
Comment 14 Mike Williams 2011-10-03 14:30:44 UTC
FYI guys 8.3.16 isn't stable on x86.
Comment 15 Tim Sammut (RETIRED) gentoo-dev 2011-10-03 17:41:49 UTC
(In reply to comment #14)
> FYI guys 8.3.16 isn't stable on x86.

Indeed, thanks, Mike.

@x86, ping.
Comment 16 Aaron W. Swenson gentoo-dev 2011-10-03 23:10:09 UTC
Marked 8.3.16 x86 stable.

It works for me on x86 as well on the workstation and the Hardened Server. (Both stable except for PostgreSQL.)
Comment 17 Tim Sammut (RETIRED) gentoo-dev 2011-10-03 23:16:48 UTC
(In reply to comment #16)
> Marked 8.3.16 x86 stable.
> 
> It works for me on x86 as well on the workstation and the Hardened Server.
> (Both stable except for PostgreSQL.)

Cool, tnx.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 22:37:37 UTC
CVE-2011-2483 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2483):
  crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms,
  does not properly handle 8-bit characters, which makes it easier for
  context-dependent attackers to determine a cleartext password by leveraging
  knowledge of a password hash.
Comment 19 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-10-08 14:44:26 UTC
GLSA with the other pgsql bugs
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2011-10-25 07:51:50 UTC
This issue was resolved and addressed in
 GLSA 201110-22 at http://security.gentoo.org/glsa/glsa-201110-22.xml
by GLSA coordinator Alex Legler (a3li).