Bug 406037 (CVE-2012-0866) - <dev-db/postgresql-server-{9.1.3,9.0.7,8.4.11,8.3.18}: Multiple Vulnerabilities (CVE-2012-{0866,0867,0868})
Status: RESOLVED FIXED
Alias: CVE-2012-0866
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.postgresql.org/about/news/...
Whiteboard: A3 [glsa]
Reported: 2012-02-27 14:04 UTC by Aaron W. Swenson
Modified: 2012-09-28 12:03 UTC (History)
Description Aaron W. Swenson gentoo-dev 2012-02-27 14:04:07 UTC
CVE-2012-0866: Permissions on a function called by a trigger are not checked.

This fix prevents users from defining triggers which execute functions on which the user does not have EXECUTE permission.

CREATE TRIGGER failed to make any permissions check on the trigger function to be called. An unprivileged database user could attach a trigger function to a table they owned and cause it to be called on data of their choosing. Normally, this would execute with the permissions of a table owner, and thus not give additional capability. However, if a trigger function is marked SECURITY DEFINER, privilege escalation is possible.

---------------------------------------

CVE-2012-0867: SSL certificate name checks are truncated to 32 characters, allowing connection spoofing under some circumstances.

This fixes SSL common name truncation, which could allow hijacking of an SSL connection under exceptional circumstances.

When using SSL certificates, both clients and servers can be configured to verify the other's host name against the common name in the certificate it presents. However, the name extracted from the certificate was incorrectly truncated to 32 characters. Normally that just results in a verification failure, but if the actual host name of a machine is exactly 32 characters long, it could, in principle, be spoofed. The risk of this actually happening appears unlikely, and an attacker would still need to take additional steps outside of PostgreSQL to succeed with an exploit.

---------------------------------------

CVE-2012-0868: Line breaks in object names can be exploited to execute code when loading a pg_dump file.

This fix removes \n and \r from dumpfile comments.

pg_dump copied object names into comments in a SQL script without sanitizing them. An object name that includes a newline followed by an SQL command would result in a dump script in which the SQL command is exposed for execution. When and if the dump script is reloaded, the command would be executed with the privileges of whoever is running the script - often a superuser.

All supported versions of PostgreSQL are affected. See the release notes for each version for a full list of changes with details of the fixes and steps.

---------------------------------------

I'll get the updated versions in the tree this evening.
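The CVE-2012-0868 mechanism and its fix, shown as an added example (not code from the bug, from PostgreSQL or from pg_dump): an object name carrying a line break is interpolated into a `-- Name:` dump comment both verbatim (pre-fix) and with \n and \r stripped (the behaviour the release note describes), and a small check lists which lines of the resulting script would be executed as SQL rather than read as a comment. The comment layout, the helper names and the constructed object name are assumptions made for the example.

```python
# Constructed sample: a table name containing a newline, of the kind the
# advisory describes. The statement after the newline is deliberately harmless.
CONSTRUCTED_NAME = "orders\nSELECT 'not a comment';\n--"


def comment_header_unsanitized(name: str, obj_type: str = "TABLE") -> str:
    """Pre-fix behaviour: the object name is copied into the comment verbatim.
    The '-- Name: ...; Type: ...' layout is an assumption for this example."""
    return f"-- Name: {name}; Type: {obj_type}; Schema: public; Owner: app\n"


def strip_line_breaks(text: str) -> str:
    """Post-fix behaviour per the release note: remove \\n and \\r so the
    name cannot terminate the comment line it is embedded in."""
    return text.replace("\n", "").replace("\r", "")


def comment_header_sanitized(name: str, obj_type: str = "TABLE") -> str:
    """Fixed variant: sanitize the name before interpolating it."""
    return comment_header_unsanitized(strip_line_breaks(name), obj_type)


def executable_lines(script: str) -> list[str]:
    """Lines a restore would hand to the server as SQL: everything that is
    neither blank nor a '--' comment line. Used here as a pre-restore check."""
    return [
        ln for ln in script.splitlines()
        if ln.strip() and not ln.lstrip().startswith("--")
    ]


if __name__ == "__main__":
    before = comment_header_unsanitized(CONSTRUCTED_NAME)
    after = comment_header_sanitized(CONSTRUCTED_NAME)
    print("unsanitized header executes:", executable_lines(before))
    print("sanitized header executes:  ", executable_lines(after))
```

Running `executable_lines` over an existing dump before reloading it is a cheap way to confirm that nothing outside the expected statements was smuggled in via comment text.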
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2012-02-27 15:38:48 UTC
Thanks for the bug, Aaron.
Comment 2 Aaron W. Swenson gentoo-dev 2012-02-28 02:12:34 UTC
Stabilization Targets:
dev-db/postgresql-docs-8.3.18
dev-db/postgresql-docs-8.4.11
dev-db/postgresql-docs-9.0.7
dev-db/postgresql-docs-9.1.3

dev-db/postgresql-base-8.3.18
dev-db/postgresql-base-8.4.11
dev-db/postgresql-base-9.0.7
dev-db/postgresql-base-9.1.3

dev-db/postgresql-server-8.3.18
dev-db/postgresql-server-8.4.11
dev-db/postgresql-server-9.0.7
dev-db/postgresql-server-9.1.3
Comment 3 Brent Baude (RETIRED) gentoo-dev 2012-02-28 21:33:47 UTC
ppc done
Comment 4 Jeroen Roovers gentoo-dev 2012-02-29 01:32:10 UTC
Stable for HPPA.
Comment 5 Agostino Sarubbo gentoo-dev 2012-02-29 14:31:24 UTC
amd64 stable
Comment 6 Tobias Klausmann gentoo-dev 2012-03-01 17:58:40 UTC
Stable on alpha.
Comment 7 Brent Baude (RETIRED) gentoo-dev 2012-03-03 15:40:04 UTC
ppc64 done
Comment 8 Markus Meier gentoo-dev 2012-03-15 22:20:25 UTC
arm stable
Comment 9 Thomas Kahle (RETIRED) gentoo-dev 2012-04-03 10:19:14 UTC
x86 stable. Thanks
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2012-04-08 14:50:53 UTC
ia64/s390/sh/sparc stable
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2012-04-08 15:26:29 UTC
Thanks, everyone. GLSA request filed.
Comment 12 Aaron W. Swenson gentoo-dev 2012-04-27 12:23:46 UTC
PostgreSQL 8.2 has been removed from the tree. No affected versions left in tree.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-07-19 16:32:43 UTC
CVE-2012-0868 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0868):
  CRLF injection vulnerability in pg_dump in PostgreSQL 8.3.x before 8.3.18,
  8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows
  user-assisted remote attackers to execute arbitrary SQL commands via a
  crafted file containing object names with newlines, which are inserted into
  an SQL script that is used when the database is restored.

CVE-2012-0867 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0867):
  PostgreSQL 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3
  truncates the common name to only 32 characters when verifying SSL
  certificates, which allows remote attackers to spoof connections when the
  host name is exactly 32 characters.

CVE-2012-0866 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0866):
  CREATE TRIGGER in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x
  before 9.0.7, and 9.1.x before 9.1.3 does not properly check the execute
  permission for trigger functions marked SECURITY DEFINER, which allows
  remote authenticated users to execute otherwise restricted triggers on
  arbitrary data by installing the trigger on an attacker-owned table.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2012-09-28 12:03:18 UTC
This issue was resolved and addressed in
 GLSA 201209-24 at http://security.gentoo.org/glsa/glsa-201209-24.xml
by GLSA coordinator Sean Amoss (ackle).