Bug 501944 (CVE-2014-0067) - <dev-db/postgresql-server-{9.0.18,9.1.14,9.2.9,9.3.5}: Vulnerability during "make check" (CVE-2014-0067)
Status: RESOLVED FIXED
Alias: CVE-2014-0067
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: B4 [noglsa]
Depends on: 522184
Reported: 2014-02-21 01:57 UTC by Aaron W. Swenson
Modified: 2014-09-20 09:15 UTC
Description Aaron W. Swenson gentoo-dev 2014-02-21 01:57:50 UTC
The PostgreSQL Global Development Group security team has discovered a vulnerability in the scripts that orchestrate PostgreSQL test suites that validate the functionality of the PostgreSQL binaries. While a test suite is running, a user with interactive access to the system can hijack the operating system user account running the suite. Only users who run "make check" on a system they share with untrusted users are at risk. A future set of update releases will fix this vulnerability, though there will be no need to reinstall existing deployments. In the meantime, users are advised to run the test suites only on non-shared systems or under operating system user accounts dedicated to the task of running test suites.

This vulnerability arises from the test scripts' use of "initdb" to create a PostgreSQL database cluster permitting local "trust" authentication. User-crafted workflows doing the same will exhibit the same vulnerability. We recommend studying automated usage of initdb in your own software. If a procedure in question could run on a system shared with untrusted users, follow the same precautions around that procedure as for the PostgreSQL test suites. The fix for PostgreSQL itself will establish a secure pattern for automating initdb, which you can later adopt.

On Unix-like platforms the attacker needs to be able to reach the server's socket file, so the risk depends on where the platform places the socket file and whether there are filesystem permissions protections in place. On Windows, the server opens a locally-accessible TCP socket, so there is no possibility of ameliorating the risk through filesystem permissions.

The changes required to make this situation safer are expected to be somewhat invasive and might break user-crafted testing workflows. Therefore, the PostgreSQL project will not actually be supplying a fix on 20-Feb, merely announcing that there is a problem and recommending that users not use "make check" on machines shared with untrusted users. Suitable changes to the regression testing setup will subsequently be debated publicly and can be expected to be incorporated in future releases.
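One way to audit automated initdb usage for the "trust" condition described in the report above, as an added example that is not part of the original bug report or of PostgreSQL's own tooling. The function names and both sample files are constructed for illustration, and the parser is simplified (it does not follow include directives).

```python
import ipaddress
import shlex

HOST_TYPES = {"host", "hostssl", "hostnossl"}

# Constructed sample: the kind of pg_hba.conf a test cluster ends up with
# when initdb is run without an explicit authentication method.
SAMPLE_DEFAULT = """\
# "local" is for Unix domain socket connections only
local   all             all                                     trust
# IPv4 local connections:
host    all             all             127.0.0.1/32            trust
# IPv6 local connections:
host    all             all             ::1/128                 trust
"""

# Constructed sample: the same records with non-trust methods.
SAMPLE_HARDENED = """\
local   all   all                               peer
host    all   all   127.0.0.1 255.255.255.255   md5
"""

def method_index(fields):
    """Return the index of the auth-method field for one record."""
    if fields[0] == "local":
        return 3                      # local DATABASE USER METHOD
    if fields[0] in HOST_TYPES:
        try:
            ipaddress.ip_address(fields[3])
            return 5                  # bare IP followed by a separate netmask
        except ValueError:
            return 4                  # CIDR, hostname or keyword address
    return None

def find_trust_records(hba_text):
    """Return (line_number, connection_type, address) for each 'trust' record."""
    findings = []
    for lineno, line in enumerate(hba_text.splitlines(), start=1):
        fields = shlex.split(line, comments=True)   # handles quotes and '#'
        if len(fields) < 4:
            continue
        idx = method_index(fields)
        if idx is None or idx >= len(fields):
            continue
        if fields[idx].lower() == "trust":
            address = "unix-socket" if fields[0] == "local" else fields[3]
            findings.append((lineno, fields[0], address))
    return findings
```

A non-empty result for a cluster created by an automated initdb run on a host shared with untrusted users is the condition the report describes.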
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2014-02-21 02:17:24 UTC
http://www.postgresql.org/support/security/
Comment 2 Agostino Sarubbo gentoo-dev 2014-09-19 10:44:16 UTC
cleanup done, please vote.
Comment 3 Aaron W. Swenson gentoo-dev 2014-09-19 14:51:14 UTC
(In reply to Agostino Sarubbo from comment #2)
> cleanup done, please vote.

Just my 2 cents: Given the temporary nature of the test installation, which should be wiped after a successful emerge, and that it only affects those users who invoke 'FEATURES="test" emerge dev-db/postgresql-server', I don't really think this needs a GLSA as the "affected" portion has already been deleted.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-09-20 00:29:35 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-09-20 00:33:24 UTC
CVE-2014-0067 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0067):
  The "make check" command for the test suites in PostgreSQL 9.3.3 and earlier
  does not properly invoke initdb to specify the authentication requirements
  for a database cluster to be used for the tests, which allows local users to
  gain privileges by leveraging access to this cluster.
Comment 6 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-09-20 09:15:23 UTC
GLSA Vote: No

Closing noglsa