The 2014-02-20 update contains fixes for multiple security issues. Most of these are "Class C" security issues, meaning that they require prior valid login for privilege escalation. Some also require additional database conditions to be true in order to be exploited. One fix below breaks backwards compatibility in a way that complies with our documentation but not with past behavior. ================================================================================ CVE-2014-0060 PostgreSQL: SET ROLE bypasses lack of ADMIN OPTION ================================================================================ *This change will break backwards compatibility for users who were expecting the prior, broken behavior. The new behavior is in compliance with the documentation.* Granting a role without ADMIN OPTION is supposed to prevent the grantee from adding or removing members from the granted role. Issuing SET ROLE before the GRANT bypassed that, because the role itself had an implicit right to add or remove members. This issue was fixed by recognizing that implicit right only when the session user matches the current role. Additionally, do not recognize it during a security-restricted operation or during execution of a SECURITY DEFINER function. The restriction on SECURITY DEFINER is not security-critical. However, it seems best for a user testing his or her own SECURITY DEFINER function to see the same behavior others will see. Affects all supported versions back to 8.4. The SQL standards do not conflate roles and users as PostgreSQL does; only SQL roles have members, and only SQL users initiate sessions. An application using PostgreSQL users and roles as SQL users and roles will never attempt to grant membership in the role that is the session user, so the implicit right to add or remove members will never arise. The security impact was mostly that a role member could revoke access from others, contrary to the wishes of the role member's grantor. Unapproved role member additions are less notable, because the member can still largely achieve that by creating a view or a SECURITY DEFINER function. ================================================================================ CVE-2014-0061 PostgreSQL: Privilege escalation via explicit calls to validator functions ================================================================================ PostgreSQL procedural languages (PLs) normally provide a "validator" function that performs creation-time checking of syntax etc. for functions written in that language. These validator functions can be called directly from SQL, too, which is intended to allow post-facto checking of existing function definitions. However, unexpected and possibly insecure results could be obtained by feeding the text of a function defined in one language to the validator for another language. Moreover, in many languages the validator might perform some limited amount of code execution, opening the possibility of an attacker executing code without permission. The security impact is thus that an authenticated database user might be able to escalate his or her privileges. The fix will cause validator functions to throw an error when used against a function defined in another language, or against a function the current user doesn't have permissions to call. While the PostgreSQL project will fix the validator functions in PLs distributed with PostgreSQL, the same two-line fix will be needed in validator functions of PLs developed externally. There are many such extensions and we cannot be certain that all of their developers will respond promptly. ================================================================================ CVE-2014-0062 PostgreSQL: Race condition in CREATE INDEX allows for privilege escalation ================================================================================ CREATE INDEX, and some ALTER TABLE statements, did multiple independent lookups of the table the index is supposed to be created on. Concurrent creation or deletion of another table of the same name (but in a different schema) might cause some of these lookups to find one table and some the other table. This allows effects such as creating an index on a table one doesn't own, thus exposing data to the calling user that should not be able to access. This vulnerability exists in all affected versions, but is more easily exploited in 9.2 and 9.3. ================================================================================ CVE-2014-0063 PostgreSQL: Potential buffer overruns in datetime input/output ================================================================================ Many functions use the MAXDATELEN constant to size a buffer for parsing or displaying a datetime value. However, the buffer was much too small for the longest possible interval output and slightly too small for certain valid timestamp inputs, particularly input with a long timezone name. Inputs that were too long would be rejected needlessly, while outputs that were too long would result in stack corruption, which could crash the server and could be exploitable for arbitrary code execution. ================================================================================ CVE-2014-0064 PostgreSQL: Potential buffer overruns due to integer overflow in size calculations ================================================================================ Several functions, mostly type input functions, calculated an allocation size such that the calculation wrapped to a small positive value when arguments implied a sufficiently-large requirement. Writes past the end of the inadvertent small allocation followed shortly thereafter. Coverity Scan identified the path_in() vulnerability; code inspection led to the rest. In passing, add check_stack_depth() to prevent stack overflow in related functions. Affects all supported versions back to 8.4. The non-comment hstore changes touch code that did not exist in 8.4, so that part stops at 9.0. ================================================================================ CVE-2014-0065 PostgreSQL: Potential buffer overruns of fixed-size buffers ================================================================================ Coverity Scan identified a number of places in which it could not prove that a string being copied into a fixed-size buffer would fit. We believe that most, perhaps all of these, are in fact safe or are copying data that is coming from a trusted source so that any overrun is not really a security issue. Nonetheless it seems prudent to forestall any risk by using strlcpy() and similar functions. ================================================================================ CVE-2014-0066 PostgreSQL: Potential null pointer dereference crash when crypt(3) returns NULL ================================================================================ The chkpass extension uses the standard crypt() library function, which is defined to return NULL on failure, but it was not checking for NULL before using the result. The main practical case in which this could be an issue is if libc is configured to refuse to execute unapproved hashing algorithms ("FIPS mode").
+ 21 Feb 2014; Patrick Lauer <patrick@gentoo.org> + +postgresql-server-8.4.20.ebuild, +postgresql-server-9.0.16.ebuild, + +postgresql-server-9.1.12.ebuild, +postgresql-server-9.2.7.ebuild, + +postgresql-server-9.3.3.ebuild: + Bump for #501946 All ebuilds in place.
Full list of files to stable: =dev-db/postgresql-docs-8.4.20 =dev-db/postgresql-docs-9.0.16 =dev-db/postgresql-docs-9.1.12 =dev-db/postgresql-docs-9.2.7 =dev-db/postgresql-docs-9.3.3 =dev-db/postgresql-base-8.4.20 =dev-db/postgresql-base-9.0.16 =dev-db/postgresql-base-9.1.12 =dev-db/postgresql-base-9.2.7 =dev-db/postgresql-base-9.3.3 =dev-db/postgresql-server-8.4.20 =dev-db/postgresql-server-9.0.16 =dev-db/postgresql-server-9.1.12 =dev-db/postgresql-server-9.2.7 =dev-db/postgresql-server-9.3.3
amd64 stable
x86 stable
ppc stable
ppc64 stable
Stable for HPPA.
alpha stable
> CVE-2014-0061 PostgreSQL: Privilege escalation via explicit calls to validator > functions I'd say to set it to B1, why it has been set to C3??
arm stable
ia64 stable
(In reply to Agostino Sarubbo from comment #9) > > CVE-2014-0061 PostgreSQL: Privilege escalation via explicit calls to validator > functions > > I'd say to set it to B1, why it has been set to C3?? Because no one has been successful in escalating their privileges just yet (at least, from what I've been able to discover), and if they were, they'd only be escalated within the database.
sparc stable. Maintainer(s), please cleanup. Security, please vote.
(In reply to Aaron W. Swenson from comment #12) > Because no one has been successful in escalating their privileges just yet > (at least, from what I've been able to discover), and if they were, they'd > only be escalated within the database. I don't guess this is the right interpretation. It is described to be a privilege escalation. I don't care if someone ha produced a real POC or not.
From https://bugzilla.redhat.com/show_bug.cgi?id=1082154 : Common Vulnerabilities and Exposures assigned an identifier CVE-2014-2669 to the following vulnerability: Name: CVE-2014-2669 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2669 Assigned: 20140328 Reference: http://wiki.postgresql.org/wiki/20140220securityrelease Reference: http://www.postgresql.org/about/news/1506/ Reference: http://www.postgresql.org/support/security/ Reference: https://github.com/postgres/postgres/commit/31400a673325147e1205326008e32135a78b4d8a Reference: DEBIAN:DSA-2864 Reference: http://www.debian.org/security/2014/dsa-2864 Reference: DEBIAN:DSA-2865 Reference: http://www.debian.org/security/2014/dsa-2865 Multiple integer overflows in contrib/hstore/hstore_io.c in PostgreSQL 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact via vectors related to the (1) hstore_recv, (2) hstore_from_arrays, and (3) hstore_from_array functions in contrib/hstore/hstore_io.c; and the (4) hstoreArrayToPairs function in contrib/hstore/hstore_op.c, which triggers a buffer overflow. NOTE: this issue was SPLIT from CVE-2014-0064 because it has a different set of affected versions.
CVE-2014-2669 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2669): Multiple integer overflows in contrib/hstore/hstore_io.c in PostgreSQL 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact via vectors related to the (1) hstore_recv, (2) hstore_from_arrays, and (3) hstore_from_array functions in contrib/hstore/hstore_io.c; and the (4) hstoreArrayToPairs function in contrib/hstore/hstore_op.c, which triggers a buffer overflow. NOTE: this issue was SPLIT from CVE-2014-0064 because it has a different set of affected versions. CVE-2014-0066 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0066): The chkpass extension in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly check the return value of the crypt library function, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via unspecified vectors. CVE-2014-0065 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0065): Multiple buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, a different vulnerability than CVE-2014-0063. CVE-2014-0064 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0064): Multiple integer overflows in the path_in and other unspecified functions in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, which trigger a buffer overflow. NOTE: this identifier has been SPLIT due to different affected versions; use CVE-2014-2669 for the hstore vector. CVE-2014-0063 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0063): Multiple stack-based buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via vectors related to an incorrect MAXDATELEN constant and datetime values involving (1) intervals, (2) timestamps, or (3) timezones, a different vulnerability than CVE-2014-0065. CVE-2014-0062 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0062): Race condition in the (1) CREATE INDEX and (2) unspecified ALTER TABLE commands in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allows remote authenticated users to create an unauthorized index or read portions of unauthorized tables by creating or deleting a table with the same name during the timing window. CVE-2014-0061 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0061): The validator functions for the procedural languages (PLs) in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to gain privileges via a function that is (1) defined in another language or (2) not allowed to be directly called by the user due to permissions. CVE-2014-0060 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0060): PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly enforce the ADMIN OPTION restriction, which allows remote authenticated members of a role to add or remove arbitrary users to that role by calling the SET ROLE command before the associated GRANT command.
Arches and Mainter(s), Thank you for your work. Added to an existing GLSA request.
This issue was resolved and addressed in GLSA 201408-15 at http://security.gentoo.org/glsa/glsa-201408-15.xml by GLSA coordinator Kristian Fiskerstrand (K_F).