Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 649288 (CVE-2018-1058) - <dev-db/postgresql-{9.3.22,9.4.17,9.5.12,9.6.8,10.3} - Schema Name trojan-horse attack (CVE-2018-1058)
Summary: <dev-db/postgresql-{9.3.22,9.4.17,9.5.12,9.6.8,10.3} - Schema Name trojan-hor...
Status: RESOLVED FIXED
Alias: CVE-2018-1058
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://www.postgresql.org/about/news...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks: 647246
  Show dependency tree
 
Reported: 2018-03-01 22:40 UTC by Aaron W. Swenson
Modified: 2018-05-20 14:32 UTC (History)
4 users (show)

See Also:
Package list:
dev-db/postgresql-9.3.22 dev-db/postgresql-9.4.17 dev-db/postgresql-9.5.12 dev-db/postgresql-9.6.8 dev-db/postgresql-10.3
Runtime testing required: No
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Aaron W. Swenson gentoo-dev 2018-03-01 22:40:39 UTC
2018-03-01 Security Update Release
==================================
The PostgreSQL Global Development Group has released an update to all supported
versions of the PostgreSQL database system, including 10.3, 9.6.8, 9.5.12,
9.4.17, and 9.3.22.

The purpose of this release is to address CVE-2018-1058, which describes how a
user can create like-named objects in different schemas that can change the
behavior of other users' queries and cause unexpected or malicious behavior,
also known as a "trojan-horse" attack. Most of this release centers around added
documentation that describes the issue and how to take steps to mitigate the
impact on PostgreSQL databases.

We strongly encourage all of our users to please visit
https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058:_Protect_Your_Search_Path
for a detailed explanation of CVE-2018-1058 and how to protect your PostgreSQL
installations.

After evaluating the documentation for CVE-2018-1058, a database administrator
may need to take follow up steps on their PostgreSQL installations to ensure
they are protected from exploitation.

Security Issues
---------------

One security vulnerability is addressed in this release:

* CVE-2018-1058: Uncontrolled search path element in pg_dump and other client
applications

Please visit https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058:_Protect_Your_Search_Path
for a full explanation of the CVE-2018-1058.
Comment 1 Larry the Git Cow gentoo-dev 2018-03-01 22:46:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=64d29b8d6c50d098caebdf8df6cec58375d2ec55

commit 64d29b8d6c50d098caebdf8df6cec58375d2ec55
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2018-03-01 22:46:29 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2018-03-01 22:46:50 +0000

    dev-db/postgresql: Security Bump
    
    Mitigates a “trojan-horse” attack based on  schema names.
    
    Security bump to:
     - 10.3
     - 9.6.8
     - 9.5.12
     - 9.4.17
     - 9.3.22
    
    See PostgreSQL’s wiki article for a complete explanation of the
    vulnerability:
    https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058:_Protect_Your_Search_Path
    
    Bug: https://bugs.gentoo.org/649288
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 dev-db/postgresql/Manifest                 |   5 +
 dev-db/postgresql/postgresql-10.3.ebuild   | 460 +++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-9.3.22.ebuild | 450 ++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-9.4.17.ebuild | 482 ++++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-9.5.12.ebuild | 488 ++++++++++++++++++++++++++++
 dev-db/postgresql/postgresql-9.6.8.ebuild  | 493 +++++++++++++++++++++++++++++
 6 files changed, 2378 insertions(+)}
Comment 2 Aaron W. Swenson gentoo-dev 2018-03-01 22:54:43 UTC
Please stabilize:

=dev-db/postgresql-10.3   ~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.6.8  ~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.5.12 ~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.4.17 ~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.3.22 ~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86


To test client-only, build/install is typically enough. Optionally, use psql to connect to a server:
USE="-server" emerge dev-db/postgresql:{9.{3..6},10}

To test server:
FEATURES="userpriv test" USE="server" emerge dev-db/postgresql:{9.{3..6},10}
Comment 3 Agostino Sarubbo gentoo-dev 2018-03-02 15:36:12 UTC
amd64 stable
Comment 4 Mart Raudsepp gentoo-dev 2018-03-02 18:24:08 UTC
arm64 doesn't have any stable versions, not sure why we are CCed; add back if I missed something.
Note though that we'll want to carry stable keywords on postgres at some later point in the not too distant future - it's used on servers. But that'll be a newstable and probably 9.5+ only (or only 10/11) and the version at first that amd64 has last stable in the slot at the time.
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-02 23:24:17 UTC
ia64 stable
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-04 06:55:26 UTC
x86 stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2018-03-05 17:15:56 UTC
Stable on alpha.
Comment 8 Markus Meier gentoo-dev 2018-03-13 17:55:28 UTC
arm stable
Comment 9 Matt Turner gentoo-dev 2018-03-17 21:09:01 UTC
ppc/ppc64 stable
Comment 10 Aaron W. Swenson gentoo-dev 2018-03-22 15:54:17 UTC
(In reply to Tobias Klausmann from comment #7)
> Stable on alpha.

Missed dev-db/postgresql-9.6.8
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2018-03-22 18:06:33 UTC
(In reply to Aaron W. Swenson from comment #10)
> (In reply to Tobias Klausmann from comment #7)
> > Stable on alpha.
> 
> Missed dev-db/postgresql-9.6.8

Fixed.
Comment 12 Larry the Git Cow gentoo-dev 2018-05-19 18:15:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=30cbf998dc97248b11f16c87c56d816a8cf9fe55

commit 30cbf998dc97248b11f16c87c56d816a8cf9fe55
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-05-19 18:08:02 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-19 18:15:05 +0000

    dev-db/postgresql: stable 10.3 for sparc
    
    Bug: https://bugs.gentoo.org/649288
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 dev-db/postgresql/postgresql-10.3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1043f61b432a8d612d935fc1d63851d703f4cc9f

commit 1043f61b432a8d612d935fc1d63851d703f4cc9f
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-05-19 18:06:48 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-19 18:15:05 +0000

    dev-db/postgresql: stable 9.6.8 for sparc
    
    Bug: https://bugs.gentoo.org/649288
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 dev-db/postgresql/postgresql-9.6.8.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7d6d7237e19bcd3b23b3892b46dabe514c209214

commit 7d6d7237e19bcd3b23b3892b46dabe514c209214
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-05-19 18:05:34 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-19 18:15:05 +0000

    dev-db/postgresql: stable 9.5.12 for sparc
    
    Bug: https://bugs.gentoo.org/649288
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 dev-db/postgresql/postgresql-9.5.12.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=805a8c1d7a566dec44b9fbc1d0f6bff56fc802fc

commit 805a8c1d7a566dec44b9fbc1d0f6bff56fc802fc
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-05-19 18:04:20 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-19 18:15:05 +0000

    dev-db/postgresql: stable 9.4.17 for sparc
    
    Bug: https://bugs.gentoo.org/649288
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 dev-db/postgresql/postgresql-9.4.17.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e3a41fc4d12d1519c83302bd3d9be654acaa31d3

commit e3a41fc4d12d1519c83302bd3d9be654acaa31d3
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-05-19 18:03:07 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-19 18:15:04 +0000

    dev-db/postgresql: stable 9.3.22 for sparc
    
    Bug: https://bugs.gentoo.org/649288
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 dev-db/postgresql/postgresql-9.3.22.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2018-05-19 22:01:01 UTC
hppa is now exp and no longer security supported.

@maintainer(s), please clean the vulnerable ebuilds.
Comment 14 Larry the Git Cow gentoo-dev 2018-05-20 09:42:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=389ff0cbbc0887419892791e1e136466b0fde120

commit 389ff0cbbc0887419892791e1e136466b0fde120
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2018-05-20 09:41:47 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2018-05-20 09:41:47 +0000

    dev-db/postgresql: Cleanup insecure
    
    Bug: https://bugs.gentoo.org/649288
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 dev-db/postgresql/Manifest                         |   6 -
 .../files/postgresql-10beta2-no-server.patch       | 146 ------
 dev-db/postgresql/postgresql-10.1.ebuild           | 460 -------------------
 dev-db/postgresql/postgresql-9.3.20.ebuild         | 450 -------------------
 dev-db/postgresql/postgresql-9.4.15.ebuild         | 482 --------------------
 dev-db/postgresql/postgresql-9.5.10.ebuild         | 488 --------------------
 dev-db/postgresql/postgresql-9.6.6.ebuild          | 493 ---------------------
 dev-db/postgresql/postgresql-9.6.7.ebuild          | 493 ---------------------
 8 files changed, 3018 deletions(-)
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2018-05-20 14:32:27 UTC
(In reply to Larry the Git Cow from comment #14)
> The bug has been referenced in the following commit(s):
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=389ff0cbbc0887419892791e1e136466b0fde120
> 
> commit 389ff0cbbc0887419892791e1e136466b0fde120
> Author:     Aaron W. Swenson <titanofold@gentoo.org>
> AuthorDate: 2018-05-20 09:41:47 +0000
> Commit:     Aaron W. Swenson <titanofold@gentoo.org>
> CommitDate: 2018-05-20 09:41:47 +0000
> 
>     dev-db/postgresql: Cleanup insecure
>     
>     Bug: https://bugs.gentoo.org/649288
>     Package-Manager: Portage-2.3.24, Repoman-2.3.6
> 
>  dev-db/postgresql/Manifest                         |   6 -
>  .../files/postgresql-10beta2-no-server.patch       | 146 ------
>  dev-db/postgresql/postgresql-10.1.ebuild           | 460 -------------------
>  dev-db/postgresql/postgresql-9.3.20.ebuild         | 450 -------------------
>  dev-db/postgresql/postgresql-9.4.15.ebuild         | 482
> --------------------
>  dev-db/postgresql/postgresql-9.5.10.ebuild         | 488
> --------------------
>  dev-db/postgresql/postgresql-9.6.6.ebuild          | 493
> ---------------------
>  dev-db/postgresql/postgresql-9.6.7.ebuild          | 493
> ---------------------
>  8 files changed, 3018 deletions(-)

Thanks, Aaron!