Bug 771942 (CVE-2021-20229, CVE-2021-3393) - <dev-db/postgresql-{11.11,12.6,13.2} Multiple vulnerabilities (CVE-2021-{3393,20229})
Status: RESOLVED FIXED
Alias: CVE-2021-20229, CVE-2021-3393
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.postgresql.org/about/news...
Whiteboard: B4 [glsa+ cve]
Keywords:
Duplicates: 772320
Depends on:
Blocks: 766225
Reported: 2021-02-21 14:15 UTC by Aaron W. Swenson
Modified: 2021-05-26 10:29 UTC
Runtime testing required: No

Description Aaron W. Swenson gentoo-dev 2021-02-21 14:15:06 UTC
==========================================================================
CVE-2021-3393: Partition constraint violation errors leak values of denied
columns
==========================================================================
Versions Affected: 11 - 13.

A user having an UPDATE privilege on a partitioned table but lacking the SELECT privilege on some column may be able to acquire denied-column values from an error message. This is similar to CVE-2014-8161, but the conditions to exploit are more rare.

The PostgreSQL project thanks Heikki Linnakangas for reporting this problem.

==========================================================================
CVE-2021-20229: Single-column SELECT privilege enables reading all columns
==========================================================================
Versions Affected: 13.

A user having a SELECT privilege on an individual column can craft a special query that returns all columns of the table.

Additionally, a stored view that uses column-level privileges will have incomplete column-usage bitmaps. In installations that depend on column-level permissions for security, it is recommended to execute CREATE OR REPLACE on all user-defined views to force them to be re-parsed.

The PostgreSQL project thanks Sven Klemm for reporting this problem.
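
The view re-parse recommended for CVE-2021-20229 above, as an added example that is not part of the original report or of the PostgreSQL advisory: the first query lists the columns that carry column-level grants, the second generates one CREATE OR REPLACE VIEW statement for every view outside the system schemas. The schema filter and the restating of each view's stored options in a WITH clause are choices made for this example.

```sql
-- Added example; run on the upgraded server as a superuser or as the owner
-- of the views. Review the generated statements before executing them.

-- 1. Columns with column-level grants: pg_attribute.attacl is non-NULL only
--    when privileges were granted on that specific column.
SELECT c.oid::regclass AS table_name,
       a.attname       AS column_name,
       a.attacl        AS column_acl
FROM pg_attribute a
JOIN pg_class     c ON c.oid = a.attrelid
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE a.attacl IS NOT NULL
  AND a.attnum > 0                      -- skip system columns
  AND NOT a.attisdropped
  AND n.nspname !~ '^pg_'               -- assumption: system/temp schemas excluded
  AND n.nspname <> 'information_schema'
ORDER BY c.oid, a.attnum;

-- 2. One CREATE OR REPLACE VIEW statement per user-defined view.
--    pg_get_viewdef() returns the stored query text, terminated by ';'.
--    Options stored in reloptions (for example security_barrier) are
--    restated in a WITH (...) clause so the replacement keeps them.
SELECT format(
         'CREATE OR REPLACE VIEW %s%s AS %s',
         c.oid::regclass,
         CASE WHEN c.reloptions IS NULL THEN ''
              ELSE ' WITH (' || array_to_string(c.reloptions, ', ') || ')'
         END,
         pg_get_viewdef(c.oid, true)
       ) AS stmt
FROM pg_class     c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind = 'v'                   -- plain views only
  AND n.nspname !~ '^pg_'
  AND n.nspname <> 'information_schema'
ORDER BY c.oid;
```

In psql, ending the second query with `\gexec` instead of `;` executes each generated statement in turn.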
Comment 1 Larry the Git Cow gentoo-dev 2021-02-21 14:21:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5fd6830195d614ec11bbf6465f170d0086ae4ea

commit b5fd6830195d614ec11bbf6465f170d0086ae4ea
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2021-02-21 14:15:27 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2021-02-21 14:15:27 +0000

    dev-db/postgresql: Security Bump
    
    Bump to 13.2, 12.6, 11.11, 10.16, 9.6.21, and 9.5.25. Addresses vulnerabilities:
    CVE-2021-3393 and CVE-2021-20229.
    
    Includes ICU68 fix, and extra workaround patch for 10.16 (thanks Marco
    Sirabella).
    
    Bug: https://bugs.gentoo.org/771942
    Bug: https://bugs.gentoo.org/766225
    Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>

 dev-db/postgresql/Manifest                         |   6 +
 .../postgresql/files/postgresql-10.0-icu68-2.patch |  11 +
 dev-db/postgresql/postgresql-10.16.ebuild          | 461 ++++++++++++++++++++
 dev-db/postgresql/postgresql-11.11.ebuild          | 458 ++++++++++++++++++++
 dev-db/postgresql/postgresql-12.6.ebuild           | 458 ++++++++++++++++++++
 dev-db/postgresql/postgresql-13.2.ebuild           | 462 ++++++++++++++++++++
 dev-db/postgresql/postgresql-9.5.25.ebuild         | 476 ++++++++++++++++++++
 dev-db/postgresql/postgresql-9.6.21.ebuild         | 481 +++++++++++++++++++++
 8 files changed, 2813 insertions(+)
Comment 2 Aaron W. Swenson gentoo-dev 2021-02-21 14:33:25 UTC
Please stabilize the following targets:
=dev-db/postgresql-10.16 ~amd64 ~arm ~arm64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-11.11 ~amd64 ~arm ~arm64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-12.6 ~amd64 ~arm ~arm64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-13.2 ~amd64 ~arm ~arm64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.5.25 ~amd64 ~arm ~arm64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.6.21 ~amd64 ~arm ~arm64 ~ppc ~ppc64 ~sparc ~x86
Comment 3 Rolf Eike Beer 2021-02-23 18:17:26 UTC
sparc stable
Comment 4 Aaron W. Swenson gentoo-dev 2021-02-24 10:50:38 UTC
*** Bug 772320 has been marked as a duplicate of this bug. ***
Comment 5 Sam James archtester gentoo-dev Security 2021-02-24 20:23:50 UTC
ppc done
Comment 6 Sam James archtester gentoo-dev Security 2021-02-24 20:26:00 UTC
ppc64 done
Comment 7 Sam James archtester gentoo-dev Security 2021-02-24 20:35:57 UTC
amd64 done
Comment 8 Sam James archtester gentoo-dev Security 2021-02-24 23:42:55 UTC
arm done
Comment 9 Sam James archtester gentoo-dev Security 2021-02-24 23:52:56 UTC
x86 done
Comment 10 Sam James archtester gentoo-dev Security 2021-02-25 01:06:10 UTC
arm64 done

all arches done
Comment 11 Sam James archtester gentoo-dev Security 2021-02-25 01:13:23 UTC
Please cleanup, thanks!
Comment 12 Larry the Git Cow gentoo-dev 2021-02-25 14:25:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0cb57f5044dc87248afd6f5f40794d16bd5c649c

commit 0cb57f5044dc87248afd6f5f40794d16bd5c649c
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2021-02-25 14:24:59 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2021-02-25 14:24:59 +0000

    dev-db/postgresql: Cleanup
    
    Bug: https://bugs.gentoo.org/771942
    Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>

 dev-db/postgresql/Manifest                 |   6 -
 dev-db/postgresql/postgresql-10.15.ebuild  | 459 ---------------------------
 dev-db/postgresql/postgresql-11.10.ebuild  | 461 ---------------------------
 dev-db/postgresql/postgresql-12.5.ebuild   | 461 ---------------------------
 dev-db/postgresql/postgresql-13.1.ebuild   | 465 ----------------------------
 dev-db/postgresql/postgresql-9.5.24.ebuild | 476 ----------------------------
 dev-db/postgresql/postgresql-9.6.20.ebuild | 481 -----------------------------
 7 files changed, 2809 deletions(-)
Comment 13 John Helmert III gentoo-dev Security 2021-02-25 17:11:46 UTC
Thank you!
Comment 14 Thomas Deutschmann gentoo-dev Security 2021-05-25 18:52:28 UTC
New GLSA request filed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 10:29:51 UTC
This issue was resolved and addressed in
 GLSA 202105-32 at https://security.gentoo.org/glsa/202105-32
by GLSA coordinator Thomas Deutschmann (whissi).