384539 – (CVE-2011-2483) <dev-db/postgresql-server-{8.2.22,8.3.16,8.4.9,9.0.5,9.1.1} Blowfish Signed-Character Bug (CVE-2011-2483)

Bug 384539 (CVE-2011-2483) - <dev-db/postgresql-server-{8.2.22,8.3.16,8.4.9,9.0.5,9.1.1} Blowfish Signed-Character Bug (CVE-2011-2483)

Summary: <dev-db/postgresql-server-{8.2.22,8.3.16,8.4.9,9.0.5,9.1.1} Blowfish Signed-C...

Status:	RESOLVED FIXED

Alias:	CVE-2011-2483

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	http://www.postgresql.org/about/news....
Whiteboard:	B3 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2011-09-26 15:38 UTC by Aaron W. Swenson
Modified:	2011-10-25 07:51 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Aaron W. Swenson gentoo-dev

2011-09-26 15:38:01 UTC

Upstream applied the further upstream fix in contrib/pg_crypto for blowfish signed-character bug (CVE-2011-2483), where encryption code could give wrong results on platforms where char is signed (which is most), leading to encrypted passwords being weaker than they should be.

This only affects <dev-db/postgresql-server-{8.2.22,8.3.16,8.4.9,9.0.5,9.1.1}. dev-db/postgresql-{base,docs} are unaffected.

Comment 1 Patrick Lauer gentoo-dev

2011-09-26 18:09:33 UTC

All needed ebuilds in tree, stabilization requested

Comment 2 Agostino Sarubbo gentoo-dev

2011-09-26 20:45:32 UTC

Thanks Aaron and Patrick.

Arches, please test and mark stable:

=dev-db/postgresql-server-8.2.22
=dev-db/postgresql-server-8.3.16
=dev-db/postgresql-server-8.4.9
=dev-db/postgresql-server-9.0.5

target KEYWORDS : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"


=dev-db/postgresql-server-9.1.1 not needs stabilization.

Comment 3 Aaron W. Swenson gentoo-dev

2011-09-26 23:17:02 UTC

(In reply to comment #2)
> Thanks Aaron and Patrick.
> 
> Arches, please test and mark stable:
> 
> =dev-db/postgresql-server-8.2.22
> =dev-db/postgresql-server-8.3.16
> =dev-db/postgresql-server-8.4.9
> =dev-db/postgresql-server-9.0.5
> 
> target KEYWORDS : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
> 
> 
> =dev-db/postgresql-server-9.1.1 not needs stabilization.

-docs and -base of the same versions and revisions will be required as well, of course excluding 9.1.1.

Comment 4 Agostino Sarubbo gentoo-dev

2011-09-27 08:50:44 UTC

bug 384631 is not a blocker.

amd64 ok

Comment 5 Jeroen Roovers (RETIRED) gentoo-dev

2011-09-27 20:49:01 UTC

Stable for HPPA.

Comment 6 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev

2011-09-28 04:24:18 UTC

ppc/ppc64 stable

Comment 7 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-09-29 16:05:03 UTC

amd64: pass

Comment 8 Thomas Kahle (RETIRED) gentoo-dev

2011-09-30 22:35:13 UTC

x86 done. Thanks.

Comment 9 Raúl Porcel (RETIRED) gentoo-dev

2011-10-01 18:31:26 UTC

alpha/arm/ia64/s390/sh/sparc stable

Comment 10 Markos Chandras (RETIRED) gentoo-dev

2011-10-01 20:17:52 UTC

amd64 done. Thanks Elijah and Agostino

Comment 11 Agostino Sarubbo gentoo-dev

2011-10-01 20:31:56 UTC

Thanks all, adding glsa vote request.

Comment 12 Tim Sammut (RETIRED) gentoo-dev

2011-10-02 00:08:10 UTC

Thanks, everyone. GLSA Vote: yes.

Comment 13 Aaron W. Swenson gentoo-dev

2011-10-02 13:37:54 UTC

Affected versions removed from tree.

Comment 14 Mike Williams 2011-10-03 14:30:44 UTC

FYI guys 8.3.16 isn't stable on x86.

Comment 15 Tim Sammut (RETIRED) gentoo-dev

2011-10-03 17:41:49 UTC

(In reply to comment #14)
> FYI guys 8.3.16 isn't stable on x86.

Indeed, thanks, Mike.

@x86, ping.

Comment 16 Aaron W. Swenson gentoo-dev

2011-10-03 23:10:09 UTC

Marked 8.3.16 x86 stable.

It works for me on x86 as well on the workstation and the Hardened Server. (Both stable except for PostgreSQL.)

Comment 17 Tim Sammut (RETIRED) gentoo-dev

2011-10-03 23:16:48 UTC

(In reply to comment #16)
> Marked 8.3.16 x86 stable.
> 
> It works for me on x86 as well on the workstation and the Hardened Server.
> (Both stable except for PostgreSQL.)

Cool, tnx.

Comment 18 GLSAMaker/CVETool Bot gentoo-dev

2011-10-07 22:37:37 UTC

CVE-2011-2483 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2483):
  crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms,
  does not properly handle 8-bit characters, which makes it easier for
  context-dependent attackers to determine a cleartext password by leveraging
  knowledge of a password hash.

Comment 19 Alex Legler (RETIRED) archtester

2011-10-08 14:44:26 UTC

GLSA with the other pgsql bugs

Comment 20 GLSAMaker/CVETool Bot gentoo-dev

2011-10-25 07:51:50 UTC

This issue was resolved and addressed in
 GLSA 201110-22 at http://security.gentoo.org/glsa/glsa-201110-22.xml
by GLSA coordinator Alex Legler (a3li).