Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 463884 (CVE-2013-1899) - <dev-db/postgresql-server-{9.2.4,9.1.9,9.0.13,8.4.17}: Multiple vulnerabilities (CVE-2013-{1899,1900,1901})
Summary: <dev-db/postgresql-server-{9.2.4,9.1.9,9.0.13,8.4.17}: Multiple vulnerabiliti...
Alias: CVE-2013-1899
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on:
Reported: 2013-03-30 16:00 UTC by Mike Doty (RETIRED)
Modified: 2014-08-31 11:30 UTC (History)
9 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Mike Doty (RETIRED) gentoo-dev 2013-03-30 16:00:51 UTC
Please see [1].  Perhaps our postgresql devs might know what the issue is and make a better decision, but I wonder if we should mask postgresql until we have better information.

[1] -

Reproducible: Always
Comment 1 Aaron W. Swenson gentoo-dev 2013-03-30 18:14:52 UTC
PostgreSQL does not yet need to be masked. The vulnerability is not public, yet. Patrick or I will bump it as soon as we see the tarballs available upstream, which is usually a day before an announcement.

We do expect to be quick about it, all of us collectively. You know, like Gentoo penguins.
Comment 2 Adrian 2013-04-04 12:07:28 UTC
Any news? The update isn't out yet but will be released today.

According to the #postgresql channel Debian, FreeBSD, etc. people already got the update to spread it to their mirrors etc.
So if Gentoo was just as quick once it's out it would be surely great
Comment 3 Vadim A. Misbakh-Soloviov (mva) gentoo-dev 2013-04-04 15:06:40 UTC
Hey, guys! How about bump?
Comment 4 Petteri Räty (RETIRED) gentoo-dev 2013-04-04 15:35:51 UTC
QA: One of you available to bump?
Comment 5 Aaron W. Swenson gentoo-dev 2013-04-04 15:40:50 UTC
Working on this now. Was released 2 hours ago while I was at work. I'm on lunch now and it will get bumped shortly.
Comment 6 Aaron W. Swenson gentoo-dev 2013-04-04 15:47:15 UTC
CVE-2013-1899 <dev-db/postgresql-server-{9.2.4,9.1.9,9.0.13}
A connection request containing a database name that begins with "-" may be crafted to damage or destroy files within a server's data directory.

CVE-2013-1900 <dev-db/postgresql-server-{9.2.4,9.1.9,9.0.13,8.4.17}
Random numbers generated by contrib/pgcrypto functions may be easy for another database user to guess

CVE-2013-1901 <dev-db/postgresql-server-{9.2.4,9.1.9}
An unprivileged user can run commands that could interfere with in-progress backups.
Comment 7 Aaron W. Swenson gentoo-dev 2013-04-04 16:23:04 UTC
Stabilization targets:



Comment 8 Petteri Räty (RETIRED) gentoo-dev 2013-04-04 18:05:42 UTC
Thanks Aaron. I thought that maybe no-one was actively available to look at the issue when it was indicated that the tarballs would have been out for some time now.
Comment 9 Aaron W. Swenson gentoo-dev 2013-04-04 18:27:23 UTC
(In reply to comment #8)
> Thanks Aaron. I thought that maybe no-one was actively available to look at
> the issue when it was indicated that the tarballs would have been out for
> some time now.

No problem.

The tarballs did become available shortly before the announcement. I'm not sure how much earlier, but probably less than half an hour.
Comment 10 Agostino Sarubbo gentoo-dev 2013-04-04 19:09:58 UTC
amd64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-04-04 19:11:09 UTC
x86 stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-04-04 19:15:00 UTC
ppc stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-04-04 19:17:28 UTC
ppc64 stable
Comment 14 Aaron W. Swenson gentoo-dev 2013-04-04 20:06:42 UTC
CVE-2013-{1902,1903} do not affect us. We do not use EnterpriseDB's installers.
Comment 15 Jeroen Roovers (RETIRED) gentoo-dev 2013-04-05 16:37:05 UTC
Stable for HPPA.
Comment 16 Agostino Sarubbo gentoo-dev 2013-04-05 18:39:40 UTC
alpha stable
Comment 17 Agostino Sarubbo gentoo-dev 2013-04-05 18:40:45 UTC
ia64 stable
Comment 18 Agostino Sarubbo gentoo-dev 2013-04-05 18:41:50 UTC
arm stable
Comment 19 Agostino Sarubbo gentoo-dev 2013-04-05 18:42:55 UTC
s390 stable
Comment 20 Agostino Sarubbo gentoo-dev 2013-04-05 18:43:59 UTC
sh stable
Comment 21 Agostino Sarubbo gentoo-dev 2013-04-05 18:45:07 UTC
sparc stable
Comment 22 Agostino Sarubbo gentoo-dev 2013-04-05 19:23:51 UTC
Removal of vulnerable, done. 

Security, please vote.
Comment 23 Sean Amoss (RETIRED) gentoo-dev Security 2013-04-06 16:18:49 UTC
GLSA vote: yes.
Comment 24 GLSAMaker/CVETool Bot gentoo-dev 2013-04-10 20:50:26 UTC
CVE-2013-1901 (
  PostgreSQL 9.2.x before 9.2.4 and 9.1.x before 9.1.9 does not properly check
  REPLICATION privileges, which allows remote authenticated users to bypass
  intended backup restrictions by calling the (1) pg_start_backup or (2)
  pg_stop_backup functions.

CVE-2013-1900 (
  PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, and
  8.4.x before 8.4.17, when using OpenSSL, generates insufficiently random
  numbers, which might allow remote authenticated users to have an unspecified
  impact via vectors related to the "contrib/pgcrypto functions."

CVE-2013-1899 (
  Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x
  before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to cause a
  denial of service (file corruption), and allows remote authenticated users
  to modify configuration settings and execute arbitrary code, via a
  connection request using a database name that begins with a "-" (hyphen).
Comment 25 Sean Amoss (RETIRED) gentoo-dev Security 2013-04-20 13:38:22 UTC
On GLSA draft.
Comment 26 GLSAMaker/CVETool Bot gentoo-dev 2014-08-31 11:30:11 UTC
This issue was resolved and addressed in
 GLSA 201408-15 at
by GLSA coordinator Kristian Fiskerstrand (K_F).