The PostgreSQL Global Development Group security team has discovered a vulnerability in the scripts that orchestrate PostgreSQL test suites that validate the functionality of the PostgreSQL binaries. While a test suite is running, a user with interactive access to the system can hijack the operating system user account running the suite. Only users who run "make check" on a system they share with untrusted users are at risk. A future set of update releases will fix this vulnerability, though there will be no need to reinstall existing deployments. In the meantime, users are advised to run the test suites only on non-shared systems or under operating system user accounts dedicated to the task of running test suites.
This vulnerability arises from the test scripts' use of "initdb" to create a PostgreSQL database cluster permitting local "trust" authentication. User-crafted workflows doing the same will exhibit the same vulnerability. We recommend studying automated usage of initdb in your own software. If a procedure in question could run on a system shared with untrusted users, follow the same precautions around that procedure as for the PostgreSQL test suites. The fix for PostgreSQL itself will establish a secure pattern for automating initdb, which you can later adopt.
On Unix-like platforms the attacker needs to be able to reach the server's socket file, so the risk depends on where the platform places the socket file and whether there are filesystem permissions protections in place. On Windows, the server opens a locally-accessible TCP socket, so there is no possibility of ameliorating the risk through filesystem permissions.
The changes required to make this situation safer are expected to be somewhat invasive and might break user-crafted testing workflows. Therefore, the PostgreSQL project will not actually be supplying a fix on 20-Feb, merely announcing that there is a problem and recommending that users not use "make check" on machines shared with untrusted users. Suitable changes to the regression testing setup will subsequently be debated publicly and can be expected to be incorporated in future releases.
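The weak setting the advisory describes is the pg_hba.conf that "initdb -A trust" writes, under which any local OS user able to reach the socket can connect as the database superuser. The following audit script is an added example, not code from the PostgreSQL project or from this bug report: it lists the "trust" records in a pg_hba.conf and shows the initdb flags (assumed to be available, as they were added in PostgreSQL 9.2) that produce a non-trust cluster instead.

```shell
#!/bin/sh
# Added example: audit a pg_hba.conf for "trust" records such as those
# produced by "initdb -A trust", the pattern the advisory above warns about.

# Print every active pg_hba.conf record whose auth method is "trust".
# Exit status: 0 if no such record exists, 1 if at least one does.
hba_trust_entries() {
    awk '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        {
            # the method is the last field that is not a key=value option
            for (i = NF; i > 0; i--) if ($i !~ /=/) { method = $i; break }
            if (method == "trust") { found = 1; print FILENAME ": " $0 }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# initdb flags that avoid trust: peer auth on the Unix socket (you can only
# connect as the role matching your own OS user) and password auth over TCP.
# Assumes PostgreSQL 9.2 or later, where --auth-local/--auth-host exist.
safe_initdb_auth_flags() {
    echo "--auth-local=peer --auth-host=md5"
}

# Constructed sample: the records "initdb -A trust" writes (comments trimmed).
write_trust_hba() {
    cat > "$1" <<'EOF'
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     trust
host    all             all             127.0.0.1/32            trust
host    all             all             ::1/128                 trust
EOF
}

# Constructed sample of a hardened file, including a record with an option
# after the method so the audit has to skip over "clientcert=1".
write_hardened_hba() {
    cat > "$1" <<'EOF'
local   all             all                                     peer
host    all             all             127.0.0.1/32            md5
hostssl all             all             0.0.0.0/0               md5 clientcert=1
EOF
}
```

Run `hba_trust_entries /path/to/pg_hba.conf` against any cluster that an automated workflow creates; a non-zero exit means it carries the same exposure as the test suites described above.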
cleanup done, please vote.
(In reply to Agostino Sarubbo from comment #2)
> cleanup done, please vote.
Just my 2 cents: Given the temporary nature of the test installation, which should be wiped after a successful emerge, and that it only affects those users who invoke 'FEATURES="test" emerge dev-db/postgresql-server', I don't really think this needs a GLSA as the "affected" portion has already been deleted.
Arches and Maintainer(s), Thank you for your work.
GLSA Vote: No
The "make check" command for the test suites in PostgreSQL 9.3.3 and earlier does not properly invoke initdb to specify the authentication requirements for a database cluster to be used for the tests, which allows local users to gain privileges by leveraging access to this cluster.
GLSA Vote: No