Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 574456 (CVE-2016-0766, CVE-2016-0773) - <dev-db/postgresql-{9.1.20,9.2.15,9.3.11,9.4.6,9.5.1} - multiple vulnerabilities (CVE-2016-{0766,0773})
Summary: <dev-db/postgresql-{9.1.20,9.2.15,9.3.11,9.4.6,9.5.1} - multiple vulnerabilit...
Status: RESOLVED FIXED
Alias: CVE-2016-0766, CVE-2016-0773
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://www.postgresql.org/about/news/...
Whiteboard: B1 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-02-11 17:01 UTC by Aaron W. Swenson
Modified: 2017-01-12 16:10 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Aaron W. Swenson gentoo-dev 2016-02-11 17:01:46 UTC
Security Fixes for Regular Expressions, PL/Java

This release closes security hole CVE-2016-0773, an issue with regular expression (regex) parsing. Prior code allowed users to pass in expressions which included out-of-range Unicode characters, triggering a backend crash. This issue is critical for PostgreSQL systems with untrusted users or which generate regexes based on user input.

The update also fixes CVE-2016-0766, a privilege escalation issue for users of PL/Java. Certain custom configuration settings (GUCS) for PL/Java will now be modifiable only by the database superuser.

============================================================================

Stabilization targets:
=dev-db/postgresql-9.1.20 ~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.2.15 ~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.3.11 ~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.4.6 ~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
Comment 1 Agostino Sarubbo gentoo-dev 2016-02-12 09:44:45 UTC
amd64 stable
Comment 2 Agostino Sarubbo gentoo-dev 2016-02-12 09:45:19 UTC
x86 stable
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2016-02-14 13:34:46 UTC
Stable for PPC64.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2016-02-15 05:01:01 UTC
Stable for HPPA.
Comment 5 Markus Meier gentoo-dev 2016-02-20 14:30:29 UTC
arm stable
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2016-03-16 09:22:11 UTC
Stable on alpha.
Comment 7 Agostino Sarubbo gentoo-dev 2016-03-16 14:10:39 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-03-19 12:29:13 UTC
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-03-20 12:25:20 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2016-11-27 11:24:06 UTC
CVE-2016-0773 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0773):
  PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x
  before 9.4.6, and 9.5.x before 9.5.1 allows remote attackers to cause a
  denial of service (infinite loop or buffer overflow and crash) via a large
  Unicode character range in a regular expression.

CVE-2016-0766 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0766):
  PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x
  before 9.4.6, and 9.5.x before 9.5.1 does not properly restrict access to
  unspecified custom configuration settings (GUCS) for PL/Java, which allows
  attackers to gain privileges via unspecified vectors.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2017-01-12 16:10:32 UTC
This issue was resolved and addressed in
 GLSA 201701-33 at https://security.gentoo.org/glsa/201701-33
by GLSA coordinator Aaron Bauman (b-man).