Bug 602130 (CVE-2016-5423, CVE-2016-5424) - <dev-db/postgresql-{9.1.23,9.2.18,9.3.14,9.4.9,9.5.4}: multiple vulnerabilities (CVE-2016-{5423,5424})
Summary: <dev-db/postgresql-{9.1.23,9.2.18,9.3.14,9.4.9,9.5.4}: multiple vulnerabiliti...
Status: RESOLVED FIXED
Alias: CVE-2016-5423, CVE-2016-5424
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal major (vote)
Assignee: Gentoo Security
URL: https://www.postgresql.org/about/news...
Whiteboard: B1 [glsa cve cleanup]
Keywords:
Duplicates: 591052 (view as bug list)
Depends on:
Blocks: 591052
Reported: 2016-12-09 09:59 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-01-12 16:12 UTC (History)
CC List: 3 users (show)

See Also:
Package list:
=dev-db/postgresql-9.1.24 =dev-db/postgresql-9.2.19 =dev-db/postgresql-9.3.15 =dev-db/postgresql-9.4.10 =dev-db/postgresql-9.5.5
Runtime testing required: ---
stable-bot: sanity-check+
Description Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-09 09:59:36 UTC
CVE-2016-5423: certain nested CASE expressions can cause the server to crash.

A flaw was found in the way PostgreSQL server handled certain SQL statements containing CASE/WHEN commands. A remote, authenticated attacker could use a specially crafted SQL statement to cause PostgreSQL to crash or disclose a few bytes of server memory or possibly execute arbitrary code.



CVE-2016-5424: database and role names with embedded special characters can allow code injection during administrative operations like pg_dumpall.

A flaw was found in the way PostgreSQL client programs handled database and role names containing newlines, carriage returns, double quotes, or backslashes. By crafting such an object name, roles with the CREATEDB or CREATEROLE option could escalate their privileges to superuser when a superuser next executes maintenance with a vulnerable client program.
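As an added illustration (not part of this bug report or of PostgreSQL's own code), the following audit helper flags the four characters the advisory names in role or database names and shows standard SQL identifier quoting (doubling embedded double quotes); the decision to reject names containing line breaks outright, rather than try to escape them, is an assumption made here. The sample role names are constructed.

```python
"""Audit helper for the CVE-2016-5424 class of issue: database and role
names containing newlines, carriage returns, double quotes or backslashes."""
from typing import Dict, Iterable, List

# The four characters the advisory describes as mishandled by vulnerable
# client programs when they re-emit object names into SQL scripts.
UNSAFE = {
    "\n": "newline",
    "\r": "carriage return",
    '"': "double quote",
    "\\": "backslash",
}

# Constructed sample names, as they might come back from
# SELECT rolname FROM pg_roles; the last three should be flagged.
SAMPLE_ROLES = ["postgres", "app_reader", 'evil"role', "evil\\role", "multi\nline"]


def unsafe_reasons(name: str) -> List[str]:
    """Return a label for every unsafe character present in the name."""
    return [label for ch, label in UNSAFE.items() if ch in name]


def audit_names(names: Iterable[str]) -> Dict[str, List[str]]:
    """Map each suspicious name to the reasons it was flagged.

    Names without any of the four characters are omitted, so an empty
    result means the catalog contains no names of the kind the advisory
    warns about.
    """
    findings = {}
    for name in names:
        reasons = unsafe_reasons(name)
        if reasons:
            findings[name] = reasons
    return findings


def quote_identifier(name: str) -> str:
    """Quote a name as a SQL identifier: wrap in double quotes and double any
    embedded double quote. Names containing a line break are rejected
    (assumption: a script that is re-read line by line cannot be made safe
    for them by quoting alone)."""
    if "\n" in name or "\r" in name:
        raise ValueError("identifier contains a line break: %r" % name)
    return '"' + name.replace('"', '""') + '"'


if __name__ == "__main__":
    for name, reasons in audit_names(SAMPLE_ROLES).items():
        print("%r flagged: %s" % (name, ", ".join(reasons)))
```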
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-09 10:09:01 UTC
@ Arches,

please test and mark stable:

=dev-db/postgresql-9.1.24
=dev-db/postgresql-9.2.19
=dev-db/postgresql-9.3.15
=dev-db/postgresql-9.4.10
=dev-db/postgresql-9.5.5
Comment 2 Tobias Klausmann (RETIRED) gentoo-dev 2016-12-12 15:57:56 UTC
Stable on alpha.
Comment 3 Agostino Sarubbo gentoo-dev 2016-12-13 11:07:41 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2016-12-13 11:32:53 UTC
x86 stable
Comment 5 Markus Meier gentoo-dev 2016-12-17 15:41:28 UTC
arm stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-12-19 14:44:01 UTC
sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-12-19 15:19:38 UTC
ia64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-12-20 09:53:22 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-12-22 09:41:38 UTC
ppc64 stable
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-01 18:40:26 UTC
@ HPPA AT, you are the last arch remaining.

Please test and mark stable:

=dev-db/postgresql-9.1.24 hppa
=dev-db/postgresql-9.2.19 hppa
=dev-db/postgresql-9.3.15 hppa
=dev-db/postgresql-9.4.10 hppa
=dev-db/postgresql-9.5.5 hppa
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-12 09:32:06 UTC
Stable for HPPA.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-01-12 10:13:57 UTC
CVE-2016-5424 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5424):
  PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x
  before 9.4.9, and 9.5.x before 9.5.4 might allow remote authenticated users
  with the CREATEDB or CREATEROLE role to gain superuser privileges via a (1)
  " (double quote), (2) \ (backslash), (3) carriage return, or (4) newline
  character in a (a) database or (b) role name that is mishandled during an
  administrative operation.

CVE-2016-5423 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5423):
  PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x
  before 9.4.9, and 9.5.x before 9.5.4 allow remote authenticated users to
  cause a denial of service (NULL pointer dereference and server crash),
  obtain sensitive memory information, or possibly execute arbitrary code via
  (1) a CASE expression within the test value subexpression of another CASE or
  (2) inlining of an SQL function that implements the equality operator used
  for a CASE expression involving values of different types.
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2017-01-12 10:23:30 UTC
@alpha, ==dev-db/postgresql-9.5.5 was not stabilized.  I see there was a lot of movement on the keywords etc:

please mark stable:

=dev-db/postgresql-9.5.5
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2017-01-12 10:36:21 UTC
*** Bug 591052 has been marked as a duplicate of this bug. ***
Comment 15 Aaron W. Swenson gentoo-dev 2017-01-12 13:27:52 UTC
(In reply to Aaron Bauman from comment #13)
> @alpha, ==dev-db/postgresql-9.5.5 was not stabilized.  I see there was a lot
> of movement on the keywords etc:
> 
> please mark stable:
> 
> =dev-db/postgresql-9.5.5

From 9.5 forward, Alpha will never be stabilized as upstream has dropped official support and, as a result, there is a severe drop in performance (around a 40% drop from 9.4 to 9.5).

If Alpha is desired to be a supported platform, someone with that hardware should approach upstream.
Comment 16 Aaron Bauman (RETIRED) gentoo-dev 2017-01-12 13:59:40 UTC
(In reply to Aaron W. Swenson from comment #15)
> (In reply to Aaron Bauman from comment #13)
> > @alpha, ==dev-db/postgresql-9.5.5 was not stabilized.  I see there was a lot
> > of movement on the keywords etc:
> > 
> > please mark stable:
> > 
> > =dev-db/postgresql-9.5.5
> 
> From 9.5 forward, Alpha will never be stabilized as upstream has dropped
> official support and, as a result, there is a severe drop in performance
> (around a 40% drop from 9.4 to 9.5).
> 
> If Alpha is desired to be a supported platform, someone with that hardware
> should approach upstream.

Thanks for the information.  Please proceed with cleanup of the vulnerable versions.
Comment 17 Aaron W. Swenson gentoo-dev 2017-01-12 14:18:09 UTC
(In reply to Aaron Bauman from comment #16)
> Thanks for the information.  Please proceed with cleanup of the vulnerable
> versions.

Done.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2017-01-12 16:12:47 UTC
This issue was resolved and addressed in
 GLSA 201701-33 at https://security.gentoo.org/glsa/201701-33
by GLSA coordinator Aaron Bauman (b-man).