Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 636978 (CVE-2017-12172, CVE-2017-15098, CVE-2017-15099) - <dev-db/postgresql-{9.2.24,9.3.20,9.4.15,9.5.10,9.6.6} - multiple vulnerabilities (CVE-2017-{12172,15098,15099})
Summary: <dev-db/postgresql-{9.2.24,9.3.20,9.4.15,9.5.10,9.6.6} - multiple vulnerabili...
Status: RESOLVED FIXED
Alias: CVE-2017-12172, CVE-2017-15098, CVE-2017-15099
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://www.postgresql.org/about/news...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-11-09 16:24 UTC by Aaron W. Swenson
Modified: 2018-04-02 23:03 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Aaron W. Swenson gentoo-dev 2017-11-09 16:24:33 UTC
We are unaffected by CVE-2017-12172.

CVE-2017-15098 is missing a summary. At this time, the most I understand it to be is potentially exposing server memory contents through a server crash triggered by json{b}_populate_recordset() mismatching on the rowtype.


Snippet of the security portion of linked announcement:

CVE-2017-12172: Start scripts permit database administrator to modify root-owned files
================================================================================
Prior to this release, the startup log file for the postmaster (in newer releases, "postgres") process was opened while the process was still owned by root. With this setup, the database owner could specify a file that they did not have access to and cause the file to be corrupted with logged data.

This fix ensures that the startup log file is opened as the user specified to run the PostgreSQL server. Any users who have made use of the start scripts will need to ensure the startup log files are owned by the user specified to run the PostgreSQL server.

CVE-2017-15099: INSERT ... ON CONFLICT DO UPDATE fails to enforce SELECT privileges
================================================================================
Prior to this release, the "INSERT ... ON CONFLICT DO UPDATE" would not check to see if the executing user had permission to perform a "SELECT" on the index performing the conflicting check. Additionally, in a table with row-level security enabled, the "INSERT ... ON CONFLICT DO UPDATE" would not check the SELECT policies for that table before performing the update.

This fix ensures that "INSERT ... ON CONFLICT DO UPDATE" checks against table permissions and RLS policies before executing.
Comment 1 Aaron W. Swenson gentoo-dev 2017-11-09 16:34:27 UTC
Committed:

commit b7f8856d754e8ddeecde825cb4275bd48e645496 (HEAD -> master, origin/master, origin/HEAD)
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date:   Thu Nov 9 11:30:20 2017 -0500

    dev-db/postgresql: Security Bump (Bug 636978)

    Security-related version bump to:
     * 10.1
     * 9.6.6
     * 9.5.10
     * 9.4.15
     * 9.3.20
     * 9.2.24

    Headlines from the release announcement[1]:
     * CVE-2017-12172: Start scripts permit database administrator to
       modify root-owned files (Gentoo is unaffected)
     * CVE-2017-15098: Memory disclosure in JSON functions
     * CVE-2017-15099: INSERT ... ON CONFLICT DO UPDATE fails to enforce
       SELECT privileges

    [1]: https://www.postgresql.org/about/news/1801/

    Gentoo-Bug: https://bugs.gentoo.org/636978
    Package-Manager: Portage-2.3.8, Repoman-2.3.3


Stabilization targets:
=dev-db/postgresql-9.6.6 ~alpha ~amd64 ~arm ~arm64 ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.5.10 ~alpha ~amd64 ~arm ~arm64 ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.4.15 ~alpha ~amd64 ~arm ~arm64 ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.3.20 ~alpha ~amd64 ~arm ~arm64 ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.2.24 ~alpha ~amd64 ~arm ~arm64 ~ia64 ~ppc ~ppc64 ~sparc ~x86
Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-11 12:55:16 UTC
ppc/ppc64 stable
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-11 18:01:42 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-11-12 23:12:04 UTC
amd64 stable
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2017-11-17 11:22:30 UTC
Stable on alpha.
Comment 6 Markus Meier gentoo-dev 2017-11-19 15:18:59 UTC
arm stable
Comment 7 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-23 02:18:50 UTC
@Maintainer any particular reason why hppa was not CCed in stabilization request?

HPPA and Sparc both have stable versions affected on almost every SLOT available.

Thank you,
Comment 8 Aaron W. Swenson gentoo-dev 2017-11-28 19:30:25 UTC
(In reply to Christopher Díaz Riveros from comment #7)
> @Maintainer any particular reason why hppa was not CCed in stabilization
> request?
> 
> HPPA and Sparc both have stable versions affected on almost every SLOT
> available.
> 
> Thank you,

HPPA is pretty far behind the rest of the arches, and there was supposed to be some discussion about whether or not HPPA should be downgraded to an unstable arch right around when this was released. Looks like nothing came of it.

Just waiting on HPPA and IA64 now.

=dev-db/postgresql-9.6.6  ~hppa ~ia64
=dev-db/postgresql-9.5.10 ~hppa ~ia64
=dev-db/postgresql-9.4.15 ~hppa ~ia64
=dev-db/postgresql-9.3.20 ~hppa ~ia64
=dev-db/postgresql-9.2.24 ~hppa ~ia64
Comment 9 Stabilization helper bot gentoo-dev 2017-11-28 20:03:52 UTC
An automated check of this bug failed - repoman reported dependency errors (35 lines truncated): 

> dependency.bad dev-db/postgresql/postgresql-9.2.24.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.2.24.ebuild: RDEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.3.20.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.2.24.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.2.24.ebuild: RDEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.3.20.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.2.24.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.2.24.ebuild: RDEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.3.20.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.2.24.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.2.24.ebuild: RDEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.3.20.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.2.24.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.2.24.ebuild: RDEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.3.20.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
Comment 10 Stabilization helper bot gentoo-dev 2017-11-28 22:02:01 UTC
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-06 22:50:31 UTC
sparc stable (thanks to Rolf Eike Beer)
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-29 17:42:45 UTC
ia64 stable
Comment 13 D'juan McDonald (domhnall) 2017-12-30 03:59:32 UTC
@security, Adjusting Severity to agree with Whiteboard.


Gentoo Security Padawan
(Jmbailey/mbailey_j)
Comment 14 Larry the Git Cow gentoo-dev 2018-02-11 15:54:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=850efe2a5700c2ba30f9e9860dd83143cf15da34

commit 850efe2a5700c2ba30f9e9860dd83143cf15da34
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2018-02-11 15:54:10 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2018-02-11 15:54:38 +0000

    dev-db/postgresql: Cleanup Old and Insecure Files
    
    Bug: https://bugs.gentoo.org/627462
    Bug: https://bugs.gentoo.org/636978
    Bug: https://bugs.gentoo.org/630824
    Bug: https://bugs.gentoo.org/603720
    Bug: https://bugs.gentoo.org/603716
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 dev-db/postgresql/Manifest                         |   6 -
 .../files/postgresql-9.2-9.4-tz-dir-overflow.patch |  16 -
 dev-db/postgresql/files/postgresql.confd           |  58 ---
 dev-db/postgresql/files/postgresql.init            | 137 -------
 dev-db/postgresql/files/postgresql.init-9.3        | 142 -------
 dev-db/postgresql/files/postgresql.service         |  55 ---
 dev-db/postgresql/files/postgresql.service-9.6     |  56 ---
 dev-db/postgresql/postgresql-9.2.19.ebuild         | 390 ------------------
 dev-db/postgresql/postgresql-9.2.22.ebuild         | 441 --------------------
 dev-db/postgresql/postgresql-9.2.23-r1.ebuild      | 445 ---------------------
 dev-db/postgresql/postgresql-9.2.23.ebuild         | 441 --------------------
 dev-db/postgresql/postgresql-9.3.15.ebuild         | 395 ------------------
 dev-db/postgresql/postgresql-9.4.10.ebuild         | 427 --------------------
 dev-db/postgresql/postgresql-9.5.5.ebuild          | 438 --------------------
 14 files changed, 3447 deletions(-)}
Comment 15 Sergei Trofimovich (RETIRED) gentoo-dev 2018-02-15 18:13:46 UTC
commit 3b3ec30d0b02920ec76eeef4db2a968c3a907d23
Author: Jeroen Roovers <jer@gentoo.org>
Date:   Sun Feb 11 13:09:46 2018 +0100

    dev-db/postgresql: Stable for HPPA too.
Comment 16 Aaron W. Swenson gentoo-dev 2018-03-22 17:45:50 UTC
All affected versions removed.
Comment 17 Aaron Bauman (RETIRED) gentoo-dev 2018-04-02 23:03:04 UTC
GLSA Vote: No

Tree is clean