The CVE notes from $URL are copied in the next section. 7546 is the most severe as it would allow a remote user to gain privileged access without a password. This would allow an attacker unrestricted access to the database if a DBA were so foolish to set an empty password for a database superuser account. 7547 can reveal passwords used to access other databases, not necessarily the database the user is directly connected to. The least severe is 7548, which would lead to data corruption or other malicious modification of data stored within the database, but the remote user must have gained access to the system.

====================================

CVE-2017-7546: Empty password accepted in some authentication methods

libpq, and by extension any connection driver that utilizes libpq, ignores empty passwords and does not transmit them to the server. When using libpq or a libpq-based connection driver to perform password-based authentication methods, it would appear that setting an empty password would be the equivalent of disabling password login. However, using a non-libpq based connection driver could allow a client with an empty password to log in.

To fix this issue, this update disables empty passwords from being submitted in any of the password-based authentication methods. The server will reject any empty passwords from being set on accounts.

**********************************

CVE-2017-7547: The "pg_user_mappings" catalog view discloses passwords to users lacking server privileges

This fix pertains to the usage of the foreign data wrapper functionality, particularly for the user mapping feature. Before this fix, a user had access to see the options in pg_user_mappings even if the user did not have the USAGE permission on the associated foreign server. This meant that a user could see details such as a password that might have been set by the server administrator rather than the user.

This fix will only fix the behavior in newly created clusters utilizing initdb. To fix this issue on existing systems, you will need to follow the below steps. For more details, please see the release notes.

1. In your postgresql.conf file, add the following:

   allow_system_table_mods = true

2. After adding that line, you will need to restart your PostgreSQL cluster.

3. In each database of the cluster, run the following commands as a superuser:

   SET search_path = pg_catalog;
   CREATE OR REPLACE VIEW pg_user_mappings AS
     SELECT U.oid AS umid, S.oid AS srvid, S.srvname AS srvname, U.umuser AS umuser,
            CASE WHEN U.umuser = 0 THEN 'public' ELSE A.rolname END AS usename,
            CASE WHEN (U.umuser <> 0 AND A.rolname = current_user
                       AND (pg_has_role(S.srvowner, 'USAGE')
                            OR has_server_privilege(S.oid, 'USAGE')))
                   OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE'))
                   OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user)
                 THEN U.umoptions ELSE NULL END AS umoptions
     FROM pg_user_mapping U
     LEFT JOIN pg_authid A ON (A.oid = U.umuser)
     JOIN pg_foreign_server S ON (U.umserver = S.oid);

4. You also need to run the command on your template0 and template1 databases, otherwise the vulnerability will exist in future databases that you create. First, you will need to allow template0 to accept connections. In PostgreSQL 9.5 you can run the following:

   ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;

   In PostgreSQL 9.4 and below, you will have to run this command:

   UPDATE pg_database SET datallowconn = true WHERE datname = 'template0';

   Then, in your template0 and template1 databases, run the commands as described in Step 3.

5. When you are done, you will need to disallow connections from template0. In PostgreSQL 9.5, you can run the following:

   ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;

   In PostgreSQL 9.4 and below, you will have to run the following:

   UPDATE pg_database SET datallowconn = false WHERE datname = 'template0';

6. Remove the following line from your postgresql.conf file:

   allow_system_table_mods = false

7. Restart your PostgreSQL cluster.

For more details, please see the release notes.

**********************************

CVE-2017-7548: lo_put() function ignores ACLs

The lo_put() function should require the same permissions as lowrite(), but there was a missing permission check which would allow any user to change the data in a large object. To fix this, the lo_put() function was changed to check the UPDATE privileges on the target object.

==================================

Stabilization targets:

=dev-db/postgresql-9.2.22 ~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.3.18 ~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.4.13 ~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.5.8 ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.6.4 ~amd64 ~arm ~ia64

As noted previously, upstream has dropped support for Alpha beginning 9.5, which is why it's excluded on the last two targets. Slot 9.6 only had 3 arches stabilized (bug 624432), so only those are listed here.

==================================

Since there may be some new arch testers, here's how I test these:

# for u in -server server ; do FEATURES="userpriv test" USE="$u" emerge -v dev-db/postgresql:9.{2..6} || break ; done

Or:

# for p in postgresql-9.* postgresql-10* ; do USE="-server" ebuild $p {clean,install} || break ; done
# for p in postgresql-9.* postgresql-10* ; do USE="server" FEATURES="userpriv test" ebuild $p {clean,install} || break ; done
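The per-database part of the CVE-2017-7547 procedure above (steps 3 to 5), as an added shell script that is not part of the bug report or of PostgreSQL's own tooling. It assumes psql on PATH, a superuser connection through the usual PG* environment variables, and that allow_system_table_mods = true has already been set and the cluster restarted (steps 1 and 2); the 9.5-or-newer check uses SHOW server_version_num.

```shell
# Added example, not code from the bug report or from the PostgreSQL project:
# applies the CVE-2017-7547 pg_user_mappings replacement to every database in
# a cluster, template0 and template1 included, choosing the 9.5+ or pre-9.5
# way of toggling template0 connections. Assumes psql on PATH, superuser
# access via the usual PG* environment variables, and that
# allow_system_table_mods = true is already set and the cluster restarted.
set -eu

# Hardened view definition as given in the release notes for the fix.
FIXED_VIEW_SQL=$(cat <<'EOF'
SET search_path = pg_catalog;
CREATE OR REPLACE VIEW pg_user_mappings AS
  SELECT U.oid AS umid, S.oid AS srvid, S.srvname AS srvname, U.umuser AS umuser,
         CASE WHEN U.umuser = 0 THEN 'public' ELSE A.rolname END AS usename,
         CASE WHEN (U.umuser <> 0 AND A.rolname = current_user
                    AND (pg_has_role(S.srvowner, 'USAGE')
                         OR has_server_privilege(S.oid, 'USAGE')))
                OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE'))
                OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user)
              THEN U.umoptions ELSE NULL END AS umoptions
  FROM pg_user_mapping U
  LEFT JOIN pg_authid A ON (A.oid = U.umuser)
  JOIN pg_foreign_server S ON (U.umserver = S.oid);
EOF
)

# Statement that allows ($2 = true) or disallows ($2 = false) connections to
# template0. $1 is the numeric server version from SHOW server_version_num
# (e.g. 90604 for 9.6.4); ALTER DATABASE ... ALLOW_CONNECTIONS exists from 9.5.
template0_conn_sql() {
  if [ "$1" -ge 90500 ]; then
    echo "ALTER DATABASE template0 WITH ALLOW_CONNECTIONS $2;"
  else
    echo "UPDATE pg_database SET datallowconn = $2 WHERE datname = 'template0';"
  fi
}

apply_fix() {
  vernum=$(psql -X -At -d postgres -c 'SHOW server_version_num')
  psql -X -At -d postgres -c "$(template0_conn_sql "$vernum" true)"
  # Every database, template0 and template1 included, gets the new view.
  psql -X -At -d postgres -c 'SELECT datname FROM pg_database' |
  while read -r db; do
    printf '%s\n' "$FIXED_VIEW_SQL" | psql -X -v ON_ERROR_STOP=1 -d "$db"
  done
  psql -X -At -d postgres -c "$(template0_conn_sql "$vernum" false)"
}
# Only touch a cluster when explicitly asked; otherwise just define the helpers.
if [ "${1:-}" = "--apply" ]; then apply_fix; fi
```

Run it with --apply against the target cluster after step 2; steps 6 and 7 (removing the allow_system_table_mods line and restarting) are still done by hand.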
An automated check of this bug failed - the following atoms are unknown:

dev-db/postgresql-9.3.18
dev-db/postgresql-9.4.13
dev-db/postgresql-9.5.8
dev-db/postgresql-9.6.4
dev-db/postgresql-9.2.22

Please verify the atom list.
Packages pushed to tree.

commit 8475b7b1352af134678fe0280d97478a8e713013 (HEAD -> master, origin/master, origin/HEAD)
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date:   Thu Aug 10 11:03:21 2017 -0400

    dev-db/postgresql: Security Version Bump

    Security releases: 9.2.22 9.3.18 9.4.13 9.5.8 9.6.4
    Version bump: 10_beta3

    Three security vulnerabilities have been closed by this release:

    * CVE-2017-7546: Empty password accepted in some authentication methods
    * CVE-2017-7547: The "pg_user_mappings" catalog view discloses passwords to users lacking server privileges
    * CVE-2017-7548: lo_put() function ignores ACLs

    Full release notes at: https://www.postgresql.org/about/news/1772/

    Gentoo-Bug: 627462
    Package-Manager: Portage-2.3.6, Repoman-2.3.1
An automated check of this bug failed - repoman reported dependency errors (35 lines truncated):

> dependency.bad dev-db/postgresql/postgresql-9.2.22.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.2.22.ebuild: RDEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
> dependency.bad dev-db/postgresql/postgresql-9.3.18.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['>=app-eselect/eselect-postgresql-2.0']
ia64 stable
ppc/ppc64 stable
arm stable
Stable on alpha.
sparc was dropped to exp. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9
ppc64 stable
ppc stable
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2bc2b3101f0b4ee3e4d70d7804c78146961a4ed4

commit 2bc2b3101f0b4ee3e4d70d7804c78146961a4ed4
Author:     Michael Palimaka <kensington@gentoo.org>
AuthorDate: 2017-09-30 03:46:42 +0000
Commit:     Michael Palimaka <kensington@gentoo.org>
CommitDate: 2017-09-30 03:47:02 +0000

    dev-db/postgresql: amd64/x86 stable

    Bug: https://bugs.gentoo.org/627462
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

 dev-db/postgresql/postgresql-9.2.22.ebuild | 2 +-
 dev-db/postgresql/postgresql-9.3.18.ebuild | 2 +-
 dev-db/postgresql/postgresql-9.4.13.ebuild | 2 +-
 dev-db/postgresql/postgresql-9.5.8.ebuild  | 2 +-
 dev-db/postgresql/postgresql-9.6.4.ebuild  | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
*** Bug 624944 has been marked as a duplicate of this bug. ***
hppa / please complete stabilization for this security bug, it is holding up completion and cleanup of this bug. New GLSA Request filed.
tried a test on hppa, which fails because the usual local breakage on hppa, so no test results:

============== creating temporary instance ==============
============== initializing database system ==============

pg_regress: initdb failed
Examine /var/tmp/portage/dev-db/postgresql-9.6.4/work/postgresql-9.6.4/src/test/regress/log/initdb.log for the reason.
Command was: "initdb" -D "/var/tmp/portage/dev-db/postgresql-9.6.4/work/postgresql-9.6.4/src/test/regress/./tmp_check/data" --noclean --nosync > "/var/tmp/portage/dev-db/postgresql-9.6.4/work/postgresql-9.6.4/src/test/regress/log/initdb.log" 2>&1
make[1]: *** [GNUmakefile:130: check] Error 2
make[1]: Leaving directory '/var/tmp/portage/dev-db/postgresql-9.6.4/work/postgresql-9.6.4/src/test/regress'
make: *** [GNUmakefile:67: check] Error 2
 * ERROR: dev-db/postgresql-9.6.4::gentoo failed (test phase):
 *   emake failed
 *
 * If you need support, post the output of `emerge --info '=dev-db/postgresql-9.6.4::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=dev-db/postgresql-9.6.4::gentoo'`.
 * The complete build log is located at '/var/tmp/portage/dev-db/postgresql-9.6.4/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/dev-db/postgresql-9.6.4/temp/environment'.
 * Working directory: '/var/tmp/portage/dev-db/postgresql-9.6.4/work/postgresql-9.6.4'
 * S: '/var/tmp/portage/dev-db/postgresql-9.6.4/work/postgresql-9.6.4'

pioneer ~ # cat /var/tmp/portage/dev-db/postgresql-9.6.4/work/postgresql-9.6.4/src/test/regress/log/initdb.log
Running in noclean mode.  Mistakes will not be cleaned up.
The files belonging to this database system will be owned by user "portage".
This user must also own the server process.

initdb: invalid locale settings; check LANG and LC_* environment variables
sparc stable (thanks to Rolf Eike Beer)
(In reply to Rolf Eike Beer from comment #15)
> tried a test on hppa, which fails because the usual local breakage on hppa,
> so no test results:
>
> ============== creating temporary instance ==============
> ============== initializing database system ==============
>
> pg_regress: initdb failed
> Examine /var/tmp/portage/dev-db/postgresql-9.6.4/work/postgresql-9.6.4/src/test/regress/log/initdb.log for the reason.
> Command was: "initdb" -D "/var/tmp/portage/dev-db/postgresql-9.6.4/work/postgresql-9.6.4/src/test/regress/./tmp_check/data" --noclean --nosync > "/var/tmp/portage/dev-db/postgresql-9.6.4/work/postgresql-9.6.4/src/test/regress/log/initdb.log" 2>&1
> make[1]: *** [GNUmakefile:130: check] Error 2
> make[1]: Leaving directory '/var/tmp/portage/dev-db/postgresql-9.6.4/work/postgresql-9.6.4/src/test/regress'
> make: *** [GNUmakefile:67: check] Error 2
> * ERROR: dev-db/postgresql-9.6.4::gentoo failed (test phase):
> *   emake failed
> *
> * If you need support, post the output of `emerge --info '=dev-db/postgresql-9.6.4::gentoo'`,
> * the complete build log and the output of `emerge -pqv '=dev-db/postgresql-9.6.4::gentoo'`.
> * The complete build log is located at '/var/tmp/portage/dev-db/postgresql-9.6.4/temp/build.log'.
> * The ebuild environment file is located at '/var/tmp/portage/dev-db/postgresql-9.6.4/temp/environment'.
> * Working directory: '/var/tmp/portage/dev-db/postgresql-9.6.4/work/postgresql-9.6.4'
> * S: '/var/tmp/portage/dev-db/postgresql-9.6.4/work/postgresql-9.6.4'
>
> pioneer ~ # cat /var/tmp/portage/dev-db/postgresql-9.6.4/work/postgresql-9.6.4/src/test/regress/log/initdb.log
> Running in noclean mode.  Mistakes will not be cleaned up.
> The files belonging to this database system will be owned by user "portage".
> This user must also own the server process.
>
> initdb: invalid locale settings; check LANG and LC_* environment variables

I've never seen a report about this before now.
Please make a separate bug. Does this issue prevent a successful emerge and subsequent emerge --config?
This issue was resolved and addressed in GLSA 201710-06 at https://security.gentoo.org/glsa/201710-06 by GLSA coordinator Aaron Bauman (b-man).
re-opening for cleanup. @maintainer(s), I am leaving the blocked bugs in place until you cleanup. They don't seem to be needed though.
I haven't removed all as we're waiting on HPPA, which is now 3 or 4 versions behind current (depending on the definition of current).

commit 4205f0659c831b9e6594bb6973c21d4f8842f45c (HEAD -> master, origin/master, origin/HEAD)
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date:   Sun Oct 8 10:31:20 2017 -0400

    dev-db/postgresql: Partial Security Cleanup

    Remove some of the affected packages.

    Package-Manager: Portage-2.3.8, Repoman-2.3.3
An automated check of this bug failed - the following atom is unknown:

app-eselect/eselect-postgresql-2.1

Please verify the atom list.
An automated check of this bug failed - the following atoms are unknown:

dev-db/postgresql-9.5.8
dev-db/postgresql-9.4.13
dev-db/postgresql-9.6.4
app-eselect/eselect-postgresql-2.1
dev-db/postgresql-9.3.18

Please verify the atom list.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=850efe2a5700c2ba30f9e9860dd83143cf15da34

commit 850efe2a5700c2ba30f9e9860dd83143cf15da34
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2018-02-11 15:54:10 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2018-02-11 15:54:38 +0000

    dev-db/postgresql: Cleanup Old and Insecure Files

    Bug: https://bugs.gentoo.org/627462
    Bug: https://bugs.gentoo.org/636978
    Bug: https://bugs.gentoo.org/630824
    Bug: https://bugs.gentoo.org/603720
    Bug: https://bugs.gentoo.org/603716
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 dev-db/postgresql/Manifest                         |   6 -
 .../files/postgresql-9.2-9.4-tz-dir-overflow.patch |  16 -
 dev-db/postgresql/files/postgresql.confd           |  58 ---
 dev-db/postgresql/files/postgresql.init            | 137 -------
 dev-db/postgresql/files/postgresql.init-9.3        | 142 -------
 dev-db/postgresql/files/postgresql.service         |  55 ---
 dev-db/postgresql/files/postgresql.service-9.6     |  56 ---
 dev-db/postgresql/postgresql-9.2.19.ebuild         | 390 ------------------
 dev-db/postgresql/postgresql-9.2.22.ebuild         | 441 --------------------
 dev-db/postgresql/postgresql-9.2.23-r1.ebuild      | 445 ---------------------
 dev-db/postgresql/postgresql-9.2.23.ebuild         | 441 --------------------
 dev-db/postgresql/postgresql-9.3.15.ebuild         | 395 ------------------
 dev-db/postgresql/postgresql-9.4.10.ebuild         | 427 --------------------
 dev-db/postgresql/postgresql-9.5.5.ebuild          | 438 --------------------
 14 files changed, 3447 deletions(-)
An automated check of this bug failed - the following atoms are unknown:

dev-db/postgresql-9.3.18
dev-db/postgresql-9.5.8
dev-db/postgresql-9.6.4
dev-db/postgresql-9.4.13
dev-db/postgresql-9.2.22
app-eselect/eselect-postgresql-2.1

Please verify the atom list.
Tree is clean