Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 664332 (CVE-2018-10915, CVE-2018-10925, CVE-2018-1115) - <dev-db/postgresql-{9.3.24,9.4.19,9.5.14,9.6.10,10.5}: multiple vulnerabilities (CVE-2018-{1115,10915,10925})
Summary: <dev-db/postgresql-{9.3.24,9.4.19,9.5.14,9.6.10,10.5}: multiple vulnerabiliti...
Status: RESOLVED FIXED
Alias: CVE-2018-10915, CVE-2018-10925, CVE-2018-1115
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://www.postgresql.org/about/news...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-08-22 23:31 UTC by GLSAMaker/CVETool Bot
Modified: 2018-10-30 21:08 UTC (History)
1 user (show)

See Also:
Package list:
dev-db/postgresql-9.3.24 dev-db/postgresql-9.4.19 dev-db/postgresql-9.5.14 dev-db/postgresql-9.6.10 dev-db/postgresql-10.5
Runtime testing required: No
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-08-22 23:31:07 UTC
CVE-2018-10915 (https://nvd.nist.gov/vuln/detail/CVE-2018-10915):
  A vulnerability was found in libpq, the default PostgreSQL client library
  where libpq failed to properly reset its internal state between connections.
  If an affected version of libpq was used with "host" or "hostaddr"
  connection parameters from untrusted input, attackers could bypass
  client-side connection security features, obtain access to higher privileged
  connections or potentially cause other impact through SQL injection, by
  causing the PQescape() functions to malfunction. Postgresql versions before
  10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 are affected.
Comment 1 Thomas Deutschmann gentoo-dev Security 2018-08-22 23:33:43 UTC
@ Maintainer(s): Can we start stabilization?
Comment 2 Aaron W. Swenson gentoo-dev 2018-08-23 13:17:15 UTC
Please stabilize:
=dev-db/postgresql-9.3.24 ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.4.19 ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.5.14 ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.6.10 ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-10.5   ~alpha ~amd64 ~arm ~ia64 ~ppc ~ppc64 ~sparc ~x86
Comment 3 Thomas Deutschmann gentoo-dev Security 2018-08-24 01:41:38 UTC
x86 stable
Comment 4 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-08-24 02:07:22 UTC
amd64 stable
Comment 5 Rolf Eike Beer archtester 2018-08-24 21:48:30 UTC
sparc done.
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2018-08-26 18:55:21 UTC
ppc stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2018-08-26 18:57:25 UTC
ppc64 stable
Comment 8 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-08-26 21:38:24 UTC
CVE ID: CVE-2018-10925

Summary: It was discovered that PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 failed to properly check authorization on certain statements involved with "INSERT ... ON CONFLICT DO UPDATE". An attacker with "CREATE TABLE" privileges could exploit this to read arbitrary bytes server memory. If the attacker also had certain "INSERT" and limited "UPDATE" privileges to a particular table, they could exploit this to update other columns in the same table.
 Published: 2018-08-09T21:29:00.000Z

Adding CVE-2018-10925 just for tracking purposes, no need to restart stabilization.
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2018-09-01 23:44:20 UTC
ia64 stable
Comment 10 Tobias Klausmann gentoo-dev 2018-09-14 10:21:05 UTC
Stable on alpha.
Comment 11 Markus Meier gentoo-dev 2018-09-19 17:41:05 UTC
arm stable, all arches done.
Comment 12 Michael Boyle 2018-09-20 23:03:11 UTC
GLSA filed.

Please clean vulnerable.Thank you

Michael Boyle
Security Padawan
Comment 13 Larry the Git Cow gentoo-dev 2018-09-21 16:28:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5e36758fa019653c390058097c6b09bf54158bc

commit b5e36758fa019653c390058097c6b09bf54158bc
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2018-09-21 16:14:07 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2018-09-21 16:27:30 +0000

    dev-db/postgresql: Cleanup old and insecure
    
    Bug: https://bugs.gentoo.org/664332
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 dev-db/postgresql/Manifest                   |  11 -
 dev-db/postgresql/postgresql-10.3.ebuild     | 460 -------------------------
 dev-db/postgresql/postgresql-10.4.ebuild     | 460 -------------------------
 dev-db/postgresql/postgresql-11_beta1.ebuild | 449 ------------------------
 dev-db/postgresql/postgresql-9.3.22.ebuild   | 450 ------------------------
 dev-db/postgresql/postgresql-9.3.23.ebuild   | 450 ------------------------
 dev-db/postgresql/postgresql-9.4.17.ebuild   | 482 --------------------------
 dev-db/postgresql/postgresql-9.4.18.ebuild   | 482 --------------------------
 dev-db/postgresql/postgresql-9.5.12.ebuild   | 488 --------------------------
 dev-db/postgresql/postgresql-9.5.13.ebuild   | 488 --------------------------
 dev-db/postgresql/postgresql-9.6.8.ebuild    | 493 ---------------------------
 dev-db/postgresql/postgresql-9.6.9.ebuild    | 493 ---------------------------
 12 files changed, 5206 deletions(-)
Comment 14 Aaron W. Swenson gentoo-dev 2018-09-23 13:24:36 UTC
@alpha: You missed 9.6.10.
Comment 15 Tobias Klausmann gentoo-dev 2018-09-23 16:48:56 UTC
Whissi has since fixed the alpha commit oversight.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2018-10-30 21:08:49 UTC
This issue was resolved and addressed in
 GLSA 201810-08 at https://security.gentoo.org/glsa/201810-08
by GLSA coordinator Thomas Deutschmann (whissi).