Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 685846 (CVE-2019-10129, CVE-2019-10130) - <dev-db/postgresql-{11.3,10.8,9.6.13,9.5.17,9.4.22}: multiple vulnerabilities (CVE-2019-{10129,10130})
Summary: <dev-db/postgresql-{11.3,10.8,9.6.13,9.5.17,9.4.22}: multiple vulnerabilities...
Status: RESOLVED FIXED
Alias: CVE-2019-10129, CVE-2019-10130
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://www.postgresql.org/about/news...
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-05-13 14:58 UTC by GLSAMaker/CVETool Bot
Modified: 2020-03-12 20:23 UTC (History)
1 user (show)

See Also:
Package list:
dev-db/postgresql-11.3 dev-db/postgresql-10.8 dev-db/postgresql-9.6.13 dev-db/postgresql-9.5.17 dev-db/postgresql-9.4.22
Runtime testing required: No
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2019-05-13 14:58:25 UTC
Incoming details.
Comment 1 Thomas Deutschmann gentoo-dev Security 2019-05-13 15:01:24 UTC
CVE-2019-10129: Memory disclosure in partition routing

Prior to this release, a user running PostgreSQL 11 can read arbitrary bytes of server memory by executing a purpose-crafted INSERT statement to a partitioned table.


CVE-2019-10130: Selectivity estimators bypass row security policies

PostgreSQL maintains statistics for tables by sampling data available in columns; this data is consulted during the query planning process. Prior to this release, a user able to execute SQL queries with permissions to read a given column could craft a leaky operator that could read whatever data had been sampled from that column. If this happened to include values from rows that the user is forbidden to see by a row security policy, the user could effectively bypass the policy. This is fixed by only allowing a non-leakproof operator to use this data if there are no relevant row security policies for the table.
Comment 2 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-05-15 14:55:49 UTC
amd64 stable
Comment 3 Rolf Eike Beer 2019-05-16 08:11:02 UTC
sparc stable
Comment 4 Thomas Deutschmann gentoo-dev Security 2019-05-16 23:58:02 UTC
x86 stable
Comment 5 Rolf Eike Beer 2019-05-18 19:23:40 UTC
hppa stable
Comment 6 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-05-23 13:18:19 UTC
arm stable
Comment 7 Sergei Trofimovich gentoo-dev 2019-05-25 07:58:20 UTC
ppc stable
Comment 8 Sergei Trofimovich gentoo-dev 2019-05-25 08:03:20 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-06-05 09:13:00 UTC
ia64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2019-06-06 06:49:24 UTC
alpha stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 11 Larry the Git Cow gentoo-dev 2019-06-15 10:58:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=87cf3bd99d04619a664a6ef898edecba1125126a

commit 87cf3bd99d04619a664a6ef898edecba1125126a
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2019-06-15 10:56:02 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2019-06-15 10:56:09 +0000

    dev-db/postgresql: Cleanup old/insecure
    
    Bug: https://bugs.gentoo.org/685846
    Package-Manager: Portage-2.3.62, Repoman-2.3.11
    Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>

 dev-db/postgresql/Manifest                         |  11 -
 .../files/postgresql-9.3-no-server.patch           | 144 ------
 dev-db/postgresql/postgresql-10.6.ebuild           | 460 -------------------
 dev-db/postgresql/postgresql-10.7.ebuild           | 460 -------------------
 dev-db/postgresql/postgresql-11.1.ebuild           | 460 -------------------
 dev-db/postgresql/postgresql-11.2.ebuild           | 460 -------------------
 dev-db/postgresql/postgresql-12_beta1.ebuild       | 460 -------------------
 dev-db/postgresql/postgresql-9.3.25.ebuild         | 443 -------------------
 dev-db/postgresql/postgresql-9.4.20.ebuild         | 475 --------------------
 dev-db/postgresql/postgresql-9.4.21.ebuild         | 475 --------------------
 dev-db/postgresql/postgresql-9.5.15.ebuild         | 481 --------------------
 dev-db/postgresql/postgresql-9.5.16.ebuild         | 481 --------------------
 dev-db/postgresql/postgresql-9.6.11.ebuild         | 486 ---------------------
 dev-db/postgresql/postgresql-9.6.12.ebuild         | 486 ---------------------
 14 files changed, 5782 deletions(-)
Comment 12 Thomas Deutschmann gentoo-dev Security 2019-10-26 23:59:06 UTC
Added to an existing GLSA.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2020-03-12 20:23:28 UTC
This issue was resolved and addressed in
 GLSA 202003-03 at https://security.gentoo.org/glsa/202003-03
by GLSA coordinator Thomas Deutschmann (whissi).