Bug 737032 (CVE-2020-14349, CVE-2020-14350) - <dev-db/postgresql-{12.4,11.9,10.14,9.6.19,9.5.23}: Multiple vulnerabilities (CVE-2020-{14349,14350})
Status: RESOLVED FIXED
Alias: CVE-2020-14349, CVE-2020-14350
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.postgresql.org/about/news...
Whiteboard: C2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-08-14 02:13 UTC by Aaron W. Swenson
Modified: 2020-09-11 14:11 UTC

See Also:
Package list:
dev-db/postgresql-12.4 dev-db/postgresql-11.9 dev-db/postgresql-10.14 dev-db/postgresql-9.6.19 dev-db/postgresql-9.5.23
Runtime testing required: No
nattka: sanity-check+


Description Aaron W. Swenson gentoo-dev 2020-08-14 02:13:10 UTC
From: https://www.postgresql.org/about/news/2060/

CVE-2020-14349: Uncontrolled search path element in logical replication.
========================================================================
Versions Affected: 10 - 12.

The PostgreSQL search_path setting determines schemas searched for tables, functions, operators, etc. The CVE-2018-1058 fix caused most PostgreSQL-provided client applications to sanitize search_path, but logical replication continued to leave search_path unchanged. Users of a replication publisher or subscriber database can create objects in the public schema and harness them to execute arbitrary SQL functions under the identity running replication, often a superuser. Installations having adopted a documented secure schema usage pattern are not vulnerable.

The PostgreSQL project thanks Noah Misch for reporting this problem.
--------------------------------------------------------------------


CVE-2020-14350: Uncontrolled search path element in CREATE EXTENSION.
=====================================================================
Versions Affected: 9.5 - 12. The security team typically does not test unsupported versions, but this problem is quite old.

When a superuser runs certain CREATE EXTENSION statements, users may be able to execute arbitrary SQL functions under the identity of that superuser. The attacker must have permission to create objects in the new extension's schema or a schema of a prerequisite extension. Not all extensions are vulnerable.

In addition to correcting the extensions provided with PostgreSQL, the PostgreSQL Global Development Group is issuing guidance for third-party extension authors to secure their own work.

The PostgreSQL project thanks Andres Freund for reporting this problem.
-----------------------------------------------------------------------


Please stabilize:
=dev-db/postgresql-12.4   ~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-11.9   ~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-10.14  ~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.6.19 ~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~sparc ~x86
=dev-db/postgresql-9.5.23 ~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~sparc ~x86
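
The exposure conditions in the advisory text above (other users able to create objects in `public` or in an extension's schema, and replication running as a superuser) can be audited from the system catalogs. The queries below are an added example, not part of the bug report or of the PostgreSQL advisory; they assume a superuser session in each database being checked, and the column aliases are illustrative.

```sql
-- Added audit example; run as a superuser in each database (e.g. via psql).
-- 1. Server version, to compare with the fixed releases named in this bug.
SHOW server_version;

-- 2. Schemas where PUBLIC or a non-superuser role may create objects.
--    public_can_create = true on "public" means the documented secure schema
--    usage pattern (REVOKE CREATE ON SCHEMA public FROM PUBLIC) is not applied.
--    hosts_extension marks schemas that extensions were installed into.
SELECT n.nspname                                             AS schema_name,
       pg_get_userbyid(n.nspowner)                           AS schema_owner,
       has_schema_privilege('public'::name, n.oid, 'CREATE') AS public_can_create,
       array_agg(r.rolname ORDER BY r.rolname)
           FILTER (WHERE r.oid IS NOT NULL)                  AS roles_can_create,
       EXISTS (SELECT 1 FROM pg_extension e
               WHERE e.extnamespace = n.oid)                 AS hosts_extension
FROM pg_namespace n
LEFT JOIN pg_roles r
       ON NOT r.rolsuper
      AND r.rolname NOT LIKE 'pg\_%'
      -- list individual roles only when the right is not already open to PUBLIC
      AND NOT has_schema_privilege('public'::name, n.oid, 'CREATE')
      AND has_schema_privilege(r.oid, n.oid, 'CREATE')
WHERE n.nspname <> 'information_schema'
  AND n.nspname NOT LIKE 'pg\_%'
GROUP BY n.oid, n.nspname, n.nspowner
HAVING has_schema_privilege('public'::name, n.oid, 'CREATE')
    OR count(r.oid) > 0
ORDER BY n.nspname;

-- 3. Logical replication subscriptions in this database and whether the
--    owning role is a superuser (pg_subscription exists in PostgreSQL 10+).
SELECT s.subname,
       r.rolname  AS owner,
       r.rolsuper AS owner_is_superuser,
       s.subenabled
FROM pg_subscription s
JOIN pg_roles r ON r.oid = s.subowner
WHERE s.subdbid = (SELECT oid FROM pg_database
                   WHERE datname = current_database());
```

Rows from query 2 with `hosts_extension` set, or for `public` on a database that has rows in query 3 with `owner_is_superuser` set, are the ones to review first on servers not yet at the versions listed above.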
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-15 02:05:01 UTC
arm64 done
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-15 02:06:02 UTC
arm done
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-15 03:05:53 UTC
x86 done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-15 03:30:43 UTC
amd64 done
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2020-08-15 07:42:00 UTC
sparc stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2020-08-16 13:58:27 UTC
hppa stable
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2020-08-26 21:43:53 UTC
This issue was resolved and addressed in
 GLSA 202008-13 at https://security.gentoo.org/glsa/202008-13
by GLSA coordinator Sam James (sam_c).
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-26 21:44:38 UTC
Reopening for cleanup.
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-03 01:29:44 UTC
(In reply to Sam James from comment #8)
> Reopening for cleanup.

more stables, even.
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-04 14:10:16 UTC
ppc64 stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2020-09-08 07:00:44 UTC
ppc stable
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-09-10 15:08:45 UTC
Please cleanup.
Comment 13 Larry the Git Cow gentoo-dev 2020-09-11 11:08:47 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cabc37d4b5bf47047932f2b7b5cc6fa3a8e93f50

commit cabc37d4b5bf47047932f2b7b5cc6fa3a8e93f50
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2020-09-11 11:07:42 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2020-09-11 11:08:39 +0000

    dev-db/postgresql: Cleanup
    
    Bug:https://bugs.gentoo.org/737032
    
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>

 dev-db/postgresql/Manifest                   |  11 -
 dev-db/postgresql/postgresql-10.12.ebuild    | 465 -------------------------
 dev-db/postgresql/postgresql-10.13.ebuild    | 456 -------------------------
 dev-db/postgresql/postgresql-11.7.ebuild     | 467 -------------------------
 dev-db/postgresql/postgresql-11.8.ebuild     | 458 -------------------------
 dev-db/postgresql/postgresql-12.2.ebuild     | 467 -------------------------
 dev-db/postgresql/postgresql-12.3.ebuild     | 458 -------------------------
 dev-db/postgresql/postgresql-13_beta2.ebuild | 458 -------------------------
 dev-db/postgresql/postgresql-9.5.21.ebuild   | 485 --------------------------
 dev-db/postgresql/postgresql-9.5.22.ebuild   | 476 --------------------------
 dev-db/postgresql/postgresql-9.6.17.ebuild   | 490 ---------------------------
 dev-db/postgresql/postgresql-9.6.18.ebuild   | 481 --------------------------
 12 files changed, 5172 deletions(-)
Comment 14 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-09-11 14:11:52 UTC
Tree is clean, all done, thanks all.