Bug 937573 (CVE-2024-7348) - <dev-db/postgresql-{12.20,13.16,14.13,15.8,16.4}: relation replacement during pg_dump executes arbitrary SQL
Summary: <dev-db/postgresql-{12.20,13.16,14.13,15.8,16.4}: relation replacement during...
Status: CONFIRMED
Alias: CVE-2024-7348
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal blocker
Assignee: Gentoo Security
URL: https://www.postgresql.org/about/news...
Whiteboard: A1 [glsa+ cleanup]
Keywords:
Depends on: 937572
Blocks:
Reported: 2024-08-08 13:20 UTC by Patrick Lauer
Modified: 2024-09-22 05:48 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Patrick Lauer gentoo-dev 2024-08-08 13:20:56 UTC
From upstream:

CVE-2024-7348: PostgreSQL relation replacement during pg_dump executes arbitrary SQL

CVSS v3.1 Base Score: 8.8

Supported, Vulnerable Versions: 12 - 16.

An attacker able to create and drop non-temporary objects could inject SQL code that would be executed by a concurrent pg_dump session with the privileges of the role running pg_dump (which is often a superuser). The attack involves replacing a sequence or similar object with a view or foreign table that will execute malicious code. To prevent this, introduce a new server parameter restrict_nonsystem_relation_kind that can disable expansion of non-builtin views as well as access to foreign tables, and teach pg_dump to set it when available. Note that the attack is prevented only if both pg_dump and the server it is dumping from are new enough to have this fix.
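The upstream text ends with a caveat that is easy to miss in practice: the mitigation only takes effect when both the pg_dump binary and the server it connects to are at or past the fixed release. The script below is an added example, not code from the bug report, Gentoo, or the PostgreSQL project. It takes the fixed minor versions from the bug title (12.20, 13.16, 14.13, 15.8, 16.4), treats majors newer than 16 as released after the fix (an assumption derived from the advisory listing 12 through 16 as the vulnerable supported range), and works on version strings and pg_settings rows that are constructed inline, so it runs offline.

```python
"""Decide whether a pg_dump run is covered by the CVE-2024-7348 mitigation.

Added example; not part of the Gentoo bug or of PostgreSQL. The fixed minor
releases come from the bug title. Version strings and pg_settings rows used
below are constructed samples.
"""
import re

# First minor release of each supported major that carries the fix
# (from the bug title: <dev-db/postgresql-{12.20,13.16,14.13,15.8,16.4}).
FIXED_MINOR = {12: 20, 13: 16, 14: 13, 15: 8, 16: 4}

# Name of the server parameter introduced by the fix, quoted from the advisory.
PARAM = "restrict_nonsystem_relation_kind"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)")


def parse_version(text):
    """Extract (major, minor) from strings such as
    'PostgreSQL 16.3 on x86_64-pc-linux-gnu' (SELECT version())
    or 'pg_dump (PostgreSQL) 16.4' (pg_dump --version)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no major.minor version found in {text!r}")
    return int(m.group(1)), int(m.group(2))


def has_fix(major, minor):
    """True if major.minor is at or past the first fixed release.
    Assumption: majors above 16 shipped after the fix (the advisory lists
    12-16 as the vulnerable supported range). Majors below 12 are out of
    support and never received it."""
    if major > 16:
        return True
    if major not in FIXED_MINOR:
        return False
    return minor >= FIXED_MINOR[major]


def dump_is_protected(server_version_text, pg_dump_version_text):
    """Apply the advisory's caveat: BOTH the server and the pg_dump binary
    must be new enough. Returns (protected, list_of_reasons)."""
    reasons = []
    srv = parse_version(server_version_text)
    cli = parse_version(pg_dump_version_text)
    if not has_fix(*srv):
        reasons.append(f"server {srv[0]}.{srv[1]} lacks {PARAM}")
    if not has_fix(*cli):
        reasons.append(f"pg_dump {cli[0]}.{cli[1]} does not set {PARAM}")
    return (not reasons, reasons)


def setting_present(pg_settings_rows):
    """Given rows from `SELECT name, setting FROM pg_settings` as a list of
    (name, setting) tuples, report whether the server exposes the new
    parameter. Handy when only a live connection, not a version string,
    is at hand."""
    return any(name == PARAM for name, _ in pg_settings_rows)


if __name__ == "__main__":
    # Constructed sample pairs: (server version(), pg_dump --version)
    cases = [
        ("PostgreSQL 16.4 on x86_64-pc-linux-gnu", "pg_dump (PostgreSQL) 16.4"),
        ("PostgreSQL 16.4 on x86_64-pc-linux-gnu", "pg_dump (PostgreSQL) 16.3"),
        ("PostgreSQL 15.7 on x86_64-pc-linux-gnu", "pg_dump (PostgreSQL) 16.4"),
        ("PostgreSQL 12.19 on x86_64-pc-linux-gnu", "pg_dump (PostgreSQL) 12.19"),
    ]
    for srv, cli in cases:
        ok, why = dump_is_protected(srv, cli)
        verdict = "protected" if ok else "NOT protected: " + "; ".join(why)
        print(f"{srv!r} + {cli!r}: {verdict}")

    # Constructed pg_settings rows from a patched and an unpatched server
    print(setting_present([(PARAM, "view, foreign-table"), ("work_mem", "4MB")]))
    print(setting_present([("work_mem", "4MB")]))
```

Run it as-is to see the four constructed pairs classified; in a real deployment feed it the output of `SELECT version()` and `pg_dump --version` from the host that actually runs the backup, since the client and server are frequently different machines and a patched server alone does not close the window.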
Comment 1 Hans de Graaff gentoo-dev Security 2024-08-13 06:57:54 UTC
Downgrading this to A1 since the attacker must be "able to create and drop non-temporary objects", which as far as I can tell requires some kind of existing access to the database server.
Comment 2 Larry the Git Cow gentoo-dev 2024-09-22 05:47:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=d0b7a61aa1bef2572192a9c1be444b1ade4a3aa1

commit d0b7a61aa1bef2572192a9c1be444b1ade4a3aa1
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-22 05:47:12 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-22 05:47:28 +0000

    [ GLSA 202409-02 ] PostgreSQL: Privilege Escalation
    
    Bug: https://bugs.gentoo.org/937573
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-02.xml | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)