Bug 1319806 (CVE-2016-2193)

Summary: CVE-2016-2193 postgresql: row security policies in prepared statements disregard user ID changes
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: databases-maint, hhorak, jorton, mmaslano, pkajaba, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: postgresql 9.5.2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-03-31 20:44:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1322984    
Bug Blocks: 1319814    

Description Andrej Nemec 2016-03-21 15:01:03 UTC 
This vulnerability leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles, which could happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.
Comment 1 Andrej Nemec 2016-03-21 15:01:12 UTC 
Acknowledgments:

Name: the PostgreSQL project
Upstream: Ashutosh Bapat
Comment 2 Andrej Nemec 2016-03-31 14:49:17 UTC 
External references:

http://www.postgresql.org/about/news/1656/
Comment 3 Tomas Hoger 2016-03-31 20:27:41 UTC 
Upstream commit:

http://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=db69e58a0642ef7fa46d62f6c4cf2460c3a1b41b
Comment 5 Tomas Hoger 2016-03-31 20:44:16 UTC 
Only PostgreSQL 9.5 was affected, which is not yet part of any Red Hat product.