Bug 1539619 (CVE-2018-1053)

Summary: CVE-2018-1053 postgresql: pg_upgrade creates file of sensitive metadata under prevailing umask
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, bdawidow, bkearney, cbudzilo, chazlett, cpelland, dajohnso, databases-maint, devrim, dffrench, dmetzger, dmoppert, drieden, drusso, gblomqui, gmccullo, gtanzill, gvarsami, hhorak, hhudgeon, jcoleman, jfrey, jhardy, jmadigan, jmlich83, jorton, jprause, jshepherd, jstanek, kconner, kdixon, ldimaggi, lgriffin, loleary, meissner, mike, ngough, nwallace, obarenbo, pdrozd, pkubat, praiskup, pwright, roliveri, rrajasek, rwagner, security-response-team, simaishi, spinder, sthorger, tcunning, tgl, theute, thomas, tkirby, tlestach, trepel
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: postgresql 9.3.21, postgresql 9.4.16, postgresql 9.5.11, postgresql 9.6.7, postgresql 10.2 Doc Type: If docs needed, set a value
Doc Text:
This release of CloudForms corrects an issue invoked when running pg_upgrade by which attackers could read or modify the output of `pg_dumpall -g` in the current working directory. With this release, any attack is rendered infeasible as the directory mode blocks an intruder from searching the current working directory, and the prevailing umask prevents attackers from opening the file.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:38:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1539624, 1543751, 1543752, 1543753, 1544878, 1544879, 1544880, 1544881, 1544882, 1544883, 1544884, 1544885, 1546367, 1546368, 1546369, 1612669, 1612670, 1612671, 1612672    
Bug Blocks: 1539623    

Description Adam Mariš 2018-01-29 10:40:32 UTC 
pg_upgrade creates temporary files in the current working directory. It
creates most of them with umask 0077, so only the current user can open those.
However, for the file containing the output of "pg_dumpall -g", it uses the
umask in effect when the user invoked pg_upgrade. This can allow an attacker
to read or modify the one file, which may contain encrypted or unencrypted
database passwords. However, the attack is infeasible if a directory mode
blocks the attacker searching the current working directory or if the
prevailing umask blocks the attacker opening the file.

Vulnerable Versions: 9.3 - 10
Comment 2 Adam Mariš 2018-01-29 10:43:24 UTC 
Acknowledgments:

Name: the PostgreSQL project
Upstream: Tom Lane
Comment 4 Adam Mariš 2018-02-09 08:29:24 UTC 
External References:

https://www.postgresql.org/about/news/1829/
Comment 5 Adam Mariš 2018-02-09 08:30:29 UTC 
Created mingw-postgresql tracking bugs for this issue:

Affects: epel-7 [bug 1543752]
Affects: fedora-all [bug 1543751]


Created postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1543753]
Comment 9 Andrej Nemec 2018-05-14 13:57:17 UTC 
Statement:

This issue affects the versions of PostgreSQL 9.x as shipped with Red Hat Satellite 5.x and CloudForms 5.x. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 11 errata-xmlrpc 2018-08-20 10:50:24 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS

Via RHSA-2018:2511 https://access.redhat.com/errata/RHSA-2018:2511
Comment 12 errata-xmlrpc 2018-08-27 08:33:59 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS

Via RHSA-2018:2566 https://access.redhat.com/errata/RHSA-2018:2566
Comment 13 errata-xmlrpc 2018-12-13 15:15:17 UTC 
This issue has been addressed in the following products:

  CloudForms Management Engine 5.9

Via RHSA-2018:3816 https://access.redhat.com/errata/RHSA-2018:3816