Bug 157366

Summary: CAN-2005-1409, CAN-2005-1410 Multiple postgresql issues
Product: [Retired] Fedora Legacy
Reporter: Marc Deslauriers <marc.deslauriers>
Component: postgresql
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: pekkas, tseaver
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: LEGACY, rh90, 1, 2
Doc Type: Bug Fix
Last Closed: 2006-02-28 00:53:55 UTC

Description Marc Deslauriers 2005-05-10 22:39:34 UTC
+++ This bug was initially created as a clone of Bug #156726 +++

Two serious security errors have been found in PostgreSQL 7.3 and newer
releases.  These errors at least allow an unprivileged database user to
crash the backend process, and may make it possible for an unprivileged
user to gain the privileges of a database superuser.

Comment 1 Marc Deslauriers 2006-02-11 22:29:35 UTC
*** Bug 157367 has been marked as a duplicate of this bug. ***

Comment 2 Marc Deslauriers 2006-02-11 22:29:48 UTC
*** Bug 157368 has been marked as a duplicate of this bug. ***

Comment 3 Marc Deslauriers 2006-02-12 04:55:12 UTC
Here are updated postgresql packages to QA for rh9, fc1 and fc2.
rh73 and fc3 are not affected.

a7b65953b98935e35b88f299744225a9b2aea0f9  9/postgresql-7.3.10-0.90.1.legacy.src.rpm
0adca4edf71b2380fff90afeaeea08e5349ae31c  1/postgresql-7.3.10-1.1.legacy.src.rpm
f7e2dff75d37e96ed559219db5c02b548e06a9e4  2/postgresql-7.4.8-1.FC2.1.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/postgresql-7.3.10-0.90.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/postgresql-7.3.10-1.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/postgresql-7.4.8-1.FC2.1.src.rpm


Comment 4 Pekka Savola 2006-02-12 19:30:40 UTC
QA w/ rpm-build-compare.sh
 - source integrity OK
 - spec file changes minimal (either to previous, or compared to RHEL)

comments:
 - FC1 and FC2 were updated to match RHEL3 and RHEL4, respectively, so it's
   OK.  Was there a specific reason not to update RHL9 to match RHEL3?
 - you forgot to add "legacy" in the FC2 package name

In any case, the first issue is not blocking and the second can be fixed at
build time.

+PUBLISH RHL9, FC1, FC2

a7b65953b98935e35b88f299744225a9b2aea0f9  postgresql-7.3.10-0.90.1.legacy.src.rpm
0adca4edf71b2380fff90afeaeea08e5349ae31c  postgresql-7.3.10-1.1.legacy.src.rpm
f7e2dff75d37e96ed559219db5c02b548e06a9e4  postgresql-7.4.8-1.FC2.1.src.rpm

Comment 5 Marc Deslauriers 2006-02-12 20:55:26 UTC
Thanks for the QA.

The RHL9 postgres package is substantially different from the RHEL and FC
packages. It uses a different JDBC driver, among other things. I'm afraid
changing it to the RHEL package will break things.

Comment 6 Marc Deslauriers 2006-02-13 00:36:42 UTC
Packages were pushed to updates-testing

Comment 7 Pekka Savola 2006-02-14 06:31:00 UTC
New policy: automatic accept after two weeks if no negative feedback.

Comment 8 Tres Seaver 2006-02-15 04:14:26 UTC
Re:  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157366

System:  Fedora Core 1

Packages tested:

 - postgresql
 - postgresql-devel
 - postgresql-libs
 - postgresql-server

 1. Verify the GPG signature and the SHA1 checksum of the package.

    $ cd /var/cache/yum/updates-testing/packages
    $ sha1sum *.rpm
    de59e42459e24cd8846fbd6d765bc892d621a0dc  \
       postgresql-7.3.10-1.1.legacy.i386.rpm
    39a6163dffc299ba088f8f71c0393fca08648ae9  \
       postgresql-devel-7.3.10-1.1.legacy.i386.rpm
    421fc09afacbeb0e6773a8c2c1dd2ebb45406fd9  \
       postgresql-libs-7.3.10-1.1.legacy.i386.rpm
    71c2abb0a89a19fa88eaa3a22048062ea4d938f3  \
       postgresql-server-7.3.10-1.1.legacy.i386.rpm

    These checksums match those published in the notification sent to
    the legacy list.

    $ rpm --checksig postgresql-*.rpm
    postgresql-7.3.10-1.1.legacy.i386.rpm: \
       (sha1) dsa sha1 md5 gpg OK
    postgresql-devel-7.3.10-1.1.legacy.i386.rpm: \
       (sha1) dsa sha1 md5 gpg OK
    postgresql-libs-7.3.10-1.1.legacy.i386.rpm: \
       (sha1) dsa sha1 md5 gpg OK
    postgresql-server-7.3.10-1.1.legacy.i386.rpm: \
       (sha1) dsa sha1 md5 gpg OK

 2. Could you install or update the package without problems?

    The packages listed installed cleanly via yum from updates-testing.

 3. Could you use the package, as appropriate for the package,
    without problems?

   Yes.  The timesheet application I use on this host, which is backed
   against postgresql, continued to work after the update.

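The verification step in the QA report above (compare the downloaded packages against the published SHA1 list, then run rpm --checksig), as an added shell example that is not part of the thread: it checks a download directory against a posted "<sha1>  <path>" list and fails closed on any missing file, checksum mismatch or bad package signature. It assumes GNU coreutils sha1sum; the rpm signature check runs only where rpm is installed.

```shell
# Added example: verify a download directory against a published checksum
# list of the form posted in this thread ("<sha1>  <relative path>").
# Returns 0 only if every listed file exists and matches; PGP armor lines
# around the list (as in a signed mail) are skipped rather than treated as entries.
verify_packages() {
    manifest="$1"   # published checksum list
    pkgdir="$2"     # directory the listed relative paths live under
    rc=0
    while read -r expected path; do
        # blank lines, base64 signature lines and "=crc" lines have no path
        if [ -z "$path" ]; then continue; fi
        # "-----BEGIN ...", "Hash: SHA1", "Version: GnuPG ..." are framing, not entries
        case "$expected" in -----*|Hash:|Version:) continue ;; esac
        file="$pkgdir/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        actual=$(sha1sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $path expected=$expected got=$actual"; rc=1; continue
        fi
        # signature check for .rpm files where rpm exists; an unknown key fails too
        case "$path" in
            *.rpm) if command -v rpm >/dev/null 2>&1 && ! rpm --checksig "$file" >/dev/null 2>&1; then
                       echo "BADSIG   $path"; rc=1; continue
                   fi ;;
        esac
        echo "OK       $path"
    done < "$manifest"
    return "$rc"
}
```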
Comment 9 Pekka Savola 2006-02-15 07:09:08 UTC
Great!  Thanks for the test!

Comment 10 David Eisenstein 2006-02-15 07:18:16 UTC
Thanks, Tres, for testing!  :)

Comment 11 Pekka Savola 2006-02-15 17:26:33 UTC
Sigh, this just appeared today: CVE-2006-0553.  Do we respin now or wait until
later (e.g., after RHEL has released an update)?

Comment 12 Tres Seaver 2006-02-15 17:45:46 UTC
The writeup[1] says:

  PostgreSQL minor version 8.1.3 has been released, containing a patch for a
  serious security issue present in the 8.1 branch.  All users of 8.1 are urged
  to upgrade at the earliest opportunity.  

  Minor versions 8.0.7, 7.4.12, and 7.3.14 are being released at the same time.
  These contain only minor bug fixes to the 8.0, 7.4 and 7.3 versions and can
  be upgraded on a more planned schedule, unless of course you are encountering
  one of the bugs described.

  The security issue in 8.1.x allows an authenticated database user to escalate
  his ROLE privileges by exploiting knowledge of the backend protocol.  While
  there are no known exploits in the wild for this, users are urged not to wait
  until they encounter one.


  8.1.3 also contains a number of other bug fixes, most of them for very
  specific (rare) database configurations and schema issues, but including a
  number of crash fixes.  Notable also is a fix to the TSearch2 GiST index
  generation code which will significantly speed up creation of TSearch2
  indexes.  See the release notes for more detail.

I would say that we can defer picking up those fixes, as no legacy release is
using 8.1.x.


[1] http://archives.postgresql.org/pgsql-announce/2006-02/msg00008.php

Comment 13 Pekka Savola 2006-02-27 06:40:43 UTC
Timeout over.

Comment 14 Marc Deslauriers 2006-02-28 00:53:55 UTC
Packages were released.