Bug 1645937 (CVE-2018-16850)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2018-16850 postgresql: SQL injection in pg_upgrade and pg_dump, via CREATE TRIGGER ... REFERENCING | | |
| Product | [Other] Security Response | Reporter | Sam Fowler <sfowler> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | unspecified | CC | abergmann, abhgupta, anon.amish, bkearney, bmcclain, dajohnso, databases-maint, dbaker, dblechte, dclarizi, devrim, dfediuck, dmetzger, eedri, gblomqui, ggainey, gmainwar, gmccullo, gtanzill, hhorak, jfrey, jhardy, jlaska, jmlich83, jokerman, jorton, jprause, jstanek, kdixon, meissner, mgoldboi, michal.skrivanek, mike, mperina, obarenbo, pkajaba, pkubat, praiskup, ratamir, roliveri, rschiron, sbonazzo, security-response-team, sherold, simaishi, sthangav, tgl, tlestach, trankin, trupti_pardeshi |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | postgresql 11.1, postgresql 10.6 | Doc Type | If docs needed, set a value |
| Doc Text | A SQL injection flaw has been discovered in the PostgreSQL server in the way triggers that enable transition relations are dumped. The transition relation name is not correctly quoted, and it may allow an attacker with CREATE privilege on some non-temporary schema or TRIGGER privilege on some table to create a malicious trigger that, when dumped and restored, would result in additional SQL statements being executed. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2018-12-03 09:41:48 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1649236, 1649237, 1649238, 1649239, 1649240, 1649369, 1649370 | | |
| Bug Blocks | 1645938 | | |
Description
Sam Fowler, 2018-11-05 01:33:19 UTC

External References: https://www.postgresql.org/about/news/1905/

Created mingw-postgresql tracking bugs for this issue:
Affects: epel-7 [bug 1649238]
Affects: fedora-all [bug 1649237]

Created postgresql tracking bugs for this issue:
Affects: fedora-all [bug 1649236]

Upstream commits:
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=06292bb949e555f34edde7603237194a7daac942
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=2da33cbd52aaf5cbc4bc6c4e42e8879ee75a859d

Public report: https://www.postgresql.org/message-id/15440-02d1468e94d63d76@postgresql.org

Since postgresql version 10, when creating a trigger you can specify a name to enable transition relations. This name, however, is not properly quoted when dumping the database, allowing SQL code to be injected into the dump, which is later run by a superuser to restore the database. As said in comment 0, the attack requires CREATE privilege on some non-temporary schema or TRIGGER privilege on some table. However, a new user with no special permissions has by default CREATE permission on the "public" schema, which would allow him to exploit the flaw.

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Via RHSA-2018:3757 https://access.redhat.com/errata/RHSA-2018:3757

Statement: This issue did not affect the versions of postgresql as shipped with Red Hat Enterprise Linux 5, 6, and 7, as they did not include support for triggers with `REFERENCING` syntax, which was included in a later version of the program. It also doesn't affect the versions of postgresql shipped with CloudForms 4.2, 4.5 and 4.6, and Satellite 5, for the same reason as above.
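The comments above describe the defect as a missing quoting step: pg_dump wrote the transition relation name (the `REFERENCING ... AS name` part of `CREATE TRIGGER`) into the dump as-is, so any name that is not a plain identifier can change the meaning of the restored script. The query below is an added audit example, not code from this bug report or from the PostgreSQL project. It assumes a PostgreSQL 10 or later catalog, where `pg_trigger.tgoldtable` and `pg_trigger.tgnewtable` hold the declared transition relation names, and it uses the server's own `quote_ident()` and `format('%I')` to show what a correctly quoted clause looks like. Running it before a dump or upgrade on a server older than 10.6 / 11.1 lists every trigger that declares transition relations and flags the ones whose names would not survive unquoted.

```sql
-- Added example (not from the Bugzilla report or PostgreSQL itself).
-- Defender-side audit for CVE-2018-16850: list every user trigger that
-- declares transition relations and flag names that must be quoted.
-- Assumes PostgreSQL 10+ catalogs (tgoldtable / tgnewtable are NULL when
-- the trigger declares no transition relation of that kind).
SELECT n.nspname AS schema_name,
       c.relname AS table_name,
       t.tgname  AS trigger_name,
       t.tgoldtable,
       t.tgnewtable,
       -- quote_ident() returns the input unchanged only for a plain
       -- lowercase identifier; any other name needs double quotes, and an
       -- unpatched pg_dump would have emitted it bare.
       (t.tgoldtable IS NOT NULL AND quote_ident(t.tgoldtable) <> t.tgoldtable)
       OR
       (t.tgnewtable IS NOT NULL AND quote_ident(t.tgnewtable) <> t.tgnewtable)
           AS needs_quoting,
       -- The clause as a fixed dumper should emit it: %I applies identifier
       -- quoting, so embedded quotes are doubled and the name stays one token.
       concat_ws(' ',
           CASE WHEN t.tgoldtable IS NOT NULL
                THEN format('OLD TABLE AS %I', t.tgoldtable) END,
           CASE WHEN t.tgnewtable IS NOT NULL
                THEN format('NEW TABLE AS %I', t.tgnewtable) END)
           AS safely_quoted_referencing_clause
FROM pg_trigger t
JOIN pg_class c     ON c.oid = t.tgrelid
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE NOT t.tgisinternal
  AND (t.tgoldtable IS NOT NULL OR t.tgnewtable IS NOT NULL)
ORDER BY needs_quoting DESC, schema_name, table_name, trigger_name;
```

Any row with `needs_quoting = true` deserves a look before the dump is restored by a superuser; the catalogs are readable by ordinary roles, so the check can run from a low-privilege monitoring account. Applying the fixed releases named in the bug (10.6 / 11.1) removes the underlying defect, after which the `safely_quoted_referencing_clause` column matches what pg_dump writes.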
This issue did not affect the versions of postgresql shipped within Tower, as there is no code path for Tower users to call the CREATE statement.

Hello, may I know if Linux PostgreSQL 7.1beta6 version is also affected and requires this fix? Any heads up will be appreciated. Thank you in advance. Best Regards,