Bug 1707098 (CVE-2019-10127)

Summary: CVE-2019-10127 postgresql: BigSQL installer does not clear permissive ACL entries
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: anon.amish, bbuckingham, bcourt, bkearney, bmcclain, btotty, dajohnso, databases-maint, dblechte, devrim, dfediuck, dmetzger, eedri, gacton, gblomqui, gmainwar, gmccullo, gtanzill, hhorak, hhudgeon, jfrey, jhardy, jlaska, jmlich83, jorton, jprause, jstanek, kdixon, mgoldboi, michal.skrivanek, mike, mmccune, mperina, obarenbo, panovotn, pkajaba, pkubat, praiskup, rchan, rjerrido, roliveri, sbonazzo, security-response-team, sherold, simaishi, tgl, tlestach
Keywords: Security
Hardware: All   
OS: Linux   
Last Closed: 2019-05-13 07:14:25 UTC
Bug Blocks: 1707112, 1940787    

Description Pedro Sampaio 2019-05-06 19:45:20 UTC
The Windows installer for BigSQL-supplied PostgreSQL does not lock down the
ACL of the binary installation directory or the ACL of the data directory; it
keeps the inherited ACL. In the default configuration, an attacker having
both an unprivileged Windows account and an unprivileged PostgreSQL account
can cause the PostgreSQL service account to execute arbitrary code. An
attacker having only the unprivileged Windows account can read arbitrary data
directory files, essentially bypassing database-imposed read access
limitations. An attacker having only the unprivileged Windows account can
also delete certain data directory files.
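
A check for the condition described above, as an added example that is not part of the bug report or of any project's code: it lists allow entries for Everyone, Authenticated Users and BUILTIN\Users on the directories passed in `-Path`, and reports whether each directory still inherits its parent's ACL. The function name `Get-PermissiveAce` and the choice of those three groups are assumptions of this example.

```powershell
# Added example: audit PostgreSQL directories for ACL entries that grant access
# to groups every unprivileged local account belongs to.
param(
    # Pass the binary installation directory and the data directory.
    [Parameter(Mandatory)][string[]]$Path
)

# Well-known SIDs (assumed scope of the audit), keyed by SID so the check
# does not depend on localized group names.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-PermissiveAce {
    param([Parameter(Mandatory)][string]$Directory)

    $acl = Get-Acl -LiteralPath $Directory
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $BroadSids.ContainsKey($sid)) { continue }
        [pscustomobject]@{
            Directory           = $Directory
            Principal           = $BroadSids[$sid]
            Rights              = $ace.FileSystemRights
            Inherited           = $ace.IsInherited
            # False means the directory still inherits its parent's ACL.
            InheritanceDisabled = $acl.AreAccessRulesProtected
        }
    }
}

$findings = foreach ($dir in $Path) {
    if (Test-Path -LiteralPath $dir -PathType Container) {
        Get-PermissiveAce -Directory $dir
    } else {
        Write-Warning "Not a directory: $dir"
    }
}

# Any row here is an entry to review: the data directory should be readable
# only by the PostgreSQL service account and administrators.
$findings | Format-Table -AutoSize
```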

Comment 3 Pedro Sampaio 2019-05-06 19:55:03 UTC
Acknowledgments:

Name: Noah Misch, the PostgreSQL Project
Upstream: Conner Jones

Comment 5 Doran Moppert 2019-05-15 05:14:50 UTC
External References:

https://www.postgresql.org/about/news/1939/