Bug 1734416 (CVE-2019-10208)

Summary: CVE-2019-10208 postgresql: TYPE in pg_temp executes arbitrary SQL during SECURITY DEFINER execution
Product: [Other] Security Response Reporter: msiddiqu
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: akoufoud, alazarot, almorale, anon.amish, anstephe, asakala, bkearney, cbuissar, databases-maint, dblechte, ddj_luo, devrim, dfediuck, eedri, etirelli, hhorak, ibek, jmlich83, jorton, krathod, kverlaen, mgoldboi, michal.skrivanek, mike, mnovotny, mperina, panovotn, paradhya, pkajaba, pkubat, praiskup, puebele, rrajasek, rsynek, sbonazzo, sdaley, security-response-team, sherold, sisharma, tgl, tlestach, trupti_pardeshi, yturgema
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: postgresql 11.5, postgresql 10.10, postgresql 9.6.15, postgresql 9.5.19, postgresql 9.4.24 Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in postgresql where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-09-08 13:18:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1739211, 1739215, 1739217, 1741488, 1741489, 1741490, 1741492, 1741493, 1857226, 1872762, 1881769, 1881777, 1909706, 1909707, 1909717, 1909718, 1909719    
Bug Blocks: 1734467    

Description msiddiqu 2019-07-30 13:52:35 UTC 
Given a suitable SECURITY DEFINER function, an attacker can execute arbitrary
SQL under the identity of the function owner.  An attack requires EXECUTE
permission on the function, which must itself contain a function call having
inexact argument type match.  For example, length('foo'::varchar) and
length('foo') are inexact, while length('foo'::text) is exact.  As part of
exploiting this vulnerability, the attacker uses CREATE DOMAIN to create a
type in a pg_temp schema.  The attack pattern and fix are similar to that for
CVE-2007-2138.  Writing SECURITY DEFINER functions continues to require
following the considerations noted in the documentation, though this
vulnerability affects functions observing them and functions not observing
them:

References: 

https://www.postgresql.org/docs/devel/sql-createfunction.html#SQL-CREATEFUNCTION-SECURITY
Comment 1 msiddiqu 2019-07-30 13:55:47 UTC 
Acknowledgments:

Name: the PostgreSQL project
Upstream: Tom Lane
Comment 3 Joshua Padman 2019-07-31 05:10:20 UTC 
The following products only contain the JBDC postgresql driver, not the server and are not affected:
* Red Hat Decision Manager
* Red Hat Process Automation Manager
Comment 6 msiddiqu 2019-08-08 18:40:10 UTC 
Created mingw-postgresql tracking bugs for this issue:

Affects: epel-7 [bug 1739217]
Affects: fedora-all [bug 1739211]


Created postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1739215]
Comment 7 msiddiqu 2019-08-09 09:43:06 UTC 
External References:

https://www.postgresql.org/about/news/1960/
Comment 8 Hardik Vyas 2019-08-14 09:07:38 UTC 
Red Hat Gluster Storage 3 ships JDBC part of postgresql embedded in rhevm-dependencies, hence not affected.
Comment 10 Cedric Buissart 2019-08-15 10:32:27 UTC 
Upstream fixes per branches :

9.4 : https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=8673743
9.5 : https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=752fa3d
9.6 : https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=7da4619
10 : https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=2062007
11 : https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=21f94c5
Comment 12 Trupti Pardeshi 2019-08-19 07:53:17 UTC 
Hello,

May I know if Linux PostgreSQL 7.1beta6 version is also affected by this vulnerability and requires the fix? Any heads up will be appreciated.

Thank you in advance.

Best Regards,
Comment 13 Doran Moppert 2019-08-20 05:30:58 UTC 
Mitigation:

If your use case requires SECURITY DEFINER functions, please follow the advice below to write them safely so they do not rely on search_path and restrict the set of users which can access them.

https://www.postgresql.org/docs/devel/sql-createfunction.html#SQL-CREATEFUNCTION-SECURITY
Comment 14 Cedric Buissart 2019-08-20 08:12:20 UTC 
(In reply to Trupti Pardeshi from comment #12)
> May I know if Linux PostgreSQL 7.1beta6 version is also affected by this
> vulnerability and requires the fix? Any heads up will be appreciated.
Hi,

PostgreSQL 7.1 has not been tested. I believe that this version does not support SECURITY DEFINER (as far as I know, it was a new feature from 7.3). If so, then 7.1 might not be vulnerable.
Comment 15 Eric Christensen 2019-08-20 18:35:31 UTC 
Statement:

Red Hat Virtualization Management Appliance included affected versions of postgresql, however no custom SECURITY DEFINER functions are declared so this vulnerability can not be exploited in the default configuration.
Comment 17 errata-xmlrpc 2020-09-08 09:49:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3669 https://access.redhat.com/errata/RHSA-2020:3669
Comment 18 Product Security DevOps Team 2020-09-08 13:18:03 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10208
Comment 26 errata-xmlrpc 2020-10-21 13:06:36 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2020:4295 https://access.redhat.com/errata/RHSA-2020:4295
Comment 33 errata-xmlrpc 2020-12-17 15:52:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:5619 https://access.redhat.com/errata/RHSA-2020:5619
Comment 34 errata-xmlrpc 2020-12-22 08:53:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:5661 https://access.redhat.com/errata/RHSA-2020:5661
Comment 35 errata-xmlrpc 2020-12-22 09:26:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:5664 https://access.redhat.com/errata/RHSA-2020:5664
Comment 36 errata-xmlrpc 2021-01-18 10:00:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:0164 https://access.redhat.com/errata/RHSA-2021:0164
Comment 37 errata-xmlrpc 2021-01-18 16:19:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:0166 https://access.redhat.com/errata/RHSA-2021:0166
Comment 38 errata-xmlrpc 2021-01-18 16:20:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:0167 https://access.redhat.com/errata/RHSA-2021:0167
Comment 39 errata-xmlrpc 2021-05-06 10:34:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:1512 https://access.redhat.com/errata/RHSA-2021:1512