Bug 1734447 (CVE-2019-10209)

Summary: CVE-2019-10209 postgresql: Memory disclosure in cross-type comparison for hashed subplan
Product: [Other] Security Response
Reporter: msiddiqu
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: akoufoud, alazarot, almorale, anon.amish, anstephe, asakala, bkearney, databases-maint, dblechte, devrim, dfediuck, eedri, etirelli, hhorak, ibek, jmlich83, jorton, jstanek, krathod, kverlaen, lpetrovi, mgoldboi, michal.skrivanek, mike, mnovotny, mperina, panovotn, paradhya, pkajaba, pkubat, praiskup, puebele, rrajasek, rsynek, sbonazzo, sdaley, security-response-team, sherold, sisharma, tgl, tlestach, trupti_pardeshi, vbellur, yturgema
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: postgresql 11.5
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-08-14 14:46:57 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1739212
Bug Blocks: 1734467

Description msiddiqu 2019-07-30 14:42:46 UTC
In a database containing hypothetical, user-defined hash equality operators,
an attacker could read arbitrary bytes of server memory.  For an attack to
become possible, a superuser would need to create unusual operators.  It is
possible for operators not purpose-crafted for attack to have the properties
that enable an attack, but we are not aware of specific examples.
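
The following audit query is an added example, not part of the bug report or of PostgreSQL's own tooling. It assumes a stock pg_catalog layout and the usual convention that catalog objects with OID 16384 or above were created after installation (by a superuser or an extension) rather than shipped with the server. It reports the running server version against the 11.0 to 11.4 range that comment 11 and the "Fixed In Version" field bound, then lists cross-type hash-equality operators that were added post-install, i.e. the unusual operators the description refers to.

```sql
-- Added audit example (constructed for this report, not upstream code).
-- 1. Is this server an unpatched 11.x? (introduced in 11, fixed in 11.5)
SELECT current_setting('server_version') AS server_version,
       current_setting('server_version_num')::int
           BETWEEN 110000 AND 110004      AS unpatched_11x;

-- 2. Which cross-type hash operators were not shipped with the server?
--    Strategy 1 in a hash operator family is the equality operator.
--    OID >= 16384 (FirstNormalObjectId) marks post-install objects;
--    built-in cross-type entries such as int2 = int4 are filtered out.
SELECT opf.opfname                 AS opfamily,
       op.oprname                  AS operator,
       amop.amoplefttype::regtype  AS left_type,
       amop.amoprighttype::regtype AS right_type,
       amop.amopstrategy           AS strategy
FROM   pg_amop     amop
JOIN   pg_opfamily opf ON opf.oid = amop.amopfamily
JOIN   pg_am       am  ON am.oid  = amop.amopmethod
JOIN   pg_operator op  ON op.oid  = amop.amopopr
WHERE  am.amname = 'hash'
  AND  amop.amoplefttype <> amop.amoprighttype   -- cross-type entry
  AND  (amop.oid >= 16384 OR op.oid >= 16384 OR opf.oid >= 16384)
ORDER  BY 1, 3, 4;
```

An empty result from the second query means none of the operators the description requires exist on this server; a non-empty one on an unpatched 11.x is the combination worth reviewing.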

Comment 3 Joshua Padman 2019-07-31 05:10:28 UTC
The following products only contain the JDBC postgresql driver, not the server, and are not affected:
* Red Hat Decision Manager
* Red Hat Process Automation Manager

Comment 4 msiddiqu 2019-08-07 11:56:54 UTC
Acknowledgments:

Name: the PostgreSQL project
Upstream: Andreas Seltenreich

Comment 7 msiddiqu 2019-08-08 18:40:01 UTC
Created postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1739212]

Comment 8 msiddiqu 2019-08-09 09:43:30 UTC
External References:

https://www.postgresql.org/about/news/1960/

Comment 9 Trupti Pardeshi 2019-08-13 11:10:01 UTC
Hello,

May I know if Linux PostgreSQL 7.1beta6 version is also affected and requires this fix? Any heads up will be appreciated.

Thank you in advance.

Best Regards,

Comment 11 Cedric Buissart 2019-08-13 12:02:19 UTC
In reply to comment #9:
> May I know if Linux PostgreSQL 7.1beta6 version is also affected and
> requires this fix? Any heads up will be appreciated.
This vulnerability was introduced with commit bf6c614a2, and thus affects only PostgreSQL version 11. Older versions are safe from that vulnerability.

Comment 12 Trupti Pardeshi 2019-08-13 12:22:49 UTC
(In reply to Cedric Buissart 🐶 from comment #11)
> In reply to comment #9:
> > May I know if Linux PostgreSQL 7.1beta6 version is also affected and
> > requires this fix? Any heads up will be appreciated.
> This vulnerability was introduced with commit bf6c614a2, and thus affects
> only PostgreSQL version 11. Older versions are safe from that vulnerability.

Thanks a lot Cedric for clarification.

Comment 13 Hardik Vyas 2019-08-14 09:05:39 UTC
Red Hat Gluster Storage 3 ships the JDBC part of postgresql, embedded in rhevm-dependencies, and hence is not affected.

Comment 14 Product Security DevOps Team 2019-08-14 14:46:57 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10209