Bug 1734461 (CVE-2019-10211)

Summary: CVE-2019-10211 postgresql: Windows installer bundled OpenSSL executes code from unprotected directory
Product: [Other] Security Response
Reporter: msiddiqu
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: akoufoud, alazarot, almorale, anon.amish, anstephe, asakala, bkearney, databases-maint, dblechte, devrim, dfediuck, eedri, etirelli, hhorak, ibek, jmlich83, jorton, jstanek, krathod, kverlaen, lpetrovi, mgoldboi, michal.skrivanek, mike, mnovotny, mohideensyed2015, mperina, panovotn, paradhya, pkajaba, pkubat, praiskup, puebele, rrajasek, rsynek, sbonazzo, sdaley, security-response-team, sherold, sisharma, tgl, tlestach, vbellur, yturgema
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: postgresql 11.5, postgresql 10.10, postgresql 9.6.15, postgresql 9.5.19, postgresql 9.4.24
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-08-20 08:20:37 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1739210, 1739213, 1739216
Bug Blocks: 1734467

Description msiddiqu 2019-07-30 15:17:18 UTC
When the database server or libpq client library initializes SSL, libeay32.dll
attempts to read configuration from a hard-coded directory.  Typically, the
directory does not exist, but any local user could create it and inject
configuration.  This configuration can direct OpenSSL to load and execute
arbitrary code as the user running a PostgreSQL server or client.  Most
PostgreSQL client tools and libraries use libpq, and one can encounter this
vulnerability by using any of them.  This vulnerability is much like
CVE-2019-5443, but it originated independently.  One can work around the
vulnerability by setting environment variable OPENSSL_CONF to
"NUL:/openssl.cnf" or any other name that cannot exist as a file.
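
The audit and workaround that the description above implies, as an added example in PowerShell (this is not code from the bug report, Red Hat, or the PostgreSQL project): it asks the bundled OpenSSL which directory it was compiled to read openssl.cnf from, walks up to the deepest ancestor that actually exists, reports whether low-privilege groups hold rights that let them create the missing path there, and with -Apply sets the OPENSSL_CONF workaround quoted in the advisory and restarts the server service. The openssl.exe path, the service name and the group names are assumptions, not facts from the report.

```powershell
<#
  Added example; not code from this bug report, Red Hat, or the PostgreSQL project.
  Audits the directory the bundled OpenSSL reads openssl.cnf from and, with -Apply,
  sets the OPENSSL_CONF workaround named in the advisory.
  Assumptions (not from the page): the installer ships openssl.exe beside the DLLs
  (path below is a placeholder), the service name is a placeholder, and "any local
  user" is approximated by the Users / Authenticated Users / Everyone groups
  (these names are localized on non-English Windows).
#>
param(
    [string]$OpenSslExe  = 'C:\Program Files\PostgreSQL\11\bin\openssl.exe',  # assumed path
    [string]$ServiceName = 'postgresql-x64-11',                               # assumed service name
    [switch]$Apply
)
$ErrorActionPreference = 'Stop'

# 1. Ask the bundled OpenSSL for its compile-time OPENSSLDIR, the hard-coded
#    directory the advisory refers to. Output looks like: OPENSSLDIR: "C:\some\path"
$verOut = (& $OpenSslExe version -d) -join ' '
if ($verOut -notmatch 'OPENSSLDIR:\s*"([^"]+)"') { throw "Could not parse OPENSSLDIR from: $verOut" }
$cnfDir  = $Matches[1]
$cnfFile = Join-Path $cnfDir 'openssl.cnf'
Write-Host "OPENSSLDIR: $cnfDir"

# 2. If a config file is already present, say so and who owns it; it may be injected.
if (Test-Path -LiteralPath $cnfFile -ErrorAction SilentlyContinue) {
    $owner = (Get-Acl -LiteralPath $cnfFile).Owner
    Write-Warning "$cnfFile already exists (owner: $owner); inspect it before trusting this host."
}

# 3. Find the deepest existing ancestor: that is where a local user would have to
#    create the missing path. Look for Allow ACEs granting creation rights to
#    low-privilege groups (Deny ACEs are not evaluated; treat hits as leads).
$probe = $cnfDir
while ($probe -and -not (Test-Path -LiteralPath $probe -ErrorAction SilentlyContinue)) {
    $probe = Split-Path -Parent $probe
}
if (-not $probe) {
    Write-Host "No part of $cnfDir exists (drive missing); nothing for a local user to write into."
} else {
    Write-Host "Deepest existing ancestor: $probe"
    $lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    # FILE_ADD_FILE (0x2) | FILE_ADD_SUBDIRECTORY (0x4) | GENERIC_WRITE | GENERIC_ALL
    $createMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000
    $risky = (Get-Acl -LiteralPath $probe).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band $createMask) -ne 0
    }
    if ($risky) {
        Write-Warning "Low-privilege users can create '$cnfDir' under '$probe':"
        $risky | ForEach-Object { Write-Warning ("  {0}: {1}" -f $_.IdentityReference, $_.FileSystemRights) }
    } else {
        Write-Host "No Allow ACE grants creation rights to low-privilege groups on $probe."
    }
}

# 4. Workaround from the advisory: point OPENSSL_CONF at a name that cannot exist
#    as a file, so neither the server nor libpq clients read an injected config.
if ($Apply) {
    [Environment]::SetEnvironmentVariable('OPENSSL_CONF', 'NUL:/openssl.cnf', 'Machine')
    Restart-Service -Name $ServiceName   # service must restart to see the new machine environment
    Write-Host "OPENSSL_CONF set machine-wide; $ServiceName restarted. New client sessions inherit it."
}
```

Run it without -Apply first to see the directory and ACL findings; the ACL check is a heuristic (it ignores Deny entries and group nesting), so confirm a hit by trying to create the directory as an unprivileged user. Setting the variable at Machine scope covers both the server service and libpq-based clients started afterwards; already-running client sessions keep their old environment until restarted.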

Comment 4 msiddiqu 2019-08-07 11:45:24 UTC
Acknowledgments:

Name: the PostgreSQL project
Upstream: Daniel Gustafsson (Curl security team)

Comment 7 msiddiqu 2019-08-08 18:40:08 UTC
Created mingw-postgresql tracking bugs for this issue:

Affects: epel-7 [bug 1739216]
Affects: fedora-all [bug 1739210]
Created postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1739213]

Comment 8 msiddiqu 2019-08-09 09:44:39 UTC
External References:

https://www.postgresql.org/about/news/1960/