Bug 1956883 (CVE-2021-32029)

Summary: CVE-2021-32029 postgresql: Memory disclosure in partitioned-table UPDATE ... RETURNING
Product: [Other] Security Response Reporter: Michael Kaplan <mkaplan>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aboyko, aileenc, akoufoud, alazarot, almorale, anon.amish, anstephe, asoldano, atangrin, avibelli, bbaranow, bgeorges, bmaxwell, brian.stansberry, cdewolf, chazlett, clement.escoffier, dandread, darran.lofthouse, databases-maint, devrim, dkreling, dosoudil, drieden, eleandro, etirelli, fjanus, fjuma, ggaughan, gmalinko, gsmet, hamadhan, hhorak, ibek, iweiss, janstey, jmlich83, jochrist, jorton, jpallich, jperkins, jstastny, jwon, kaycoth, krathod, kverlaen, kwills, lgao, lthon, mcascell, mike, mnovotny, msochure, msvehla, mszynkie, nwallace, panovotn, peholase, pgallagh, pjindal, pkubat, pmackay, praiskup, probinso, rguimara, rrajasek, rruss, rstancel, rsvoboda, sbiarozk, sdouglas, security-response-team, smaestri, tgl, tom.jenkinson, tzimanyi, yborgess
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: postgresql 13.3, postgresql 12.7, postgresql 11.12 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in postgresql. Using an UPDATE ... RETURNING command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-06-10 15:04:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1962775, 1962776, 1962777, 1962778, 1962779, 1962783, 1962784, 1962785, 1962813, 1963691, 1963692, 1963700, 1966218, 1966219, 1966220, 1967310    
Bug Blocks: 1956885, 1956886, 1972613    

Description Michael Kaplan 2021-05-04 15:25:29 UTC 
Using an UPDATE ... RETURNING on a purpose-crafted partitioned table, an
attacker can read arbitrary bytes of server memory.  In the default
configuration, any authenticated database user can create prerequisite objects
and complete this attack at will.  A user lacking the CREATE and TEMPORARY
privileges on all databases and the CREATE privilege on all schemas typically
cannot use this attack at will.
Comment 3 Mauro Matteo Cascella 2021-05-20 15:48:59 UTC 
Created mingw-postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1962777]


Created postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1962776]


Created postgresql:11/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1962775]


Created postgresql:12/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1962778]


Created postgresql:13/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1962779]
Comment 8 Mauro Matteo Cascella 2021-05-24 15:06:42 UTC 
Upstream commits:
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=a71cfc56bf6013e3ea1d673acaf73fe7ebbd6bf3 [REL_13_STABLE]
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=3fb93103a9fd5182f4f75d6da87dadcb3b36d7b1 [REL_12_STABLE]
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=27835b5476642d6a4eeb06e32095d29daeb9c585 [REL_11_STABLE]

https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=d479d00285255d422a2b38f1cfaa35808968a08c [master]
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=2602ee4689c7691196568c59656662acf3be4e87 [REL_13_STABLE]
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=05ce4bf8b1d45cc55762fab627ea91d1ffbbdc03 [REL_12_STABLE]
Comment 10 Mauro Matteo Cascella 2021-06-03 20:08:05 UTC 
Upstream advisory:
https://www.postgresql.org/support/security/CVE-2021-32029/
Comment 12 errata-xmlrpc 2021-06-10 10:07:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2372 https://access.redhat.com/errata/RHSA-2021:2372
Comment 13 errata-xmlrpc 2021-06-10 11:20:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2375 https://access.redhat.com/errata/RHSA-2021:2375
Comment 14 Product Security DevOps Team 2021-06-10 15:04:08 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-32029
Comment 15 errata-xmlrpc 2021-06-14 08:53:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2389 https://access.redhat.com/errata/RHSA-2021:2389
Comment 16 errata-xmlrpc 2021-06-14 09:17:43 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:2394 https://access.redhat.com/errata/RHSA-2021:2394
Comment 17 errata-xmlrpc 2021-06-14 09:26:09 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:2396 https://access.redhat.com/errata/RHSA-2021:2396