Bug 2268465 (CVE-2024-27289)

Summary: CVE-2024-27289 pgx: SQL Injection via Line Comment Creation
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adudiak, agarcial, aoconnor, asegurap, bdettelb, caswilli, dfreiber, drow, eglynn, epacific, fjansen, gparvin, jburrell, jcammara, jhardy, jjoyce, jneedle, jobarker, jschluet, jsherril, kaycoth, kshier, lbainbri, lgamliel, lhh, lsvaty, mabashia, mburns, mgarciac, njean, omaciel, orabin, owatkins, pahickey, pgrist, psegedy, rfreiman, rhaigner, rhos-maint, sidakwo, simaishi, smcdonal, stcannon, teagle, vkumar, yguenane, zsadeh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pgx 4.18.2 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in pgx. SQL injection can occur when all of the following conditions are met in versions before 4.18.2 of pgx.  - The non-default simple protocol is used - A placeholder for a numeric value must be immediately preceded by a minus - There must be a second placeholder for a string value after the first placeholder - Both must be on the same line - Both parameter values must be user-controlled
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2268467, 2268466, 2268468, 2268469, 2268470, 2268471, 2268472, 2268476, 2268477    
Bug Blocks: 2268479    

Description Pedro Sampaio 2024-03-07 17:53:24 UTC 
pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2, SQL injection can occur when all of the following conditions are met: the non-default simple protocol is used; a placeholder for a numeric value must be immediately preceded by a minus; there must be a second placeholder for a string value after the first placeholder; both must be on the same line; and both parameter values must be user-controlled. The problem is resolved in v4.18.2. As a workaround, do not use the simple protocol or do not place a minus directly before a placeholder.

References:

https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df
https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p
Comment 1 Pedro Sampaio 2024-03-07 17:54:25 UTC 
Created caddy tracking bugs for this issue:

Affects: epel-all [bug 2268467]
Affects: fedora-all [bug 2268468]


Created golang-github-jackc-pgproto3 tracking bugs for this issue:

Affects: fedora-all [bug 2268471]


Created golang-github-jackc-pgx tracking bugs for this issue:

Affects: fedora-all [bug 2268470]


Created golang-github-jackc-pgx-3 tracking bugs for this issue:

Affects: fedora-all [bug 2268472]


Created migrate tracking bugs for this issue:

Affects: fedora-all [bug 2268466]


Created osbuild-composer tracking bugs for this issue:

Affects: fedora-all [bug 2268469]
Comment 7 errata-xmlrpc 2024-03-13 20:55:44 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.3

Via RHSA-2024:1321 https://access.redhat.com/errata/RHSA-2024:1321
Comment 43 errata-xmlrpc 2024-10-16 02:40:26 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:7922 https://access.redhat.com/errata/RHSA-2024:7922
Comment 44 errata-xmlrpc 2024-10-16 16:51:53 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:7944 https://access.redhat.com/errata/RHSA-2024:7944