Bug 2268465 (CVE-2024-27289)

Summary: CVE-2024-27289 pgx: SQL Injection via Line Comment Creation
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agarcial, amctagga, aoconnor, asegurap, bdettelb, caswilli, davidn, dfreiber, drow, eglynn, epacific, fjansen, gparvin, jaharrin, jburrell, jcammara, jeder, jhardy, jjoyce, jkoehler, jneedle, jobarker, jschluet, jsherril, kaycoth, lbainbri, lgamliel, lhh, lsvaty, mabashia, mburns, mgarciac, mrajanna, muagarwa, nbecker, njean, odf-bz-bot, orabin, osapryki, owatkins, pahickey, pgrist, psegedy, rfreiman, rhaigner, rhos-maint, rjohnson, sapillai, sidakwo, simaishi, smcdonal, teagle, tnielsen, vkareh, vkumar, yguenane, ypadia, zsadeh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pgx 4.18.2 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2268466, 2268467, 2268468, 2268469, 2268470, 2268471, 2268472, 2268476, 2268477    
Bug Blocks: 2268479    

Description Pedro Sampaio 2024-03-07 17:53:24 UTC 
pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2, SQL injection can occur when all of the following conditions are met: the non-default simple protocol is used; a placeholder for a numeric value must be immediately preceded by a minus; there must be a second placeholder for a string value after the first placeholder; both must be on the same line; and both parameter values must be user-controlled. The problem is resolved in v4.18.2. As a workaround, do not use the simple protocol or do not place a minus directly before a placeholder.

References:

https://github.com/jackc/pgx/commit/f94eb0e2f96782042c96801b5ac448f44f0a81df
https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p
Comment 1 Pedro Sampaio 2024-03-07 17:54:25 UTC 
Created caddy tracking bugs for this issue:

Affects: epel-all [bug 2268467]
Affects: fedora-all [bug 2268468]


Created golang-github-jackc-pgproto3 tracking bugs for this issue:

Affects: fedora-all [bug 2268471]


Created golang-github-jackc-pgx tracking bugs for this issue:

Affects: fedora-all [bug 2268470]


Created golang-github-jackc-pgx-3 tracking bugs for this issue:

Affects: fedora-all [bug 2268472]


Created migrate tracking bugs for this issue:

Affects: fedora-all [bug 2268466]


Created osbuild-composer tracking bugs for this issue:

Affects: fedora-all [bug 2268469]
Comment 7 errata-xmlrpc 2024-03-13 20:55:44 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.3

Via RHSA-2024:1321 https://access.redhat.com/errata/RHSA-2024:1321