Bug 2415323

Summary: CVE-2025-12818 postgresql18: libpq undersizes allocations, via integer wraparound [fedora-43]
Product: [Fedora] Fedora Reporter: TEJ RATHI <trathi>
Component: postgresql18Assignee: Filip Januš <fjanus>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 43CC: anezbeda, buschmann, fjanus, ndavidov
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: {"flaws": ["4afe8e40-168b-49e3-ad30-cfbe58d8969e"]}
Fixed In Version: Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2414826    

Description TEJ RATHI 2025-11-17 06:27:43 UTC 
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Comment 1 Hans Buschmann 2025-11-25 11:01:54 UTC 
With release of PostgreSQL 18.1 this CVE vulnerability was addressed by upstream and should be deployed on all Fedora/RedHat distributions involved.

Please refer also to bug #2416111 which shows how libpq breaks compatibility with upstream.

https://bugzilla.redhat.com/show_bug.cgi?id=2416111

-----------

GENERAL update policy:

Since Postgres / fedora provide only the latest libpq library (downward compatible) usable with all supported PostgreSQL versions, this library should always be updatede when a new version of the highest supported major version is released.

This was the last time with the release of 18.1 at  2025-11-13 by PostgreSQL Global Development Group.

https://www.postgresql.org/about/news/postgresql-181-177-1611-1515-1420-and-1323-released-3171/

At every minor release there may be also bug fixes in libpq, which can be important to the corresponding postgres version.

The library libpq should be automatically updated at every minor and major release of PostgreSQL like all the postgresql rpms in the corresponding distribution.

My customers systems seem to be at risk to this vulnerability by using the fedora supplied libpq (not updated), and the pgdg_common supplied libpq5 is not usable with php85 (see bug #2416111).

I propose to change the priority to URGENT, but don't want to create a separate bug report.

Is it possible to implement the same update policy like the normal postgresqlxx rpms for libpq?


Thank you for your support!

Hans Buschmann
Comment 2 Filip Januš 2025-11-26 09:01:55 UTC 
Since it's medium severity and there is no SLAs in Fedora, it's in the backlog. If you want to speed it up, feel free to prepare PR in https://src.fedoraproject.org/rpms/libpq