Bug 522085 (CVE-2009-3230)

Summary: CVE-2009-3230 postgresql: SQL privilege escalation, incomplete fix for CVE-2007-6600
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: devrim, jlieskov, kaigai, kreilly, kseifried, kvolny, ldimaggi, pasteur, tgl, vdanen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-10-25 18:51:04 UTC
Bug Depends On: 522222, 525282, 525283, 525284, 525285, 525322, 812238

Description Tomas Hoger 2009-09-09 13:10:30 UTC
Quoting upstream PostgreSQL security page:
  http://www.postgresql.org/support/security.html

  The fix for issue CVE-2007-2138 (below) failed to include protection
  against misuse of RESET SESSION AUTHORIZATION.

Affected versions: 8.4, 8.3, 8.2, 8.1, 8.0, 7.4
  (note: this may affect previous 7.x versions too, but upstream does not
   support pre-7.4 versions any more)

Fixed in versions: 8.4.1, 8.3.8, 8.2.14, 8.1.18, 8.0.22, 7.4.26

Severity: C - A vulnerability that is exploitable for privilege escalation, but requiring a valid prior login.

CVE-2007-2138 was previously tracked via bug #237680 and bug #237682, more info on the updates addressing this flaw is available at:
  https://www.redhat.com/security/data/cve/CVE-2007-2138.html
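The description lists the affected branches and the first fixed release of each. The following script, added here as an example and not part of the bug report or of PostgreSQL itself, turns that list into a check a defender can run over `SELECT version()` output or package names from an inventory. The hostnames and version strings in the sample inventory are constructed for illustration; the branch-to-fixed-version table is taken from the description above.

```python
import re

# First release of each affected branch that contains the fix,
# as listed in the bug description ("Fixed in versions").
FIXED_IN = {
    (8, 4): (8, 4, 1),
    (8, 3): (8, 3, 8),
    (8, 2): (8, 2, 14),
    (8, 1): (8, 1, 18),
    (8, 0): (8, 0, 22),
    (7, 4): (7, 4, 26),
}

# Matches "8.3.7" or "8.3" inside strings such as
# "PostgreSQL 8.3.7 on x86_64-redhat-linux-gnu, compiled by GCC ..."
# or an RPM name like "postgresql-8.3.8-1.fc11". The first match wins,
# so trailing compiler or release numbers are ignored.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b")


def parse_version(text):
    """Return (major, minor, patch) parsed from version() output or a package name."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def cve_2009_3230_status(text):
    """Classify a server version against this advisory.

    'affected' : branch is listed and the version predates its fix
    'fixed'    : branch is listed and the version is at or past its fix
    'unknown'  : branch not covered by the advisory (e.g. 7.3 and older,
                 which upstream no longer supported); consult vendor errata
    """
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch not in FIXED_IN:
        return "unknown"
    return "affected" if (major, minor, patch) < FIXED_IN[branch] else "fixed"


def triage_inventory(inventory):
    """Group hosts by status; inventory maps hostname -> version string."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for host, text in sorted(inventory.items()):
        result[cve_2009_3230_status(text)].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "db1": "PostgreSQL 8.3.7 on x86_64-redhat-linux-gnu, compiled by GCC gcc (GCC) 4.1.2",
        "db2": "postgresql-8.3.8-1.fc11",
        "db3": "PostgreSQL 8.4.0 on i686-pc-linux-gnu",
        "legacy": "PostgreSQL 7.3.21 on i386-redhat-linux-gnu",
    }
    for status, hosts in triage_inventory(sample).items():
        print(f"{status:9s} {', '.join(hosts) or '-'}")
```

An "unknown" result is not a clean bill of health: RHEL 3's rh-postgresql package is 7.3-based and still received RHSA-2009:1485, and vendor builds generally carry backported fixes under an unchanged upstream version number, so the vendor erratum, not the bare version, is authoritative for distribution packages.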

Comment 1 Tom Lane 2009-09-09 13:24:46 UTC
The above is incorrect --- the related prior CVE is CVE-2007-6600.

Comment 2 Tomas Hoger 2009-09-09 13:41:40 UTC
CVE-2007-6600 was bug #427127
  https://www.redhat.com/security/data/cve/CVE-2007-6600.html

Is upstream already correcting this?

Comment 3 Tomas Hoger 2009-09-09 14:25:31 UTC
(In reply to comment #2)
> Is upstream already correcting this?

http://archives.postgresql.org/pgsql-www/2009-09/msg00023.php

Comment 4 Tom Lane 2009-09-09 14:31:09 UTC
I'm told it is fixed, just hasn't propagated yet.

Comment 5 Fedora Update System 2009-09-09 18:14:54 UTC
postgresql-8.3.8-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/postgresql-8.3.8-1.fc11

Comment 6 Fedora Update System 2009-09-09 18:15:08 UTC
postgresql-8.3.8-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/postgresql-8.3.8-1.fc10

Comment 8 Tom Lane 2009-09-11 16:41:20 UTC
*** Bug 522822 has been marked as a duplicate of this bug. ***

Comment 9 Fedora Update System 2009-09-11 23:21:01 UTC
postgresql-8.3.8-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2009-09-11 23:21:36 UTC
postgresql-8.3.8-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Jan Lieskovsky 2009-09-17 08:30:06 UTC
MITRE's CVE-2009-3230 record:
-----------------------------

The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before
8.3.8, 8.2 before 8.2.14, 8.1 before 8.1.18, 8.0 before 8.0.22, and
7.4 before 7.4.26 does not use the appropriate privileges for the (1)
RESET ROLE and (2) RESET SESSION AUTHORIZATION operations, which
allows remote authenticated users to gain privileges.  NOTE: this is
due to an incomplete fix for CVE-2007-6600.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3230
http://archives.postgresql.org/pgsql-www/2009-09/msg00024.php
http://www.postgresql.org/docs/8.3/static/release-8-3-8.html
http://www.postgresql.org/support/security.html
https://bugzilla.redhat.com/show_bug.cgi?id=522085
https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00305.html
https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00307.html
http://www.securityfocus.com/bid/36314
http://secunia.com/advisories/36660
http://secunia.com/advisories/36695
http://secunia.com/advisories/36727
http://www.vupen.com/english/advisories/2009/2602

Comment 13 errata-xmlrpc 2009-09-23 21:38:53 UTC
This issue has been addressed in the following products:

  Red Hat Web Application Stack for RHEL 5

Via RHSA-2009:1461 https://rhn.redhat.com/errata/RHSA-2009-1461.html

Comment 15 errata-xmlrpc 2009-10-07 16:22:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1484 https://rhn.redhat.com/errata/RHSA-2009-1484.html

Comment 16 errata-xmlrpc 2009-10-07 16:26:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1485 https://rhn.redhat.com/errata/RHSA-2009-1485.html

Comment 17 Kurt Seifried 2011-10-25 18:51:04 UTC
This issue has been addressed in the following RHSAs:

Red Hat Application Stack v2 for Enterprise Linux (v.5)    RHSA-2009:1461
Red Hat Enterprise Linux version 4 (postgresql)            RHSA-2009:1484
Red Hat Enterprise Linux version 5 (postgresql)            RHSA-2009:1484
Red Hat Enterprise Linux version 3 (rh-postgresql)         RHSA-2009:1485