Bug 639371 (CVE-2010-3433)

Summary: CVE-2010-3433 PostgreSQL (PL/Perl, PL/Tcl): SECURITY DEFINER function keyword bypass
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: kvolny, security-response-team, tgl
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-10-07 16:52:24 UTC
Bug Depends On: 639928, 639929, 639930, 639931, 639932, 639933, 639934, 640069, 640090, 640433, 812235, 812242

Description Jan Lieskovsky 2010-10-01 15:11:42 UTC
A flaw was found in the way PostgreSQL handled SQL functions created
with the SECURITY DEFINER keyword and implemented in the PL/Perl or PL/Tcl
languages. Once the PL/Perl or PL/Tcl procedural language was registered
on a particular database, a remote, authenticated user, running a
specially-crafted PL/Perl or PL/Tcl script, could use this flaw to bypass
the intended PostgreSQL SECURITY DEFINER function definition refinement /
protection mechanism, allowing them to run a particular PostgreSQL function
under their effective user ID, potentially leading to escalation of their
privileges.

References:
[1] http://www.postgresql.org/docs/8.1/interactive/plperl.html
[2] http://www.postgresql.org/docs/8.1/static/pltcl.html
[3] http://www.postgresql.org/docs/8.1/interactive/sql-createfunction.html
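
The description names two preconditions: PL/Perl or PL/Tcl registered on the database, and SECURITY DEFINER functions written in those languages. The catalog queries below are an added example for checking a database against them; they are not part of the bug report or of any Red Hat or PostgreSQL tooling. They assume the languages are registered under their standard names plperl and pltcl and are meant to be run as a superuser in each database.

```sql
-- 1. SECURITY DEFINER functions implemented in PL/Perl or PL/Tcl.
--    These are the functions the description is about: they execute
--    with the privileges of "owner" rather than those of the caller.
SELECT n.nspname                 AS schema_name,
       p.proname                 AS function_name,
       l.lanname                 AS language,
       pg_get_userbyid(p.proowner) AS owner
FROM   pg_proc p
JOIN   pg_language  l ON l.oid = p.prolang
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  p.prosecdef
AND    l.lanname IN ('plperl', 'pltcl')
ORDER  BY n.nspname, p.proname;

-- 2. Non-superuser roles holding USAGE on those languages.
--    USAGE on a language is what lets a role create its own functions
--    in it, so these are the accounts able to run PL/Perl or PL/Tcl
--    code of their own in this database.
SELECT r.rolname AS role_name,
       l.lanname AS language
FROM   pg_roles r
CROSS  JOIN pg_language l
WHERE  l.lanname IN ('plperl', 'pltcl')
AND    NOT r.rolsuper
AND    has_language_privilege(r.oid, l.oid, 'USAGE')
ORDER  BY l.lanname, r.rolname;
```

A database that returns rows from both queries meets both preconditions and is the first candidate for the errata listed in the comments below.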

Comment 13 Jan Lieskovsky 2010-10-05 19:36:41 UTC
Created postgresql tracking bugs for this issue

Affects: fedora-all [bug 640433]

Comment 14 errata-xmlrpc 2010-10-06 10:29:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2010:0742 https://rhn.redhat.com/errata/RHSA-2010-0742.html

Comment 15 Tomas Hoger 2010-10-06 16:39:55 UTC
Upstream wiki page with additional details and FAQ:
  http://wiki.postgresql.org/wiki/20101005securityrelease

Comment 16 errata-xmlrpc 2010-11-23 16:00:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0908 https://rhn.redhat.com/errata/RHSA-2010-0908.html