Bug 872527 (CVE-2012-4575)

Summary: pgbouncer: DoS (pooler server shutdown) by adding database with large name
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: devrim
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20120910,reported=20121102,source=debian,cvss2=4.0/AV:N/AC:L/Au:S/C:N/I:N/A:P,fedora-all/pgbouncer=affected
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2016-06-10 16:23:39 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 872529

Description Jan Lieskovsky 2012-11-02 06:48:56 EDT
A denial of service flaw was found in the way pgbouncer, a lightweight connection pooler for PostgreSQL, performed processing of client requests attempting to add new database(s) with large name(s). A remote attacker could use this flaw to cause pooler server shutdown.

Relevant upstream patch:
[1] http://git.postgresql.org/gitweb/?p=pgbouncer.git;a=commitdiff;h=4b92112b820830b30cd7bc91bef3dd8f35305525

References:
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692103
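The failure mode described above, as an added illustration that is not pgbouncer's own code and not the upstream patch: a pooler stores database names in fixed-size buffers, and a client-supplied name that does not fit must be refused for that client only, never turned into a fatal error that takes the whole pooler down. The `MAX_DBNAME` limit, the `struct database` list and the `handle_startup` helper are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed fixed buffer size for a database name (example value, not
 * pgbouncer's actual constant). Names of length >= MAX_DBNAME do not fit. */
#define MAX_DBNAME 64

struct database {
    char name[MAX_DBNAME];
    struct database *next;
};

/* Stand-in for the pooler's list of known databases. */
static struct database *db_list;

/* Look up an existing database entry by name. */
struct database *find_database(const char *name)
{
    for (struct database *db = db_list; db; db = db->next)
        if (strcmp(db->name, name) == 0)
            return db;
    return NULL;
}

/* Register a database, creating the entry if needed.
 *
 * A name that does not fit the buffer is rejected with NULL and a log line.
 * The unsafe pattern behind this class of DoS is to treat that condition as a
 * fatal error (log + exit) even though the name arrives from an unauthenticated
 * remote client, so one oversized startup packet stops the pooler for everyone. */
struct database *add_database(const char *name)
{
    size_t len = strlen(name);

    if (len == 0 || len >= MAX_DBNAME) {
        fprintf(stderr, "rejecting database name of length %zu (max %d)\n",
                len, MAX_DBNAME - 1);
        return NULL;
    }

    struct database *db = find_database(name);
    if (db)
        return db;

    db = calloc(1, sizeof(*db));
    if (!db)
        return NULL;
    memcpy(db->name, name, len + 1);   /* len < MAX_DBNAME, so this fits */
    db->next = db_list;
    db_list = db;
    return db;
}

/* Handle the database name from a client's startup packet.
 * Returns 0 if the client may proceed, -1 if this client is refused.
 * In both cases the process keeps serving other clients. */
int handle_startup(const char *requested_db)
{
    return add_database(requested_db) ? 0 : -1;
}

int main(void)
{
    /* Constructed inputs: a normal name and an attacker-sized one. */
    char huge[1024];
    memset(huge, 'A', sizeof(huge) - 1);
    huge[sizeof(huge) - 1] = '\0';

    printf("normal client: %d\n", handle_startup("app_db"));
    printf("oversized name: %d\n", handle_startup(huge));
    printf("pooler still serving: %d\n", handle_startup("app_db"));
    return 0;
}
```

The point of the check is where the error is surfaced: the oversized request is an input-validation failure returned to the one client that sent it, not an internal invariant violation that justifies aborting the daemon.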
Comment 1 Jan Lieskovsky 2012-11-02 06:50:16 EDT
This issue affects the versions of the pgbouncer package as shipped with Fedora releases 16 and 17. Please schedule an update.
Comment 2 Jan Lieskovsky 2012-11-02 06:51:00 EDT
Created pgbouncer tracking bugs for this issue

Affects: fedora-all [bug 872529]
Comment 3 Jan Lieskovsky 2012-11-02 06:54:27 EDT
CVE Request:
[3] http://www.openwall.com/lists/oss-security/2012/11/02/4
Comment 4 Devrim GÜNDÜZ 2012-11-02 08:33:48 EDT
I fixed this in master and f18. Do you think that I should also push it to f17? The current patch set that I applied also moves the conf file to /etc/pgbouncer/pgbouncer.ini, instead of /etc/pgbouncer.ini. This is an incompatible change for a released version. I can rip it out, but...

BTW, I am also maintaining the community RPMs; I used exactly the same patches that I used there. That is the reason for the change.
Comment 5 Jan Lieskovsky 2012-11-02 09:32:44 EDT
(In reply to comment #4)
> I fixed this in master and f18.

Thank you for that update, Devrim.

> Do you think that I should push it also to
> f17?

As for the DoS - yes, the patch should be applied to both pgbouncer versions (Fedora-16 and Fedora-17).

> The current patch set that I applied also moves conf file under
> /etc/pgbouncer/pgbouncer.ini, instead of /etc/pgbouncer.ini. This is an
> incompatible change for released version. I can rip it out, but...

Depends on you (to be honest, I am not sure what the rules are wrt rebasing packages in Fedora against more recent upstream versions).

But if this (moving /etc/pgbouncer.ini to /etc/pgbouncer/pgbouncer.ini) is an upstream decision that is supposed to be supported from now onwards, I would say it's OK to make that change (under the assumption that you would simultaneously rebase the Fedora-16 and Fedora-17 pgbouncer versions to upstream 1.5.3 too).

The users would need to get accustomed to that change anyway (now or later). And if this is the new *.ini file location (IOW it won't be changed back to the original in two weeks), I would say it's OK.

If you would just selectively apply patches (IOW keep Fedora-16 / Fedora-17 still based on the upstream 1.4 version), I would say just fix the DoS and keep the *.ini file in its older / previous location.

> 
> BTW I am also maintaining the community RPMs, I used exactly the same
> patches that I used there. That is the reason of the change.

Ok, understood. See above (if this change is intended as a long-term option): it's OK to apply that in Fedora too (maybe you could symlink /etc/pgbouncer/pgbouncer.ini to /etc/pgbouncer.ini if you think such a change might cause issues).

Thank you, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Comment 6 Kurt Seifried 2012-11-02 13:37:02 EDT
Assigned CVE as per http://www.openwall.com/lists/oss-security/2012/11/02/8