Bug 1319806 (CVE-2016-2193) - CVE-2016-2193 postgresql: row security policies in prepared statements disregard user ID changes
Summary: CVE-2016-2193 postgresql: row security policies in prepared statements disreg...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2016-2193
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1322984
Blocks: 1319814
TreeView+ depends on / blocked
 
Reported: 2016-03-21 15:01 UTC by Andrej Nemec
Modified: 2021-02-17 04:08 UTC (History)
6 users (show)

Fixed In Version: postgresql 9.5.2
Clone Of:
Environment:
Last Closed: 2016-03-31 20:44:16 UTC
Embargoed:

Attachments (Terms of Use)

Description Andrej Nemec 2016-03-21 15:01:03 UTC 
This vulnerability leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles, which could happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.
Comment 1 Andrej Nemec 2016-03-21 15:01:12 UTC 
Acknowledgments:

Name: the PostgreSQL project
Upstream: Ashutosh Bapat
Comment 2 Andrej Nemec 2016-03-31 14:49:17 UTC 
External references:

http://www.postgresql.org/about/news/1656/
Comment 3 Tomas Hoger 2016-03-31 20:27:41 UTC 
Upstream commit:

http://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=db69e58a0642ef7fa46d62f6c4cf2460c3a1b41b
Comment 5 Tomas Hoger 2016-03-31 20:44:16 UTC 
Only PostgreSQL 9.5 was affected, which is not yet part of any Red Hat product.
Note You need to log in before you can comment on or make changes to this bug.