http://secunia.com/advisories/12860/

A vulnerability has been reported in PostgreSQL, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges.

The vulnerability is caused due to the "make_oidjoins_check" script creating temporary files insecurely. This can be exploited via symlink attacks to create or overwrite arbitrary files with the privileges of the user executing the script.

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0977
Red Hat Bugzilla: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136300

------- Additional Comments From marcdeslauriers 2005-02-10 14:27:23 -------

Also: CAN-2005-0227

and:

A permission checking flaw in PostgreSQL was discovered. A local user could bypass the EXECUTE permission check for functions by using the CREATE AGGREGATE command. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0244 to this issue.

Multiple buffer overflows were found in PL/PgSQL. A database user who has permissions to create plpgsql functions could trigger this flaw which could lead to arbitrary code execution, gaining the privileges of the PostgreSQL server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0245 and CAN-2005-0247 to these issues.

A flaw in the integer aggregator (intagg) contrib module for PostgreSQL was found. A user could create carefully crafted arrays and cause a denial of service (crash). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0246 to this issue.
See:
https://bugzilla.redhat.com/beta/show_bug.cgi?id=147442
https://bugzilla.redhat.com/beta/show_bug.cgi?id=147703

------- Additional Comments From pekkas 2005-02-15 07:09:48 -------

Now the RHEL updates are out:

https://rhn.redhat.com/errata/RHSA-2005-141.html
https://rhn.redhat.com/errata/RHSA-2004-489.html (older one for -0977)

so, we need packages, but luckily enough this isn't a high priority job.

------- Additional Comments From sheltren.edu 2005-02-16 09:22:21 -------

There is a patch for the 2.1 version (which is what 7.3 uses) in the 2.1AS updates:
ftp://ftp.redhat.com/pub/redhat/linux/updates/enterprise/2.1AS/en/os/SRPMS/postgresql-7.1.3-6.rhel2.1AS.src.rpm

The patch is here:
http://www.cs.ucsb.edu/~jeff/postgresql-7.1.3-update.patch
37be4240781c7bf845aeb91c7f2cde273f635661  postgresql-7.1.3-update.patch

RH9 and FC1 both use postgresql-7.3.x and it looks like RH has not bothered to backport patches for the 7.3.x package, but rather they used the 7.3.9 source from upstream - that may be what we should do as well. Opinions?

------- Additional Comments From marcdeslauriers 2005-02-16 11:34:21 -------

I'd go for 7.3.9, but not just a rebuild of the rhel packages...

------- Additional Comments From deisenst 2005-02-16 16:26:32 -------

Why not a rebuild of RHEL 3 srpms, Marc?

------- Additional Comments From marcdeslauriers 2005-02-16 17:34:35 -------

All I meant was to check if the same options/patches/etc apply to rh9 and fc1 before rebuilding the rhel packages intact.

------- Additional Comments From deisenst 2005-02-17 02:53:43 -------

Created an attachment (id=999)
Notes: on postgresql-7.2.x patches (for Red Hat Linux 7.3).

Just to bring us up to a little more speed, some info here. I am also enclosing as an attachment some sundry notes (pointers to patches &c) for the RH 7.3 version of PostgreSQL gleaned from the upstream CVS.
----------------------- CAN-2004-0977 & CAN-2005-0227 ---------------------

Further info on CAN-2004-0977:

* From: RHSA-2004-489 (2004/12/20) <http://rhn.redhat.com/errata/RHSA-2004-489.html>

  "Trustix has identified improper temporary file usage in the make_oidjoins_check script. It is possible that an attacker could overwrite arbitrary file contents as the user running the make_oidjoins_check script. This script has been removed from the RPM file since it has no use to ordinary users. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0977 to this issue."

According to Red Hat Bugzilla # 136300, this issue does not affect RHEL 2.1. I don't yet know whether this affects RH 7.3. This issue likely affects RH9 and FC1.

Further info on CAN-2005-0227:

* From: dsa-668 (2005/02/04) <http://www.debian.org/security/2005/dsa-668>

  "John Heasman and others discovered a bug in the PostgreSQL engine which would allow any user load an arbitrary local library into it."

* From: RHSA-2005-141 (2005/02/14) <http://rhn.redhat.com/errata/RHSA-2005-141.html>

  "A flaw in the LOAD command in PostgreSQL was discovered. A local user could use this flaw to load arbitrary shared librarys [sic] and therefore execute arbitrary code, gaining the privileges of the PostgreSQL server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0227 to this issue." (RHEL 3).

---------------------------------- RH 7.3 -------------------------------

With regards to Red Hat 7.3, please correct me if I am wrong, but AFAICS RH7.3 uses the 7.2.x version of PostgreSQL (base RH7.3 using version 7.2.1-5, with the last update from Red Hat being postgresql-7.2.4-5.73, dated 11-Nov-2003). Doesn't look like RH 7.3 uses postgresql-7.1.3-xx like RHEL 2.1 does.

Other sundry points:

* There is a new upstream version of postgresql-7.2.x, dated 31-Jan-2005 19:50, available.
  <http://www.postgresql.org/ftp/source/v7.2.7/>

* <http://www.postgresql.org/about/news.281>, PostgreSQL's own announcement, says that the 7.2.7 version of postgresql is fixed. I can fairly confidently confirm that it's fixed, at least for CAN-2005-0227 (LOAD command issue). It probably also fixes at least a portion of CAN-2005-0245. We would still need patches for CAN-2005-0247.

* Postgresql-7.2.x does not appear vulnerable to CAN-2005-0244 and CAN-2005-0246. Researching on PostgreSQL's CVS, I found that the code that these two CVEs fix was not yet implemented in 7.2.x.

------- Additional Comments From marcdeslauriers 2005-03-04 17:59:49 -------

Here are updated packages to QA:

The fc1 package is simply a rebuilt RHEL package with the "fedora" spec switch set, as they share the same codebase. The RHEL packages could not be used to build 7.3 and 9 as the changes are too extensive. I decided to upgrade 7.3 and 9 to the latest version in their series as it seemed to be the best solution. The changes are mainly security fixes and small bug fixes, so there shouldn't be significant problems doing this. It seems to be the approach Red Hat uses also.

7.3 Changelog:
* Fri Mar 04 2005 Marc Deslauriers <marcdeslauriers> 7.2.7-1.1.legacy
- Update to 7.2.7 to fix multiple security issues (CAN-2005-0227, CAN-2005-0245, and other issues)
- Patch additional buffer overruns in plpgsql (CAN-2005-0247)
- Remove contrib/oidjoins stuff from installed fileset; it's of no use to ordinary users and has a security issue (RH bugs 136300, 136301)

9 Changelog:
* Fri Mar 04 2005 Marc Deslauriers <marcdeslauriers> 7.3.9-1.1.legacy
- Update to PostgreSQL 7.3.9 (fixes CAN-2005-0227, CAN-2005-0244, CAN-2005-0245, CAN-2005-0246, CAN-2004-0977 and other issues).
- Patch additional buffer overruns in plpgsql (CAN-2005-0247)
- Remove contrib/oidjoins stuff from installed fileset; it's of no use to ordinary users and has a security issue (RH bugs 136300, 136301)

fc1 Changelog:
* Fri Mar 04 2005 Marc Deslauriers <marcdeslauriers> 7.3.9-1.1.legacy
- Rebuilt as Fedora Legacy security update for FC1
* Tue Feb 08 2005 Tom Lane <tgl> 7.3.9-2
- Patch additional buffer overruns in plpgsql (CAN-2005-0247)
* Mon Feb 07 2005 Tom Lane <tgl> 7.3.9-1
- Update to PostgreSQL 7.3.9 (fixes CAN-2005-0227, CAN-2005-0244, CAN-2005-0245, CAN-2005-0246, and other issues).
Downloads:
http://www.infostrategique.com/linuxrpms/legacy/7.3/postgresql-7.2.7-1.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/
http://www.infostrategique.com/linuxrpms/legacy/9/postgresql-7.3.9-0.90.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/
http://www.infostrategique.com/linuxrpms/legacy/1/postgresql-7.3.9-1.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/

------- Additional Comments From pekkas 2005-03-04 21:18:22 -------

QA w/ rpm-build-compare.sh
- source integrity OK
- spec file changes minimal for the first two, rather extensive for FC1, but should be OK as they come from RHEL
- patches verified to come from upstream

+PUBLISH RHL73,RHL9,FC1

80dae0c7d7ec83e8a9b1336a8c227476abb40fec  postgresql-7.2.7-1.1.legacy.src.rpm
c37014555636ea849776d7ba0db03637b98c4d2a  postgresql-7.3.9-0.90.1.legacy.src.rpm
5af81a7a9e798be0d5d48fbe23c292ede00fab25  postgresql-7.3.9-1.1.legacy.src.rpm

------- Additional Comments From marcdeslauriers 2005-03-07 17:22:58 -------

packages were pushed to updates-testing

------- Bug moved to this database by dkl 2005-03-30 18:29 -------

This bug previously known as bug 2260 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2260
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
Notes: on postgresql-7.2.x patches (for Red Hat Linux 7.3).
https://bugzilla.fedora.us/attachment.cgi?action=view&id=999

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have an account here.
Reassigning to the person who moved it here, dkl.
Previous reporter was fedora-legacy-bugzilla-2004.
Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.
++VERIFY RHL 7.3

sha1sums:
d31c189c8a7deff6956075bf77e2b1d65ec5c4a7  postgresql-7.2.7-1.2.legacy.i386.rpm
3c8ca3b49b600ee328d376509ba2fa81178bc785  postgresql-devel-7.2.7-1.2.legacy.i386.rpm
0aef7d8c5eaa0f9acbbf6bbdb9aa325ff993094c  postgresql-jdbc-7.2.7-1.2.legacy.i386.rpm
4ddd20835495bf19a00665136b3e7634e3e29da4  postgresql-libs-7.2.7-1.2.legacy.i386.rpm
022b23b4f4f7942220a8ca069b739089873685b2  postgresql-server-7.2.7-1.2.legacy.i386.rpm

I installed the above RPMs from updates-testing on 4 production servers. No problems yet, although I just finished installing it on the busiest server. I checked that Horde preferences worked. My address book seems to have survived the upgrade.
4 week timeout over.
Packages were released to updates.
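The root cause of CAN-2004-0977 at the top of this thread, a script writing to a guessable name under /tmp, is easy to check for and to fix in packaging. The snippet below is an added example, not code from this thread or from PostgreSQL's make_oidjoins_check script: it uses a constructed fragment in place of that script and shows the predictable-name pattern (never called here) next to a mktemp-based replacement and a check a packager can run on any temp file a script produces.

```shell
#!/bin/sh
# Added example (constructed; not the PostgreSQL make_oidjoins_check script).
# Illustrates the temp-file handling class of bug behind CAN-2004-0977.

# Risky pattern, shown for contrast only: a fixed name in a world-writable
# directory. $$ is the PID, which is easy to guess, so whatever already sits
# at that path (file or symlink) is what the redirect below writes through,
# with the privileges of whoever runs the script.
risky_tmpfile() {
    tmp="/tmp/oidjoins.$$"
    echo "oid list" > "$tmp"
    printf '%s\n' "$tmp"
}

# Safer pattern: mktemp(1) creates the file itself (O_EXCL, mode 0600) under
# an unpredictable name, so nothing pre-placed at that path can be followed.
# Honours TMPDIR so a private directory can be used instead of /tmp.
safe_tmpfile() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/oidjoins.XXXXXX") || return 1
    echo "oid list" > "$tmp"
    printf '%s\n' "$tmp"
}

# Sanity check a temp file before trusting it: must be a regular file (not a
# symlink), owned by the caller, with mode exactly 0600. Returns 0 if all hold.
check_tmpfile() {
    f=$1
    [ -n "$f" ] || return 1
    [ ! -L "$f" ] || return 1                      # symlink: refuse
    [ -f "$f" ] || return 1                        # regular file only
    [ -O "$f" ] || return 1                        # owned by us
    [ -n "$(find "$f" -perm 600 2>/dev/null)" ] || return 1
    return 0
}
```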