Bug 152844 - CAN-2004-0977, CAN-2005-0227,0244-0247 PostgreSQL multiple issues
Summary: CAN-2004-0977, CAN-2005-0227,0244-0247 PostgreSQL multiple issues
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: postgresql
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL: http://secunia.com/advisories/12860/
Whiteboard: 1, LEGACY, rh73, rh90
Depends On:
Blocks:
 
Reported: 2004-11-09 02:20 UTC by David Lawrence
Modified: 2007-04-18 17:22 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-07-16 16:21:44 UTC
Embargoed:



Description David Lawrence 2005-03-30 23:29:26 UTC
http://secunia.com/advisories/12860/

A vulnerability has been reported in PostgreSQL, which can be exploited by
malicious, local users to perform certain actions on a vulnerable system with
escalated privileges.

The vulnerability is caused due to the "make_oidjoins_check" script creating
temporary files insecurely. This can be exploited via symlink attacks to create
or overwrite arbitrary files with the privileges of the user executing the script.

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0977

Red Hat Bugzilla: 
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136300
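The temp-file weakness the advisory describes, as an added shell example that is not the make_oidjoins_check script from the PostgreSQL tree nor code from this bug: the predictable-name pattern beside a mktemp-based replacement with a symlink check. The function names, the "oidjoins" file prefix and the use of TMPDIR are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the make_oidjoins_check script itself; function names
# and the "oidjoins" prefix are illustrative assumptions.

# Insecure pattern: a predictable path in a world-writable directory, opened
# with plain redirection. If another local user has already placed a symlink
# at that path, the write follows the link and overwrites its target with the
# privileges of whoever runs the script (the CAN-2004-0977 class of bug).
insecure_tmp() {
    tmp="/tmp/oidjoins.$$"     # PID-based names are guessable; no O_EXCL
    echo "work data" > "$tmp"
    printf '%s\n' "$tmp"
}

# Hardened pattern: mktemp creates the file itself with O_EXCL and mode 0600
# from a random template, so a pre-planted path can never be reused. The extra
# check refuses to continue unless the result is a regular, non-symlink file.
secure_tmp() {
    dir="${TMPDIR:-/tmp}"
    tmp=$(mktemp "$dir/oidjoins.XXXXXX") || return 1
    if [ -L "$tmp" ] || [ ! -f "$tmp" ]; then
        rm -f "$tmp"
        return 1
    fi
    echo "work data" > "$tmp"
    printf '%s\n' "$tmp"
}

# Octal permission bits of a path, to confirm the 0600 mode mktemp applies
# (GNU stat first, BSD stat as fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Remove a temp file once the caller is done with it.
drop_tmp() {
    rm -f "$1"
}
```

The advisory's fix was to drop the script from the RPM entirely; the hardened function shows what a script that must keep a scratch file should do instead.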



------- Additional Comments From marcdeslauriers 2005-02-10 14:27:23 ----

Also:
CAN-2005-0227

and:

A permission checking flaw in PostgreSQL was discovered.  A local user
could bypass the EXECUTE permission check for functions by using the
CREATE AGGREGATE command.  The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2005-0244 to this issue.

Multiple buffer overflows were found in PL/PgSQL.  A database user who
has permissions to create plpgsql functions could trigger this flaw
which could lead to arbitrary code execution, gaining the privileges
of the PostgreSQL server. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the names CAN-2005-0245 and
CAN-2005-0247 to these issues.

A flaw in the integer aggregator (intagg) contrib module for
PostgreSQL was found.  A user could create carefully crafted arrays
and cause a denial of service (crash).  The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2005-0246
to this issue.

See:

https://bugzilla.redhat.com/beta/show_bug.cgi?id=147442
https://bugzilla.redhat.com/beta/show_bug.cgi?id=147703




------- Additional Comments From pekkas 2005-02-15 07:09:48 ----

Now the RHEL updates are out:
https://rhn.redhat.com/errata/RHSA-2005-141.html
https://rhn.redhat.com/errata/RHSA-2004-489.html (older one for -0977)

So, we need packages, but luckily enough this isn't a high priority job.




------- Additional Comments From sheltren.edu 2005-02-16 09:22:21 ----

There is a patch for the 2.1 version (which is what 7.3 uses) in the 2.1AS updates:

ftp://ftp.redhat.com/pub/redhat/linux/updates/enterprise/2.1AS/en/os/SRPMS/postgresql-7.1.3-6.rhel2.1AS.src.rpm

The patch is here:
http://www.cs.ucsb.edu/~jeff/postgresql-7.1.3-update.patch
37be4240781c7bf845aeb91c7f2cde273f635661  postgresql-7.1.3-update.patch

RH9 and FC1 both use postgresql-7.3.x and it looks like RH has not bothered to
backport patches for the 7.3.x package, but rather they used the 7.3.9 source
from upstream - that may be what we should do as well.  Opinions?



------- Additional Comments From marcdeslauriers 2005-02-16 11:34:21 ----

I'd go for 7.3.9, but not just a rebuild of the rhel packages...



------- Additional Comments From deisenst 2005-02-16 16:26:32 ----

Why not a rebuild of RHEL 3 srpms, Marc?



------- Additional Comments From marcdeslauriers 2005-02-16 17:34:35 ----

All I meant was to check if the same options/patches/etc apply to rh9 and fc1
before rebuilding the rhel packages intact.



------- Additional Comments From deisenst 2005-02-17 02:53:43 ----

Created an attachment (id=999)
Notes: on postgresql-7.2.x patches (for Red Hat Linux 7.3).


Just to bring us up to a little more speed, some info here.  I am also
enclosing as an attachment some sundry notes (pointers to patches &c) for
the RH 7.3 version of PostgreSQL gleaned from the upstream CVS.

----------------------- CAN-2004-0977 & CAN-2005-0227 ---------------------

Further info on CAN-2004-0977:

   * From:  RHSA-2004-489  (2004/12/20) 
     <http://rhn.redhat.com/errata/RHSA-2004-489.html>

     "Trustix has identified improper temporary file usage in the
     make_oidjoins_check script.  It is possible that an attacker could
     overwrite arbitrary file contents as the user running the
     make_oidjoins_check script.  This script has been removed from the 
     RPM file since it has no use to ordinary users.  The Common
     Vulnerabilities and Exposures project (cve.mitre.org) has assigned the 
     name CAN-2004-0977 to this issue."

     According to Red Hat Bugzilla # 136300, this issue does not affect
     RHEL 2.1.  I don't yet know whether this affects RH 7.3.  This issue
     likely affects RH9 and FC1.

Further info on CAN-2005-0227:

   * From:  dsa-668  (2005/02/04)
     <http://www.debian.org/security/2005/dsa-668>
     "John Heasman and others discovered a bug in the PostgreSQL engine
     which would allow any user load an arbitrary local library into it."

   * From:  RHSA-2005-141  (2005/02/14)
     <http://rhn.redhat.com/errata/RHSA-2005-141.html>

     "A flaw in the LOAD command in PostgreSQL was discovered.  A local user
     could use this flaw to load arbitrary shared librarys [sic] and
     therefore execute arbitrary code, gaining the privileges of the PostgreSQL
     server. The Common Vulnerabilities and Exposures project
     (cve.mitre.org) has assigned the name CAN-2005-0227 to this issue."  (RHEL 3).


----------------------------------  RH 7.3  -------------------------------
With regards to Red Hat 7.3, please correct me if I am wrong, but AFAICS
RH7.3 uses the 7.2.x version of PostgreSQL (base RH7.3 using version
7.2.1-5 with the last update from Red Hat being postgresql-7.2.4-5.73, 
dated 11-Nov-2003).  Doesn't look like RH 7.3 uses postgresql-7.1.3-xx 
like RHEL 2.1 does.

Other sundry points:

  *  There is a new upstream version of postgresql-7.2.x, dated 31-Jan-2005
     19:50, available.
     <http://www.postgresql.org/ftp/source/v7.2.7/>

  *  <http://www.postgresql.org/about/news.281>, PostgreSQL's own
     announcement, says that the 7.2.7 version of postgresql is fixed.  I can
     fairly confidently confirm that it's fixed, at least for CAN-2005-0227
     (LOAD command issue).  It probably also fixes at least a portion of
     CAN-2005-0245.  We would still need patches for CAN-2005-0247.

  *  Postgresql-7.2.x does not appear vulnerable to CAN-2005-0244 and
     CAN-2005-0246.  Researching on PostgreSQL's CVS, I found that the
     code that these two CVE's fix was not yet implemented in 7.2.x.




------- Additional Comments From marcdeslauriers 2005-03-04 17:59:49 ----


Here are updated packages to QA:

The fc1 package is simply a rebuilt RHEL package with the "fedora" spec
switch set, as they share the same codebase. The RHEL packages could
not be used to build 7.3 and 9 as the changes are too extensive.

I decided to upgrade 7.3 and 9 to the latest version in their series as
it seemed to be the best solution. The changes are mainly security
fixes and small bug fixes so there shouldn't be significant problems
doing this. It seems to be the approach Red Hat uses also.

7.3 Changelog:
* Fri Mar 04 2005 Marc Deslauriers <marcdeslauriers> 7.2.7-1.1.legacy
- Update to 7.2.7 to fix multiple security issues (CAN-2005-0227,
  CAN-2005-0245, and other issues)
- Patch additional buffer overruns in plpgsql (CAN-2005-0247)
- Remove contrib/oidjoins stuff from installed fileset; it's of no use
  to ordinary users and has a security issue (RH bugs 136300, 136301)

9 Changelog:
* Fri Mar 04 2005 Marc Deslauriers <marcdeslauriers> 7.3.9-1.1.legacy
- Update to PostgreSQL 7.3.9 (fixes CAN-2005-0227, CAN-2005-0244,
  CAN-2005-0245, CAN-2005-0246, CAN-2004-0977 and other issues).
- Patch additional buffer overruns in plpgsql (CAN-2005-0247)
- Remove contrib/oidjoins stuff from installed fileset; it's of no use
  to ordinary users and has a security issue (RH bugs 136300, 136301)

fc1 Changelog:
* Fri Mar 04 2005 Marc Deslauriers <marcdeslauriers> 7.3.9-1.1.legacy
- Rebuilt as Fedora Legacy security update for FC1

* Tue Feb 08 2005 Tom Lane <tgl> 7.3.9-2
- Patch additional buffer overruns in plpgsql (CAN-2005-0247)

* Mon Feb 07 2005 Tom Lane <tgl> 7.3.9-1
- Update to PostgreSQL 7.3.9 (fixes CAN-2005-0227, CAN-2005-0244,
  CAN-2005-0245, CAN-2005-0246, and other issues).


Downloads:
http://www.infostrategique.com/linuxrpms/legacy/7.3/postgresql-7.2.7-1.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/

http://www.infostrategique.com/linuxrpms/legacy/9/postgresql-7.3.9-0.90.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/

http://www.infostrategique.com/linuxrpms/legacy/1/postgresql-7.3.9-1.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/






------- Additional Comments From pekkas 2005-03-04 21:18:22 ----


QA w/ rpm-build-compare.sh
 - source integrity OK
 - spec file changes minimal for the first two, rather extensive for FC1, 
   but should be OK as they come from RHEL
 - patches verified to come from upstream

+PUBLISH RHL73,RHL9,FC1

80dae0c7d7ec83e8a9b1336a8c227476abb40fec  postgresql-7.2.7-1.1.legacy.src.rpm
c37014555636ea849776d7ba0db03637b98c4d2a  postgresql-7.3.9-0.90.1.legacy.src.rpm
5af81a7a9e798be0d5d48fbe23c292ede00fab25  postgresql-7.3.9-1.1.legacy.src.rpm




------- Additional Comments From marcdeslauriers 2005-03-07 17:22:58 ----

Packages were pushed to updates-testing.



------- Bug moved to this database by dkl 2005-03-30 18:29 -------

This bug previously known as bug 2260 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2260
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
Notes:  on postgresql-7.2.x patches (for Red Hat Linux 7.3).
https://bugzilla.fedora.us/attachment.cgi?action=view&id=999

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl.
   Previous reporter was fedora-legacy-bugzilla-2004.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.



Comment 1 John Dalbec 2005-06-17 20:41:30 UTC

++VERIFY RHL 7.3

sha1sums:

I installed the above RPMs from updates-testing on 4 production servers.
No problems yet, although I just finished installing it on the busiest server.
I checked that Horde preferences worked.  My address book seems to have
survived the upgrade.


Comment 2 Pekka Savola 2005-07-16 03:59:09 UTC
4 week timeout over.

Comment 3 Marc Deslauriers 2005-07-16 16:21:44 UTC
Packages were released to updates.

