Bug 522085 (CVE-2009-3230) - CVE-2009-3230 postgresql: SQL privilege escalation, incomplete fix for CVE-2007-6600
Status: CLOSED ERRATA
Alias: CVE-2009-3230
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Whiteboard: impact=moderate,source=internet,publi...
Keywords: Security
Duplicates: 522822
Depends On: 522222 525282 525283 525284 525285 525322 812238
Reported: 2009-09-09 13:10 UTC by Tomas Hoger
Modified: 2019-06-08 12:49 UTC
Last Closed: 2011-10-25 18:51:04 UTC

External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2009:1461 | normal | SHIPPED_LIVE | Important: Red Hat Application Stack v2.4 security and enhancement update | 2009-09-23 21:38:40 UTC
Red Hat Product Errata | RHSA-2009:1484 | normal | SHIPPED_LIVE | Moderate: postgresql security update | 2009-10-07 16:22:44 UTC
Red Hat Product Errata | RHSA-2009:1485 | normal | SHIPPED_LIVE | Moderate: postgresql security update | 2009-10-07 16:26:49 UTC

Description Tomas Hoger 2009-09-09 13:10:30 UTC
Quoting upstream PostgreSQL security page:
  http://www.postgresql.org/support/security.html

  The fix for issue CVE-2007-2138 (below) failed to include protection
  against misuse of RESET SESSION AUTHORIZATION.

Affected versions: 8.4, 8.3, 8.2, 8.1, 8.0, 7.4
  (note: this may affect previous 7.x versions too, but upstream does not
   support pre-7.4 versions any more)

Fixed in versions: 8.4.1, 8.3.8, 8.2.14, 8.1.18, 8.0.22, 7.4.26

Severity: C - A vulnerability that is exploitable for privilege escalation, but requiring a valid prior login.

CVE-2007-2138 was previously tracked via bug #237680 and bug #237682; more info on the updates addressing this flaw is available at:
  https://www.redhat.com/security/data/cve/CVE-2007-2138.html

Comment 1 Tom Lane 2009-09-09 13:24:46 UTC
The above is incorrect --- the related prior CVE is CVE-2007-6600.

Comment 2 Tomas Hoger 2009-09-09 13:41:40 UTC
CVE-2007-6600 was bug #427127
  https://www.redhat.com/security/data/cve/CVE-2007-6600.html

Is upstream already correcting this?

Comment 3 Tomas Hoger 2009-09-09 14:25:31 UTC
(In reply to comment #2)
> Is upstream already correcting this?  

http://archives.postgresql.org/pgsql-www/2009-09/msg00023.php

Comment 4 Tom Lane 2009-09-09 14:31:09 UTC
I'm told it is fixed, just hasn't propagated yet.

Comment 5 Fedora Update System 2009-09-09 18:14:54 UTC
postgresql-8.3.8-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/postgresql-8.3.8-1.fc11

Comment 6 Fedora Update System 2009-09-09 18:15:08 UTC
postgresql-8.3.8-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/postgresql-8.3.8-1.fc10

Comment 8 Tom Lane 2009-09-11 16:41:20 UTC
*** Bug 522822 has been marked as a duplicate of this bug. ***

Comment 9 Fedora Update System 2009-09-11 23:21:01 UTC
postgresql-8.3.8-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2009-09-11 23:21:36 UTC
postgresql-8.3.8-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Jan Lieskovsky 2009-09-17 08:30:06 UTC
MITRE's CVE-2009-3230 record:
-----------------------------

The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before
8.3.8, 8.2 before 8.2.14, 8.1 before 8.1.18, 8.0 before 8.0.22, and
7.4 before 7.4.26 does not use the appropriate privileges for the (1)
RESET ROLE and (2) RESET SESSION AUTHORIZATION operations, which
allows remote authenticated users to gain privileges.  NOTE: this is
due to an incomplete fix for CVE-2007-6600.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3230
http://archives.postgresql.org/pgsql-www/2009-09/msg00024.php
http://www.postgresql.org/docs/8.3/static/release-8-3-8.html
http://www.postgresql.org/support/security.html
https://bugzilla.redhat.com/show_bug.cgi?id=522085
https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00305.html
https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00307.html
http://www.securityfocus.com/bid/36314
http://secunia.com/advisories/36660
http://secunia.com/advisories/36695
http://secunia.com/advisories/36727
http://www.vupen.com/english/advisories/2009/2602
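
The affected and fixed releases listed in the MITRE record above, turned into a triage check. This is an added example, not part of the bug report or of PostgreSQL; the function names, hostnames and sample strings are assumptions, and it compares upstream version numbers only, so for distribution packages that backport fixes the errata listed on this page are authoritative.

```python
import re

# Fixed-in patch release per branch, taken from the version list on this page.
FIXED_IN = {(8, 4): 1, (8, 3): 8, (8, 2): 14, (8, 1): 18, (8, 0): 22, (7, 4): 26}

# Finds "8.3.7" in "PostgreSQL 8.3.7 on x86_64-..." or in a package name
# such as "postgresql-8.3.8-1.fc11"; the lookarounds reject longer dotted runs.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)(?:\.(\d+))?(?![\d.])")


def classify(version_text):
    """Return (status, detail) for CVE-2009-3230 from an upstream version string."""
    m = _VERSION_RE.search(version_text)
    if m is None:
        return ("unknown", "no version number found")
    major, minor = int(m.group(1)), int(m.group(2))
    # A bare "8.4" is treated as the initial release of the branch (8.4.0).
    patch = int(m.group(3)) if m.group(3) is not None else 0
    branch = (major, minor)
    if branch in FIXED_IN:
        fixed = FIXED_IN[branch]
        if patch < fixed:
            return ("vulnerable", f"upgrade to {major}.{minor}.{fixed} or later")
        return ("fixed", f"{major}.{minor}.{patch} is at or past {major}.{minor}.{fixed}")
    if branch < (7, 4):
        # The report notes pre-7.4 may be affected but gets no upstream fix.
        return ("unsupported", "pre-7.4 branch: possibly affected, no upstream fix")
    return ("not-listed", "branch is not in this advisory's affected list")


def triage(inventory):
    """Map host -> status for a {host: version string} inventory."""
    return {host: classify(text)[0] for host, text in inventory.items()}


# Constructed sample inventory (hostnames and banner strings are made up).
SAMPLE = {
    "db01": "PostgreSQL 8.3.7 on x86_64-redhat-linux-gnu, compiled by GCC",
    "db02": "postgresql-8.3.8-1.fc11",
    "db03": "PostgreSQL 7.3.21",
    "db04": "8.4",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(host, status)
```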

Comment 13 errata-xmlrpc 2009-09-23 21:38:53 UTC
This issue has been addressed in the following products:

  Red Hat Web Application Stack for RHEL 5

Via RHSA-2009:1461 https://rhn.redhat.com/errata/RHSA-2009-1461.html

Comment 15 errata-xmlrpc 2009-10-07 16:22:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1484 https://rhn.redhat.com/errata/RHSA-2009-1484.html

Comment 16 errata-xmlrpc 2009-10-07 16:26:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1485 https://rhn.redhat.com/errata/RHSA-2009-1485.html

Comment 17 Kurt Seifried 2011-10-25 18:51:04 UTC
This issue has been addressed in the following RHSAs:

Red Hat Application Stack v2 for Enterprise Linux (v.5) 	RHSA-2009:1461	
Red Hat Enterprise Linux version 4 (postgresql)	RHSA-2009:1484
Red Hat Enterprise Linux version 5 (postgresql)	RHSA-2009:1484
Red Hat Enterprise Linux version 3 (rh-postgresql)	RHSA-2009:1485

