Bug 522085 - (CVE-2009-3230) CVE-2009-3230 postgresql: SQL privilege escalation, incomplete fix for CVE-2007-6600
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
impact=moderate,source=internet,publi...
: Security
: 522822
Depends On: 522222 525282 525283 525284 525285 525322 812238
Blocks:
Reported: 2009-09-09 09:10 EDT by Tomas Hoger
Modified: 2012-04-13 04:11 EDT

Doc Type: Bug Fix
Last Closed: 2011-10-25 14:51:04 EDT
Description Tomas Hoger 2009-09-09 09:10:30 EDT
Quoting upstream PostgreSQL security page:
  http://www.postgresql.org/support/security.html

  The fix for issue CVE-2007-2138 (below) failed to include protection
  against misuse of RESET SESSION AUTHORIZATION.

Affected versions: 8.4, 8.3, 8.2, 8.1, 8.0, 7.4
  (note: this may affect previous 7.x versions too, but upstream does not
   support pre-7.4 versions any more)

Fixed in versions: 8.4.1, 8.3.8, 8.2.14, 8.1.18, 8.0.22, 7.4.26

Severity: C - A vulnerability that is exploitable for privilege escalation, but requiring a valid prior login.

CVE-2007-2138 was previously tracked via bug #237680 and bug #237682, more info on the updates addressing this flaw is available at:
  https://www.redhat.com/security/data/cve/CVE-2007-2138.html
Comment 1 Tom Lane 2009-09-09 09:24:46 EDT
The above is incorrect --- the related prior CVE is CVE-2007-6600.
Comment 2 Tomas Hoger 2009-09-09 09:41:40 EDT
CVE-2007-6600 was bug #427127
  https://www.redhat.com/security/data/cve/CVE-2007-6600.html

Is upstream already correcting this?
Comment 3 Tomas Hoger 2009-09-09 10:25:31 EDT
(In reply to comment #2)
> Is upstream already correcting this?  

http://archives.postgresql.org/pgsql-www/2009-09/msg00023.php
Comment 4 Tom Lane 2009-09-09 10:31:09 EDT
I'm told it is fixed, just hasn't propagated yet.
Comment 5 Fedora Update System 2009-09-09 14:14:54 EDT
postgresql-8.3.8-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/postgresql-8.3.8-1.fc11
Comment 6 Fedora Update System 2009-09-09 14:15:08 EDT
postgresql-8.3.8-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/postgresql-8.3.8-1.fc10
Comment 8 Tom Lane 2009-09-11 12:41:20 EDT
*** Bug 522822 has been marked as a duplicate of this bug. ***
Comment 9 Fedora Update System 2009-09-11 19:21:01 EDT
postgresql-8.3.8-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2009-09-11 19:21:36 EDT
postgresql-8.3.8-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Jan Lieskovsky 2009-09-17 04:30:06 EDT
MITRE's CVE-2009-3230 record:
-----------------------------

The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before
8.3.8, 8.2 before 8.2.14, 8.1 before 8.1.18, 8.0 before 8.0.22, and
7.4 before 7.4.26 does not use the appropriate privileges for the (1)
RESET ROLE and (2) RESET SESSION AUTHORIZATION operations, which
allows remote authenticated users to gain privileges.  NOTE: this is
due to an incomplete fix for CVE-2007-6600.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3230
http://archives.postgresql.org/pgsql-www/2009-09/msg00024.php
http://www.postgresql.org/docs/8.3/static/release-8-3-8.html
http://www.postgresql.org/support/security.html
https://bugzilla.redhat.com/show_bug.cgi?id=522085
https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00305.html
https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00307.html
http://www.securityfocus.com/bid/36314
http://secunia.com/advisories/36660
http://secunia.com/advisories/36695
http://secunia.com/advisories/36727
http://www.vupen.com/english/advisories/2009/2602
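
An added example, not part of the original bug report or of PostgreSQL: a triage check that classifies `SELECT version()` banners against the affected and fixed versions listed above. The host names, banner strings and function names are constructed for illustration.

```python
import re

# Fixed-in minor release per branch, as listed in this bug report.
FIXED_IN = {
    (8, 4): 1, (8, 3): 8, (8, 2): 14,
    (8, 1): 18, (8, 0): 22, (7, 4): 26,
}
_VERSION_RE = re.compile(r"PostgreSQL\s+(\d+)\.(\d+)(?:\.(\d+))?")


def classify(banner):
    """Classify one version banner with respect to CVE-2009-3230."""
    m = _VERSION_RE.search(banner)
    if not m:
        return "unparsed"
    branch = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3)) if m.group(3) is not None else 0
    if branch in FIXED_IN:
        return "fixed" if patch >= FIXED_IN[branch] else "vulnerable"
    if branch < (7, 4):
        # Upstream no longer supports pre-7.4 branches and says they may be
        # affected; a vendor may still ship a fix (see RHSA-2009:1485 for
        # rh-postgresql), so the banner alone cannot decide this case.
        return "unsupported-check-vendor"
    return "not-listed"  # branch newer than those named in the report


def needs_attention(inventory):
    """Return the hosts whose banner is not clearly fixed or out of scope."""
    flagged = {"vulnerable", "unsupported-check-vendor", "unparsed"}
    return sorted(h for h, b in inventory.items() if classify(b) in flagged)


# Constructed sample inventory (host -> banner); not real systems.
SAMPLE = {
    "db1": "PostgreSQL 8.3.7 on x86_64-redhat-linux-gnu, compiled by GCC",
    "db2": "PostgreSQL 8.3.8 on x86_64-redhat-linux-gnu, compiled by GCC",
    "db3": "PostgreSQL 7.3.21 on i386-redhat-linux-gnu, compiled by GCC",
    "db4": "PostgreSQL 8.1.18 on i386-redhat-linux-gnu, compiled by GCC",
    "db5": "PostgreSQL 9.0.1 on x86_64-unknown-linux-gnu, compiled by GCC",
    "db6": "connection refused",
}

if __name__ == "__main__":
    for host in sorted(SAMPLE):
        print(host, classify(SAMPLE[host]))
```

A "vulnerable" result from the banner should still be confirmed against the installed package's errata level, since a distribution can backport a fix without changing the upstream version number.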
Comment 13 errata-xmlrpc 2009-09-23 17:38:53 EDT
This issue has been addressed in following products:

  Red Hat Web Application Stack for RHEL 5

Via RHSA-2009:1461 https://rhn.redhat.com/errata/RHSA-2009-1461.html
Comment 15 errata-xmlrpc 2009-10-07 12:22:49 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1484 https://rhn.redhat.com/errata/RHSA-2009-1484.html
Comment 16 errata-xmlrpc 2009-10-07 12:26:53 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1485 https://rhn.redhat.com/errata/RHSA-2009-1485.html
Comment 17 Kurt Seifried 2011-10-25 14:51:04 EDT
This issue has been addressed in the following RHSAs:

Red Hat Application Stack v2 for Enterprise Linux (v.5) 	RHSA-2009:1461	
Red Hat Enterprise Linux version 4 (postgresql)	RHSA-2009:1484
Red Hat Enterprise Linux version 5 (postgresql)	RHSA-2009:1484
Red Hat Enterprise Linux version 3 (rh-postgresql)	RHSA-2009:1485
