Debian: DSA-2865-1: postgresql-9.1 security update

    Date20 Feb 2014
    CategoryDebian
    147
    Posted ByLinuxSecurity Advisories
    Various vulnerabilities were discovered in PostgreSQL: * Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch)
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    - -------------------------------------------------------------------------
    Debian Security Advisory DSA-2865-1                   This email address is being protected from spambots. You need JavaScript enabled to view it.
    http://www.debian.org/security/                        Moritz Muehlenhoff
    February 20, 2014                      http://www.debian.org/security/faq
    - -------------------------------------------------------------------------
    
    Package        : postgresql-9.1
    Vulnerability  : several
    CVE ID         : CVE-2014-0060 CVE-2014-0061 CVE-2014-0062 CVE-2014-0063 
                     CVE-2014-0064 CVE-2014-0065 CVE-2014-0066 CVE-2014-0067
    
    Various vulnerabilities were discovered in PostgreSQL:
    
     * Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch)
    
       Granting a role without ADMIN OPTION is supposed to prevent the grantee
       from adding or removing members from the granted role, but this
       restriction was easily bypassed by doing SET ROLE first. The security
       impact is mostly that a role member can revoke the access of others,
       contrary to the wishes of his grantor. Unapproved role member additions
       are a lesser concern, since an uncooperative role member could provide
       most of his rights to others anyway by creating views or SECURITY
       DEFINER functions. (CVE-2014-0060)
    
     * Prevent privilege escalation via manual calls to PL validator functions
       (Andres Freund)
    
       The primary role of PL validator functions is to be called implicitly
       during CREATE FUNCTION, but they are also normal SQL functions that a
       user can call explicitly. Calling a validator on a function actually
       written in some other language was not checked for and could be
       exploited for privilege-escalation purposes. The fix involves adding a
       call to a privilege-checking function in each validator function.
       Non-core procedural languages will also need to make this change to
       their own validator functions, if any. (CVE-2014-0061)
    
     * Avoid multiple name lookups during table and index DDL (Robert Haas,
       Andres Freund)
    
       If the name lookups come to different conclusions due to concurrent
       activity, we might perform some parts of the DDL on a different table
       than other parts. At least in the case of CREATE INDEX, this can be used
       to cause the permissions checks to be performed against a different
       table than the index creation, allowing for a privilege escalation
       attack. (CVE-2014-0062)
    
     * Prevent buffer overrun with long datetime strings (Noah Misch)
    
       The MAXDATELEN constant was too small for the longest possible value of
       type interval, allowing a buffer overrun in interval_out(). Although the
       datetime input functions were more careful about avoiding buffer
       overrun, the limit was short enough to cause them to reject some valid
       inputs, such as input containing a very long timezone name. The ecpg
       library contained these vulnerabilities along with some of its own.
       (CVE-2014-0063)
    
     * Prevent buffer overrun due to integer overflow in size calculations
       (Noah Misch, Heikki Linnakangas)
    
       Several functions, mostly type input functions, calculated an allocation
       size without checking for overflow. If overflow did occur, a too-small
       buffer would be allocated and then written past. (CVE-2014-0064)
    
     * Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich)
    
       Use strlcpy() and related functions to provide a clear guarantee that
       fixed-size buffers are not overrun. Unlike the preceding items, it is
       unclear whether these cases really represent live issues, since in most
       cases there appear to be previous constraints on the size of the input
       string. Nonetheless it seems prudent to silence all Coverity warnings of
       this type. (CVE-2014-0065)
    
     * Avoid crashing if crypt() returns NULL (Honza Horak, Bruce Momjian)
    
       There are relatively few scenarios in which crypt() could return NULL,
       but contrib/chkpass would crash if it did. One practical case in which
       this could be an issue is if libc is configured to refuse to execute
       unapproved hashing algorithms (e.g., "FIPS mode"). (CVE-2014-0066)
    
     * Document risks of make check in the regression testing instructions
       (Noah Misch, Tom Lane)
    
       Since the temporary server started by make check uses "trust"
       authentication, another user on the same machine could connect to it as
       database superuser, and then potentially exploit the privileges of the
       operating-system user who started the tests. A future release will
       probably incorporate changes in the testing procedure to prevent this
       risk, but some public discussion is needed first. So for the moment,
       just warn people against using make check when there are untrusted users
       on the same machine. (CVE-2014-0067)
    
    For the stable distribution (wheezy), these problems have been fixed in
    version 9.1_9.1.12-0wheezy1.
    
    For the unstable distribution (sid), these problems have been fixed in
    version 9.3.3-1 of the postgresql-9.3 package.
    
    We recommend that you upgrade your postgresql-9.1 packages.
    
    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/
    
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    Do you read our distribution advisories on a regular basis?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /component/communitypolls/?task=poll.vote&format=json
    23
    radio
    [{"id":"84","title":"Yes, for a single distribution","votes":"0","type":"x","order":"1","pct":0,"resources":[]},{"id":"85","title":"Yes, for multiple distributions","votes":"6","type":"x","order":"2","pct":60,"resources":[]},{"id":"86","title":"No","votes":"4","type":"x","order":"3","pct":40,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.