| Summary: | postgresql new security issues fixed in 9.3.11 and 9.4.6 (CVE-2016-0766, CVE-2016-0773) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | herman.viaene, lewyssmith, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/675372/ | ||
| Whiteboard: | has_procedure advisory MGA5-64-OK | ||
| Source RPM: | postgresql9.3, postgresql9.4 | CVE: | |
| Status comment: | |||
Description

David Walser 2016-02-12 19:58:05 CET

David Walser 2016-02-12 19:58:11 CET

Whiteboard: (none) => MGA5TOO

David Walser 2016-02-27 16:39:02 CET

Version: Cauldron => 5

Updated packages uploaded by Oden.

Advisory:
========================

Updated postgresql packages fix security vulnerabilities:

PostgreSQL 9.3.x before 9.3.11 and 9.4.x before 9.4.6 does not properly restrict access to unspecified custom configuration settings (GUCS) for PL/Java, which allows attackers to gain privileges via unspecified vectors (CVE-2016-0766).

PostgreSQL 9.3.x before 9.3.11 and 9.4.x before 9.4.6 allows remote attackers to cause a denial of service (infinite loop or buffer overflow and crash) via a large Unicode character range in a regular expression (CVE-2016-0773).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0766
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0773
http://www.ubuntu.com/usn/usn-2894-1/
========================

Updated packages in core/updates_testing:
========================
postgresql9.3-9.3.11-1.mga5
libpq9.3_5.6-9.3.11-1.mga5
libecpg9.3_6-9.3.11-1.mga5
postgresql9.3-server-9.3.11-1.mga5
postgresql9.3-docs-9.3.11-1.mga5
postgresql9.3-contrib-9.3.11-1.mga5
postgresql9.3-devel-9.3.11-1.mga5
postgresql9.3-pl-9.3.11-1.mga5
postgresql9.3-plpython-9.3.11-1.mga5
postgresql9.3-plperl-9.3.11-1.mga5
postgresql9.3-pltcl-9.3.11-1.mga5
postgresql9.3-plpgsql-9.3.11-1.mga5
postgresql9.4-9.4.6-1.mga5
libpq5-9.4.6-1.mga5
libecpg9.4_6-9.4.6-1.mga5
postgresql9.4-server-9.4.6-1.mga5
postgresql9.4-docs-9.4.6-1.mga5
postgresql9.4-contrib-9.4.6-1.mga5
postgresql9.4-devel-9.4.6-1.mga5
postgresql9.4-pl-9.4.6-1.mga5
postgresql9.4-plpython-9.4.6-1.mga5
postgresql9.4-plperl-9.4.6-1.mga5
postgresql9.4-pltcl-9.4.6-1.mga5
postgresql9.4-plpgsql-9.4.6-1.mga5

from SRPMS:
postgresql9.3-9.3.11-1.mga5.src.rpm
postgresql9.4-9.4.6-1.mga5.src.rpm

Assignee: cjw => qa-bugs

Advisory uploaded.

Procedure: https://bugs.mageia.org/show_bug.cgi?id=8997#c1

Whiteboard: (none) => has_procedure advisory

Testing M5 x64

For starters, note that the so-called 'test procedure' link above is essentially a single text file 'world.sql' containing a large amount of data interspersed with the necessary SQL commands to create 3 tables (city, country, countrylanguage) & populate them. I set it up from Postgres itself:

$ psql -U postgres
[asks for Postgres password]
postgres=#

Open the 'world.sql' file in a graphical text editor, and carefully use X copy/paste (mouse drag to select, middle-button click to paste) into the terminal window postgres prompt to execute each SQL command in turn, likewise for the interspersed data - some of which is vast. But it works. The 3 tables are created in the hierarchy:

postgres - schemas - public - tables

Once you have done that, it is up to you to invent SQL to play with it. I used Phppgadmin to view the tables and show their structure; also to launch very basic searches, both templated & raw. Worth brushing up your SQL!

In addition, I summarily used Bugzilla, Drupal, MediaWiki all with PostgreSQL on my system.

I have an unfortunate mixture, mostly 9.3, of Postgres versions. After the update they were:

lib64ecpg9.3_6-9.3.11-1.mga5
lib64pq5-9.4.6-1.mga5
lib64pq9.3_5.6-9.3.11-1.mga5
postgresql9.3-9.3.11-1.mga5
postgresql-jdbc-9.4.1200-1.mga5
postgresql9.3-server-9.3.11-1.mga5
postgresql9.3-plpgsql-9.3.11-1.mga5
postgresql9.3-devel-9.3.11-1.mga5

No apparent problems, so OK.

CC: (none) => lewyssmith

MGA5-64 on Lenovo B50 KDE.

Chose 9.3 packages plus phppgadmin, no installation issues. I could run the server, create a user, make this one the owner of a new database and create a table in it. So OK for that version.

CC: (none) => herman.viaene

MGA5-64 on Lenovo B50 KDE.

Removed 9.3 and tried to install the 9.4, went OK after deleting the old database. I could run the server, create a user, make this one the owner of a new database and create a table in it. So OK for that version.

Well done guys. Validating.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0085.html

Status: NEW => RESOLVED
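As an added example (not part of the bug report or of Mageia's QA tooling), the following POSIX shell script does the check a tester wants after applying this update: it takes rpm-style NAME-VERSION-RELEASE package strings and reports whether each PostgreSQL 9.3 or 9.4 package is at or above the fixed release named in the advisory (9.3.11 and 9.4.6). The package names matched (postgresql9.x, libpq/lib64pq, libecpg/lib64ecpg) are those listed on the page; the sample input is constructed, and includes one pre-fix version string to exercise the "vulnerable" branch. The `rpm -qa` invocation in the trailing comment is an assumed way to feed a live system into the same function.

```shell
#!/bin/sh
# Added example: verify installed PostgreSQL package versions against the
# fixed releases from the Mageia advisory (9.3.11 for 9.3.x, 9.4.6 for 9.4.x).
# Versions are assumed to be purely numeric dotted strings (true for the
# packages on the page).

# Compare two dotted version strings component by component.
# Prints "lt", "eq" or "gt". Missing trailing components count as 0,
# so 9.4 and 9.4.0 compare equal.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        if [ "$ah" = "$a" ]; then a=; else a=${a#*.}; fi
        if [ "$bh" = "$b" ]; then b=; else b=${b#*.}; fi
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then echo lt; return; fi
        if [ "$ah" -gt "$bh" ]; then echo gt; return; fi
    done
    echo eq
}

# Minimum fixed version for a PostgreSQL major series, per the advisory.
fixed_version() {
    case $1 in
        9.3) echo 9.3.11 ;;
        9.4) echo 9.4.6 ;;
        *)   echo "" ;;
    esac
}

# NAME-VERSION-RELEASE helpers: strip "-RELEASE" (e.g. -1.mga5) first,
# then split NAME and VERSION on the last remaining '-'.
pkg_version() { nv=${1%-*}; echo "${nv##*-}"; }
pkg_name()    { nv=${1%-*}; echo "${nv%-*}"; }

# Classify one package string as "fixed", "vulnerable" or "unknown".
# "unknown" covers packages the advisory does not cover (e.g. postgresql-jdbc)
# and PostgreSQL series it does not mention.
check_pkg() {
    case $(pkg_name "$1") in
        postgresql9.[34]*|lib*pq*|lib*ecpg*) ;;
        *) echo unknown; return ;;
    esac
    v=$(pkg_version "$1")
    series=$(echo "$v" | cut -d. -f1,2)
    want=$(fixed_version "$series")
    if [ -z "$want" ]; then echo unknown; return; fi
    if [ "$(vercmp "$v" "$want")" = lt ]; then echo vulnerable; else echo fixed; fi
}

# Read package strings from stdin, one per line, print a verdict for each,
# and return non-zero if any package is still below its fixed version.
check_list() {
    rc=0
    while IFS= read -r pkg; do
        [ -z "$pkg" ] && continue
        status=$(check_pkg "$pkg")
        printf '%-40s %s\n' "$pkg" "$status"
        if [ "$status" = vulnerable ]; then rc=1; fi
    done
    return $rc
}

# Constructed sample input: patched names from the advisory, the JDBC driver
# (not covered by the advisory), and one hypothetical pre-fix server package.
SAMPLE_PACKAGES='postgresql9.3-server-9.3.11-1.mga5
lib64pq9.3_5.6-9.3.11-1.mga5
postgresql9.4-server-9.4.6-1.mga5
lib64pq5-9.4.6-1.mga5
postgresql-jdbc-9.4.1200-1.mga5
postgresql9.3-server-9.3.10-1.mga5'

main() {
    printf '%s\n' "$SAMPLE_PACKAGES" | check_list \
        || echo "WARNING: at least one package is below the fixed version"
}
main
# On a live Mageia 5 system the same check would be fed by rpm (assumed usage):
#   rpm -qa 'postgresql9.*' 'lib*pq*' 'lib*ecpg*' | check_list
```

The name filter matters: a naive "compare every version to 9.4.6" would have reported the JDBC driver as fixed, although the advisory says nothing about it.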