Bug 21496

Summary: postgresql new security issues CVE-2017-754[6-8]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: brtians1, herman.viaene, lewyssmith, sysadmin-bugs
Version: 6Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5TOO has_procedure MGA5-32-OK mga5-64-ok mga6-64-ok mga6-32-ok advisory
Source RPM: postgresql9.3, postgresql9.4, postgresql9.6 CVE:
Status comment:

Description David Walser 2017-08-11 04:41:15 CEST 
Upstream has released new versions today (August 10):
https://www.postgresql.org/about/news/1772/

The issues are fixed in 9.3.18, 9.4.13, and 9.6.4.

Mageia 5 is also affected.

Updated packages uploaded for Mageia 5 and Mageia 6.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=18103#c6

Advisory:
========================

Updated postgresql packages fix security vulnerabilities:

libpq, and by extension any connection driver that utilizes libpq, ignores
empty passwords and does not transmit them to the server. When using libpq or
a libpq-based connection driver to perform password-based authentication
methods, it would appear that setting an empty password would be the
equivalent of disabling password login. However, using a non-libpq based
connection driver could allow a client with an empty password to log in
(CVE-2017-7546).

A user had access to see the options in pg_user_mappings even if the user did
not have the USAGE permission on the associated foreign server. This meant
that a user could see details such as a password that might have been set by
the server administrator rather than the user (CVE-2017-7547).

The lo_put() function should require the same permissions as lowrite(), but
there was a missing permission check which would allow any user to change the
data in a large object (CVE-2017-7548).

Note: the CVE-2017-7547 issue requires manual intervention to fix on affected
systems.  See the references for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7546
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7547
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7548
http://www.postgresql.org/docs/current/static/release-9-3-18.html
http://www.postgresql.org/docs/current/static/release-9-4-13.html
https://www.postgresql.org/docs/current/static/release-9-6-4.html
https://www.postgresql.org/about/news/1772/
========================

Updated packages in core/updates_testing:
========================
postgresql9.3-9.3.18-1.mga5
libpq9.3_5.6-9.3.18-1.mga5
libecpg9.3_6-9.3.18-1.mga5
postgresql9.3-server-9.3.18-1.mga5
postgresql9.3-docs-9.3.18-1.mga5
postgresql9.3-contrib-9.3.18-1.mga5
postgresql9.3-devel-9.3.18-1.mga5
postgresql9.3-pl-9.3.18-1.mga5
postgresql9.3-plpython-9.3.18-1.mga5
postgresql9.3-plperl-9.3.18-1.mga5
postgresql9.3-pltcl-9.3.18-1.mga5
postgresql9.3-plpgsql-9.3.18-1.mga5
postgresql9.4-9.4.13-1.mga5
libpq5-9.4.13-1.mga5
libecpg9.4_6-9.4.13-1.mga5
postgresql9.4-server-9.4.13-1.mga5
postgresql9.4-docs-9.4.13-1.mga5
postgresql9.4-contrib-9.4.13-1.mga5
postgresql9.4-devel-9.4.13-1.mga5
postgresql9.4-pl-9.4.13-1.mga5
postgresql9.4-plpython-9.4.13-1.mga5
postgresql9.4-plperl-9.4.13-1.mga5
postgresql9.4-pltcl-9.4.13-1.mga5
postgresql9.4-plpgsql-9.4.13-1.mga5
postgresql9.4-9.4.13-1.mga6
libpq5.7-9.4.13-1.mga6
libecpg9.4_6-9.4.13-1.mga6
postgresql9.4-server-9.4.13-1.mga6
postgresql9.4-docs-9.4.13-1.mga6
postgresql9.4-contrib-9.4.13-1.mga6
postgresql9.4-devel-9.4.13-1.mga6
postgresql9.4-pl-9.4.13-1.mga6
postgresql9.4-plpython-9.4.13-1.mga6
postgresql9.4-plperl-9.4.13-1.mga6
postgresql9.4-pltcl-9.4.13-1.mga6
postgresql9.4-plpgsql-9.4.13-1.mga6
postgresql9.6-9.6.4-1.mga6
libpq5-9.6.4-1.mga6
libecpg9.6_6-9.6.4-1.mga6
postgresql9.6-server-9.6.4-1.mga6
postgresql9.6-docs-9.6.4-1.mga6
postgresql9.6-contrib-9.6.4-1.mga6
postgresql9.6-devel-9.6.4-1.mga6
postgresql9.6-pl-9.6.4-1.mga6
postgresql9.6-plpython-9.6.4-1.mga6
postgresql9.6-plperl-9.6.4-1.mga6
postgresql9.6-pltcl-9.6.4-1.mga6
postgresql9.6-plpgsql-9.6.4-1.mga6

from SRPMS:
postgresql9.3-9.3.18-1.mga5.src.rpm
postgresql9.4-9.4.13-1.mga5.src.rpm
postgresql9.4-9.4.13-1.mga6.src.rpm
postgresql9.6-9.6.4-1.mga6.src.rpm
David Walser 2017-08-11 04:41:27 CEST

Whiteboard: (none) => MGA5TOO has_procedure

Comment 1 Herman Viaene 2017-08-13 14:13:47 CEST 
MGA5-32 on Asus A6000VM Xfce
First installed 9.3, used phppgadmin to create a new database, new schema and new table. Seems OK. Proceeding now to 9.4

CC: (none) => herman.viaene

Comment 2 Herman Viaene 2017-08-13 14:54:03 CEST 
Trying to install 9.4 even after removing all 9.3 packages drops into bug 14975.
Comment 3 Herman Viaene 2017-08-13 15:08:28 CEST 
Solution is to delete /var/lib/pgsql/data/ content. And then start all over again.
Thus created same database, schema and table All seems OK.

Whiteboard: MGA5TOO has_procedure => MGA5TOO has_procedure MGA5-32-OK

Lewis Smith 2017-08-13 20:26:48 CEST

Whiteboard: MGA5TOO has_procedure MGA5-32-OK => MGA5TOO has_procedure MGA5-32-OK advisory
CC: (none) => lewyssmith

Comment 4 Lewis Smith 2017-08-20 10:04:37 CEST 
This looks a bit complicated. I will try it for 64-bit. #14975 seems to matter.
Comment 5 Brian Rockwell 2017-08-27 16:16:54 CEST 
9.3.18

The following 17 packages are going to be installed:

- glibc-devel-2.20-25.mga5.x86_64
- kernel-userspace-headers-4.4.82-1.mga5.x86_64
- lib64ecpg9.3_6-9.3.18-1.mga5.x86_64
- lib64openssl-devel-1.0.2k-1.mga5.x86_64
- lib64ossp_uuid16-1.6.2-12.mga5.x86_64
- lib64pq9.3_5.6-9.3.18-1.mga5.x86_64
- lib64zlib-devel-1.2.8-7.1.mga5.x86_64
- postgresql9.3-9.3.18-1.mga5.x86_64
- postgresql9.3-contrib-9.3.18-1.mga5.x86_64
- postgresql9.3-devel-9.3.18-1.mga5.x86_64
- postgresql9.3-docs-9.3.18-1.mga5.noarch
- postgresql9.3-pl-9.3.18-1.mga5.x86_64
- postgresql9.3-plperl-9.3.18-1.mga5.x86_64
- postgresql9.3-plpgsql-9.3.18-1.mga5.x86_64
- postgresql9.3-plpython-9.3.18-1.mga5.x86_64
- postgresql9.3-pltcl-9.3.18-1.mga5.x86_64
- postgresql9.3-server-9.3.18-1.mga5.x86_64

58MB of additional disk space will be used.

13MB of packages will be retrieved.

Is it ok to continue?



Testing

$ ps -ef | grep post
postgres  2053     1  0 08:54 ?        00:00:00 /usr/bin/postgres -D /var/lib/pgsql/data -p 5432
postgres  2067  2053  0 08:54 ?        00:00:00 postgres: checkpointer process   
postgres  2068  2053  0 08:54 ?        00:00:00 postgres: writer process   
postgres  2069  2053  0 08:54 ?        00:00:00 postgres: wal writer process   
postgres  2070  2053  0 08:54 ?        00:00:00 postgres: autovacuum launcher process   
postgres  2071  2053  0 08:54 ?        00:00:00 postgres: stats collector process 

The server is up


now set up admin info

$ su
Password: 
[root@localhost brian]# su - postgres
gpg-agent[3261]: directory `/var/lib/pgsql/.gnupg' created
gpg-agent[3261]: directory `/var/lib/pgsql/.gnupg/private-keys-v1.d' created
gpg-agent[3262]: gpg-agent (GnuPG) 2.0.27 started
[postgres@localhost ~]$ psql
psql (9.3.18)
Type "help" for help.

Now I quit by going back to command prompt using the \q command inside of psql

# \q

from command prompt create mydb

[postgres@localhost ~]$ createdb mydb

now connect to postgres and the newly created database mydb

[postgres@localhost ~]$ psql mydb
psql (9.3.18)
Type "help" for help.

mydb=# create table brian (name varchar(20));
CREATE TABLE

insert some data

mydb=# insert into brian values ('briansname');
INSERT 0 1
mydb=# insert into brian values ('postgressql is awesome');
ERROR:  value too long for type character varying(20)
mydb=# insert into brian values ('postgres is awesome');
INSERT 0 1
mydb=# insert into brian values ('psql is awesome');
INSERT 0 1
mydb=# select * from brian;
        name         
---------------------
 briansname
 postgres is awesome
 psql is awesome
(3 rows)

mydb=#

----------- update a row

mydb=# update brian
set name = 'mageia'
where name = 'briansname';
UPDATE 1

--------- confirm update

mydb=# select * from brian;
        name         
---------------------
 postgres is awesome
 psql is awesome
 mageia
(3 rows)

mydb=# 

---- clean up after yourself

mydb=# drop table brian;
DROP TABLE
mydb=# \q
[postgres@localhost ~]$

[postgres@localhost ~]$ dropdb mydb 


9.3.18 working as designed

CC: (none) => brtians1

Comment 6 Brian Rockwell 2017-08-27 16:49:45 CEST 
The following 17 packages are going to be installed:

- glibc-devel-2.20-25.mga5.x86_64
- kernel-userspace-headers-4.4.82-1.mga5.x86_64
- lib64ecpg9.4_6-9.4.13-1.mga5.x86_64
- lib64openssl-devel-1.0.2k-1.mga5.x86_64
- lib64ossp_uuid16-1.6.2-12.mga5.x86_64
- lib64pq5-9.4.13-1.mga5.x86_64
- lib64zlib-devel-1.2.8-7.1.mga5.x86_64
- postgresql9.4-9.4.13-1.mga5.x86_64
- postgresql9.4-contrib-9.4.13-1.mga5.x86_64
- postgresql9.4-devel-9.4.13-1.mga5.x86_64
- postgresql9.4-docs-9.4.13-1.mga5.noarch
- postgresql9.4-pl-9.4.13-1.mga5.x86_64
- postgresql9.4-plperl-9.4.13-1.mga5.x86_64
- postgresql9.4-plpgsql-9.4.13-1.mga5.x86_64
- postgresql9.4-plpython-9.4.13-1.mga5.x86_64
- postgresql9.4-pltcl-9.4.13-1.mga5.x86_64
- postgresql9.4-server-9.4.13-1.mga5.x86_64

60MB of additional disk space will be used.

13MB of packages will be retrieved.

Is it ok to continue?


testing
--
$ ps -ef | grep post
postgres  2073     1  0 09:38 ?        00:00:00 /usr/bin/postgres -D /var/lib/pgsql/data -p 5432
postgres  2075  2073  0 09:38 ?        00:00:00 postgres: checkpointer process   
postgres  2076  2073  0 09:38 ?        00:00:00 postgres: writer process   
postgres  2077  2073  0 09:38 ?        00:00:00 postgres: wal writer process   
postgres  2078  2073  0 09:38 ?        00:00:00 postgres: autovacuum launcher process   
postgres  2079  2073  0 09:38 ?        00:00:00 postgres: stats collector process   

server is up

–

[brian@localhost ~]$ su
Password: 
[root@localhost brian]# su - postgres
gpg-agent[2981]: directory `/var/lib/pgsql/.gnupg' created
gpg-agent[2981]: directory `/var/lib/pgsql/.gnupg/private-keys-v1.d' created
gpg-agent[2982]: gpg-agent (GnuPG) 2.0.27 started
[postgres@localhost ~]$ 

[postgres@localhost ~]$ createdb mydb
[postgres@localhost ~]$ psql mydb
psql (9.4.13)
Type "help" for help.

mydb=#  create table brian (name varchar(20));
CREATE TABLE

mydb=# create table brian (name varchar(20));
CREATE TABLE
mydb=# insert into brian values ('zname');
INSERT 0 1
mydb=# insert into brian values ('is');
INSERT 0 1
mydb=# insert into brian values ('awesome');
INSERT 0 1
mydb=# select * from brian desc;
ERROR:  syntax error at or near "desc"
LINE 1: select * from brian desc;
                            ^
mydb=# select * from brian order by name desc;
  name   
---------
 zname
 is
 awesome
(3 rows)

mydb=# 

mydb=# update brian set name = 'mageia' where name = 'zname';
UPDATE 1

mydb=# select * from brian order by name desc;
  name   
---------
 mageia
 is
 awesome
(3 rows)

mydb=# 

mydb=# \q
[postgres@localhost ~]$ dropdb mydb

9.4.13 is working on 64-bit
Brian Rockwell 2017-08-27 16:49:59 CEST

Whiteboard: MGA5TOO has_procedure MGA5-32-OK advisory => MGA5TOO has_procedure MGA5-32-OK mga5-64-ok advisory

Comment 7 Brian Rockwell 2017-08-27 19:30:28 CEST 
The following 17 packages are going to be installed:

- glibc-devel-2.22-25.mga6.x86_64
- kernel-userspace-headers-4.9.43-1.mga6.x86_64
- lib64ecpg9.6_6-9.6.4-1.mga6.x86_64
- lib64openssl-devel-1.0.2l-1.mga6.x86_64
- lib64ossp_uuid16-1.6.2-16.mga6.x86_64
- lib64pq5-9.6.4-1.mga6.x86_64
- lib64zlib-devel-1.2.11-4.mga6.x86_64
- postgresql9.6-9.6.4-1.mga6.x86_64
- postgresql9.6-contrib-9.6.4-1.mga6.x86_64
- postgresql9.6-devel-9.6.4-1.mga6.x86_64
- postgresql9.6-docs-9.6.4-1.mga6.noarch
- postgresql9.6-pl-9.6.4-1.mga6.x86_64
- postgresql9.6-plperl-9.6.4-1.mga6.x86_64
- postgresql9.6-plpgsql-9.6.4-1.mga6.x86_64
- postgresql9.6-plpython-9.6.4-1.mga6.x86_64
- postgresql9.6-pltcl-9.6.4-1.mga6.x86_64
- postgresql9.6-server-9.6.4-1.mga6.x86_64

67MB of additional disk space will be used.

15MB of packages will be retrieved.

Is it ok to continue?

–

$ ps -ef | grep post
postgres  1965     1  0 10:26 ?        00:00:00 /usr/bin/postgres -D /var/lib/pgsql/data -p 5432
postgres  1968  1965  0 10:26 ?        00:00:00 postgres: checkpointer process   
postgres  1969  1965  0 10:26 ?        00:00:00 postgres: writer process   
postgres  1970  1965  0 10:26 ?        00:00:00 postgres: wal writer process   
postgres  1971  1965  0 10:26 ?        00:00:00 postgres: autovacuum launcher process   
postgres  1972  1965  0 10:26 ?        00:00:00 postgres: stats collector process

[brian@localhost ~]$ su
Password: 
su: Authentication failure
[brian@localhost ~]$ su
Password: 
[root@localhost brian]# su - postgres
[postgres@localhost ~]$ createdb mydb
[postgres@localhost ~]$ psql mydb
psql (9.6.4)
Type "help" for help.

mydb=# create table brian (name varchar(20));
CREATE TABLE
mydb=# insert into brian values ('zname');
INSERT 0 1
mydb=# insert into brian values ('is');
INSERT 0 1
mydb=# insert into brian values ('awesome');
INSERT 0 1
mydb=# select * from brian order by name desc;
  name   
---------
 zname
 is
 awesome
(3 rows)

mydb=# update brian set name = 'mageia' where name = 'zname';
UPDATE 1
mydb=# select * from brian order by name desc;
  name   
---------
 mageia
 is
 awesome
(3 rows)

mydb=# 

mydb=# \q
[postgres@localhost ~]$ dropdb mydb
[postgres@localhost ~]$ 

9.6.4 is working as designed
Comment 8 Brian Rockwell 2017-08-27 20:18:50 CEST 
The following 17 packages are going to be installed:

- glibc-devel-2.22-25.mga6.x86_64
- kernel-userspace-headers-4.9.43-1.mga6.x86_64
- lib64ecpg9.4_6-9.4.13-1.mga6.x86_64
- lib64openssl-devel-1.0.2l-1.mga6.x86_64
- lib64ossp_uuid16-1.6.2-16.mga6.x86_64
- lib64pq5.7-9.4.13-1.mga6.x86_64
- lib64zlib-devel-1.2.11-4.mga6.x86_64
- postgresql9.4-9.4.13-1.mga6.x86_64
- postgresql9.4-contrib-9.4.13-1.mga6.x86_64
- postgresql9.4-devel-9.4.13-1.mga6.x86_64
- postgresql9.4-docs-9.4.13-1.mga6.noarch
- postgresql9.4-pl-9.4.13-1.mga6.x86_64
- postgresql9.4-plperl-9.4.13-1.mga6.x86_64
- postgresql9.4-plpgsql-9.4.13-1.mga6.x86_64
- postgresql9.4-plpython-9.4.13-1.mga6.x86_64
- postgresql9.4-pltcl-9.4.13-1.mga6.x86_64
- postgresql9.4-server-9.4.13-1.mga6.x86_64

61MB of additional disk space will be used.

14MB of packages will be retrieved.

Is it ok to continue?

–

reboot

–

[brian@localhost ~]$ uname -a
Linux localhost 4.9.43-desktop-1.mga6 #1 SMP Sun Aug 13 15:52:35 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[brian@localhost ~]$ ps -ef | grep post
postgres  1991     1  0 13:07 ?        00:00:00 /usr/bin/postgres -D /var/lib/pgsql/data -p 5432
postgres  1993  1991  0 13:07 ?        00:00:00 postgres: checkpointer process   
postgres  1994  1991  0 13:07 ?        00:00:00 postgres: writer process   
postgres  1995  1991  0 13:07 ?        00:00:00 postgres: wal writer process   
postgres  1996  1991  0 13:07 ?        00:00:00 postgres: autovacuum launcher process   
postgres  1997  1991  0 13:07 ?        00:00:00 postgres: stats collector process   
brian     2577  2506  0 13:07 pts/0    00:00:00 grep --color post


–



repeated 

[root@localhost brian]# su - postgres
[postgres@localhost ~]$ psql mydb
psql (9.4.13)
Type "help" for help.

mydb=# select * from brian;
  name   
---------
 zname
 is
 awesome
(3 rows)


working as designed.  mga6-64-ok

Whiteboard: MGA5TOO has_procedure MGA5-32-OK mga5-64-ok advisory => MGA5TOO has_procedure MGA5-32-OK mga5-64-ok mga6-64-ok advisory

Comment 9 Lewis Smith 2017-08-27 20:30:39 CEST 
@BrianR : Thanks for all your tests.
Validating as this has 3/4 OKs, more than enough for present policy.
Lewis Smith 2017-08-27 20:31:05 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 Brian Rockwell 2017-08-27 20:52:19 CEST 
verified mga6-32-ok on 9.6

[root@localhost brian]# su - postgres
[postgres@localhost ~]$ createdb mydb
[postgres@localhost ~]$ psql mydb
psql (9.4.13)
Type "help" for help.

mydb=# create table b2(name varchar(20));
CREATE TABLE
mydb=# insert into b2 values ('postgres is awesome');
INSERT 0 1
mydb=# select * from b2;
        name         
---------------------
 postgres is awesome
(1 row)

Whiteboard: MGA5TOO has_procedure MGA5-32-OK mga5-64-ok mga6-64-ok advisory => MGA5TOO has_procedure MGA5-32-OK mga5-64-ok mga6-64-ok mga6-32-ok advisory

Comment 11 Mageia Robot 2017-08-28 10:15:21 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0316.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED