Bug 22556

Summary: postgresql new security issue CVE-2018-1053
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, herman.viaene, sysadmin-bugs
Version: 6Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5TOO MGA5-32-OK MGA6-32-OK MGA6-64-OK
Source RPM: postgresql9.4, postgresql9.6 CVE:
Status comment:

Description David Walser 2018-02-10 20:55:15 CET 
PostgreSQL has released new versions on February 8:
https://www.postgresql.org/about/news/1829/

The issues are fixed in 9.3.21, 9.4.16, and 9.6.7.

Mageia 5 is also affected.

Updated packages uploaded for Mageia 6 and Cauldron.

Advisory:
========================

Updated postgresql packages fix security vulnerabilities:

In postgresql 9.4.x before 9.4.16 and 9.6.x before 9.6.7, pg_upgrade creates
file in current working directory containing the output of `pg_dumpall -g`
under umask which was in effect when the user invoked pg_upgrade, and not
under 0077 which is normally used for other temporary files. This can allow an
authenticated attacker to read or modify the one file, which may contain
encrypted or unencrypted database passwords. The attack is infeasible if a
directory mode blocks the attacker searching the current working directory or
if the prevailing umask blocks the attacker opening the file (CVE-2018-1053).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1053
https://www.postgresql.org/docs/9.4/static/release-9-4-16.html
https://www.postgresql.org/docs/9.6/static/release-9-6-7.html
https://www.postgresql.org/about/news/1829/
========================

Updated packages in core/updates_testing:
========================
postgresql9.4-9.4.16-1.mga6
libpq5.7-9.4.16-1.mga6
libecpg9.4_6-9.4.16-1.mga6
postgresql9.4-server-9.4.16-1.mga6
postgresql9.4-docs-9.4.16-1.mga6
postgresql9.4-contrib-9.4.16-1.mga6
postgresql9.4-devel-9.4.16-1.mga6
postgresql9.4-pl-9.4.16-1.mga6
postgresql9.4-plpython-9.4.16-1.mga6
postgresql9.4-plperl-9.4.16-1.mga6
postgresql9.4-pltcl-9.4.16-1.mga6
postgresql9.4-plpgsql-9.4.16-1.mga6
postgresql9.6-9.6.7-1.mga6
libpq5-9.6.7-1.mga6
libecpg9.6_6-9.6.7-1.mga6
postgresql9.6-server-9.6.7-1.mga6
postgresql9.6-docs-9.6.7-1.mga6
postgresql9.6-contrib-9.6.7-1.mga6
postgresql9.6-devel-9.6.7-1.mga6
postgresql9.6-pl-9.6.7-1.mga6
postgresql9.6-plpython-9.6.7-1.mga6
postgresql9.6-plperl-9.6.7-1.mga6
postgresql9.6-pltcl-9.6.7-1.mga6
postgresql9.6-plpgsql-9.6.7-1.mga6

from SRPMS:
postgresql9.4-9.4.16-1.mga6.src.rpm
postgresql9.6-9.6.7-1.mga6.src.rpm
David Walser 2018-02-10 20:55:32 CET

Keywords: (none) => has_procedure

Comment 1 David Walser 2018-02-11 01:57:25 CET 
So I found out that our Bugzilla runs on postgresql9.4, so I am *only* updating that for Mageia 5, not postgresql9.3.

Advisory addendum:

Note that on Mageia 5, only the postgresql9.4 update is being provided.  Users
of the postgresql9.3 package should migrate to 9.4.

postgresql9.4-9.4.16-1.mga5
libpq5-9.4.16-1.mga5
libecpg9.4_6-9.4.16-1.mga5
postgresql9.4-server-9.4.16-1.mga5
postgresql9.4-docs-9.4.16-1.mga5
postgresql9.4-contrib-9.4.16-1.mga5
postgresql9.4-devel-9.4.16-1.mga5
postgresql9.4-pl-9.4.16-1.mga5
postgresql9.4-plpython-9.4.16-1.mga5
postgresql9.4-plperl-9.4.16-1.mga5
postgresql9.4-pltcl-9.4.16-1.mga5
postgresql9.4-plpgsql-9.4.16-1.mga5

from postgresql9.4-9.4.16-1.mga5.src.rpm

Whiteboard: (none) => MGA5TOO

Comment 2 Herman Viaene 2018-02-11 14:46:33 CET 
MGA5-32 on Dell Latitude D600 Xfce
No installation issues.
Installation over existing 9.4.15.
Ref to bug 22556 Comment 6: Using phppgadmin first threw "Login disallowed for security reasons."
Setting $conf['extra_login_security'] = false; in /etc/phppgadmin/conf.inc.php solved this.
Created new schema, new table , all OK.

CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK

Comment 3 Herman Viaene 2018-02-15 14:46:40 CET 
MGA6-32 on Dell Latitude D600
No installation issues for 9.6. did not have a previous version.
Used pgadmin3 to test. This one warns that different options have not been installed. Continuing.
Able to define a new database, a new login role, a new schema and a new table in it. Added columns to the table, and added a primary and unique key to it.
During this last two operations, warning windows came up, but allowed to continue. I was able to finish all operations with success.

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-32-OK

Comment 4 claire robinson 2018-02-15 20:23:40 CET 
This just needs a 9.4 test for mga6
Dave Hodgins 2018-02-22 20:44:30 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Dave Hodgins 2018-02-24 19:58:26 CET 
9.4 tested on m6 using pgadmin3 to create a login role, a db, etc.

Whiteboard: MGA5TOO MGA5-32-OK MGA6-32-OK => MGA5TOO MGA5-32-OK MGA6-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2018-02-25 00:26:19 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0137.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED