| Summary: | postgresql new security issue CVE-2022-2625 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, brtians1, davidwhodgins, herman.viaene, joequant, mageia, marja11, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | postgresql11, postgresql13, postgresql14 | CVE: | CVE-2022-1552 CVE-2022-2625 |
| Status comment: | Fixed upstream in 11.17, 13.8, and 14.5 | ||
Description
David Walser
2022-08-12 18:30:34 CEST
David Walser
2022-08-12 18:30:53 CEST
Status comment:
(none) =>
Fixed upstream in 11.17, 13.8, and 14.5

Three maintainers :-) Assigning to ns80, because he pushes postgresql* most often. CC'ing joequant and mokraemer.

Assignee:
bugsquad =>
nicolas.salguero

currently building the packages.

This update brings both postgresql 11 and 13 to the latest update. As usual, you can find improvements and fixes in this update. There are also two severe security issues in this update.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1552
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2625
https://www.postgresql.org/about/news/postgresql-145-138-1212-1117-1022-and-15-beta-3-released-2496/

========================
Updated packages in core/updates_testing:
========================
postgresql11-pl-11.17-1.mga8
postgresql11-pltcl-11.17-1.mga8
postgresql11-plperl-11.17-1.mga8
postgresql11-plpgsql-11.17-1.mga8
postgresql11-plpython3-11.17-1.mga8
lib64ecpg11_6-11.17-1.mga8
postgresql11-pltcl-debuginfo-11.17-1.mga8
lib64pq5.11-11.17-1.mga8
postgresql11-plpython3-debuginfo-11.17-1.mga8
postgresql11-plperl-debuginfo-11.17-1.mga8
postgresql11-plpgsql-debuginfo-11.17-1.mga8
lib64ecpg11_6-debuginfo-11.17-1.mga8
lib64pq5.11-debuginfo-11.17-1.mga8
postgresql11-contrib-11.17-1.mga8
postgresql11-devel-debuginfo-11.17-1.mga8
postgresql11-debuginfo-11.17-1.mga8
postgresql11-11.17-1.mga8
postgresql11-contrib-debuginfo-11.17-1.mga8
postgresql11-devel-11.17-1.mga8
postgresql11-docs-11.17-1.mga8
postgresql11-server-11.17-1.mga8
postgresql11-server-debuginfo-11.17-1.mga8
postgresql11-debugsource-11.17-1.mga8
postgresql13-pl-13.8-1.mga8
postgresql13-pltcl-13.8-1.mga8
postgresql13-plperl-13.8-1.mga8
postgresql13-pltcl-debuginfo-13.8-1.mga8
postgresql13-plpython3-13.8-1.mga8
lib64pq5-13.8-1.mga8
postgresql13-plpgsql-13.8-1.mga8
lib64ecpg13_6-13.8-1.mga8
postgresql13-plpython3-debuginfo-13.8-1.mga8
postgresql13-plperl-debuginfo-13.8-1.mga8
lib64pq5-debuginfo-13.8-1.mga8
postgresql13-plpgsql-debuginfo-13.8-1.mga8
lib64ecpg13_6-debuginfo-13.8-1.mga8
postgresql13-contrib-13.8-1.mga8
postgresql13-devel-debuginfo-13.8-1.mga8
postgresql13-debuginfo-13.8-1.mga8
postgresql13-13.8-1.mga8
postgresql13-contrib-debuginfo-13.8-1.mga8
postgresql13-devel-13.8-1.mga8
postgresql13-docs-13.8-1.mga8
postgresql13-server-13.8-1.mga8
postgresql13-server-debuginfo-13.8-1.mga8
postgresql13-debugsource-13.8-1.mga8

Source RPMs:
postgresql11-11.17-1.mga8.src.rpm
postgresql13-13.8-1.mga8.src.rpm

CVE:
(none) =>
CVE-2022-1552 CVE-2022-2625
Thomas Backlund
2022-08-17 21:24:47 CEST
Version:
Cauldron =>
8

MGA8-64, GNOME
The following 16 packages are going to be installed:
- lib64ecpg11_6-11.17-1.mga8.x86_64
- lib64openssl-devel-1.1.1q-1.mga8.x86_64
- lib64pq5.11-11.17-1.mga8.x86_64
- lib64zlib-devel-1.2.12-1.2.mga8.x86_64
- lib64zlib1-1.2.12-1.2.mga8.x86_64
- multiarch-utils-1.0.14-3.mga8.noarch
- postgresql11-11.17-1.mga8.x86_64
- postgresql11-contrib-11.17-1.mga8.x86_64
- postgresql11-devel-11.17-1.mga8.x86_64
- postgresql11-docs-11.17-1.mga8.noarch
- postgresql11-pl-11.17-1.mga8.x86_64
- postgresql11-plperl-11.17-1.mga8.x86_64
- postgresql11-plpgsql-11.17-1.mga8.x86_64
- postgresql11-plpython3-11.17-1.mga8.x86_64
- postgresql11-pltcl-11.17-1.mga8.x86_64
- postgresql11-server-11.17-1.mga8.x86_64
postgres=# create database brian;
CREATE DATABASE
postgres=# \c brian;
You are now connected to database "brian" as user "postgres".
brian=# create table mageia (vername varchar(50), verdate date);
CREATE TABLE
brian=# insert into mageia values ('MAGEIA 8', '7-Jul-2020');
INSERT 0 1
brian=# insert into mageia values ('MAGEIA 7', '8-Sep-2018');
INSERT 0 1
brian=# insert into mageia values ('MAGEIA 6', '8-May-2016');
INSERT 0 1
brian=# select * from MAGEIA;
vername | verdate
----------+------------
MAGEIA 8 | 2020-07-07
MAGEIA 7 | 2018-09-08
MAGEIA 6 | 2016-05-08
(3 rows)
brian=# \dt
List of relations
Schema | Name | Type | Owner
--------+--------+-------+----------
public | mageia | table | postgres
(1 row)
brian=# \d mageia
Table "public.mageia"
Column | Type | Collation | Nullable | Default
---------+-----------------------+-----------+----------+---------
vername | character varying(50) | | |
verdate | date | | |
brian=# create index mgaidx on mageia(vername);
CREATE INDEX
brian=# \d mageia
Table "public.mageia"
Column | Type | Collation | Nullable | Default
---------+-----------------------+-----------+----------+---------
vername | character varying(50) | | |
verdate | date | | |
Indexes:
"mgaidx" btree (vername)
brian=# select * from MAGEIA;
vername | verdate
----------+------------
MAGEIA 8 | 2020-07-07
MAGEIA 7 | 2018-09-08
MAGEIA 6 | 2016-05-08
(3 rows)
brian=# insert into mageia values ('MAGEIA 5', '21-Feb-2014');
INSERT 0 1
brian=# select * from MAGEIA;
vername | verdate
----------+------------
MAGEIA 8 | 2020-07-07
MAGEIA 7 | 2018-09-08
MAGEIA 6 | 2016-05-08
MAGEIA 5 | 2014-02-21
(4 rows)
brian=# insert into mageia values ('debian', '21-Feb-2014');
INSERT 0 1
brian=# select * from mageia;
vername | verdate
----------+------------
MAGEIA 8 | 2020-07-07
MAGEIA 7 | 2018-09-08
MAGEIA 6 | 2016-05-08
MAGEIA 5 | 2014-02-21
debian | 2014-02-21
(5 rows)
brian=# delete from mageia where vername = 'debian';
DELETE 1
brian=# select * from mageia;
vername | verdate
----------+------------
MAGEIA 8 | 2020-07-07
MAGEIA 7 | 2018-09-08
MAGEIA 6 | 2016-05-08
MAGEIA 5 | 2014-02-21
(4 rows)
brian=#
works for me and don't hold me to the release dates

CC:
(none) =>
brtians1

MGA8-64, GNOME
new build
The following 16 packages are going to be installed:
- lib64ecpg13_6-13.8-1.mga8.x86_64
- lib64openssl-devel-1.1.1q-1.mga8.x86_64
- lib64pq5-13.8-1.mga8.x86_64
- lib64zlib-devel-1.2.12-1.2.mga8.x86_64
- lib64zlib1-1.2.12-1.2.mga8.x86_64
- multiarch-utils-1.0.14-3.mga8.noarch
- postgresql13-13.8-1.mga8.x86_64
- postgresql13-contrib-13.8-1.mga8.x86_64
- postgresql13-devel-13.8-1.mga8.x86_64
- postgresql13-docs-13.8-1.mga8.noarch
- postgresql13-pl-13.8-1.mga8.x86_64
- postgresql13-plperl-13.8-1.mga8.x86_64
- postgresql13-plpgsql-13.8-1.mga8.x86_64
- postgresql13-plpython3-13.8-1.mga8.x86_64
- postgresql13-pltcl-13.8-1.mga8.x86_64
- postgresql13-server-13.8-1.mga8.x86_64
started postgres service
postgres=# create database mageia;
CREATE DATABASE
postgres=# \c mageia
You are now connected to database "mageia" as user "postgres".
mageia=# create table mageia (vername varchar(255), verdate date);
CREATE TABLE
mageia=# insert into mageia values ('MAGEIA 8', '7-Jul-2020');
INSERT 0 1
mageia=# insert into mageia values ('MAGEIA 7', '10-sep-2018');
INSERT 0 1
mageia=# insert into mageia values ('MAGEIA 6', '8-may-2016');
INSERT 0 1
mageia=# select * from mageia;
vername | verdate
----------+------------
MAGEIA 8 | 2020-07-07
MAGEIA 7 | 2018-09-10
MAGEIA 6 | 2016-05-08
(3 rows)
mageia=# create index mgaidx on mageia(vername);
CREATE INDEX
mageia=# \d mageia
Table "public.mageia"
Column | Type | Collation | Nullable | Default
---------+------------------------+-----------+----------+---------
vername | character varying(255) | | |
verdate | date | | |
Indexes:
"mgaidx" btree (vername)
mageia=# insert into mageia values ('MAGEIA 5', '21-feb-2014');
INSERT 0 1
mageia=# insert into mageia values ('MAGEIA 4', '2-jan-2013');
INSERT 0 1
mageia=# insert into mageia values ('manjaro', '5-jan-2018');
INSERT 0 1
mageia=# select * from mageia;
vername | verdate
----------+------------
MAGEIA 8 | 2020-07-07
MAGEIA 7 | 2018-09-10
MAGEIA 6 | 2016-05-08
MAGEIA 5 | 2014-02-21
MAGEIA 4 | 2013-01-02
manjaro | 2018-01-05
(6 rows)
mageia=# update mageia
mageia-# set vername = 'oops'
mageia-# where vername = 'manjaro';
UPDATE 1
mageia=# select * from mageia;
vername | verdate
----------+------------
MAGEIA 8 | 2020-07-07
MAGEIA 7 | 2018-09-10
MAGEIA 6 | 2016-05-08
MAGEIA 5 | 2014-02-21
MAGEIA 4 | 2013-01-02
oops | 2018-01-05
(6 rows)
mageia=# delete from table mageia where vername = 'oops';
ERROR: syntax error at or near "table"
LINE 1: delete from table mageia where vername = 'oops';
^
mageia=# delete from mageia where vername = 'oops';
DELETE 1
mageia=# select * from mageia;
vername | verdate
----------+------------
MAGEIA 8 | 2020-07-07
MAGEIA 7 | 2018-09-10
MAGEIA 6 | 2016-05-08
MAGEIA 5 | 2014-02-21
MAGEIA 4 | 2013-01-02
(5 rows)
mageia=# drop database mageia;
ERROR: cannot drop the currently open database
working for me.

MGA8-64 Plasma on Acer Aspire 5253
Installed over an existing 13.7 database, went OK
Used pgadmin4 to create another new database and a table with constraints in it, works OK.
Will there be a version 14 as suggested by the title? If so, I would like to test the transition of the existing 13 database to 14.

CC:
(none) =>
herman.viaene

I think we'll keep 14 for cauldron. But I'm just helping out to get the cve fixed. I hope joe will do the regular updates.

Then I see no reason to let this update hang, taking Brian's testing into account.

Whiteboard:
(none) =>
MGA8-64-OK

Validating. Advisory in Comment 3.

Keywords:
(none) =>
validated_update
Dave Hodgins
2022-08-29 00:07:30 CEST
CC:
(none) =>
davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0313.html

Resolution:
(none) =>
FIXED