Bug 32514

Summary: postgresql new security issues CVE-2023-586[89] and CVE-2023-5870
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, herman.viaene, joequant, joequant, mageia, marja11, nicolas.salguero, pkg-bugs, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8TOO MGA8-64-OK MGA9-64-OK
Source RPM: postgresql15, postgresql13, postgresql11 CVE:
Status comment:

Description Nicolas Salguero 2023-11-13 17:49:47 CET 
PostgreSQL has released new versions on November 9:
https://www.postgresql.org/about/news/postgresql-161-155-1410-1313-1217-and-1122-released-2749/

The issues are fixed upstream in 11.22, 13.13 and 15.5.

Cauldron, Mageia ç and Mageia 8 are affected (postgresql15, postgresql13 and postgresql11).
Nicolas Salguero 2023-11-13 17:50:02 CET

Whiteboard: (none) => MGA9TOO, MGA8TOO
Source RPM: (none) => postgresql15, postgresql13, postgresql11
CC: (none) => nicolas.salguero

Comment 1 Nicolas Salguero 2023-11-13 17:50:43 CET 
Oops:
Cauldron, Mageia 9 and Mageia 8 are affected (postgresql15, postgresql13 and postgresql11).
Comment 2 Marja Van Waes 2023-11-13 18:51:08 CET 
postgresql15 is maintained by you (ns80)
postgresql13 is maintained by joequant
and postgresql11 by nobody.

I don't know whom to assign to, will CC joequant and all packagers.

CC: (none) => joequant, joequant, marja11, pkg-bugs

Comment 3 Lewis Smith 2023-11-13 21:20:05 CET 
It looks like Nicolas is the main current committer for both v13 & v15, so assigning to you for those.
For v11, I do not see it, but MaintDB shows MarcK for 11.1, so CC'ing him.

Assignee: bugsquad => nicolas.salguero
CC: nicolas.salguero => mageia

Comment 4 Nicolas Salguero 2023-11-14 12:47:34 CET 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Memory disclosure in aggregate function calls. (CVE-2023-5868)

Buffer overrun from integer overflow in array modification. (CVE-2023-5869)

Role pg_signal_backend can signal certain superuser processes. (CVE-2023-5870)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5868
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5869
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5870
https://www.postgresql.org/about/news/postgresql-161-155-1410-1313-1217-and-1122-released-2749/
========================

Updated packages in 8/core/updates_testing:
========================
lib(64)ecpg13_6-13.13-1.mga8
lib(64)pq5-13.13-1.mga8
postgresql13-13.13-1.mga8
postgresql13-contrib-13.13-1.mga8
postgresql13-devel-13.13-1.mga8
postgresql13-docs-13.13-1.mga8
postgresql13-pl-13.13-1.mga8
postgresql13-plperl-13.13-1.mga8
postgresql13-plpgsql-13.13-1.mga8
postgresql13-plpython3-13.13-1.mga8
postgresql13-pltcl-13.13-1.mga8
postgresql13-server-13.13-1.mga8

lib(64)ecpg11_6-11.22-1.mga8
lib(64)pq5.11-11.22-1.mga8
postgresql11-11.22-1.mga8
postgresql11-contrib-11.22-1.mga8
postgresql11-devel-11.22-1.mga8
postgresql11-docs-11.22-1.mga8
postgresql11-pl-11.22-1.mga8
postgresql11-plperl-11.22-1.mga8
postgresql11-plpgsql-11.22-1.mga8
postgresql11-plpython3-11.22-1.mga8
postgresql11-pltcl-11.22-1.mga8
postgresql11-server-11.22-1.mga8

from SRPMS:
postgresql13-13.13-1.mga8.src.rpm
postgresql11-11.22-1.mga8.src.rpm

Updated packages in 9/core/updates_testing:
========================
lib(64)ecpg15_6-15.5-1.mga9
lib(64)pq5-15.5-1.mga9
postgresql15-15.5-1.mga9
postgresql15-contrib-15.5-1.mga9
postgresql15-devel-15.5-1.mga9
postgresql15-docs-15.5-1.mga9
postgresql15-pl-15.5-1.mga9
postgresql15-plperl-15.5-1.mga9
postgresql15-plpgsql-15.5-1.mga9
postgresql15-plpython3-15.5-1.mga9
postgresql15-pltcl-15.5-1.mga9
postgresql15-server-15.5-1.mga9

lib(64)ecpg13_6-13.13-1.mga9
lib(64)pq5.13-13.13-1.mga9
postgresql13-13.13-1.mga9
postgresql13-contrib-13.13-1.mga9
postgresql13-devel-13.13-1.mga9
postgresql13-docs-13.13-1.mga9
postgresql13-pl-13.13-1.mga9
postgresql13-plperl-13.13-1.mga9
postgresql13-plpgsql-13.13-1.mga9
postgresql13-plpython3-13.13-1.mga9
postgresql13-pltcl-13.13-1.mga9
postgresql13-server-13.13-1.mga9

from SRPMS:
postgresql15-15.5-1.mga9.src.rpm
postgresql13-13.13-1.mga9.src.rpm

Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO
CC: (none) => nicolas.salguero
Version: Cauldron => 9

Comment 5 Marja Van Waes 2023-11-14 15:27:11 CET 
Advisory from comment 4 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"

Keywords: (none) => advisory

Comment 6 Herman Viaene 2023-11-16 16:46:06 CET 
MGA8-64 Xfce on Acer Aspire 5253.
First installed the 11 series
# systemctl start postgresql
# systemctl -l status postgresql
● postgresql.service - PostgreSQL database server
     Loaded: loaded (/usr/lib/systemd/system/postgresql.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2023-11-16 14:02:04 CET; 15s ago
    Process: 19101 ExecStartPre=/usr/libexec/postgresql_initdb.sh ${PGDATA} (code=exited, status=0/SUCCESS)
    Process: 19125 ExecStart=/usr/bin/pg_ctl start -D ${PGDATA} -s -o -p ${PGPORT} -w -t 300 (code=exited, status=0/SUCCESS)
   Main PID: 19127 (postgres)
      Tasks: 7 (limit: 4364)
     Memory: 59.5M
        CPU: 4.834s
     CGroup: /system.slice/postgresql.service
             ├─19127 /usr/bin/postgres -D /var/lib/pgsql/data -p 5432
             ├─19129 postgres: checkpointer
             ├─19130 postgres: background writer
             ├─19131 postgres: walwriter
             ├─19132 postgres: autovacuum launcher
             ├─19133 postgres: stats collector
             └─19134 postgres: logical replication launcher

Nov 16 14:01:58 mach7.hviaene.thuis systemd[1]: Starting PostgreSQL database server...
Nov 16 14:02:04 mach7.hviaene.thuis pg_ctl[19127]: 2023-11-16 14:02:04.581 CET [19127] LOG:  listening on IPv6 address "::1", port 5432
Nov 16 14:02:04 mach7.hviaene.thuis pg_ctl[19127]: 2023-11-16 14:02:04.583 CET [19127] LOG:  listening on IPv4 address "127.0.0.1", po>
Nov 16 14:02:04 mach7.hviaene.thuis pg_ctl[19127]: 2023-11-16 14:02:04.613 CET [19127] LOG:  listening on Unix socket "/tmp/.s.PGSQL.5>
Nov 16 14:02:04 mach7.hviaene.thuis pg_ctl[19128]: 2023-11-16 14:02:04.785 CET [19128] LOG:  database system was shut down at 2023-11->
Nov 16 14:02:04 mach7.hviaene.thuis pg_ctl[19127]: 2023-11-16 14:02:04.834 CET [19127] LOG:  database system is ready to accept connec>
Nov 16 14:02:04 mach7.hviaene.thuis systemd[1]: Started PostgreSQL database server.
Then started pgdmin4, created a new connection to localhost, created a new database, a new table in it with a primary and unique key, inserted two rows of data, and created a backup of this database. So far so good.
Now continuing with the 13 series

CC: (none) => herman.viaene

Comment 7 Herman Viaene 2023-11-16 17:25:32 CET 
Installed 13 series, checked that this replaced the 11-series completely.
# systemctl start postgresql
[root@mach7 ~]# systemctl -l status postgresql
● postgresql.service - PostgreSQL database server
     Loaded: loaded (/usr/lib/systemd/system/postgresql.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2023-11-16 16:00:31 CET; 3s ago
    Process: 36621 ExecStartPre=/usr/libexec/postgresql_initdb.sh ${PGDATA} (code=exited, status=0/SUCCESS)
    Process: 36622 ExecStart=/usr/bin/pg_ctl start -D ${PGDATA} -s -o -p ${PGPORT} -w -t 300 (code=exited, status=0/SUCCESS)
   Main PID: 36624 (postgres)
      Tasks: 7 (limit: 4364)
     Memory: 14.1M
        CPU: 151ms
     CGroup: /system.slice/postgresql.service
             ├─36624 /usr/bin/postgres -D /var/lib/pgsql/data -p 5432
             ├─36627 postgres: checkpointer
             ├─36628 postgres: background writer
             ├─36629 postgres: walwriter
             ├─36630 postgres: autovacuum launcher
             ├─36631 postgres: stats collector
             └─36632 postgres: logical replication launcher

Nov 16 16:00:29 mach7.hviaene.thuis systemd[1]: Starting PostgreSQL database server...
Nov 16 16:00:30 mach7.hviaene.thuis pg_ctl[36624]: 2023-11-16 16:00:30.970 CET [36624] LOG:  listening on IPv6 address "::1", port 5432
Nov 16 16:00:30 mach7.hviaene.thuis pg_ctl[36624]: 2023-11-16 16:00:30.970 CET [36624] LOG:  listening on IPv4 address "127.0.0.1", po>
Nov 16 16:00:31 mach7.hviaene.thuis pg_ctl[36624]: 2023-11-16 16:00:31.014 CET [36624] LOG:  listening on Unix socket "/tmp/.s.PGSQL.5>
Nov 16 16:00:31 mach7.hviaene.thuis pg_ctl[36626]: 2023-11-16 16:00:31.229 CET [36626] LOG:  database system was shut down at 2023-11->
Nov 16 16:00:31 mach7.hviaene.thuis pg_ctl[36624]: 2023-11-16 16:00:31.279 CET [36624] LOG:  database system is ready to accept connec>
Nov 16 16:00:31 mach7.hviaene.thuis systemd[1]: Started PostgreSQL database server.
Then used pgadmin4 again to open the testdatabase, looked OK. Created a new table with a.o. a foreign key to the first table above. Inserted values and created a query SQL joining the two tables. Works like a charm for M8.
Good enough for me unless someone else has more ideas.

Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK

Comment 8 Herman Viaene 2023-11-20 15:55:32 CET 
MGA9-64 Xfce on Acer Aspire 5253.
First installed the 13 series
# systemctl start postgresql
[root@mach7 beelden]# systemctl -l status postgresql
● postgresql.service - PostgreSQL database server
     Loaded: loaded (/usr/lib/systemd/system/postgresql.service; disabled; pres>
     Active: active (running) since Mon 2023-11-20 14:30:25 CET; 16s ago
    Process: 6779 ExecStartPre=/usr/libexec/postgresql_initdb.sh ${PGDATA} (cod>
    Process: 6780 ExecStart=/usr/bin/pg_ctl start -D ${PGDATA} -s -o -p ${PGPOR>
   Main PID: 6782 (postgres)
      Tasks: 7 (limit: 4317)
     Memory: 21.2M
        CPU: 270ms
     CGroup: /system.slice/postgresql.service
             ├─6782 /usr/bin/postgres -D /var/lib/pgsql/data -p 5432
             ├─6788 "postgres: checkpointer "
             ├─6789 "postgres: background writer "
             ├─6790 "postgres: walwriter "
             ├─6791 "postgres: autovacuum launcher "
             ├─6792 "postgres: stats collector "
             └─6793 "postgres: logical replication launcher "

Nov 20 14:30:24 mach7.hviaene.thuis systemd[1]: Starting postgresql.service...
Nov 20 14:30:24 mach7.hviaene.thuis pg_ctl[6782]: 2023-11-20 14:30:24.875 CET [>
Nov 20 14:30:24 mach7.hviaene.thuis pg_ctl[6782]: 2023-11-20 14:30:24.887 CET [>
Nov 20 14:30:24 mach7.hviaene.thuis pg_ctl[6782]: 2023-11-20 14:30:24.896 CET [>
Nov 20 14:30:24 mach7.hviaene.thuis pg_ctl[6782]: 2023-11-20 14:30:24.940 CET [>

As pgAdmin4 is not available anymore in M9, installed from upstream the rpm for DBeaver 23.2.5
Connected to the postgres and did same test as described in Comment 6 above. Works OK.
Comment 9 Herman Viaene 2023-11-20 16:26:41 CET 
MGA9-64 Xfce on Acer Aspire 5253.
Installed 15 version over existing 13, no problem.
# systemctl start postgresql
# systemctl -l status postgresql
● postgresql.service - PostgreSQL database server
     Loaded: loaded (/usr/lib/systemd/system/postgresql.service; disabled; preset: disabled)
     Active: active (running) since Mon 2023-11-20 15:14:42 CET; 2s ago
    Process: 55944 ExecStartPre=/usr/libexec/postgresql_initdb.sh ${PGDATA} (code=exited, status=0/SUCCESS)
    Process: 55949 ExecStart=/usr/bin/pg_ctl start -D ${PGDATA} -s -o -p ${PGPORT} -w -t 300 (code=exited, status=0/>
   Main PID: 55953 (postgres)
      Tasks: 7 (limit: 4317)
     Memory: 15.1M
        CPU: 207ms
     CGroup: /system.slice/postgresql.service
             ├─55953 /usr/bin/postgres -D /var/lib/pgsql/data -p 5432
             ├─55984 "postgres: checkpointer "
             ├─55985 "postgres: background writer "
             ├─55986 "postgres: walwriter "
             ├─55987 "postgres: autovacuum launcher "
             ├─55988 "postgres: stats collector "
             └─55989 "postgres: logical replication launcher "

Nov 20 15:14:42 mach7.hviaene.thuis systemd[1]: Starting postgresql.service...
Nov 20 15:14:42 mach7.hviaene.thuis pg_ctl[55953]: 2023-11-20 15:14:42.492 CET [55953] LOG:  starting PostgreSQL 13.>
Nov 20 15:14:42 mach7.hviaene.thuis pg_ctl[55953]: 2023-11-20 15:14:42.523 CET [55953] LOG:  listening on IPv4 addre>
Nov 20 15:14:42 mach7.hviaene.thuis pg_ctl[55953]: 2023-11-20 15:14:42.537 CET [55953] LOG:  could not create IPv6 s>
Nov 20 15:14:42 mach7.hviaene.thuis pg_ctl[55953]: 2023-11-20 15:14:42.568 CET [55953] LOG:  listening on Unix socke>
Nov 20 15:14:42 mach7.hviaene.thuis pg_ctl[55982]: 2023-11-20 15:14:42.681 CET [55982] LOG:  database system was shu>
Nov 20 15:14:42 mach7.hviaene.thuis pg_ctl[55953]: 2023-11-20 15:14:42.747 CET [55953] LOG:  database system is read>
Nov 20 15:14:42 mach7.hviaene.thuis systemd[1]: Started postgresql.service.
Deleted table created in Comment 8, created a similar new one and populated with some data. All works OK.

Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK

Comment 10 Thomas Andrews 2023-11-21 04:37:05 CET 
Many thanks, Herman. Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 11 Mageia Robot 2023-11-22 03:51:53 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0324.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED