Bug 33217

Summary: postgresql new security issue CVE-2024-4317
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, herman.viaene, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: postgresql15, postgresql13 CVE: CVE-2024-4317
Status comment:

Description Nicolas Salguero 2024-05-15 15:53:12 CEST 
PostgreSQL has released new versions on May 9:
https://www.postgresql.org/about/news/postgresql-163-157-1412-1315-and-1219-released-2858/

The issues is fixed upstream in 13.15 and 15.7.

Mageia 9 is also affected.
Nicolas Salguero 2024-05-15 15:53:58 CEST

Source RPM: (none) => postgresql15, postgresql13
CVE: (none) => CVE-2024-4317
Status comment: (none) => Fixed upstream in 13.15 and 15.7
Whiteboard: (none) => MGA9TOO

Comment 1 Nicolas Salguero 2024-05-15 18:14:41 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to the table owner. (CVE-2024-4317)

References:
https://www.postgresql.org/about/news/postgresql-163-157-1412-1315-and-1219-released-2858/
========================

Updated packages in core/updates_testing:
========================
lib(64)ecpg15_6-15.7-1.mga9
lib(64)pq5-15.7-1.mga9
postgresql15-15.7-1.mga9
postgresql15-contrib-15.7-1.mga9
postgresql15-devel-15.7-1.mga9
postgresql15-docs-15.7-1.mga9
postgresql15-pl-15.7-1.mga9
postgresql15-plperl-15.7-1.mga9
postgresql15-plpgsql-15.7-1.mga9
postgresql15-plpython3-15.7-1.mga9
postgresql15-pltcl-15.7-1.mga9
postgresql15-server-15.7-1.mga9

lib(64)ecpg13_6-13.15-1.mga9
lib(64)pq5.13-13.15-1.mga9
postgresql13-13.15-1.mga9
postgresql13-contrib-13.15-1.mga9
postgresql13-devel-13.15-1.mga9
postgresql13-docs-13.15-1.mga9
postgresql13-pl-13.15-1.mga9
postgresql13-plperl-13.15-1.mga9
postgresql13-plpgsql-13.15-1.mga9
postgresql13-plpython3-13.15-1.mga9
postgresql13-pltcl-13.15-1.mga9
postgresql13-server-13.15-1.mga9

from SRPMS:
postgresql15-15.7-1.mga9.src.rpm
postgresql13-13.15-1.mga9.src.rpm

Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Status comment: Fixed upstream in 13.15 and 15.7 => (none)

katnatek 2024-05-16 04:29:12 CEST

Keywords: (none) => advisory

Comment 2 Herman Viaene 2024-05-16 15:00:32 CEST 
MGA9-64 Plasma Wayland on HP-Pavillion
Ref to bugs 32823 and 32514
First installed the 13 series
# systemctl start postgresql
# systemctl -l status postgresql
● postgresql.service - PostgreSQL database server
     Loaded: loaded (/usr/lib/systemd/system/postgresql.service; disabled; preset: disabled)
     Active: active (running) since Thu 2024-05-16 14:29:51 CEST; 30s ago
    Process: 115805 ExecStartPre=/usr/libexec/postgresql_initdb.sh ${PGDATA} (code=exited, status=0/SUCCESS)
    Process: 116305 ExecStart=/usr/bin/pg_ctl start -D ${PGDATA} -s -o -p ${PGPORT} -w -t 300 (code=exited, status=0/SUCCESS)
   Main PID: 116319 (postgres)
      Tasks: 7 (limit: 4495)
     Memory: 60.7M
        CPU: 2.360s
     CGroup: /system.slice/postgresql.service
             ├─116319 /usr/bin/postgres -D /var/lib/pgsql/data -p 5432
             ├─116368 "postgres: checkpointer "
             ├─116369 "postgres: background writer "
             ├─116370 "postgres: walwriter "
             ├─116372 "postgres: autovacuum launcher "
             ├─116374 "postgres: stats collector "
             └─116375 "postgres: logical replication launcher "

May 16 14:29:47 mach4.hviaene.thuis systemd[1]: Starting postgresql.service...
May 16 14:29:51 mach4.hviaene.thuis pg_ctl[116319]: 2024-05-16 14:29:51.303 CEST [116319] LOG:  starting PostgreSQL 13.15 on x86_64-mage>
May 16 14:29:51 mach4.hviaene.thuis pg_ctl[116319]: 2024-05-16 14:29:51.322 CEST [116319] LOG:  listening on IPv6 address "::1", port 54>
May 16 14:29:51 mach4.hviaene.thuis pg_ctl[116319]: 2024-05-16 14:29:51.322 CEST [116319] LOG:  listening on IPv4 address "127.0.0.1", p>
May 16 14:29:51 mach4.hviaene.thuis pg_ctl[116319]: 2024-05-16 14:29:51.358 CEST [116319] LOG:  listening on Unix socket "/tmp/.s.PGSQL.>
May 16 14:29:51 mach4.hviaene.thuis pg_ctl[116359]: 2024-05-16 14:29:51.426 CEST [116359] LOG:  database system was shut down at 2024-05>
May 16 14:29:51 mach4.hviaene.thuis pg_ctl[116319]: 2024-05-16 14:29:51.489 CEST [116319] LOG:  database system is ready to accept conne>
May 16 14:29:51 mach4.hviaene.thuis systemd[1]: Started postgresql.service.
# systemctl enable postgresql
Created symlink /etc/systemd/system/multi-user.target.wants/postgresql.service → /usr/lib/systemd/system/postgresql.service.
# systemctl restart postgresql
# systemctl -l status postgresql
● postgresql.service - PostgreSQL database server
     Loaded: loaded (/usr/lib/systemd/system/postgresql.service; enabled; preset: disabled)
     Active: active (running) since Thu 2024-05-16 14:31:30 CEST; 6s ago
    Process: 131210 ExecStartPre=/usr/libexec/postgresql_initdb.sh ${PGDATA} (code=exited, status=0/SUCCESS)
    Process: 131222 ExecStart=/usr/bin/pg_ctl start -D ${PGDATA} -s -o -p ${PGPORT} -w -t 300 (code=exited, status=0/SUCCESS)
   Main PID: 131226 (postgres)
      Tasks: 7 (limit: 4495)
     Memory: 15.0M
        CPU: 135ms
     CGroup: /system.slice/postgresql.service
             ├─131226 /usr/bin/postgres -D /var/lib/pgsql/data -p 5432
             ├─131260 "postgres: checkpointer "
             ├─131261 "postgres: background writer "
             ├─131262 "postgres: walwriter "
             ├─131263 "postgres: autovacuum launcher "
             ├─131264 "postgres: stats collector "
             └─131265 "postgres: logical replication launcher "

May 16 14:31:30 mach4.hviaene.thuis systemd[1]: Starting postgresql.service...
May 16 14:31:30 mach4.hviaene.thuis pg_ctl[131226]: 2024-05-16 14:31:30.701 CEST [131226] LOG:  starting PostgreSQL 13.15 on x86_64-mage>
May 16 14:31:30 mach4.hviaene.thuis pg_ctl[131226]: 2024-05-16 14:31:30.703 CEST [131226] LOG:  listening on IPv6 address "::1", port 54>
May 16 14:31:30 mach4.hviaene.thuis pg_ctl[131226]: 2024-05-16 14:31:30.703 CEST [131226] LOG:  listening on IPv4 address "127.0.0.1", p>
May 16 14:31:30 mach4.hviaene.thuis pg_ctl[131226]: 2024-05-16 14:31:30.745 CEST [131226] LOG:  listening on Unix socket "/tmp/.s.PGSQL.>
May 16 14:31:30 mach4.hviaene.thuis pg_ctl[131253]: 2024-05-16 14:31:30.837 CEST [131253] LOG:  database system was shut down at 2024-05>
May 16 14:31:30 mach4.hviaene.thuis pg_ctl[131226]: 2024-05-16 14:31:30.899 CEST [131226] LOG:  database system is ready to accept conne>
May 16 14:31:30 mach4.hviaene.thuis systemd[1]: Started postgresql.service.
[root@mach4 ~]# systemctl start httpd
Then as normal user:
$ psql -U postgres
psql (13.15)
Type "help" for help.

postgres=# create database mageia;
CREATE DATABASE
postgres=# \c mageia;
You are now connected to database "mageia" as user "postgres".
mageia=# create table mag_versions (name varchar(12), cr_date date);
CREATE TABLE
mageia=# create index magidx on mag_versions(name);
CREATE INDEX
mageia=# insert into mag_versions values ('9', '26-Aug-2023');
INSERT 0 1
mageia=# insert into mag_versions values ('8', '2-Feb-2021');
INSERT 0 1
mageia=# select * from mag_versions;
 name |  cr_date   
------+------------
 9    | 2023-08-26
 8    | 2021-02-02
(2 rows)

mageia=# insert into mag_versions values ('10', '2-Jan-2025');
INSERT 0 1

I will no take bets on it !!!!
mageia=# select * from mag_versions;
 name |  cr_date   
------+------------
 9    | 2023-08-26
 8    | 2021-02-02
 10   | 2025-01-02
(3 rows)

mageia=# delete from mag_versions where name = '10';
DELETE 1
mageia=# select * from mag_versions; 
 name |  cr_date   
------+------------
 9    | 2023-08-26
 8    | 2021-02-02
(2 rows)

And what happened to my dear pgadmin4??? So handy, I miss it dearly

CC: (none) => herman.viaene

Comment 3 Herman Viaene 2024-05-16 15:27:46 CEST 
Uninstalled postgresql13 completely, installed 15, but getting nowhere.
on the sysctl commands I get :
Warning: The unit file, source configuration file or drop-ins of postgresql.service changed on disk. Run 'systemctl daemon-reload' to reload units.
postgresql.service is not active, cannot reload.
I  cannot start or reload or whatever......
Comment 4 katnatek 2024-05-19 20:10:40 CEST 
(In reply to Herman Viaene from comment #3)
> Uninstalled postgresql13 completely, installed 15, but getting nowhere.
> on the sysctl commands I get :
> Warning: The unit file, source configuration file or drop-ins of
> postgresql.service changed on disk. Run 'systemctl daemon-reload' to reload
> units.
> postgresql.service is not active, cannot reload.
> I  cannot start or reload or whatever......

Make sure the service is stoped and as root run the command suggested

systemctl daemon-reload

Then try to start the service
Comment 5 Herman Viaene 2024-05-20 10:29:03 CEST 
That's what I did, but the daemon-reload triggers te same error, just as everything else I try thereafter.
I'll give it another try later on the day.
Comment 6 Herman Viaene 2024-05-20 15:14:02 CEST 
Deleted everything postgres on the laptop (including /var/lib/pgsql) and reinstalled postgres15.
Now I get along, can start postgresql and get
# systemctl -l status postgresql
● postgresql.service - PostgreSQL database server
     Loaded: loaded (/usr/lib/systemd/system/postgresql.service; enabled; preset: disabled)
     Active: active (running) since Mon 2024-05-20 14:41:24 CEST; 29min ago
    Process: 87251 ExecStartPre=/usr/libexec/postgresql_initdb.sh ${PGDATA} (code=exited, status=0/SUCCESS)
    Process: 87833 ExecStart=/usr/bin/pg_ctl start -D ${PGDATA} -s -o -p ${PGPORT} -w -t 300 (code=exited, status=0/SUCCESS)
   Main PID: 87851 (postgres)
      Tasks: 7 (limit: 4495)
     Memory: 68.8M
        CPU: 3.723s
     CGroup: /system.slice/postgresql.service
etc ......

As normal user repeat the test above:
$ psql -U postgres
psql (15.7)
Type "help" for help.

postgres=# create database mageia;
CREATE DATABASE
postgres=# \c mageia;
You are now connected to database "mageia" as user "postgres".
mageia=# create table mag_versions (name varchar(12), cr_date date);
CREATE TABLE
mageia=# create index magidx on mag_versions(name);
CREATE INDEX
mageia=# insert into mag_versions values ('9', '26-Aug-2023');
INSERT 0 1
mageia=# insert into mag_versions values ('8', '2-Feb-2021');
INSERT 0 1
mageia=# select * from mag_versions;
 name |  cr_date   
------+------------
 9    | 2023-08-26
 8    | 2021-02-02
(2 rows)

mageia=# insert into mag_versions values ('10', '2-Jan-2025');
INSERT 0 1
mageia=# select * from mag_versions;
 name |  cr_date   
------+------------
 9    | 2023-08-26
 8    | 2021-02-02
 10   | 2025-01-02
(3 rows)

mageia=# delete from mag_versions where name = '10';
DELETE 1
mageia=# select * from mag_versions; 
 name |  cr_date   
------+------------
 9    | 2023-08-26
 8    | 2021-02-02
(2 rows)

So it works OK now, but I would be more confident if someone could test the installation over an existing previous version.
Comment 7 katnatek 2024-05-20 19:30:20 CEST 
(In reply to Herman Viaene from comment #6)
> So it works OK now, but I would be more confident if someone could test the
> installation over an existing previous version.

As I can see you did the same test as Brian in bug#32823
That is good for me

As always Thomas have the last word

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK

Comment 8 Thomas Andrews 2024-05-21 02:06:27 CEST 
This is not one of my areas of expertise, but...

It reads like a case of 15 not liking the old 13 config. I think that if 13 is updated from and old 13, or 15 updated from an old 15, the problem would not occur. Brian's test from bug 32823 didn't update over an old version, either.

I'm letting it go. Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 9 Mageia Robot 2024-05-22 01:18:17 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0184.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED