Bug 18103 - postgresql new security issues CVE-2016-2193 and CVE-2016-3065
Summary: postgresql new security issues CVE-2016-2193 and CVE-2016-3065
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/683853/
Whiteboard: has_procedure advisory MGA5-64-OK MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-03-31 21:03 CEST by David Walser
Modified: 2016-04-14 18:10 CEST

See Also:
Source RPM: postgresql9.3, postgresql9.4, postgresql9.5
CVE:
Status comment:



Description David Walser 2016-03-31 21:03:01 CEST
Upstream has released new versions today (March 31):
http://www.postgresql.org/about/news/1656/

Versions 9.3.12, 9.4.7, and 9.5.2 fix two security issues.

David Walser 2016-03-31 21:03:33 CEST

CC: (none) => cjw, fundawang, oe
Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2016-04-04 01:52:40 CEST
Fixed for Cauldron by Christiaan.

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 2 Christiaan Welvaart 2016-04-05 09:13:46 CEST
The postgresql9.3 9.3.12 and postgresql9.4 9.4.7 packages in updates_testing passed very basic testing using pgbench on mga5 i586 and x86-64. I'll see if I can write an advisory later this week.

Comment 3 David Walser 2016-04-05 16:22:55 CEST
Thanks Christiaan!  I'll take care of the advisory.

Advisory:
========================

Updated postgresql packages fix security vulnerabilities:

A vulnerability in PostgreSQL 9.3.x before 9.3.12 and 9.4.x before 9.4.7 leads
to potentially incorrect policies being applied in cases where role-specific
policies are used and a given query is planned under one role and then executed
under other roles, which could happen under security definer functions or when
a common user and query is planned initially and then re-used across multiple
SET ROLEs. Applying an incorrect policy may permit a user to complete
otherwise-forbidden reads and modifications. This affects only databases that
have used CREATE POLICY to define a row security policy (CVE-2016-2193).

A vulnerability was found in a way PostgreSQL 9.3.x before 9.3.12 and 9.4.x
before 9.4.7 uses pageinspect functions. Certain function arguments crashed
the server or disclosed a few bytes of server memory. The viability of attacks
that arrange for presence of confidential information in the disclosed bytes
was not ruled out. This affects only databases that have used "CREATE
EXTENSION pageinspect" (CVE-2016-3065).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2193
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3065
http://www.postgresql.org/docs/current/static/release-9-3-12.html
http://www.postgresql.org/docs/current/static/release-9-4-7.html
http://www.postgresql.org/about/news/1656/
========================

Updated packages in core/updates_testing:
========================
postgresql9.3-9.3.12-1.mga5
libpq9.3_5.6-9.3.12-1.mga5
libecpg9.3_6-9.3.12-1.mga5
postgresql9.3-server-9.3.12-1.mga5
postgresql9.3-docs-9.3.12-1.mga5
postgresql9.3-contrib-9.3.12-1.mga5
postgresql9.3-devel-9.3.12-1.mga5
postgresql9.3-pl-9.3.12-1.mga5
postgresql9.3-plpython-9.3.12-1.mga5
postgresql9.3-plperl-9.3.12-1.mga5
postgresql9.3-pltcl-9.3.12-1.mga5
postgresql9.3-plpgsql-9.3.12-1.mga5
postgresql9.4-9.4.7-1.mga5
libpq5-9.4.7-1.mga5
libecpg9.4_6-9.4.7-1.mga5
postgresql9.4-server-9.4.7-1.mga5
postgresql9.4-docs-9.4.7-1.mga5
postgresql9.4-contrib-9.4.7-1.mga5
postgresql9.4-devel-9.4.7-1.mga5
postgresql9.4-pl-9.4.7-1.mga5
postgresql9.4-plpython-9.4.7-1.mga5
postgresql9.4-plperl-9.4.7-1.mga5
postgresql9.4-pltcl-9.4.7-1.mga5
postgresql9.4-plpgsql-9.4.7-1.mga5

from SRPMS:
postgresql9.3-9.3.12-1.mga5.src.rpm
postgresql9.4-9.4.7-1.mga5.src.rpm

Assignee: bugsquad => qa-bugs
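
Added example, not part of the original bug report or of Mageia's tooling: a small audit that reads `rpm -qa`-style lines and flags PostgreSQL packages older than the fixed versions named in the advisory above (9.3.12 and 9.4.7). The sample input is constructed; the function names are hypothetical.

```python
import re

# Fixed version per branch, taken from the advisory above.
FIXED = {(9, 3): (9, 3, 12), (9, 4): (9, 4, 7)}

# Package names used in the update list above, e.g. postgresql9.3-server,
# libpq9.3_5.6, lib64ecpg9.3_6, libpq5.
PG_NAME = re.compile(r"^(postgresql|lib(64)?(pq|ecpg))\d")


def parse_nvr(line):
    """Split name-version-release; version and release never contain '-'."""
    parts = line.strip().rsplit("-", 2)
    if len(parts) != 3:
        return None
    name, version, _release = parts
    try:
        ver = tuple(int(p) for p in version.split("."))
    except ValueError:
        return None
    return name, ver


def audit(lines):
    """Return (package, installed, fixed) for PostgreSQL packages below the fix."""
    findings = []
    for line in lines:
        parsed = parse_nvr(line)
        if parsed is None:
            continue
        name, ver = parsed
        if not PG_NAME.match(name):
            continue
        fixed = FIXED.get(ver[:2])  # branches not in the advisory are skipped
        if fixed and ver < fixed:
            findings.append((name, ".".join(map(str, ver)), ".".join(map(str, fixed))))
    return findings


# Constructed sample, shaped like `rpm -qa` output on Mageia 5.
SAMPLE = [
    "postgresql9.3-server-9.3.11-1.mga5",
    "lib64pq9.3_5.6-9.3.12-1.mga5",
    "postgresql9.4-9.4.6-1.mga5",
    "libpq5-9.4.7-1.mga5",
    "bash-4.3-48.1.mga5",
]

if __name__ == "__main__":
    for pkg, have, need in audit(SAMPLE):
        print(f"{pkg}: installed {have}, fixed in {need}")
```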

Comment 4 David Walser 2016-04-05 16:23:16 CEST
Testing Procedure:
https://bugs.mageia.org/show_bug.cgi?id=8997#c1

Whiteboard: (none) => has_procedure

David Walser 2016-04-05 16:23:30 CEST

Severity: normal => major

Comment 5 William Kenney 2016-04-05 17:13:25 CEST
(In reply to David Walser from comment #4)

> Testing Procedure:
> https://bugs.mageia.org/show_bug.cgi?id=8997#c1

Use webmin to run the sql from
http://pgfoundry.org/frs/download.php/527/world-1.0.tar.gz
to create the tables, and view the data.

Webpage no longer exists. Got another?

CC: (none) => wilcal.int

Comment 6 David Walser 2016-04-05 17:18:18 CEST
(In reply to William Kenney from comment #5)
> (In reply to David Walser from comment #4)
> 
> > Testing Procedure:
> > https://bugs.mageia.org/show_bug.cgi?id=8997#c1
> 
> Use webmin to run the sql from
> http://pgfoundry.org/frs/download.php/527/world-1.0.tar.gz
> to create the tables, and view the data.
> 
> Webpage no longer exists. Got another?

Apparently that website periodically disappears.  You can download it from here:
https://ftp.postgresql.org/pub/projects/pgFoundry/dbsamples/world/world-1.0/

Comment 7 Lewis Smith 2016-04-08 21:15:11 CEST
Testing M5 x64 Postgres 9.3

Updated to:
 lib64pq9.3_5.6-9.3.12-1.mga5
 lib64ecpg9.3_6-9.3.12-1.mga5
 postgresql9.3-server-9.3.12-1.mga5
 postgresql9.3-devel-9.3.12-1.mga5
 postgresql9.3-plpgsql-9.3.12-1.mga5
 postgresql9.3-9.3.12-1.mga5
Played with (all using PostgreSQL): Bugzilla, Drupal, MediaWiki, PHPpgAdmin
No problems here. OK.
But it would be nice if somebody could confirm version 9.4 update.

CC: (none) => lewyssmith
Whiteboard: has_procedure => has_procedure MGA5-64-OK

Comment 8 Brian Rockwell 2016-04-13 17:32:46 CEST
Testing M5 x32 Postgres 9.3

[brian@localhost ~]$ psql mydb
psql (9.3.12)
Type "help" for help.

mydb=> 

mydb=> select version();
                                     version
---------------------------------------------------------------------------------
 PostgreSQL 9.3.12 on i586-mageia-linux-gnu, compiled by gcc (GCC) 4.9.2, 32-bit
(1 row)


mydb=> create table brian (name varchar(20));
CREATE TABLE

mydb=> insert into brian values ('briansname');
INSERT 0 1
mydb=> select * from brian;
    name    
------------
 briansname


Seems to be working as designed.

CC: (none) => brtians1

Brian Rockwell 2016-04-13 17:33:05 CEST

Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK

Brian Rockwell 2016-04-13 17:34:31 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 9 claire robinson 2016-04-13 18:39:11 CEST
Useful procedure Brian, well done.

Advisory uploaded.

Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK

Comment 10 Mageia Robot 2016-04-13 19:39:58 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0136.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-04-14 18:10:41 CEST

URL: (none) => http://lwn.net/Vulnerabilities/683853/

