Bug 22687 - postgresql new security issues CVE-2018-1058, CVE-2018-1115, CVE-2018-109[12]5
Summary: postgresql new security issues CVE-2018-1058, CVE-2018-1115, CVE-2018-109[12]5
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-03-03 13:38 CET by David Walser
Modified: 2018-11-15 23:05 CET (History)
12 users (show)

See Also:
Source RPM: postgresql9.4, postgresql9.6
CVE:
Status comment: Fixed upstream in 9.4.19 and 9.6.10


Attachments

Description David Walser 2018-03-03 13:38:52 CET
PostgreSQL has released new versions on March 1:
https://www.postgresql.org/about/news/1834/

The issues are fixed in 9.3.22, 9.4.17, and 9.6.8.

Mageia 5 and Mageia 6 are also affected.

If our Bugzilla is running Mageia 6 now, I don't plan on updating Mageia 5 again.
David Walser 2018-03-03 13:39:05 CET

Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2018-03-03 13:41:33 CET
It sounds like it was primarily a documentation update to address this issue and mitigating the security issue requires manual intervention.  That should be made clear in the advisory.
Comment 2 Thomas Backlund 2018-03-03 13:43:57 CET
(In reply to David Walser from comment #0)
> PostgreSQL has released new versions on March 1:


> If our Bugzilla is running Mageia 6 now, I don't plan on updating Mageia 5
> again.


Yep, the whole mga infra is running on mga6

CC: (none) => tmb

Comment 3 David Walser 2018-03-03 13:49:25 CET
(In reply to Thomas Backlund from comment #2)
> Yep, the whole mga infra is running on mga6

OK, cool.  Just to be clear I just meant for this package, but this will further limit what other packages I might update as well.

Also, since this bug report hasn't made it clear, postgresql9.4 is only for Mageia 6, postgresql9.6 is in Mageia 6 and Cauldron.
Comment 4 Marja Van Waes 2018-03-03 19:58:29 CET
(In reply to David Walser from comment #3)

> 
> Also, since this bug report hasn't made it clear, postgresql9.4 is only for
> Mageia 6, postgresql9.6 is in Mageia 6 and Cauldron.

Assigning to the registered postgresql9.6 maintainer and CC'ing the postgresql9.4 maintainer.

Assignee: bugsquad => joequant
CC: (none) => cjw, marja11

Comment 5 David Walser 2018-03-11 15:06:53 CET
Ubuntu has issued an advisory for this on March 6:
https://usn.ubuntu.com/3589-1/
David Walser 2018-03-11 16:09:50 CET

Status comment: (none) => Fixed upstream in 9.4.17 and 9.6.8

Comment 6 David Walser 2018-05-12 21:55:41 CEST
PostgreSQL has released new versions on May 10:
https://www.postgresql.org/about/news/1851/

The new security issue only affected 9.6.x (fixed in 9.6.9).  9.4.18 is a bugfix release.  Fully dealing with the security issue again requires manual intervention, which should be mentioned in our advisory.

Status comment: Fixed upstream in 9.4.17 and 9.6.8 => Fixed upstream in 9.4.17 and 9.6.9
Summary: postgresql new security issue CVE-2018-1058 => postgresql new security issues CVE-2018-1058 and CVE-2018-1115

Comment 7 David Walser 2018-06-18 22:43:47 CEST
openSUSE has issued an advisory for the newer issue on June 16:
https://lists.opensuse.org/opensuse-security-announce/2018-06/msg00029.html
Comment 8 David Walser 2018-08-10 00:27:58 CEST
PostgreSQL has released new versions today (August 9):
https://www.postgresql.org/about/news/1878/

The issues are fixed in 9.3.24, 9.4.19, and 9.6.10.

Status comment: Fixed upstream in 9.4.17 and 9.6.9 => Fixed upstream in 9.4.19 and 9.6.10
Summary: postgresql new security issues CVE-2018-1058 and CVE-2018-1115 => postgresql new security issues CVE-2018-1058, CVE-2018-1115, CVE-2018-109[12]5

Comment 9 David Walser 2018-08-13 23:13:15 CEST
Debian has issued an advisory on August 10 for the new issues:
https://www.debian.org/security/2018/dsa-4269
Comment 10 Renaud Michel 2018-10-09 17:52:50 CEST
Another reason to upgrade PostgreSQL, is that the dump format of pg_dump has been incremented to fix CVE-2018-1058.
So if you try to import in mageia a dump (other than plain SQL) made by an up to date pg_dump, you get the error:

pg_restore: [archiver] unsupported version (1.13) in file header

see
https://stackoverflow.com/q/49064209

CC: (none) => r.h.michel+mageia

Comment 11 Bruno Cornec 2018-10-17 01:14:27 CEST
There is something weird with postgresql9.6 for mga6:
I made an update of the spec to bump the tag (as we had version 9.6.7 as package, while 9.6.10 is in svn), but I still build the 9.6.7 version, not the 9.6.10 one:


[bruno@bf3bda9aa9dd postgresql9.6]$ svn ci -m 'SILENT: bump tag'
Sending        SPECS/postgresql9.6.spec
Transmitting file data .done
Committing transaction...
Committed revision 1321232.
[bruno@bf3bda9aa9dd postgresql9.6]$ mgarepo submit 6/postgresql9.6 --define section=core/updates_testing -t 6
Fetching revision...
URL: svn+ssh://svn.mageia.org/svn/packages/updates/6/postgresql9.6
Commit: 1200213 | luigiwalser | 9.6.7 (fixes CVE-2018-1052 and CVE-2018-1053)
Package submitted!

Whereas it should submit revision 1321232 instead.
Anybody knows what happens here ?

CC: (none) => bruno

Comment 12 David Walser 2018-10-17 01:17:38 CEST
Check your checkout.  You might have accidentally checked out the Cauldron SVN branch.
Comment 13 Bruno Cornec 2018-10-17 01:24:13 CEST
Of course, you're right :-(

Back to the update then...

Status: NEW => ASSIGNED

Bruno Cornec 2018-10-17 01:24:37 CEST

Assignee: joequant => bruno

Comment 14 Bruno Cornec 2018-10-17 01:56:26 CEST
cauldron is already updated with 9.6.10
Bruno Cornec 2018-10-17 01:56:42 CEST

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 15 Bruno Cornec 2018-10-17 02:03:27 CEST
mga6 is also now updated with 9.6.10 (postgresql9.6-9.6.10-3.mga6.src.rpm)

Assignee: bruno => qa-bugs

Comment 16 David Walser 2018-10-17 20:30:21 CEST
We're not even close.

postgresql10 is packaged totally incorrectly in Cauldron and looks like it was based on Fedora's postgresql packages instead of ours, so it needs to be redone, and in doing so postgresql9.6 was incorrectly removed, so it needs to be restored, this update was built with 3 instead of 1 as the release tag (although we can potentially live with that), and postgresql9.4 hasn't been updated.

Version: 6 => Cauldron
CC: (none) => qa-bugs
Assignee: qa-bugs => bruno

David Walser 2018-10-17 20:30:30 CEST

Whiteboard: (none) => MGA6TOO

Comment 17 Bruno Cornec 2018-10-18 21:12:01 CEST
I thought postgresql9.4 was for mga5 but I now realize it's also provided for mga6 and cauldron :-( Will try to upgrade these as well.

I've submitted again 9.6 into cauldron. Wrt 10 I've not worked on it so can't comment.
Comment 18 Bruno Cornec 2018-10-18 21:17:43 CEST
Hummmm, for cauldron:
$ mgarepo co postgresql9.4
svn: E170000: URL 'svn+ssh://svn.mageia.org/svn/packages/cauldron/postgresql9.4/current' doesn't exist

I was thinking it was provided as I had remaining packages in my mirror:
/pub/mageia/distrib/cauldron/x86_64/media/debug/core/release/postgresql9.4-server-debuginfo-9.4.15-2.mga7.x86_64.rpm
[...]

So I guess we removed support of that version for cauldron/mga7 and that these packages will be cleaned up one day. Will work on mga6 then.
Comment 19 David Walser 2018-10-18 21:36:23 CEST
Whoa, careful there :o)  postgresql9.4 is only for Mageia 6 and has been removed from Cauldron.  It was removed by task-obsolete, but a mistake was made in the library major, so a couple libraries haven't been deleted yet (so the SRPM hasn't been either), but the next time task-obsolete is pushed it should take care of that.

I believe postgresql10 in Cauldron was done by Joseph Wang who frequently violates our packaging policies and incorrectly imports things without modification from Fedora.

Thanks for re-pushing postgresql9.6, but postgresql10 will need to be fixed.
Comment 20 David Walser 2018-10-19 00:54:27 CEST
(In reply to Bruno Cornec from comment #17)
> I've submitted again 9.6 into cauldron. Wrt 10 I've not worked on it so
> can't comment.

Didn't work, upload rejected.  I just remembered the reason is that the packaging of postgresql9.6 also needs to be adapted (like 9.4 in mga6 for instance) for the fact that it's no longer the primary postgresql package.
Comment 21 Bruno Cornec 2018-10-19 15:40:18 CEST
Ok, will look at that for 9.6

Meanwhile Jospeh answered for 10 on the dev ML and I've pushed 9.4.19 to mga6.
Comment 22 David Walser 2018-10-19 22:55:55 CEST
According to tmb, PostgreSQL 11 is out, so it should be imported (correctly this time, based on Mageia's packaging) and replace 10.

Thanks for your work on this.

Advisory:
========================

Updated postgresql packages fix security vulnerabilities:

A flaw was found in the way Postgresql allowed a user to modify the behavior
of a query for other users. An attacker with a user account could use this
flaw to execute code with the permissions of superuser in the database
(CVE-2018-1058).

Andrew Krasichkov discovered that libpq did not reset all its connection state
during reconnects (CVE-2018-10915).

It was discovered that some "CREATE TABLE" statements could disclose server
memory (CVE-2018-10925).

Fully fixing these security issues requires manual intervention.  See the
upstream advisories for details.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1058
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1115
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10915
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10925
https://www.postgresql.org/docs/9.4/static/release-9-4-17.html
https://www.postgresql.org/docs/9.4/static/release-9-4-18.html
https://www.postgresql.org/docs/9.4/static/release-9-4-19.html
https://www.postgresql.org/docs/9.6/static/release-9-6-8.html
https://www.postgresql.org/docs/9.6/static/release-9-6-9.html
https://www.postgresql.org/docs/9.6/static/release-9-6-10.html
https://www.postgresql.org/about/news/1834/
https://www.postgresql.org/about/news/1851/
https://www.postgresql.org/about/news/1878/
https://www.debian.org/security/2018/dsa-4269
========================

Updated packages in core/updates_testing:
========================
postgresql9.4-9.4.19-1.mga6
libpq5.7-9.4.19-1.mga6
libecpg9.4_6-9.4.19-1.mga6
postgresql9.4-server-9.4.19-1.mga6
postgresql9.4-docs-9.4.19-1.mga6
postgresql9.4-contrib-9.4.19-1.mga6
postgresql9.4-devel-9.4.19-1.mga6
postgresql9.4-pl-9.4.19-1.mga6
postgresql9.4-plpython-9.4.19-1.mga6
postgresql9.4-plperl-9.4.19-1.mga6
postgresql9.4-pltcl-9.4.19-1.mga6
postgresql9.4-plpgsql-9.4.19-1.mga6
postgresql9.6-9.6.10-3.mga6
lib64pq5-9.6.10-3.mga6
lib64ecpg9.6_6-9.6.10-3.mga6
postgresql9.6-server-9.6.10-3.mga6
postgresql9.6-docs-9.6.10-3.mga6
postgresql9.6-contrib-9.6.10-3.mga6
postgresql9.6-devel-9.6.10-3.mga6
postgresql9.6-pl-9.6.10-3.mga6
postgresql9.6-plpython-9.6.10-3.mga6
postgresql9.6-plperl-9.6.10-3.mga6
postgresql9.6-pltcl-9.6.10-3.mga6
postgresql9.6-plpgsql-9.6.10-3.mga6

from SRPMS:
postgresql9.4-9.4.19-1.mga6.src.rpm
postgresql9.6-9.6.10-3.mga6.src.rpm

CC: qa-bugs => (none)
Assignee: bruno => qa-bugs
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 23 Bruno Cornec 2018-10-20 00:31:10 CEST
So to recap:

9.6.10 is now uploaded into mga6 and cauldron (for it I made the same adaptations as what was done for 9.4 as it's not the main version anymore)


9.4.19 is now uploaded into mga6

Wrt pg10, I think it's worth a separate BR, as this one is only on the security of the 2 previous versions, and that should not interfere with our ability to provide the quickest security updates we can.
Comment 24 Bruno Cornec 2018-10-20 00:32:07 CEST
So as David mentioned, let's integrate pg11 (not necessarily me !) and split that from this BR.
Comment 25 David Walser 2018-10-20 00:33:26 CEST
Bug 23732 for pg10/11.
Comment 26 Herman Viaene 2018-11-01 13:54:23 CET
MGA6-64 Plasma on LenovoB50
Installed postgres9.6.10without issues ove pevious versions.
Postgrres runs OK, I coulld access my test databaase, createanew table in it and delete a previous test table.
Seems OK.

CC: (none) => herman.viaene

Comment 27 Brian Rockwell 2018-11-12 00:19:15 CET
$ uname -a
Linux localhost 4.14.78-desktop-1.mga6 #1 SMP Sun Oct 21 20:41:16 UTC 2018 i686 i686 i686 GNU/Linux

The following 15 packages are going to be installed:

- libecpg9.4_6-9.4.19-1.mga6.i586
- libopenssl-devel-1.0.2p-1.mga6.i586
- libossp_uuid16-1.6.2-16.mga6.i586
- libpq5.7-9.4.19-1.mga6.i586
- libzlib-devel-1.2.11-4.1.mga6.i586
- postgresql9.4-9.4.19-1.mga6.i586
- postgresql9.4-contrib-9.4.19-1.mga6.i586
- postgresql9.4-devel-9.4.19-1.mga6.i586
- postgresql9.4-docs-9.4.19-1.mga6.noarch
- postgresql9.4-pl-9.4.19-1.mga6.i586
- postgresql9.4-plperl-9.4.19-1.mga6.i586
- postgresql9.4-plpgsql-9.4.19-1.mga6.i586
- postgresql9.4-plpython-9.4.19-1.mga6.i586
- postgresql9.4-pltcl-9.4.19-1.mga6.i586
- postgresql9.4-server-9.4.19-1.mga6.i586

51MB of additional disk space will be used.

Rebooted

su'd into postgres ID from root

Created database using the command $ createdb mydb


logged into database

$ psql mydb

created a table

mydb=# create table mga (vname varchar(65), version float);

inserted some rows with the command:

mydb=# insert into mga values ('Mageia', 1);

selected some rows

mydb=# select * from mga;
  vname   | version 
----------+---------
 Mageia   |       1
 Ubuntu   |    6.06
 Mandrake |     100
 Debian   |      12
(4 rows)

created an index on the table

mydb=# create index mgai on mga (vname);

Did another select.

9.4.9.4.19-1 Seems to be working as designed

CC: (none) => brtians1

Comment 28 Len Lawrence 2018-11-12 00:32:44 CET
@Brian, comment #27.  Good work Brian.  Thanks.  You should add the 64-bit OK.  
Doing it for you just now.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK

Comment 29 Brian Rockwell 2018-11-12 03:23:53 CET
$ uname -a
Linux localhost 4.14.78-desktop-1.mga6 #1 SMP Sun Oct 21 20:41:16 UTC 2018 i686 i686 i686 GNU/Linux

The following 16 packages are going to be installed:

- glibc-devel-2.22-29.mga6.i586
- kernel-userspace-headers-4.14.78-1.mga6.i586
- libecpg9.6_6-9.6.10-3.mga6.i586
- libopenssl-devel-1.0.2p-1.mga6.i586
- libpq5-9.6.10-3.mga6.i586
- libzlib-devel-1.2.11-4.1.mga6.i586
- postgresql9.6-9.6.10-3.mga6.i586
- postgresql9.6-contrib-9.6.10-3.mga6.i586
- postgresql9.6-devel-9.6.10-3.mga6.i586
- postgresql9.6-docs-9.6.10-3.mga6.noarch
- postgresql9.6-pl-9.6.10-3.mga6.i586
- postgresql9.6-plperl-9.6.10-3.mga6.i586
- postgresql9.6-plpgsql-9.6.10-3.mga6.i586
- postgresql9.6-plpython-9.6.10-3.mga6.i586
- postgresql9.6-pltcl-9.6.10-3.mga6.i586
- postgresql9.6-server-9.6.10-3.mga6.i586

67MB of additional disk space will be used.


Followed  the same scenario as before.  Working as designed for mga6-32 and postgres 9.6

Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK

Comment 30 Thomas Andrews 2018-11-12 04:02:05 CET
Thanks, Brian, Len, Herman. Validating. Advisory in Comment 22. (I think)

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 31 Lewis Smith 2018-11-14 20:14:31 CET
Advisory from comment 22; but, @ David:
 the description does not mention CVE-2018-1115.

Keywords: (none) => advisory
CC: (none) => lewyssmith

Comment 32 David Walser 2018-11-14 21:09:34 CET
Yeah lemme fix that.  I'll repost later.
Comment 33 David Walser 2018-11-14 23:38:34 CET
Advisory:
========================

Updated postgresql packages fix security vulnerabilities:

A flaw was found in the way Postgresql allowed a user to modify the behavior
of a query for other users. An attacker with a user account could use this
flaw to execute code with the permissions of superuser in the database
(CVE-2018-1058).

Postgresql 9.6.x before 9.6.9 is vulnerable in the adminpack extension, the
pg_catalog.pg_logfile_rotate() function doesn't follow the same ACLs than
pg_rorate_logfile. If the adminpack is added to a database, an attacker able
to connect to it could exploit this to force log rotation (CVE-2018-1115).

Andrew Krasichkov discovered that libpq did not reset all its connection state
during reconnects (CVE-2018-10915).

It was discovered that some "CREATE TABLE" statements could disclose server
memory (CVE-2018-10925).

Fully fixing these security issues requires manual intervention.  See the
upstream advisories for details.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1058
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1115
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10915
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10925
https://www.postgresql.org/docs/9.4/static/release-9-4-17.html
https://www.postgresql.org/docs/9.4/static/release-9-4-18.html
https://www.postgresql.org/docs/9.4/static/release-9-4-19.html
https://www.postgresql.org/docs/9.6/static/release-9-6-8.html
https://www.postgresql.org/docs/9.6/static/release-9-6-9.html
https://www.postgresql.org/docs/9.6/static/release-9-6-10.html
https://www.postgresql.org/about/news/1834/
https://www.postgresql.org/about/news/1851/
https://www.postgresql.org/about/news/1878/
https://www.debian.org/security/2018/dsa-4269

Keywords: advisory => (none)

Dave Hodgins 2018-11-15 20:58:25 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 34 Mageia Robot 2018-11-15 23:05:34 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0446.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.