Bug 24996 - postgresql new security issue CVE-2019-10164
Summary: postgresql new security issue CVE-2019-10164
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-06-23 19:09 CEST by David Walser
Modified: 2019-12-04 13:14 CET (History)
5 users (show)

See Also:
Source RPM: postgresql11
CVE:
Status comment:


Attachments

Description David Walser 2019-06-23 19:09:28 CEST
PostgreSQL has released new versions on June 20:
https://www.postgresql.org/about/news/1949/

11.4 fixes an issue deemed critical enough that they made these releases ahead of schedule.
David Walser 2019-06-23 19:09:41 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 Marja Van Waes 2019-06-23 19:13:23 CEST
Assigning to our registered postgresql11 maintainer.

Assignee: bugsquad => mageia
CC: (none) => marja11

Comment 2 Marc Krämer 2019-06-24 11:45:09 CEST
Suggested advisory:
========================
Updated psotgresql11 packages fix security vulnerabilities:
An authenticated user could create a stack-based buffer overflow by changing their own password to a purpose-crafted value. In addition to the ability to crash the PostgreSQL server, this could be further exploited to execute arbitrary code as the PostgreSQL operating system account.

Additionally, a rogue server could send a specifically crafted message during the SCRAM authentication process and cause a libpq-enabled client to either crash or execute arbitrary code as the client's operating system account. [1]

More than 25 other bugs have been fixed too. [2]

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10164
[2] https://www.postgresql.org/about/news/1949/
========================

Updated packages in core/updates_testing:
========================
postgresql11-11.4-1.mga7
lib64pq5-11.4-1.mga7
lib64ecpg11_6-11.4-1.mga7
postgresql11-server-11.4-1.mga7
postgresql11-docs-11.4-1.mga7
postgresql11-contrib-11.4-1.mga7
postgresql11-devel-11.4-1.mga7
postgresql11-pl-11.4-1.mga7
postgresql11-plpython-11.4-1.mga7
postgresql11-plpython3-11.4-1.mga7
postgresql11-plperl-11.4-1.mga7
postgresql11-pltcl-11.4-1.mga7
postgresql11-plpgsql-11.4-1.mga7
postgresql11-debugsource-11.4-1.mga7
postgresql11-debuginfo-11.4-1.mga7
lib64pq5-debuginfo-11.4-1.mga7
lib64ecpg11_6-debuginfo-11.4-1.mga7
postgresql11-server-debuginfo-11.4-1.mga7
postgresql11-contrib-debuginfo-11.4-1.mga7
postgresql11-devel-debuginfo-11.4-1.mga7
postgresql11-plpython-debuginfo-11.4-1.mga7
postgresql11-plpython3-debuginfo-11.4-1.mga7
postgresql11-plperl-debuginfo-11.4-1.mga7
postgresql11-pltcl-debuginfo-11.4-1.mga7
postgresql11-plpgsql-debuginfo-11.4-1.mga7

SRPM:
postgresql11-11.4-1.mga7.src.rpm

Assignee: mageia => qa-bugs

Thomas Backlund 2019-07-02 12:46:43 CEST

Version: Cauldron => 7
CC: (none) => tmb
Whiteboard: MGA7TOO => (none)

Comment 3 Brian Rockwell 2019-07-06 20:15:20 CEST
$ uname -a
Linux linux.local 5.1.14-desktop-1.mga7 #1 SMP Sat Jun 22 10:35:14 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux


The following 20 packages are going to be installed:

- glibc-devel-2.29-13.mga7.x86_64
- kernel-userspace-headers-5.1.16-1.mga7.x86_64
- lib64ecpg11_6-11.4-1.mga7.x86_64
- lib64openssl-devel-1.1.0j-1.mga7.x86_64
- lib64pq5-11.4-1.mga7.x86_64
- lib64xcrypt-devel-4.4.6-1.mga7.x86_64
- lib64zlib-devel-1.2.11-7.mga7.x86_64
- meta-task-7-1.1.mga7.noarch
- multiarch-utils-1.0.14-2.mga7.noarch
- postgresql11-11.4-1.mga7.x86_64
- postgresql11-contrib-11.4-1.mga7.x86_64
- postgresql11-devel-11.4-1.mga7.x86_64
- postgresql11-docs-11.4-1.mga7.noarch
- postgresql11-pl-11.4-1.mga7.x86_64
- postgresql11-plperl-11.4-1.mga7.x86_64
- postgresql11-plpgsql-11.4-1.mga7.x86_64
- postgresql11-plpython-11.4-1.mga7.x86_64
- postgresql11-plpython3-11.4-1.mga7.x86_64
- postgresql11-pltcl-11.4-1.mga7.x86_64
- postgresql11-server-11.4-1.mga7.x86_64

After the install I rebooted the VM.

$ ps -ef | grep post

returned nothing but this command.  So I had to start postgresql

# systemctl start postgresql

(Note the above command may take a minute to finish - don't panic at the disco).

Now I'm seeing activity

[root@linux brian]# ps -ef | grep post
postgres  2158     1  0 09:09 ?        00:00:00 /usr/bin/postgres -D /var/lib/pgsql/data -p 5432
postgres  2160  2158  0 09:09 ?        00:00:00 postgres: checkpointer   
postgres  2161  2158  0 09:09 ?        00:00:00 postgres: background writer   
postgres  2162  2158  0 09:09 ?        00:00:00 postgres: walwriter   
postgres  2163  2158  0 09:09 ?        00:00:00 postgres: autovacuum launcher   
postgres  2164  2158  0 09:09 ?        00:00:00 postgres: stats collector   
postgres  2165  2158  0 09:09 ?        00:00:00 postgres: logical replication launcher   

From root user I su over to postgres user:
# su postgres
[postgres@linux brian]$

I start by creating a db 

postgres@linux home]$ createdb magdb

(note you may get an error that it postgres doesn't have permission to write a file.  That's a log file.)

I now connect to the database I created:

$ psql magdb
psql (11.4)


magdb=# select version();
                                                       version                  
                                     
--------------------------------------------------------------------------------
-------------------------------------
 PostgreSQL 11.4 on x86_64-mageia-linux-gnu, compiled by gcc (Mageia 8.3.1-0.201
90524.1.mga7) 8.3.1 20190524, 64-bit


It seems happy enough.

Now I'll go install nextcloud


After installing nextcloud and all associated services (make sure you include the postgres connector)

# systemctl start httpd

In your favorite browner:  127.0.0.1/nextcloud

Pick out postgresql as the database (if it is not available you either didn't start it or you did not pick the proper nextcloud driver.

Note default postgres database user is postgres and the password is <blank>


I was able to complete the installation and add documents to nextcloud.

Looks like postgres is working as designed.

CC: (none) => brtians1
Whiteboard: (none) => MGA7-64-OK

Comment 4 Rémi Verschelde 2019-07-10 11:52:07 CEST
Advisory uploaded, validating.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2019-07-10 12:45:45 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0204.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Craig Hamill 2019-12-04 09:23:01 CET

CC: (none) => tomwalterszz0809


Note You need to log in before you can comment on or make changes to this bug.