Bug 28373 - postgresql new security issues CVE-2021-20229 and CVE-2021-3393
Summary: postgresql new security issues CVE-2021-20229 and CVE-2021-3393
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA8-64-OK MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-02-18 12:02 CET by Nicolas Salguero
Modified: 2021-03-12 02:27 CET (History)
8 users (show)

See Also:
Source RPM: postgresql9.6, postgresql11, postgresql13
CVE: CVE-2021-20229, CVE-2021-3393
Status comment:


Attachments

Description Nicolas Salguero 2021-02-18 12:02:09 CET
PostgreSQL has released new versions on February 11:
https://www.postgresql.org/about/news/postgresql-132-126-1111-1016-9621-and-9525-released-2165/

The issues are fixed in 11.11, and 13.2.

Cauldron and Mageia 8 are affected (postgresql13 and postgresql11).
Mageia 7 is also affected (postgresql11).

CVE-2021-20229 only affects postgresql13.

The two CVEs do not affect 9.6 but 9.6.21 contains other bug fixes.
Nicolas Salguero 2021-02-18 12:02:52 CET

Whiteboard: (none) => MGA8TOO, MGA7TOO
Source RPM: (none) => postgresql9.6, postgresql11, postgresql13
CVE: (none) => CVE-2021-20229, CVE-2021-3393

Comment 1 Lewis Smith 2021-02-18 20:48:37 CET
Various packagers are involved, who are CC'd while nominally assigning this globally.

Assignee: bugsquad => pkg-bugs
CC: (none) => joequant, mageia, nicolas.salguero

Marc Krämer 2021-02-19 12:53:00 CET

CC: mageia => (none)

Comment 2 David Walser 2021-02-26 19:15:29 CET
Ubuntu has issued an advisory for this on February 15:
https://ubuntu.com/security/notices/USN-4735-1

Severity: normal => major

Comment 3 Nicolas Lécureuil 2021-02-27 18:49:04 CET
src:

   - mageia 7
        - postgresql9.6-9.6.21-1.mga7
        - postgresql11-11.11-1.mga7

   - mageia 8 
        - postgresql11-11.11-1.mga8
        - postgresql13-13.2-1.mga8

Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
CC: (none) => mageia
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 8

Comment 4 David Walser 2021-02-27 23:41:26 CET
RPMS list:
postgresql9.6-9.6.21-1.mga7
libpq5.9-9.6.21-1.mga7
libecpg9.6_6-9.6.21-1.mga7
postgresql9.6-server-9.6.21-1.mga7
postgresql9.6-docs-9.6.21-1.mga7
postgresql9.6-contrib-9.6.21-1.mga7
postgresql9.6-devel-9.6.21-1.mga7
postgresql9.6-pl-9.6.21-1.mga7
postgresql9.6-plpython-9.6.21-1.mga7
postgresql9.6-plperl-9.6.21-1.mga7
postgresql9.6-pltcl-9.6.21-1.mga7
postgresql9.6-plpgsql-9.6.21-1.mga7
postgresql11-11.11-1.mga7
libpq5-11.11-1.mga7
libecpg11_6-11.11-1.mga7
postgresql11-server-11.11-1.mga7
postgresql11-docs-11.11-1.mga7
postgresql11-contrib-11.11-1.mga7
postgresql11-devel-11.11-1.mga7
postgresql11-pl-11.11-1.mga7
postgresql11-plpython-11.11-1.mga7
postgresql11-plpython3-11.11-1.mga7
postgresql11-plperl-11.11-1.mga7
postgresql11-pltcl-11.11-1.mga7
postgresql11-plpgsql-11.11-1.mga7
postgresql11-docs-11.11-1.mga8
postgresql11-11.11-1.mga8
postgresql11-devel-11.11-1.mga8
postgresql11-contrib-11.11-1.mga8
libpq5.11-11.11-1.mga8
postgresql11-plpgsql-11.11-1.mga8
libecpg11_6-11.11-1.mga8
postgresql11-plpython3-11.11-1.mga8
postgresql11-server-11.11-1.mga8
postgresql11-pl-11.11-1.mga8
postgresql11-pltcl-11.11-1.mga8
postgresql11-plperl-11.11-1.mga8
postgresql13-docs-13.2-1.mga8
postgresql13-13.2-1.mga8
postgresql13-devel-13.2-1.mga8
postgresql13-contrib-13.2-1.mga8
postgresql13-server-13.2-1.mga8
libpq5-13.2-1.mga8
libecpg13_6-13.2-1.mga8
postgresql13-plpgsql-13.2-1.mga8
postgresql13-plpython3-13.2-1.mga8
postgresql13-plperl-13.2-1.mga8
postgresql13-pl-13.2-1.mga8
postgresql13-pltcl-13.2-1.mga8
Comment 5 David Walser 2021-03-03 01:16:37 CET
Advisory:
========================

Updated postgresql packages fix security vulnerabilities:

A user having an UPDATE privilege on a partitioned table but lacking the SELECT
privilege on some column may be able to acquire denied-column values from an
error message (CVE-2021-3393).

A user having a SELECT privilege on an individual column can craft a special
query that returns all columns of the table. Additionally, a stored view that
uses column-level privileges will have incomplete column-usage bitmaps. In
installations that depend on column-level permissions for security, it is
recommended to execute CREATE OR REPLACE on all user-defined views to force
them to be re-parsed (CVE-2021-20229).

PostgreSQL 11 was only affected by CVE-2021-3393 and both PostgreSQL 11 and 13
were affected by CVE-2021-20229.  PostgreSQL 9.6 was updated to fix bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3393
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20229
https://www.postgresql.org/about/news/postgresql-132-126-1111-1016-9621-and-9525-released-2165/
Comment 6 Herman Viaene 2021-03-04 16:12:21 CET
MGA7-64 MATE on Peaq C1011
No installation issues for 9.6
# systemctl -l status postgresql
● postgresql.service - PostgreSQL database server
   Loaded: loaded (/usr/lib/systemd/system/postgresql.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

# systemctl -l start postgresql

# systemctl -l status postgresql
● postgresql.service - PostgreSQL database server
   Loaded: loaded (/usr/lib/systemd/system/postgresql.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2021-03-04 16:10:15 CET; 6s ago
  Process: 12435 ExecStartPre=/usr/libexec/postgresql_initdb.sh ${PGDATA} (code=exited, status=0/SUCCESS)
  Process: 12450 ExecStart=/usr/bin/pg_ctl start -D ${PGDATA} -s -o -p ${PGPORT} -w -t 300 (code=exited, status=0/SUCCESS)
 Main PID: 12452 (postgres)
    Tasks: 6 (limit: 2285)
   Memory: 70.0M
   CGroup: /system.slice/postgresql.service
           ├─12452 /usr/bin/postgres -D /var/lib/pgsql/data -p 5432
           ├─12455 postgres: checkpointer process   
           ├─12456 postgres: writer process   
           ├─12457 postgres: wal writer process   
           ├─12458 postgres: autovacuum launcher process   
           └─12459 postgres: stats collector process   

Mar 04 16:10:09 mach7.hviaene.thuis systemd[1]: Starting PostgreSQL database server...
Mar 04 16:10:14 mach7.hviaene.thuis pg_ctl[12450]: LOG:  database system was shut down at 2021-03-04 16:10:13 CET
Mar 04 16:10:14 mach7.hviaene.thuis pg_ctl[12450]: LOG:  MultiXact member wraparound protections are now enabled
Mar 04 16:10:14 mach7.hviaene.thuis pg_ctl[12450]: LOG:  database system is ready to accept connections
Mar 04 16:10:14 mach7.hviaene.thuis pg_ctl[12450]: LOG:  autovacuum launcher started
Mar 04 16:10:15 mach7.hviaene.thuis systemd[1]: Started PostgreSQL database server.
Continuing testing ......

CC: (none) => herman.viaene

Comment 7 Herman Viaene 2021-03-04 16:25:23 CET
Using pgadmin3, I have been able to connect to localhost, create a new database, a
Comment 8 Herman Viaene 2021-03-04 16:28:01 CET
fingertrouble!!!! Continuing
create a new schema, create a new table with fout columns with a PK and an index.
Looks good for this version.
Will try upgrading to version 11
Comment 9 Herman Viaene 2021-03-04 17:40:07 CET
Installed version 11, this bumps out most - or all of the 9.6 packages.
This stops the database, and restarting fails with error
pg_ctl[17013]: /usr/bin/pg_ctl: error while loading shared libraries: libpq.so.5.9: cannot open shared object file: No such file or directory
This file is from a 9.6 package, reinstalling lib64pq5.9 solves the problem.
# systemctl -l start postgresql
# systemctl -l status postgresql
● postgresql.service - PostgreSQL database server
   Loaded: loaded (/usr/lib/systemd/system/postgresql.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2021-03-04 17:10:16 CET; 12s ago
  Process: 17342 ExecStartPre=/usr/libexec/postgresql_initdb.sh ${PGDATA} (code=exited, status=0/SUCCESS)
  Process: 17343 ExecStart=/usr/bin/pg_ctl start -D ${PGDATA} -s -o -p ${PGPORT} -w -t 300 (code=exited, status=0/SUCCESS)
 Main PID: 17346 (postgres)
    Tasks: 6 (limit: 2285)
   Memory: 14.7M
Once there I coiuld open the database created with 9.6, delete the table, schema and database. And create new ones.
This problem could occur on a fresh install of version 11, as removing this package again, does not seem to harm the database manipulation in pgadmin3, but the database cannot be restarted afterwards.
Otherwise the database is OK.
Comment 10 Brian Rockwell 2021-03-08 00:21:35 CET
MGA7 - Vbox

$ uname -a
Linux linux.local 5.10.19-desktop-1.mga7 #1 SMP Fri Feb 26 23:48:09 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux


The following 12 packages are going to be installed:

- lib64ecpg9.6_6-9.6.21-1.mga7.x86_64
- lib64pq5.9-9.6.21-1.mga7.x86_64
- postgresql9.6-9.6.21-1.mga7.x86_64
- postgresql9.6-contrib-9.6.21-1.mga7.x86_64
- postgresql9.6-devel-9.6.21-1.mga7.x86_64
- postgresql9.6-docs-9.6.21-1.mga7.noarch
- postgresql9.6-pl-9.6.21-1.mga7.x86_64
- postgresql9.6-plperl-9.6.21-1.mga7.x86_64
- postgresql9.6-plpgsql-9.6.21-1.mga7.x86_64
- postgresql9.6-plpython-9.6.21-1.mga7.x86_64
- postgresql9.6-pltcl-9.6.21-1.mga7.x86_64
- postgresql9.6-server-9.6.21-1.mga7.x86_64


using command line psql I was able to create user, create database, create table, insert data and select data.


postgres=# create database mydb;
create user test with password 'xx';
postgres=# grant all privileges on database mydb to test;
postgres=# \q

now as user test I can connect to mydb using the command:

$ psql mydb

mydb=> create table if not exists books (
book_name varchar(255),
pages integer);

mydb=> insert into books values ('Delta-V', 355);
mydb=> select * from books;
mydb=> create index bindex on brian (books_name);


to describe the table

mydb=> \d books


update and delete worked as well.

mydb=> \q   to quit



works for me.










Seems to work for me.

CC: (none) => brtians1

Comment 11 Brian Rockwell 2021-03-08 01:51:01 CET
MGA8 64bit gnome

$ uname -a
Linux localhost 5.10.20-desktop-2.mga8 #1 SMP Fri Mar 5 18:23:13 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

The following 15 packages are going to be installed:

- lib64ecpg13_6-13.2-1.mga8.x86_64
- lib64openssl-devel-1.1.1j-1.mga8.x86_64
- lib64pq5-13.2-1.mga8.x86_64
- lib64zlib-devel-1.2.11-9.mga8.x86_64
- multiarch-utils-1.0.14-3.mga8.noarch
- postgresql13-13.2-1.mga8.x86_64
- postgresql13-contrib-13.2-1.mga8.x86_64
- postgresql13-devel-13.2-1.mga8.x86_64
- postgresql13-docs-13.2-1.mga8.noarch
- postgresql13-pl-13.2-1.mga8.x86_64
- postgresql13-plperl-13.2-1.mga8.x86_64
- postgresql13-plpgsql-13.2-1.mga8.x86_64
- postgresql13-plpython3-13.2-1.mga8.x86_64
- postgresql13-pltcl-13.2-1.mga8.x86_64
- postgresql13-server-13.2-1.mga8.x86_64


-- i started services

repeated test system working as best I can tell.

Herman - anything hold this up for approval?
Comment 12 Brian Rockwell 2021-03-10 20:02:48 CET
no additional comments updating MGA8 and MGA7 as Herman and I tested both

Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK MGA7-64-OK

Comment 13 Thomas Andrews 2021-03-11 00:10:24 CET
Validating. Advisory in Comment 5.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 14 Aurelien Oudelet 2021-03-11 22:20:08 CET
Advisory committed to svn.

Keywords: (none) => advisory
CC: (none) => ouaurelien

Comment 15 Mageia Robot 2021-03-12 02:27:28 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0121.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.