Bug 33503 - postgresql new security issue CVE-2024-7348
Summary: postgresql new security issue CVE-2024-7348
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 9
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK MGA9-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-09-02 10:52 CEST by Nicolas Salguero
Modified: 2024-09-16 19:45 CEST (History)
5 users (show)

See Also:
Source RPM: postgresql15, postgresql13
CVE: CVE-2024-7348
Status comment:


Attachments

Description Nicolas Salguero 2024-09-02 10:52:19 CEST
PostgreSQL has released new versions on August 8:
https://www.postgresql.org/about/news/postgresql-164-158-1413-1316-1220-and-17-beta-3-released-2910/

The issues is fixed upstream in 13.16 and 15.8.

For Cauldron, we should switch to postgresql17 and postgresql15 in place of postgresql15 and postgresql13.

Mageia 9 is also affected.
Nicolas Salguero 2024-09-02 10:53:09 CEST

Source RPM: (none) => postgresql15, postgresql13
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-7348

Comment 1 Marja Van Waes 2024-09-04 08:54:15 CEST
Assigning to yourself, since you're the registered maintainer of postgresql15.

CC'ing the registered maintainer of postgresql13

Assignee: bugsquad => nicolas.salguero
CC: (none) => joequant, marja11

Comment 2 Nicolas Salguero 2024-09-09 11:38:34 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. (CVE-2024-7348)

References:
https://www.postgresql.org/about/news/postgresql-164-158-1413-1316-1220-and-17-beta-3-released-2910/
https://www.postgresql.org/support/security/CVE-2024-7348/
========================

Updated packages in core/updates_testing:
========================
lib(64)ecpg15_6-15.8-1.mga9
lib(64)pq5-15.8-1.mga9
postgresql15-15.8-1.mga9
postgresql15-contrib-15.8-1.mga9
postgresql15-devel-15.8-1.mga9
postgresql15-docs-15.8-1.mga9
postgresql15-pl-15.8-1.mga9
postgresql15-plperl-15.8-1.mga9
postgresql15-plpgsql-15.8-1.mga9
postgresql15-plpython3-15.8-1.mga9
postgresql15-pltcl-15.8-1.mga9
postgresql15-server-15.8-1.mga9

lib(64)ecpg13_6-13.16-1.mga9
lib(64)pq5.13-13.16-1.mga9
postgresql13-13.16-1.mga9
postgresql13-contrib-13.16-1.mga9
postgresql13-devel-13.16-1.mga9
postgresql13-docs-13.16-1.mga9
postgresql13-pl-13.16-1.mga9
postgresql13-plperl-13.16-1.mga9
postgresql13-plpgsql-13.16-1.mga9
postgresql13-plpython3-13.16-1.mga9
postgresql13-pltcl-13.16-1.mga9
postgresql13-server-13.16-1.mga9

from SRPMS:
postgresql15-15.8-1.mga9.src.rpm
postgresql13-13.16-1.mga9.src.rpm

Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)
Assignee: nicolas.salguero => qa-bugs
Version: Cauldron => 9

katnatek 2024-09-09 19:04:54 CEST

Keywords: (none) => advisory

Comment 3 Brian Rockwell 2024-09-15 23:17:59 CEST
MGA9-64, Xfce

The following 5 packages are going to be installed:

- lib64pq5-15.8-1.mga9.x86_64
- postgresql15-15.8-1.mga9.x86_64
- postgresql15-docs-15.8-1.mga9.noarch
- postgresql15-plpgsql-15.8-1.mga9.x86_64
- postgresql15-server-15.8-1.mga9.x86_64

71MB of additional disk space will be used.


-- started postgresql service

su'd to postgres ID

$ psql
psql (15.8)
Type "help" for help.

postgres=# create database mageia;
CREATE DATABASE
postgres=# \c mageia
You are now connected to database "mageia" as user "postgres".
mageia=# create table mag_versions (name varchar(12), cr_date date);
CREATE TABLE

mageia=# insert into mag_versions values ('9', '26-Aug-2023');
INSERT 0 1
mageia=# insert into mag_versions values ('8', '2-Feb-2021');
INSERT 0 1
mageia=# select * from mag_versions;
 name |  cr_date   
------+------------
 9    | 2023-08-26
 8    | 2021-02-02
(2 rows)

mageia=# create index magidx on mag_versions(name);
CREATE INDEX
mageia=# insert into mag_versions values ('7', '2-Mar-2019');
INSERT 0 1
mageia=# select * from mag_versions;
 name |  cr_date   
------+------------
 9    | 2023-08-26
 8    | 2021-02-02
 7    | 2019-03-02
(3 rows)

mageia=# 

\q


minor testing, but working as expected.

CC: (none) => brtians1

Comment 4 Brian Rockwell 2024-09-15 23:42:18 CEST
MGA9-64

The following 10 packages are going to be installed:

- lib64pq5.13-13.16-1.mga9.x86_64
- postgresql13-13.16-1.mga9.x86_64
- postgresql13-contrib-13.16-1.mga9.x86_64
- postgresql13-docs-13.16-1.mga9.noarch
- postgresql13-pl-13.16-1.mga9.x86_64
- postgresql13-plperl-13.16-1.mga9.x86_64
- postgresql13-plpgsql-13.16-1.mga9.x86_64
- postgresql13-plpython3-13.16-1.mga9.x86_64
- postgresql13-pltcl-13.16-1.mga9.x86_64
- postgresql13-server-13.16-1.mga9.x86_64

68MB of additional disk space will be used.

-- rebooted and started services

$ psql
psql (13.16)
Type "help" for help.

postgres=# create database mageia;
CREATE DATABASE
postgres=# \c mageia
You are now connected to database "mageia" as user "postgres".
mageia=# create table mag_versions (name varchar(12), cr_date date);
CREATE TABLE
mageia=# create index magidx on mag_versions(name);
CREATE INDEX
mageia=# insert into mag_versions values ('9', '26-Aug-2023');
INSERT 0 1
mageia=# insert into mag_versions values ('Mageia 8', '2-Sep-2021');
INSERT 0 1
mageia=# insert into mag_versions values ('Mageia 2029', '2-Sep-2029');
INSERT 0 1
mageia=# 

mageia=# select * from mag_versions;
    name     |  cr_date   
-------------+------------
 9           | 2023-08-26
 Mageia 8    | 2021-09-02
 Mageia 2029 | 2029-09-02
(3 rows)

working as expected.
Brian Rockwell 2024-09-15 23:42:40 CEST

Whiteboard: (none) => MGA9-64-OK

Comment 5 Brian Rockwell 2024-09-16 00:11:20 CEST
MGA9-32

The following 5 packages are going to be installed:

- libpq5-15.8-1.mga9.i586
- postgresql15-15.8-1.mga9.i586
- postgresql15-contrib-15.8-1.mga9.i586
- postgresql15-plpgsql-15.8-1.mga9.i586
- postgresql15-server-15.8-1.mga9.i586

59MB of additional disk space will be used.


- repeated the same tests - it worked.
Comment 6 Brian Rockwell 2024-09-16 00:24:21 CEST
MGA9-32

The following 6 packages are going to be installed:

- libpq5.13-13.16-1.mga9.i586
- postgresql13-13.16-1.mga9.i586
- postgresql13-contrib-13.16-1.mga9.i586
- postgresql13-plpgsql-13.16-1.mga9.i586
- postgresql13-pltcl-13.16-1.mga9.i586
- postgresql13-server-13.16-1.mga9.i586

54MB of additional disk space will be used.

-- started services

$ psql
could not change directory to "/home/brian": Permission denied
psql (13.16)
Type "help" for help.

postgres=# 


and the rest of steps.  Working for me

Whiteboard: MGA9-64-OK => MGA9-64-OK MGA9-32-OK

katnatek 2024-09-16 00:40:51 CEST

CC: (none) => andrewsfarm

Comment 7 Thomas Andrews 2024-09-16 02:19:44 CEST
Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 8 Mageia Robot 2024-09-16 19:45:35 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0301.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.