Bug 34265 - postgresql new security issue CVE-2025-4207
Summary: postgresql new security issue CVE-2025-4207
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-05-11 09:35 CEST by Nicolas Salguero
Modified: 2025-05-13 21:42 CEST

See Also:
Source RPM: postgresql15, postgresql13
CVE: CVE-2025-4207
Status comment:


Description Nicolas Salguero 2025-05-11 09:35:44 CEST
PostgreSQL has released new versions on May 8:
https://www.postgresql.org/about/news/postgresql-175-169-1513-1418-and-1321-released-3072/
Nicolas Salguero 2025-05-11 09:36:11 CEST

Source RPM: (none) => postgresql17, postgresql15, postgresql13
CVE: (none) => CVE-2025-4207
Whiteboard: (none) => MGA9TOO

Comment 1 Lewis Smith 2025-05-11 21:27:05 CEST
13: var
15: ns80 new version 15.x for CVE-2025-x (mga#x)
17: ns80 new version 17.x for CVE-2025-x (mga#x)
Assigning globally for 13;
for 15 & 17 NicolasS has done version updates for CVEs, so hoping you will do those this time (& see this comment).

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2025-05-12 11:24:12 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

PostgreSQL GB18030 encoding validation can read one byte past end of allocation for text that fails validation. (CVE-2025-4207)

References:
https://www.postgresql.org/about/news/postgresql-175-169-1513-1418-and-1321-released-3072/
========================

Updated packages in core/updates_testing:
========================
lib(64)ecpg15_6-15.13-1.mga9
lib(64)pq5-15.13-1.mga9
postgresql15-15.13-1.mga9
postgresql15-contrib-15.13-1.mga9
postgresql15-devel-15.13-1.mga9
postgresql15-docs-15.13-1.mga9
postgresql15-pl-15.13-1.mga9
postgresql15-plperl-15.13-1.mga9
postgresql15-plpgsql-15.13-1.mga9
postgresql15-plpython3-15.13-1.mga9
postgresql15-pltcl-15.13-1.mga9
postgresql15-server-15.13-1.mga9

lib(64)ecpg13_6-13.21-1.mga9
lib(64)pq5.13-13.21-1.mga9
postgresql13-13.21-1.mga9
postgresql13-contrib-13.21-1.mga9
postgresql13-devel-13.21-1.mga9
postgresql13-docs-13.21-1.mga9
postgresql13-pl-13.21-1.mga9
postgresql13-plperl-13.21-1.mga9
postgresql13-plpgsql-13.21-1.mga9
postgresql13-plpython3-13.21-1.mga9
postgresql13-pltcl-13.21-1.mga9
postgresql13-server-13.21-1.mga9

from SRPMS:
postgresql15-15.13-1.mga9.src.rpm
postgresql13-13.21-1.mga9.src.rpm

Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 9
Source RPM: postgresql17, postgresql15, postgresql13 => postgresql15, postgresql13
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
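
A version check built from the fixed releases named in the announcement linked in the advisory above. This is an added example, not part of the bug report; the function names are hypothetical and the 13.20 sample package is constructed.

```shell
#!/bin/sh
# Added example: compare a PostgreSQL version with the fixed minor release
# of its branch. Function names are hypothetical.

# Fixed minor per major branch, from the announcement URL in the advisory
# (17.5, 16.9, 15.13, 14.18, 13.21).
fixed_minor() {
    case "$1" in
        17) echo 5 ;;
        16) echo 9 ;;
        15) echo 13 ;;
        14) echo 18 ;;
        13) echo 21 ;;
        *) return 1 ;;
    esac
}

# Extract MAJOR.MINOR from a package name-version-release string.
# Two digits before the dot skip the "5.13" in lib64pq5.13-13.21-1.mga9.
pkg_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]{2}\.[0-9]+' | head -n 1
}

# Print patched / needs-update / unknown-branch / unparsed for MAJOR.MINOR.
check_pg_version() {
    case "$1" in
        ''|*[!0-9.]*|*.*.*|.*|*.) echo unparsed; return 2 ;;
        *.*) ;;
        *) echo unparsed; return 2 ;;
    esac
    major=${1%%.*}
    minor=${1#*.}
    need=$(fixed_minor "$major") || { echo unknown-branch; return 2; }
    if [ "$minor" -ge "$need" ]; then
        echo patched
    else
        echo needs-update; return 1
    fi
}

# First two names come from the package list above; the 13.20 build is constructed.
for pkg in postgresql15-server-15.13-1.mga9 lib64pq5.13-13.21-1.mga9 \
           postgresql13-server-13.20-1.mga9; do
    ver=$(pkg_version "$pkg")
    status=$(check_pg_version "$ver") || true
    printf '%-36s %-6s %s\n' "$pkg" "$ver" "$status"
done
```

On an installed system the version string can come from `rpm -q --qf '%{VERSION}\n' postgresql15-server` instead of the package name.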

Comment 3 Herman Viaene 2025-05-12 15:50:32 CEST
MGA9-64  Plasma Wayland on Compaq H000SB
No installation issues for version 13.
First follow bug 33779 Comment 4
# systemctl start postgresql
# systemctl -l status postgresql
● postgresql.service - PostgreSQL database server
     Loaded: loaded (/usr/lib/systemd/system/postgresql.service; disabled; preset: disabled)
     Active: active (running) since Mon 2025-05-12 15:02:47 CEST; 14s ago
    Process: 39404 ExecStartPre=/usr/libexec/postgresql_initdb.sh ${PGDATA} (code=exited, status=0/SUCCESS)
    Process: 39533 ExecStart=/usr/bin/pg_ctl start -D ${PGDATA} -s -o -p ${PGPORT} -w -t 300 (code=exited, status=0/SUCCESS)
   Main PID: 39538 (postgres)
      Tasks: 7 (limit: 8806)
     Memory: 62.6M
        CPU: 3.946s
     CGroup: /system.slice/postgresql.service
             ├─39538 /usr/bin/postgres -D /var/lib/pgsql/data -p 5432
             ├─39575 "postgres: checkpointer "
             ├─39576 "postgres: background writer "
             ├─39577 "postgres: walwriter "
             ├─39578 "postgres: autovacuum launcher "
             ├─39579 "postgres: stats collector "
             └─39580 "postgres: logical replication launcher "

May 12 15:02:40 mach3.hviaene.thuis systemd[1]: Starting postgresql.service...
May 12 15:02:46 mach3.hviaene.thuis pg_ctl[39538]: 2025-05-12 15:02:46.796 CEST [39538] LOG:  starting PostgreSQL 13.21 on x86_64-mageia-linux-gnu, compiled>
May 12 15:02:46 mach3.hviaene.thuis pg_ctl[39538]: 2025-05-12 15:02:46.802 CEST [39538] LOG:  listening on IPv6 address "::1", port 5432
May 12 15:02:46 mach3.hviaene.thuis pg_ctl[39538]: 2025-05-12 15:02:46.802 CEST [39538] LOG:  listening on IPv4 address "127.0.0.1", port 5432
May 12 15:02:46 mach3.hviaene.thuis pg_ctl[39538]: 2025-05-12 15:02:46.840 CEST [39538] LOG:  listening on Unix socket "/tmp/.s.PGSQL.5432"
May 12 15:02:46 mach3.hviaene.thuis pg_ctl[39569]: 2025-05-12 15:02:46.919 CEST [39569] LOG:  database system was shut down at 2025-05-12 15:02:45 CEST
May 12 15:02:46 mach3.hviaene.thuis pg_ctl[39538]: 2025-05-12 15:02:46.990 CEST [39538] LOG:  database system is ready to accept connections
May 12 15:02:47 mach3.hviaene.thuis systemd[1]: Started postgresql.service.
# systemctl enable postgresql
Created symlink /etc/systemd/system/multi-user.target.wants/postgresql.service → /usr/lib/systemd/system/postgresql.service.
# systemctl restart postgresql
# systemctl -l status postgresql
● postgresql.service - PostgreSQL database server
     Loaded: loaded (/usr/lib/systemd/system/postgresql.service; enabled; preset: disabled)
     Active: active (running) since Mon 2025-05-12 15:03:58 CEST; 8s ago
    Process: 47969 ExecStartPre=/usr/libexec/postgresql_initdb.sh ${PGDATA} (code=exited, status=0/SUCCESS)
    Process: 47978 ExecStart=/usr/bin/pg_ctl start -D ${PGDATA} -s -o -p ${PGPORT} -w -t 300 (code=exited, status=0/SUCCESS)
   Main PID: 47984 (postgres)
      Tasks: 7 (limit: 8806)
     Memory: 15.0M
        CPU: 177ms
     CGroup: /system.slice/postgresql.service
             ├─47984 /usr/bin/postgres -D /var/lib/pgsql/data -p 5432
             ├─48022 "postgres: checkpointer "
             ├─48023 "postgres: background writer "
             ├─48024 "postgres: walwriter "
             ├─48026 "postgres: autovacuum launcher "
             ├─48027 "postgres: stats collector "
             └─48028 "postgres: logical replication launcher "

May 12 15:03:58 mach3.hviaene.thuis systemd[1]: Starting postgresql.service...
May 12 15:03:58 mach3.hviaene.thuis pg_ctl[47984]: 2025-05-12 15:03:58.548 CEST [47984] LOG:  starting PostgreSQL 13.21 on x86_64-mageia-linux-gnu, compiled>
May 12 15:03:58 mach3.hviaene.thuis pg_ctl[47984]: 2025-05-12 15:03:58.550 CEST [47984] LOG:  listening on IPv6 address "::1", port 5432
May 12 15:03:58 mach3.hviaene.thuis pg_ctl[47984]: 2025-05-12 15:03:58.550 CEST [47984] LOG:  listening on IPv4 address "127.0.0.1", port 5432
May 12 15:03:58 mach3.hviaene.thuis pg_ctl[47984]: 2025-05-12 15:03:58.593 CEST [47984] LOG:  listening on Unix socket "/tmp/.s.PGSQL.5432"
May 12 15:03:58 mach3.hviaene.thuis pg_ctl[48017]: 2025-05-12 15:03:58.696 CEST [48017] LOG:  database system was shut down at 2025-05-12 15:03:58 CEST
May 12 15:03:58 mach3.hviaene.thuis pg_ctl[47984]: 2025-05-12 15:03:58.763 CEST [47984] LOG:  database system is ready to accept connections
May 12 15:03:58 mach3.hviaene.thuis systemd[1]: Started postgresql.service.
Then as normal user:
$ psql -U postgres
psql (13.21)
Type "help" for help.

postgres=# create database mageia;
CREATE DATABASE
postgres=# \c mageia;
You are now connected to database "mageia" as user "postgres".
mageia=# create table mag_versions (name varchar(12), cr_date date);
CREATE TABLE
mageia=# create index magidx on mag_versions(name);
CREATE INDEX
mageia=# insert into mag_versions values ('9', '26-Aug-2023');
INSERT 0 1
mageia=# insert into mag_versions values ('8', '2-Feb-2021');
INSERT 0 1
mageia=# select * from mag_versions;
 name |  cr_date   
------+------------
 9    | 2023-08-26
 8    | 2021-02-02
(2 rows)

mageia=# insert into mag_versions values ('10', '25-Mar-2026');
INSERT 0 1
mageia=# select * from mag_versions;
 name |  cr_date   
------+------------
 9    | 2023-08-26
 8    | 2021-02-02
 10   | 2026-03-25
(3 rows)

mageia=# delete from mag_versions where name = '10';
DELETE 1
mageia=# select * from mag_versions;
 name |  cr_date   
------+------------
 9    | 2023-08-26
 8    | 2021-02-02
(2 rows)

Seems OK, now deleting all to test version 15

CC: (none) => herman.viaene

Comment 4 Herman Viaene 2025-05-12 16:18:45 CEST
Installed version 15 without issues.
I wanted to use phpPgAdmin to rummage in the database, but hit two snags:
1. Installing phpPgAdmin from MCC would draw in a bunch of php84 from backports, I don't like that. urpmi just draws in 2 packages from the current php-82.
2. No joy with phpPgAdmin: I get "Version of PostgreSQL not supported. Please upgrade to version or later." So back to the CLI.
I will not repeat all this again since they are the same as above.
As per bug 33779, this seems good enough to go.

Whiteboard: (none) => MGA9-64-OK

katnatek 2025-05-12 21:22:42 CEST

Keywords: (none) => advisory

Comment 5 Thomas Andrews 2025-05-13 15:51:54 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Mageia Robot 2025-05-13 21:42:43 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0155.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
