Bug 34608 - postgresql new security issues CVE-2025-871[3-5]
Summary: postgresql new security issues CVE-2025-871[3-5]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-09-03 15:21 CEST by Nicolas Salguero
Modified: 2025-09-08 21:36 CEST (History)
3 users (show)

See Also:
Source RPM: postgresql15, postgresql13
CVE: CVE-2025-8713, CVE-2025-8714, CVE-2025-8715
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2025-09-03 15:21:26 CEST 
PostgreSQL has released new versions on August 14:
https://www.postgresql.org/about/news/postgresql-176-1610-1514-1419-1322-and-18-beta-3-released-3118/
Comment 1 Nicolas Salguero 2025-09-03 15:42:31 CEST 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

PostgreSQL optimizer statistics can expose sampled data within a view, partition, or child table. (CVE-2025-8713)

PostgreSQL pg_dump lets superuser of origin server execute arbitrary code in psql client. (CVE-2025-8714)

PostgreSQL pg_dump newline in object name executes arbitrary code in psql client and in restore target server. (CVE-2025-8715)

References:
https://www.postgresql.org/about/news/postgresql-176-1610-1514-1419-1322-and-18-beta-3-released-3118/
========================

Updated packages in core/updates_testing:
========================
lib(64)ecpg15_6-15.14-1.mga9
lib(64)pq5-15.14-1.mga9
postgresql15-15.14-1.mga9
postgresql15-contrib-15.14-1.mga9
postgresql15-devel-15.14-1.mga9
postgresql15-docs-15.14-1.mga9
postgresql15-pl-15.14-1.mga9
postgresql15-plperl-15.14-1.mga9
postgresql15-plpgsql-15.14-1.mga9
postgresql15-plpython3-15.14-1.mga9
postgresql15-pltcl-15.14-1.mga9
postgresql15-server-15.14-1.mga9

lib(64)ecpg13_6-13.22-1.mga9
lib(64)pq5.13-13.22-1.mga9
postgresql13-13.22-1.mga9
postgresql13-contrib-13.22-1.mga9
postgresql13-devel-13.22-1.mga9
postgresql13-docs-13.22-1.mga9
postgresql13-pl-13.22-1.mga9
postgresql13-plperl-13.22-1.mga9
postgresql13-plpgsql-13.22-1.mga9
postgresql13-plpython3-13.22-1.mga9
postgresql13-pltcl-13.22-1.mga9
postgresql13-server-13.22-1.mga9

from SRPMS:
postgresql15-15.14-1.mga9.src.rpm
postgresql13-13.22-1.mga9.src.rpm

CVE: (none) => CVE-2025-8713, CVE-2025-8714, CVE-2025-8715
Status: NEW => ASSIGNED
Source RPM: (none) => postgresql15, postgresql13
Assignee: bugsquad => qa-bugs

Comment 2 Herman Viaene 2025-09-04 17:10:06 CEST 
MGA9-64 server Plasma Wayland on Compaq H000SB
First install version 15
# systemctl start httpd
# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; preset: disabled)
     Active: active (running) since Thu 2025-09-04 16:15:24 CEST; 10s ago
   Main PID: 33892 (/usr/sbin/httpd)
     Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec:   0 B/sec"
      Tasks: 6 (limit: 8805)
     Memory: 10.2M
        CPU: 447ms
     CGroup: /system.slice/httpd.service
             ├─33892 /usr/sbin/httpd -DFOREGROUND
             ├─33894 /usr/sbin/httpd -DFOREGROUND
             ├─33895 /usr/sbin/httpd -DFOREGROUND
             ├─33896 /usr/sbin/httpd -DFOREGROUND
             ├─33897 /usr/sbin/httpd -DFOREGROUND
             └─33898 /usr/sbin/httpd -DFOREGROUND

Sep 04 16:15:23 mach3.hviaene.thuis systemd[1]: Starting httpd.service...
Sep 04 16:15:24 mach3.hviaene.thuis systemd[1]: Started httpd.service.
# systemctl start postgresql
# systemctl -l status postgresql
● postgresql.service - PostgreSQL database server
     Loaded: loaded (/usr/lib/systemd/system/postgresql.service; disabled; preset: disabled)
     Active: active (running) since Thu 2025-09-04 16:32:19 CEST; 14s ago
    Process: 48602 ExecStartPre=/usr/libexec/postgresql_initdb.sh ${PGDATA} (code=exited, status=0/SUCCESS)
    Process: 48740 ExecStart=/usr/bin/pg_ctl start -D ${PGDATA} -s -o -p ${PGPORT} -w -t 300 (code=exited, status=0/SUCCESS)
   Main PID: 48746 (postgres)
      Tasks: 6 (limit: 8805)
     Memory: 60.0M
        CPU: 4.516s
     CGroup: /system.slice/postgresql.service
             ├─48746 /usr/bin/postgres -D /var/lib/pgsql/data -p 5432
             ├─48767 "postgres: checkpointer "
             ├─48768 "postgres: background writer "
             ├─48776 "postgres: walwriter "
             ├─48777 "postgres: autovacuum launcher "
             └─48778 "postgres: logical replication launcher "

Sep 04 16:32:12 mach3.hviaene.thuis systemd[1]: Starting postgresql.service...
Sep 04 16:32:19 mach3.hviaene.thuis pg_ctl[48746]: 2025-09-04 16:32:19.085 CEST [48746] LOG:  starting PostgreSQL 15.14 on x86_64-mageia-linux-gnu, >
Sep 04 16:32:19 mach3.hviaene.thuis pg_ctl[48746]: 2025-09-04 16:32:19.089 CEST [48746] LOG:  listening on IPv6 address "::1", port 5432
Sep 04 16:32:19 mach3.hviaene.thuis pg_ctl[48746]: 2025-09-04 16:32:19.090 CEST [48746] LOG:  listening on IPv4 address "127.0.0.1", port 5432
Sep 04 16:32:19 mach3.hviaene.thuis pg_ctl[48746]: 2025-09-04 16:32:19.127 CEST [48746] LOG:  listening on Unix socket "/tmp/.s.PGSQL.5432"
Sep 04 16:32:19 mach3.hviaene.thuis pg_ctl[48769]: 2025-09-04 16:32:19.215 CEST [48769] LOG:  database system was shut down at 2025-09-04 16:32:17 C>
Sep 04 16:32:19 mach3.hviaene.thuis pg_ctl[48746]: 2025-09-04 16:32:19.290 CEST [48746] LOG:  database system is ready to accept connections
Sep 04 16:32:19 mach3.hviaene.thuis systemd[1]: Started postgresql.service.
[root@mach3 ~]# systemctl enable postgresql
Created symlink /etc/systemd/system/multi-user.target.wants/postgresql.service → /usr/lib/systemd/system/postgresql.service.
# systemctl restart postgresql
# systemctl -l status postgresql
● postgresql.service - PostgreSQL database server
     Loaded: loaded (/usr/lib/systemd/system/postgresql.service; enabled; preset: disabled)
     Active: active (running) since Thu 2025-09-04 16:33:33 CEST; 8s ago
    Process: 55988 ExecStartPre=/usr/libexec/postgresql_initdb.sh ${PGDATA} (code=exited, status=0/SUCCESS)
    Process: 55992 ExecStart=/usr/bin/pg_ctl start -D ${PGDATA} -s -o -p ${PGPORT} -w -t 300 (code=exited, status=0/SUCCESS)
   Main PID: 55998 (postgres)
      Tasks: 6 (limit: 8805)
     Memory: 15.8M
        CPU: 216ms
     CGroup: /system.slice/postgresql.service
             ├─55998 /usr/bin/postgres -D /var/lib/pgsql/data -p 5432
             ├─56026 "postgres: checkpointer "
             ├─56027 "postgres: background writer "
             ├─56036 "postgres: walwriter "
             ├─56037 "postgres: autovacuum launcher "
             └─56038 "postgres: logical replication launcher "

Sep 04 16:33:33 mach3.hviaene.thuis systemd[1]: Starting postgresql.service...
Sep 04 16:33:33 mach3.hviaene.thuis pg_ctl[55998]: 2025-09-04 16:33:33.302 CEST [55998] LOG:  starting PostgreSQL 15.14 on x86_64-mageia-linux-gnu, >
Sep 04 16:33:33 mach3.hviaene.thuis pg_ctl[55998]: 2025-09-04 16:33:33.307 CEST [55998] LOG:  listening on IPv6 address "::1", port 5432
Sep 04 16:33:33 mach3.hviaene.thuis pg_ctl[55998]: 2025-09-04 16:33:33.308 CEST [55998] LOG:  listening on IPv4 address "127.0.0.1", port 5432
Sep 04 16:33:33 mach3.hviaene.thuis pg_ctl[55998]: 2025-09-04 16:33:33.347 CEST [55998] LOG:  listening on Unix socket "/tmp/.s.PGSQL.5432"
Sep 04 16:33:33 mach3.hviaene.thuis pg_ctl[56028]: 2025-09-04 16:33:33.468 CEST [56028] LOG:  database system was shut down at 2025-09-04 16:33:32 C>
Sep 04 16:33:33 mach3.hviaene.thuis pg_ctl[55998]: 2025-09-04 16:33:33.552 CEST [55998] LOG:  database system is ready to accept connections
Sep 04 16:33:33 mach3.hviaene.thuis systemd[1]: Started postgresql.service.

Then as normal user:
$ psql -U postgres
psql (15.14)
Type "help" for help.

postgres=# create database mageia;
CREATE DATABASE
postgres=# \c mageia;
You are now connected to database "mageia" as user "postgres".
mageia=# create table mag_versions (name varchar(12), cr_date date);
CREATE TABLE
mageia=# create index magidx on mag_versions(name);
CREATE INDEX
mageia=# insert into mag_versions values ('9', '26-Aug-2023');
INSERT 0 1
mageia=# insert into mag_versions values ('8', '2-Feb-2021');
INSERT 0 1
mageia=# select * from mag_versions;
 name |  cr_date   
------+------------
 9    | 2023-08-26
 8    | 2021-02-02
(2 rows)

mageia=# insert into mag_versions values ('10', '25-Mar-2026');
INSERT 0 1
mageia=# select * from mag_versions;
 name |  cr_date   
------+------------
 9    | 2023-08-26
 8    | 2021-02-02
 10   | 2026-03-25
(3 rows)

mageia=# delete from mag_versions where name = '10';
DELETE 1
mageia=# select * from mag_versions;
 name |  cr_date   
------+------------
 9    | 2023-08-26
 8    | 2021-02-02
(2 rows)

mageia=# quit

Deleted all packages and /var/lib/pgsql, installed version 13 and repeated the same commands as above with same correct results.
Good to go.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK

Comment 3 Thomas Andrews 2025-09-06 02:47:22 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

katnatek 2025-09-06 04:36:25 CEST

Keywords: (none) => advisory

Comment 4 Mageia Robot 2025-09-08 21:36:40 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0230.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.