Bug 7121 - postgresql new security issues CVE-2012-3488 and CVE-2012-3489
: postgresql new security issues CVE-2012-3488 and CVE-2012-3489
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: All Linux
: Normal Severity: major
: ---
Assigned To: QA Team
:
: http://www.postgresql.org/about/news/...
: MGA1TOO has_procedure mga2-64-OK MGA1...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-08-20 15:33 CEST by David Walser
Modified: 2012-08-26 23:57 CEST (History)
6 users (show)

See Also:
Source RPM: postgresql
CVE:


Attachments
example webmin configuration for postgresql module (49.67 KB, image/png)
2012-08-23 16:30 CEST, claire robinson
Details

Description David Walser 2012-08-20 15:33:24 CEST
Mandriva has issued an advisory on August 19:
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:139

This has already been fixed in Cauldron.
Comment 1 Olivier Thauvin 2012-08-21 09:40:02 CEST
I just submit latest version of postgresql in update_testing for both mga 1 and 2.

Suggested advisory:
========================
Latest version of postgresql, including fixes for CVE-2012-3488 and CVE-2012-3489

The Postgresql team provide a new version of postgresql server fixing various bugs and multiple vulnaribilty.

Prevent access to external files/URLs via contrib/xml2's xslt_process()
(Peter Eisentraut). libxslt offers the ability to read and write both
files and URLs through stylesheet commands, thus allowing unprivileged
database users to both read and write data with the privileges of the
database server. Disable that through proper use of libxslt's security
options (CVE-2012-3488). Also, remove xslt_process()'s ability to
fetch documents and stylesheets from external files/URLs. While this
was a documented feature, it was long regarded as a bad idea. The
fix for CVE-2012-3489 broke that capability, and rather than expend
effort on trying to fix it, we're just going to summarily remove it.

Prevent access to external files/URLs via XML entity references (Noah
Misch, Tom Lane). xml_parse() would attempt to fetch external files or
URLs as needed to resolve DTD and entity references in an XML value,
thus allowing unprivileged database users to attempt to fetch data
with the privileges of the database server. While the external data
wouldn't get returned directly to the user, portions of it could
be exposed in error messages if the data didn't parse as valid XML;
and in any case the mere ability to check existence of a file might
be useful to an attacker (CVE-2012-3489).

Provided version are:
for postgresql8.4: 8.4.13
for postgresql9.0: 9.0.9
for postgresql9.1: 9.1.5 (mga 2 only)

==========
Comment 3 Samuel Verschelde 2012-08-21 20:44:39 CEST
On Mageia 1 i586, postgresql9.0 works fine.
Comment 4 Samuel Verschelde 2012-08-22 23:24:30 CEST
Does postgresql come with a test suite that we could execute? And is there a test suite executed during build?
Comment 5 Olivier Thauvin 2012-08-22 23:29:08 CEST
I am not sure there is tests embeded with the software itself.

But there is some always executed succefully during rpm build.

By experience, I never saw an upstream postgresql update breaking something.
Comment 6 claire robinson 2012-08-23 15:41:26 CEST
Simple procedure here once webmin has been configured properly

https://bugs.mageia.org/show_bug.cgi?id=6334#c2
Comment 7 claire robinson 2012-08-23 15:46:22 CEST
No public PoC's that I can see so just testing functionality.
Comment 8 claire robinson 2012-08-23 16:02:17 CEST
Testing Mageia 2 x86_64
Comment 9 claire robinson 2012-08-23 16:28:40 CEST
Listing rpms for reference..

$ ./srpm postgresql9.1 "Core Updates Testing"
Media: Core Updates Testing
SRPM: postgresql9.1-9.1.5-1.mga2.src.rpm
----------------------------------------
lib64ecpg9.1_6
lib64pq9.1_5
postgresql9.1-contrib
postgresql9.1-devel
postgresql9.1-docs
postgresql9.1-plperl
postgresql9.1-plpgsql
postgresql9.1-pl
postgresql9.1-plpython
postgresql9.1-pltcl
postgresql9.1
postgresql9.1-server

$ ./srpm postgresql9.0 "Core Updates Testing"
Media: Core Updates Testing
SRPM: postgresql9.0-9.0.9-1.mga2.src.rpm
----------------------------------------
lib64ecpg9.0_6
lib64pq9.0_5
postgresql9.0-contrib
postgresql9.0-devel
postgresql9.0-docs
postgresql9.0-plperl
postgresql9.0-plpgsql
postgresql9.0-pl
postgresql9.0-plpython
postgresql9.0-pltcl
postgresql9.0
postgresql9.0-server

$ ./srpm postgresql8.4 "Core Updates Testing"
Media: Core Updates Testing
SRPM: postgresql8.4-8.4.12-1.mga2.src.rpm
-----------------------------------------
lib64ecpg8.4_6
lib64pq8.4_5
postgresql8.4-contrib
postgresql8.4-devel
postgresql8.4-docs
postgresql8.4-plperl
postgresql8.4-plpgsql
postgresql8.4-pl
postgresql8.4-plpython
postgresql8.4-pltcl
postgresql8.4
postgresql8.4-server
Comment 10 claire robinson 2012-08-23 16:30:37 CEST
Created attachment 2667 [details]
example webmin configuration for postgresql module
Comment 11 claire robinson 2012-08-23 16:59:26 CEST
It appears the version of postgresql8.4 in mga2 testing is the same as that in updates.

Olivier could you check please.

Thanks.
Comment 12 Olivier Thauvin 2012-08-23 17:11:32 CEST
Indeed, dunno what happend but I made a msitake for sure.

8.4.13 is submitted.
Comment 13 claire robinson 2012-08-23 17:13:58 CEST
Thankyou :)

Testing complete mga2 x86_64 for postgresql9.1 and postgresql9.0 in the meantime.
Comment 14 claire robinson 2012-08-23 18:19:29 CEST
Tested postgresql8.4 now too so testing complete mga2 x86_64

Tested using webmin.
Start the webmin service and log in at https://localhost:10000
Edit the postgresql module configuration as required
Allow it to start the postgresql server

Create a new database and click on it to enter it.
Click Execute SQL
Select the Run SQL from file tab
Select the world.sql file from bug 6334 and click OK
View the data in the tables it creates

To install a different postgresql version..

eg. 8.4 to 9.1

# urpme -a postgresql8.4 postgresql8.4-server
removing postgresql8.4-8.4.13-1.mga2.x86_64 postgresql8.4-server-8.4.13-1.mga2.x86_64
postgresql.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig postgresql off
removing package postgresql8.4-server-8.4.13-1.mga2.x86_64
removing package postgresql8.4-8.4.13-1.mga2.x86_64

# rm -rf /var/lib/pgsql

# urpmi postgresql9.1 postgresql9.1-server lib64pq9.1_5
The following package has to be removed for others to be upgraded:
lib64pq8.4_5-8.4.13-1.mga2.x86_64
 (due to conflicts with lib64pq9.1_5-9.1.5-1.mga2.x86_64) (y/N) y
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Updates Testing")
  lib64pq9.1_5                   9.1.5        1.mga2        x86_64  
  postgresql9.1                  9.1.5        1.mga2        x86_64  
  postgresql9.1-plpgsql          9.1.5        1.mga2        x86_64  
  postgresql9.1-server           9.1.5        1.mga2        x86_64  
22MB of additional disk space will be used.
4.4MB of packages will be retrieved.
Proceed with the installation of the 4 packages? (Y/n) y
Comment 15 Eduard Beliaev 2012-08-24 21:28:30 CEST
Postgresql 9.1.5 works ok on Mageia 2 x86_64.

Tested with webmin.
Comment 16 Eduard Beliaev 2012-08-26 02:19:51 CEST
I will test now all the 3 versions on Mageia 2 x86/i568 with webmin.
Comment 17 Dave Hodgins 2012-08-26 04:24:17 CEST
Testing Mageia 1 i586 and x86-64
Comment 18 Dave Hodgins 2012-08-26 04:51:56 CEST
Testing complete on Mageia 1 i586 for the srpms
postgresql8.4-8.4.13-1.mga1.src.rpm
postgresql9.0-9.0.9-1.mga1.src.rpm

Just to clarify, the procedure used, was to configure webmin
as per attachment 2667 [details], then, with postgresql and webmin running,
use webmin to create the World database, select the World database,
and run the sql from a file, from
http://pgfoundry.org/frs/download.php/527/world-1.0.tar.gz
to create and load the tables, then use webmin to view the data
in the tables.

Testing Mageia 1 x86-64 shortly.
Comment 19 Dave Hodgins 2012-08-26 05:18:49 CEST
Testing complete on Mageia 1 x86-64.
Comment 20 Eduard Beliaev 2012-08-26 17:12:14 CEST
Just finished testing. All the versions work ok on Mageia 2 x86/i568. I created tables, DB, deleted them, etc..

Versions tested:
postgresql8.4-8.4.13-1.mga2.src.rpm and .12 by mistake.
postgresql9.0-9.0.9-1.mga2.src.rpm
postgresql9.1-9.1.5-1.mga2.src.rpm
Comment 21 claire robinson 2012-08-26 18:48:08 CEST
Thanks Eduard. Validating.


Suggested advisory:
========================
Latest version of postgresql, including fixes for CVE-2012-3488 and
CVE-2012-3489

The Postgresql team provide a new version of postgresql server fixing various
bugs and multiple vulnaribilty.

Prevent access to external files/URLs via contrib/xml2's xslt_process()
(Peter Eisentraut). libxslt offers the ability to read and write both
files and URLs through stylesheet commands, thus allowing unprivileged
database users to both read and write data with the privileges of the
database server. Disable that through proper use of libxslt's security
options (CVE-2012-3488). Also, remove xslt_process()'s ability to
fetch documents and stylesheets from external files/URLs. While this
was a documented feature, it was long regarded as a bad idea. The
fix for CVE-2012-3489 broke that capability, and rather than expend
effort on trying to fix it, we're just going to summarily remove it.

Prevent access to external files/URLs via XML entity references (Noah
Misch, Tom Lane). xml_parse() would attempt to fetch external files or
URLs as needed to resolve DTD and entity references in an XML value,
thus allowing unprivileged database users to attempt to fetch data
with the privileges of the database server. While the external data
wouldn't get returned directly to the user, portions of it could
be exposed in error messages if the data didn't parse as valid XML;
and in any case the mere ability to check existence of a file might
be useful to an attacker (CVE-2012-3489).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3488
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3489
http://www.postgresql.org/docs/8.4/static/release-8-4-13.html
http://www.postgresql.org/docs/9.0/static/release-9-0-9.html
http://www.postgresql.org/docs/9.1/static/release-9-1-5.html
http://www.postgresql.org/about/news/1407/
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:139
==============================

SRPMS:
postgresql8.4-8.4.13-1.mga1
postgresql9.0-9.0.9-1.mga1
postgresql8.4-8.4.13-1.mga2
postgresql9.0-9.0.9-1.mga2
postgresql9.1-9.1.5-1.mga2

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 22 Thomas Backlund 2012-08-26 23:57:49 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0242

Note You need to log in before you can comment on or make changes to this bug.