SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Database)  >   PostgreSQL Vendors:   postgresql.org
PostgreSQL Bugs Let Remote Authenticated Users Deny Service and Obtain Elevated Privileges
SecurityTracker Alert ID:  1019157
SecurityTracker URL:  http://securitytracker.com/id/1019157
CVE Reference:   CVE-2007-3278, CVE-2007-4769, CVE-2007-4772, CVE-2007-6067, CVE-2007-6600, CVE-2007-6601   (Links to External Site)
Updated:  Oct 7 2009
Original Entry Date:  Jan 7 2008
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 7.3.21, 7.4.19, 8.0.15, 8.1.11, and 8.2.6
Description:   Several vulnerabilities were reported in PostgreSQL. A remote authenticated user can gain elevated privileges on the target database. A remote authenticated user can cause denial of service conditions.

A remote authenticated user can invoke certain index functions to gain elevated privileges [CVE-2007-6600]. The VACUUM and ANALYZE functions can be executed with superuser privileges. The SET ROLE and SET SESSION AUTHORIZATION functions can be accessed within index functions.

A remote authenticated user can submit SQL queries containing specially crafted regular expressions to cause the database to enter an infinite loop, consume excessive memory, or crash [CVE-2007-4772, CVE-2007-6067, CVE-2007-4769].

A remote authenticated user can invoke DBLink functions (combined with local trust or ident authentication) to gain superuser privileges [CVE-2007-3278, CVE-2007-6601].
Impact:   A remote authenticated user can gain elevated privileges on the target database.

A remote authenticated user can cause denial of service conditions on the target system.
Solution:   The vendor has issued fixes (7.3.21, 7.4.19, 8.0.15, 8.1.11, and 8.2.6).

The PostgreSQL advisory is available at:

http://www.postgresql.org/about/news.905

On September 20, 2009, the vendor reported that the fix for CVE-2007-6600 was incompleted. A revised fix was issued and the incomplete fix was assigned CVE-2009-3230 [see Alert ID 1022992].
Vendor URL:  www.postgresql.org/about/news.905 (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jan 11 2008 (Sun Issues Advisory) PostgreSQL Bugs Let Remote Authenticated Users Deny Service and Obtain Elevated Privileges
Sun has issued an advisory for Solaris 10.
Jan 11 2008 (Red Hat Issues Fix) PostgreSQL Bugs Let Remote Authenticated Users Deny Service and Obtain Elevated Privileges
Red Hat has released a fix for Red Hat Enterprise Linux 3.
Jan 11 2008 (Red Hat Issues Fix) PostgreSQL Bugs Let Remote Authenticated Users Deny Service and Obtain Elevated Privileges
Red Hat has released a fix for Red Hat Enterprise Linux 4 and 5.
Feb 1 2008 (Red Hat Issues Fix) PostgreSQL Bugs Let Remote Authenticated Users Deny Service and Obtain Elevated Privileges
Red Hat has released a fix for Red Hat Application Stack.
Feb 21 2008 (Red Hat Issues Fix for tcltk) PostgreSQL Bugs Let Remote Authenticated Users Deny Service and Obtain Elevated Privileges
Red Hat has released a fix for tcltk on Red Hat Enterprise Linux 2.1 and 3.
Apr 1 2008 (HP Issues Fix for Internet Express) PostgreSQL Bugs Let Remote Authenticated Users Deny Service and Obtain Elevated Privileges
HP has issued a fix for HP Internet Express on HP Tru64 UNIX.


 Source Message Contents
Subject:  PostgreSQL 2007-01-07 Cumulative Security Release

Today the PostgreSQL Global Development Group is releasing updated 
versions which patch five security vulnerabilities. These releases 
update all current PostgreSQL versions, including 8.2, 8.1, 8.0, 7.4 and 
7.3.  They are considered CRITICAL and PostgreSQL DBAs and sysadmins 
should install the update as soon as they reasonably can.  Our security 
team has made all efforts to make these patches backwards-compatible, 
and upgrading does not require converting your data files.

Please read the remainder of this message for further important details 
and announcements.

Details of Security Fixes
----------------------------
There are five security fixes included in this release.  None of these 
issues are known to have been exploited in the field; they were 
discovered through security analysis.

Index Functions Privilege Escalation (CVE-2007-6600): as a unique 
feature, PostgreSQL allows users to create indexes on the results of 
user-defined functions, known as "expression indexes".   This provided 
two vulnerabilities to privilege escalation: (1) index functions were 
executed as the superuser and not the table owner during VACUUM and 
ANALYZE, and (2) that SET ROLE and SET SESSION AUTHORIZATION were 
permitted within index functions.  Both of these holes have now been closed.

Regular Expression Denial-of-Service (CVE-2007-4772, CVE-2007-6067, 
CVE-2007-4769): three separate issues in the regular expression 
libraries used by PostgreSQL allowed malicious users to initiate a 
denial-of-service by passing certain regular expressions in SQL queries. 
  First, users could create infinite loops using some specific regular 
expressions.  Second, certain complex regular expressions could consume 
excessive amounts of memory.  Third, out-of-range backref numbers could 
be used to crash the backend.  All of these issues have been patched.

DBLink Privilege Escalation (CVE-2007-6601): DBLink functions combined 
with local trust or ident authentication could be used by a malicious 
user to gain superuser privileges.  This issue has been fixed, and does 
not affect users who have not installed DBLink (an optional module), or 
who are using password authentication for local access.  This same 
problem was addressed in the previous release cycle (see CVE-2007-3278), 
but that patch failed to close all forms of the loophole.

EOL Notices
---------------------
Minor release 7.3.21 for PostgreSQL version 7.3 will be the last update 
to the 7.3 branch.  As version 7.3 is now over five years old, the 
community will no longer release patches for it after today's release. 
Users of version 7.3 are encouraged to upgrade to a more current version 
as soon as possible, or to seek support from a commercial support vendor 
who is willing to continue backpatching for them.

8.1.11 and 8.0.15 are also the last 8.1 and 8.0 update releases for 
which the PostgreSQL community will produce binary packages for Windows. 
Windows users are encouraged to move to 8.2.6 or later, since there are 
Windows-specific fixes in 8.2 that are impractical to back-port.  8.1 
and 8.0 updates will continue to be supported on other platforms and in 
source form.

Download and Install
------------------------
PostgreSQL minor releases 8.2.6, 8.1.11, 8.0.15, 7.4.19 and 7.3.21 are 
available through our FTP mirror network:

-- Source Code: http://www.postgresql.org/ftp/source/
-- Binaries for some platforms:  http://www.postgresql.org/ftp/binary/

If you need additional information on the included updates, it's 
available in our Release Notes 
(http://www.postgresql.org/docs/current/static/release.html).  These 
upgrades can be copied directly over existing PostgreSQL binaries and do 
not require dump-and-reload for any system which has been updated in the 
last six months (older versions may require some specific post-update 
steps; see the release notes).

As always, PostgreSQL update releases are cumulative.  All security 
fixes will be included in the upcoming version 8.3 release candidate. 
This notice will be posted to the PostgreSQL security page: 
http://www.postgresql.org/support/security

-- PostgreSQL Global Development Group


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC