[arch-security] [ASA-201502-4] postgresql: multiple issues
Arch Linux Security Advisory ASA-201502-4
=========================================

Severity: High
Date    : 2015-02-06
CVE-ID  : CVE-2014-8161 CVE-2015-0241 CVE-2015-0243 CVE-2015-0244
Package : postgresql
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package postgresql before version 9.4.1-1 is vulnerable to multiple
issues, including information leak, denial of service, privilege escalation
and command injection.

Resolution
==========

Upgrade to 9.4.1-1.

# pacman -Syu "postgresql>=9.4.1-1"

The problem has been fixed upstream in version 9.4.1.

Workaround
==========

None.

Description
===========

- CVE-2014-8161 (information leak)

Some server error messages show the values of columns that violate a
constraint, such as a unique constraint. If the user does not have SELECT
privilege on all columns of the table, this could mean exposing values that
the user should not be able to see. Adjust the code so that values are
displayed only when they came from the SQL command or could be selected by
the user.

- CVE-2015-0241 (denial of service, privilege escalation)

When to_char() processes a numeric formatting template calling for a large
number of digits, PostgreSQL would read past the end of a buffer. When
processing a crafted timestamp formatting template, PostgreSQL would write
past the end of a buffer. Either case could crash the server. We have not
ruled out the possibility of attacks that lead to privilege escalation,
though they seem unlikely.

- CVE-2015-0243 (denial of service, privilege escalation)

Errors in memory size tracking within the pgcrypto module permitted stack
buffer overruns and improper dependence on the contents of uninitialized
memory. The buffer overrun cases can crash the server, and we have not ruled
out the possibility of attacks that lead to privilege escalation.

- CVE-2015-0244 (command injection)

If any error occurred while the server was in the middle of reading a
protocol message from the client, it could lose synchronization and
incorrectly try to interpret part of the message's data as a new protocol
message. An attacker able to submit crafted binary data within a command
parameter might succeed in injecting his own SQL commands this way.
Statement timeout and query cancellation are the most likely sources of
errors triggering this scenario. Particularly vulnerable are applications
that use a timeout and also submit arbitrary user-crafted data as binary
query parameters. Disabling statement timeout will reduce, but not
eliminate, the risk of exploit. Our thanks to Emil Lenngren for reporting
this issue.

Impact
======

A remote, authenticated attacker might be able to get access to sensitive
information, escalate privileges or cause a denial of service by crashing
the server. A remote attacker could inject arbitrary SQL commands by
submitting crafted binary data within a command parameter.

References
==========

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8161
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0241
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0243
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0244
http://www.postgresql.org/docs/9.4/static/release-9-4-1.html
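The Resolution section gives 9.4.1-1 as the fixed package version. The following is an added example, not part of the advisory or of Arch's tooling: it audits `pacman -Q` style output for a postgresql package older than that version, using a simplified reimplementation of Arch's `[epoch:]pkgver-pkgrel` ordering (numeric segments beat alphabetic ones, a shorter version is older) instead of calling the real `vercmp`; the sample package list is constructed.

```python
"""Flag an installed postgresql package older than the ASA-201502-4 fix.

Added example; not part of the advisory. Version comparison is a simplified
vercmp: epoch first, then pkgver segments, then pkgrel segments.
"""
import re

FIXED_VERSION = "9.4.1-1"  # from the advisory's Resolution section


def _segments(s):
    """Split '9.4.1rc2' into orderable keys: (1, n) for digits, (0, str) for letters."""
    return [(1, int(t)) if t.isdigit() else (0, t)
            for t in re.findall(r"\d+|[A-Za-z]+", s)]


def parse_version(ver):
    """Parse '[epoch:]pkgver-pkgrel' into a tuple that compares like vercmp (simplified)."""
    epoch = 0
    if ":" in ver:
        e, ver = ver.split(":", 1)
        epoch = int(e)
    pkgver, _, pkgrel = ver.partition("-")
    return (epoch, _segments(pkgver), _segments(pkgrel))


def is_fixed(installed, fixed=FIXED_VERSION):
    """True when the installed version is at or above the fixed version."""
    return parse_version(installed) >= parse_version(fixed)


def audit(pacman_q_output):
    """Return [(name, version)] for postgresql entries below the fixed version."""
    affected = []
    for line in pacman_q_output.splitlines():
        if not line.strip():
            continue
        name, version = line.split()
        if name == "postgresql" and not is_fixed(version):
            affected.append((name, version))
    return affected


# Constructed sample of `pacman -Q` output (not from a real host).
SAMPLE_PACMAN_Q = """\
linux 3.18.5-1
postgresql 9.4.0-1
postgresql-libs 9.4.0-1
"""

if __name__ == "__main__":
    print(audit(SAMPLE_PACMAN_Q))  # [('postgresql', '9.4.0-1')]
```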
Participants (1): Remi Gacogne