ESB-2018.3527 - [Win][UNIX/Linux] PostgreSQL: Execute arbitrary code/commands - Existing account 2018-11-09

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3527
            PostgreSQL updates fix SQL injection vulnerability
                              9 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           PostgreSQL
Publisher:         PostgreSQL
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-16850  

Original Bulletin: 
   https://www.postgresql.org/about/news/1905/

- --------------------------BEGIN INCLUDED TEXT--------------------

PostgreSQL 11.1, 10.6, 9.6.11, 9.5.15, 9.4.20, and 9.3.25 Released!

Posted on 2018-11-08 by PostgreSQL Global Development Group

The PostgreSQL Global Development Group has released an update to all supported
versions of our database system, including 11.1, 10.6, 9.6.11, 9.5.15, 9.4.20,
and 9.3.25. This release fixes one security issue as well as bugs reported over
the last three months.

All users using the affected versions of PostgreSQL should update as soon as
possible. Please see the notes on "Updating" below for any post-update steps
that may be required if you are using pg_stat_statements in your installation.

This update is also the final release for PostgreSQL 9.3, which is now
end-of-life and will no longer receive any bug or security fixes. If your
environment still uses PostgreSQL 9.3, please make plans to update to a
community supported version as soon as possible. Please see our versioning
policy for more information.

Security Issues

One security vulnerability has been closed by this release:

  * CVE-2018-16850: SQL injection in pg_upgrade and pg_dump, via CREATE TRIGGER
    ... REFERENCING.

Using a purpose-crafted trigger definition, an attacker can run arbitrary SQL
statements with superuser privileges when a superuser runs pg_upgrade on the
database or during a pg_dump dump/restore cycle. This attack requires a CREATE
privilege on some non-temporary schema or a TRIGGER privilege on a table. This
is exploitable in the default PostgreSQL configuration, where all users have
CREATE privilege on public schema.

Bug Fixes and Improvements

This update also fixes numerous bugs that were reported in the last several
months. Some of these issues affect only version 11, but many affect all
supported versions.

These releases include fixes that:

  * Ensure that automatically created child indexes are created in the same
    tablespace as the parent partitioned index
  * Fix several crashes with triggers
  * Fix problems with applying ON COMMIT DELETE ROWS to a partitioned temporary
    table
  * Fix how NULL values are handled when using LEFT JOIN with a parallelized
    hash join
  * Several fixes around using named or defaulted arguments in CALL statements
  * Fix for strict aggregate functions (i.e. aggregates that cannot accept NULL
    inputs) with ORDER BY columns that enforces the strictness check
  * Fix with CASE statements where an expression was cast to an array type
  * Disable an optimization for updating expression indexes in order to prevent
    a crash
  * Fix a memory leak that occurred on a specific case of using a SP-GiST index
  * Fix for pg_verify_checksums incorrectly reporting on files that are not
    expected to have checksums
  * Prevent the PostgreSQL server from starting when wal_level is set to a
    value that cannot support an existing replication slot
  * Ensure that the server will process already-received NOTIFY and SIGTERM
    interrupts before waiting for client input
  * Allow PL/Ruby to work with newer versions of PostgreSQL
  * Fix for character-class checks on Windows for Unicode characters above
    U+FFFF, which affected full-text search as well as contrib/ltree and
    contrib/pg_trgm
  * Fix a case where psql would not report the receipt of a message from a
    NOTIFY call until after the next command
  * Fix build problems on macOS 10.14 (Mojave)
  * Several build fixes for the Windows platform

This updates also contains tzdata release 2018g for DST law changes in Chile,
Fiji, Morocco, and Russia (Volgograd), plus historical corrections for China,
Hawaii, Japan, Macau, and North Korea.

PostgreSQL 9.3 is End-of-Life (EOL)

PostgreSQL 9.3 is now end-of-life and will no longer receive any bug or
security fixes. We urge users to start planning an upgrade to a later version
of PostgreSQL as soon as possible. Please see our versioning policy for more
information.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW+TggGaOgq3Tt24GAQj2SxAAvnqfImUQEucx2P9a6yDJLX0MABOEcZ55
Fb3XUvgtOCtgtDLCbFF+zuvX/4FGQvAeYAR4Pe7Z5acF6QtX4mibUsrxSPxDHFY2
ryBglrH1LzGY9BpFhWjBCGFb5WJm6vaKAj/bEFJ7GC04qgbl5QZhMMpqAZk6HPhV
vfZvy9CtgEAoNB4Rsk8P1tW3DsZTffHwTQhMnKGOpIiACvpgEUGRtuPE+++BkYg5
+MKUoX5LhFKBUM8k4vt+RQ4847h0z28OVrEE7Ha+OBdtcer8m13q9B0s5E9RocY2
V342pS6GPqS/s7idipSIO+FdTTzdbSo7DholEtUVGTTin81ZgWkzarTN48Pb/THp
DBkzIJnD/LDhZ3xcAWowPypMjgJt8Eehdv9zvKYAWosdCLGSv5Inqv1xeVoScvmM
y33yDObJIxrLqambmGCvNRXHYh9QYoXUODjoKWmumrUMxUAYNMdO1O41GuF4twaO
KhtVSCq/ToaTVfTYar8cIkcjh+Sb2aBqT3Y3KwiE0nffULvHU8GCxMFLuCYgprgB
do4+u4ZNOymtRzsxTtSYo9pbNkTlDGU8imrID3gVpEelJ7ioZ7drtI6mmfCwnKk/
/kIdOTyvut4cR7o+SWj2nOhqCV7aG2HKLkGuDIIIrB+V1LrY4wgRIIiNeUi813Yw
PIqZfCnh4oc=
=c26S
-----END PGP SIGNATURE-----

« Back to bulletins