Source: postgresql-16
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The recently fixed postgresql issues are addressed, but still open in
postgresql-16. I suppose the plan is to remove -16 in the mid term, but
in the interim filing a bug for the record.

CVE-2024-10976[0]:
| Incomplete tracking in PostgreSQL of tables with row security allows a
| reused query to view or change different rows from those intended.
| CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row
| security and user ID changes. They missed cases where a subquery, WITH
| query, security invoker view, or SQL-language function references a
| table with a row-level security policy. This has the same consequences
| as the two earlier CVEs. That is to say, it leads to potentially
| incorrect policies being applied in cases where role-specific policies
| are used and a given query is planned under one role and then executed
| under other roles. This scenario can happen under security definer
| functions or when a common user and query is planned initially and then
| re-used across multiple SET ROLEs. Applying an incorrect policy may
| permit a user to complete otherwise-forbidden reads and modifications.
| This affects only databases that have used CREATE POLICY to define a
| row security policy. An attacker must tailor an attack to a particular
| application's pattern of query plan reuse, user ID changes, and
| role-specific row security policies. Versions before PostgreSQL 17.1,
| 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

CVE-2024-10977[1]:
| Client use of server error message in PostgreSQL allows a server not
| trusted under current SSL or GSS settings to furnish arbitrary non-NUL
| bytes to the libpq application. For example, a man-in-the-middle
| attacker could send a long error message that a human or screen-scraper
| user of psql mistakes for valid query results. This is probably not a
| concern for clients where the user interface unambiguously indicates
| the boundary between one error message and other text. Versions before
| PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

CVE-2024-10978[2]:
| Incorrect privilege assignment in PostgreSQL allows a less-privileged
| application user to view or change different rows from those intended.
| An attack requires the application to use SET ROLE, SET SESSION
| AUTHORIZATION, or an equivalent feature. The problem arises when an
| application query uses parameters from the attacker or conveys query
| results to the attacker. If that query reacts to current_setting('role')
| or the current user ID, it may modify or return data as though the
| session had not used SET ROLE or SET SESSION AUTHORIZATION. The attacker
| does not control which incorrect user ID applies. Query text from
| less-privileged sources is not a concern here, because SET ROLE and SET
| SESSION AUTHORIZATION are not sandboxes for unvetted queries. Versions
| before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are
| affected.

CVE-2024-10979[3]:
| Incorrect control of environment variables in PostgreSQL PL/Perl allows
| an unprivileged database user to change sensitive process environment
| variables (e.g. PATH). That often suffices to enable arbitrary code
| execution, even if the attacker lacks a database server operating
| system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17,
| and 12.21 are affected.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-10976
    https://www.cve.org/CVERecord?id=CVE-2024-10976
[1] https://security-tracker.debian.org/tracker/CVE-2024-10977
    https://www.cve.org/CVERecord?id=CVE-2024-10977
[2] https://security-tracker.debian.org/tracker/CVE-2024-10978
    https://www.cve.org/CVERecord?id=CVE-2024-10978
[3] https://security-tracker.debian.org/tracker/CVE-2024-10979
    https://www.cve.org/CVERecord?id=CVE-2024-10979

Please adjust the affected versions in the BTS as needed.
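Added check, not part of the bug report above and not PostgreSQL project code: the pattern the CVE-2024-10976 text describes (a query planned under one role and re-used after SET ROLE, reaching an RLS-protected table only through a WITH query and a subquery) and the current_setting('role') / current user ID behaviour CVE-2024-10978 describes, exercised in one session on a scratch database. The role, table and statement names (rls_alice, rls_bob, rls_docs, who_sees) are invented for this check; the data is constructed.

```sql
-- Added check (not part of this bug report): exercise the plan-reuse pattern
-- described for CVE-2024-10976 and CVE-2024-10978. A prepared statement that
-- reaches an RLS-protected table only through a WITH query and a subquery is
-- planned under one role and executed again after SET ROLE. On a fixed server
-- every EXECUTE must report the role that executes it and only that role's
-- rows. Role, table and statement names are invented for this check.
-- Run as a superuser in a scratch database.

CREATE ROLE rls_alice NOLOGIN;
CREATE ROLE rls_bob   NOLOGIN;

CREATE TABLE rls_docs (id int PRIMARY KEY, owner text NOT NULL, body text);
INSERT INTO rls_docs VALUES
  (1, 'rls_alice', 'visible to alice only'),   -- constructed sample rows
  (2, 'rls_bob',   'visible to bob only');
GRANT SELECT ON rls_docs TO rls_alice, rls_bob;
ALTER TABLE rls_docs ENABLE ROW LEVEL SECURITY;

-- Role-specific policies, the configuration the advisory says is affected.
CREATE POLICY alice_rows ON rls_docs TO rls_alice USING (owner = 'rls_alice');
CREATE POLICY bob_rows   ON rls_docs TO rls_bob   USING (owner = 'rls_bob');

-- Force the cached generic plan so the second EXECUTE really reuses the plan
-- built under the first role instead of replanning (plan_cache_mode exists
-- since PostgreSQL 12).
SET plan_cache_mode = force_generic_plan;

SET ROLE rls_alice;
PREPARE who_sees(int) AS
  WITH visible AS (SELECT id, owner FROM rls_docs)
  SELECT current_user            AS executing_as,
         current_setting('role') AS role_setting,
         v.owner                 AS row_owner
  FROM visible v
  WHERE v.id IN (SELECT id FROM rls_docs WHERE id >= $1)
  ORDER BY v.owner;

-- Planned and first executed as rls_alice: expect one row, owner rls_alice.
EXECUTE who_sees(1);

-- Same cached plan, different role: expect executing_as = rls_bob,
-- role_setting = rls_bob and exactly one row owned by rls_bob. A row owned by
-- rls_alice, or executing_as / role_setting still reporting rls_alice, is the
-- stale-user-ID behaviour the two advisories describe.
SET ROLE rls_bob;
EXECUTE who_sees(1);

RESET ROLE;
RESET plan_cache_mode;
DEALLOCATE who_sees;
DROP TABLE rls_docs;
DROP ROLE rls_alice, rls_bob;

-- Inventory: the row-security CVEs only matter in databases that define
-- policies, and the 16.x fix is 16.5 (server_version_num 160005); the other
-- branches have their own fixed minor versions, listed in the advisory text.
SELECT current_setting('server_version_num')::int >= 160005 AS fixed_16_branch,
       (SELECT count(*) FROM pg_policy)                      AS policy_count;
```

A mismatch on the second EXECUTE is evidence of the problem; a clean result is not proof that the server is fixed, because the advisory says an attack has to be tailored to an application's particular pattern of plan reuse, user ID changes and policies, and this is only one such pattern. Treat the version check as the authoritative test, and note that the PL/Perl issue (CVE-2024-10979) is not exercised here at all.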