Bug 1104199 (CVE-2018-10915)

Summary: VUL-0: CVE-2018-10915: postgresql94,postgresql96,postgresql10: Fix failure to reset libpq's state fully between connection attempts
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: max, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/212516/
Whiteboard: CVSSv3:RedHat:CVE-2018-10915:8.5:(AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) CVSSv3:SUSE:CVE-2018-10915:8.5:(AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2018-08-08 14:22:47 UTC
CVE-2018-10915

https://borka.postgresql.org/staging/3ff314b316b0edaa589a7e237f9588e66942cf7e/


Fix failure to reset libpq's state fully between connection attempts

An unprivileged user of dblink or postgres_fdw could bypass the checks 
intended to prevent use of server-side credentials, such as a 
~/.pgpass file owned by the operating-system user running the server. 
Servers allowing peer authentication on local connections are 
particularly vulnerable. Other attacks such as SQL injection into a 
postgres_fdw session are also possible. Attacking postgres_fdw in this 
way requires the ability to create a foreign server object with 
selected connection parameters, but any user with access to dblink 
could exploit the problem. In general, an attacker with the ability to 
select the connection parameters for a libpq-using application could 
cause mischief, though other plausible attack scenarios are harder to 
think of. Our thanks to Andrew Krasichkov for reporting this issue. 
(CVE-2018-10915)

Comment 1 Marcus Meissner 2018-08-08 14:31:19 UTC
CRD: 2018-08-09

Comment 3 Marcus Meissner 2018-08-09 14:26:13 UTC
is public

https://www.postgresql.org/about/news/1878/

CVE-2018-10915: Certain host connection parameters defeat client-side security defenses

libpq, the client connection API for PostgreSQL that is also used by other connection libraries, had an internal issue where it did not reset all of its connection state variables when attempting to reconnect. In particular, the state variable that determined whether or not a password is needed for a connection would not be reset, which could allow users of features requiring libpq, such as the dblink or postgres_fdw extensions, to login to servers they should not be able to access.

You can check if your database has either extension installed by running the following from your PostgreSQL shell:

\dx dblink|postgres_fdw

Users are advised to upgrade their libpq installations as soon as possible.

The PostgreSQL Global Development Group thanks Andrew Krasichkov for reporting this problem.
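
An added audit example, not part of the bug report or the PostgreSQL announcement: it extends the `\dx` check above to show which non-superuser roles can reach the two paths the advisory names (calling dblink, or creating a postgres_fdw foreign server). It assumes it is run as a superuser in each database of the cluster; it uses only standard catalogs and privilege-inquiry functions.

```sql
-- Added audit example; run in every database of the cluster as a superuser.

-- 1. Is either extension installed here? (plain-SQL form of \dx dblink|postgres_fdw)
SELECT e.extname, e.extversion, n.nspname AS schema
FROM pg_extension e
JOIN pg_namespace n ON n.oid = e.extnamespace
WHERE e.extname IN ('dblink', 'postgres_fdw');

-- 2. Non-superuser roles that can call dblink functions accepting a
--    connection string ("any user with access to dblink").
SELECT r.rolname, p.oid::regprocedure AS callable_function
FROM pg_extension e
JOIN pg_depend d
  ON d.refclassid = 'pg_extension'::regclass
 AND d.refobjid   = e.oid
 AND d.classid    = 'pg_proc'::regclass
 AND d.deptype    = 'e'                 -- objects owned by the extension
JOIN pg_proc p ON p.oid = d.objid
CROSS JOIN pg_roles r
WHERE e.extname = 'dblink'
  AND p.proname IN ('dblink', 'dblink_connect', 'dblink_connect_u', 'dblink_exec')
  AND NOT r.rolsuper
  AND has_schema_privilege(r.oid, p.pronamespace, 'USAGE')
  AND has_function_privilege(r.oid, p.oid, 'EXECUTE')
ORDER BY r.rolname, p.proname;

-- 3. Non-superuser roles holding USAGE on the postgres_fdw wrapper, which is
--    what CREATE SERVER requires ("ability to create a foreign server object").
SELECT r.rolname
FROM pg_foreign_data_wrapper w
CROSS JOIN pg_roles r
WHERE w.fdwname = 'postgres_fdw'
  AND NOT r.rolsuper
  AND has_foreign_data_wrapper_privilege(r.oid, w.oid, 'USAGE')
ORDER BY r.rolname;

-- 4. Existing postgres_fdw servers, their owners and connection options,
--    for review of the host parameters they carry.
SELECT s.srvname, o.rolname AS owner, s.srvoptions
FROM pg_foreign_server s
JOIN pg_foreign_data_wrapper w ON w.oid = s.srvfdw
JOIN pg_roles o ON o.oid = s.srvowner
WHERE w.fdwname = 'postgres_fdw';
```

Roles returned by queries 2 and 3 are the ones whose grants are worth reviewing until the updated libpq packages listed in the comments below are installed.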

Comment 5 Swamp Workflow Management 2018-08-10 17:40:06 UTC
This is an autogenerated message for OBS integration:
This bug (1104199) was mentioned in
https://build.opensuse.org/request/show/628665 Factory / postgresql10
https://build.opensuse.org/request/show/628666 Factory / postgresql96
https://build.opensuse.org/request/show/628667 Factory / postgresql95
https://build.opensuse.org/request/show/628668 Factory / postgresql94
https://build.opensuse.org/request/show/628669 Factory / postgresql93

Comment 6 Swamp Workflow Management 2018-08-30 19:11:48 UTC
SUSE-SU-2018:2564-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1091610,1104199,1104202
CVE References: CVE-2018-10915,CVE-2018-10925,CVE-2018-1115
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    postgresql10-10.5-4.5.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    postgresql10-10.5-4.5.1

Comment 7 Swamp Workflow Management 2018-09-04 10:08:53 UTC
openSUSE-SU-2018:2599-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1091610,1104199,1104202
CVE References: CVE-2018-10915,CVE-2018-10925,CVE-2018-1115
Sources used:
openSUSE Leap 15.0 (src):    postgresql10-10.5-lp150.3.3.1

Comment 9 Swamp Workflow Management 2018-10-22 16:13:30 UTC
SUSE-SU-2018:3287-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1104199
CVE References: CVE-2018-10915
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    postgresql94-libs-9.4.19-0.23.19.1
SUSE Linux Enterprise Server 11-SP4 (src):    postgresql94-9.4.19-0.23.19.1, postgresql94-libs-9.4.19-0.23.19.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    postgresql94-9.4.19-0.23.19.1, postgresql94-libs-9.4.19-0.23.19.1

Comment 10 Swamp Workflow Management 2018-10-24 13:14:00 UTC
SUSE-SU-2018:3377-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1104199,1104202
CVE References: CVE-2018-10915,CVE-2018-10925
Sources used:
SUSE OpenStack Cloud 7 (src):    postgresql96-9.6.10-3.22.7, postgresql96-libs-9.6.10-3.22.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    postgresql96-libs-9.6.10-3.22.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    postgresql96-9.6.10-3.22.7, postgresql96-libs-9.6.10-3.22.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    postgresql96-9.6.10-3.22.7, postgresql96-libs-9.6.10-3.22.1
SUSE Linux Enterprise Server 12-SP3 (src):    postgresql96-9.6.10-3.22.7, postgresql96-libs-9.6.10-3.22.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    postgresql96-9.6.10-3.22.7, postgresql96-libs-9.6.10-3.22.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    postgresql96-9.6.10-3.22.7, postgresql96-libs-9.6.10-3.22.1
SUSE Linux Enterprise Server 12-LTSS (src):    postgresql96-9.6.10-3.22.7, postgresql96-libs-9.6.10-3.22.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    postgresql96-9.6.10-3.22.7, postgresql96-libs-9.6.10-3.22.1
SUSE Enterprise Storage 4 (src):    postgresql96-9.6.10-3.22.7, postgresql96-libs-9.6.10-3.22.1

Comment 11 Swamp Workflow Management 2018-10-25 16:20:39 UTC
openSUSE-SU-2018:3449-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1104199,1104202
CVE References: CVE-2018-10915,CVE-2018-10925
Sources used:
openSUSE Leap 42.3 (src):    postgresql96-9.6.10-21.1, postgresql96-libs-9.6.10-21.1

Comment 13 Swamp Workflow Management 2018-11-26 20:09:08 UTC
SUSE-SU-2018:3909-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1104199
CVE References: CVE-2018-10915
Sources used:
SUSE OpenStack Cloud 7 (src):    postgresql94-9.4.19-21.22.7
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    postgresql94-9.4.19-21.22.7
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    postgresql94-9.4.19-21.22.7
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    postgresql94-9.4.19-21.22.7
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    postgresql94-9.4.19-21.22.7
SUSE Linux Enterprise Server 12-LTSS (src):    postgresql94-9.4.19-21.22.7
SUSE Enterprise Storage 4 (src):    postgresql94-9.4.19-21.22.7

Comment 14 Marcus Meissner 2018-12-06 14:22:56 UTC
was fixed in initial 10.5 shipment of postgresql10.

Comment 15 Swamp Workflow Management 2018-12-07 11:26:47 UTC
openSUSE-SU-2018:4007-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1104199
CVE References: CVE-2018-10915
Sources used:
openSUSE Leap 42.3 (src):    postgresql94-9.4.19-24.1, postgresql94-libs-9.4.19-24.1

Comment 16 Swamp Workflow Management 2019-02-27 21:00:36 UTC
This is an autogenerated message for OBS integration:
This bug (1104199) was mentioned in
https://build.opensuse.org/request/show/679960 Factory / postgresql10

Comment 17 OBSbugzilla Bot 2020-08-14 08:10:13 UTC
This is an autogenerated message for OBS integration:
This bug (1104199) was mentioned in
https://build.opensuse.org/request/show/826617 15.1+15.2+Backports:SLE-15-SP1+Backports:SLE-15-SP2 / postgresql96

Comment 18 Swamp Workflow Management 2020-08-17 16:17:34 UTC
openSUSE-SU-2020:1227-1: An update that solves 7 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1091610,1104199,1104202,1134689,1145092,1148643,1163985,1171924,1175194
CVE References: CVE-2018-10915,CVE-2018-10925,CVE-2018-1115,CVE-2019-10130,CVE-2019-10208,CVE-2020-14350,CVE-2020-1720
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    postgresql-12.0.1-lp151.6.9.1, postgresql10-10.13-lp151.2.14.1, postgresql12-12.3-lp151.2.1, postgresql96-9.6.19-lp151.3.3.1