Bug 1214059 (CVE-2023-39417)

Summary: VUL-0: CVE-2023-39417: postgresql12,postgresql13,postgresql14,postgresql15: Disallow substituting a schema or owner name into an extension script if the name contains a quote, backslash, or dollar sign
Product: [Novell Products] SUSE Security Incidents Reporter: Cathy Hu <cathy.hu>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: gianluca.gabrielli, max, security-team, thomas.leroy
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/374471/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-39417:6.3:(AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Cathy Hu 2023-08-08 08:28:12 UTC 
CVE-2023-39417

Disallow substituting a schema or owner name into an
extension script if the name contains a quote,
backslash, or dollar sign (Noah Misch)

This restriction guards against SQL-injection hazards
for trusted extensions.


affects all active versions 11-15
Comment 1 Cathy Hu 2023-08-08 10:35:50 UTC 
CRD: 2023-08-10
Comment 5 Reinhard Max 2023-08-10 13:15:53 UTC 
https://www.postgresql.org/about/news/2689/
Comment 6 OBSbugzilla Bot 2023-08-10 16:05:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1214059) was mentioned in
https://build.opensuse.org/request/show/1103348 Factory / postgresql11
https://build.opensuse.org/request/show/1103350 Factory / postgresql12
https://build.opensuse.org/request/show/1103351 Factory / postgresql13
Comment 7 OBSbugzilla Bot 2023-08-14 10:55:04 UTC 
This is an autogenerated message for OBS integration:
This bug (1214059) was mentioned in
https://build.opensuse.org/request/show/1103837 Factory / postgresql15
Comment 8 Maintenance Automation 2023-08-17 12:30:03 UTC 
SUSE-SU-2023:3343-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1214059
CVE References: CVE-2023-39417
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): postgresql14-14.9-3.26.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): postgresql14-14.9-3.26.1
SUSE Linux Enterprise Server 12 SP5 (src): postgresql14-14.9-3.26.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): postgresql14-14.9-3.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Maintenance Automation 2023-08-17 12:30:05 UTC 
SUSE-SU-2023:3342-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1214059, 1214061
CVE References: CVE-2023-39417, CVE-2023-39418
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): postgresql15-15.4-3.12.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): postgresql15-15.4-3.12.1
SUSE Linux Enterprise Server 12 SP5 (src): postgresql15-15.4-3.12.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): postgresql15-15.4-3.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Maintenance Automation 2023-08-17 12:30:07 UTC 
SUSE-SU-2023:3341-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1214059
CVE References: CVE-2023-39417
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): postgresql12-12.16-3.42.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): postgresql12-12.16-3.42.1
SUSE Linux Enterprise Server 12 SP5 (src): postgresql12-12.16-3.42.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): postgresql12-12.16-3.42.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Maintenance Automation 2023-08-17 16:30:22 UTC 
SUSE-SU-2023:3348-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1214059
CVE References: CVE-2023-39417
Sources used:
SUSE Manager Retail Branch Server 4.2 (src): postgresql14-14.9-150200.5.29.1
SUSE Manager Server 4.2 (src): postgresql14-14.9-150200.5.29.1
openSUSE Leap 15.4 (src): postgresql14-14.9-150200.5.29.1
openSUSE Leap 15.5 (src): postgresql14-14.9-150200.5.29.1
Basesystem Module 15-SP4 (src): postgresql14-14.9-150200.5.29.1
Legacy Module 15-SP5 (src): postgresql14-14.9-150200.5.29.1
SUSE Package Hub 15 15-SP4 (src): postgresql14-14.9-150200.5.29.1
SUSE Package Hub 15 15-SP5 (src): postgresql14-14.9-150200.5.29.1
Server Applications Module 15-SP4 (src): postgresql14-14.9-150200.5.29.1
SUSE Manager Proxy 4.2 (src): postgresql14-14.9-150200.5.29.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Maintenance Automation 2023-08-17 16:30:25 UTC 
SUSE-SU-2023:3347-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1214059, 1214061
CVE References: CVE-2023-39417, CVE-2023-39418
Sources used:
openSUSE Leap 15.4 (src): postgresql15-15.4-150200.5.12.1
openSUSE Leap 15.5 (src): postgresql15-15.4-150200.5.12.1
Basesystem Module 15-SP4 (src): postgresql15-15.4-150200.5.12.1
Basesystem Module 15-SP5 (src): postgresql15-15.4-150200.5.12.1
SUSE Package Hub 15 15-SP4 (src): postgresql15-15.4-150200.5.12.1
Server Applications Module 15-SP4 (src): postgresql15-15.4-150200.5.12.1
Server Applications Module 15-SP5 (src): postgresql15-15.4-150200.5.12.1
SUSE Manager Proxy 4.2 (src): postgresql15-15.4-150200.5.12.1
SUSE Manager Retail Branch Server 4.2 (src): postgresql15-15.4-150200.5.12.1
SUSE Manager Server 4.2 (src): postgresql15-15.4-150200.5.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Maintenance Automation 2023-08-17 16:30:28 UTC 
SUSE-SU-2023:3346-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1214059
CVE References: CVE-2023-39417
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): postgresql12-12.16-150100.3.44.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): postgresql12-12.16-150100.3.44.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): postgresql12-12.16-150100.3.44.1
SUSE CaaS Platform 4.0 (src): postgresql12-12.16-150100.3.44.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Maintenance Automation 2023-08-17 16:30:30 UTC 
SUSE-SU-2023:3345-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1214059
CVE References: CVE-2023-39417
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): postgresql13-13.12-3.36.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): postgresql13-13.12-3.36.1
SUSE Linux Enterprise Server 12 SP5 (src): postgresql13-13.12-3.36.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): postgresql13-13.12-3.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Maintenance Automation 2023-08-17 16:30:33 UTC 
SUSE-SU-2023:3344-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1214059
CVE References: CVE-2023-39417
Sources used:
openSUSE Leap 15.4 (src): postgresql13-13.12-150200.5.43.1
openSUSE Leap 15.5 (src): postgresql13-13.12-150200.5.43.1
Legacy Module 15-SP4 (src): postgresql13-13.12-150200.5.43.1
SUSE Manager Proxy 4.2 (src): postgresql13-13.12-150200.5.43.1
SUSE Manager Retail Branch Server 4.2 (src): postgresql13-13.12-150200.5.43.1
SUSE Manager Server 4.2 (src): postgresql13-13.12-150200.5.43.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Maintenance Automation 2023-08-23 12:30:08 UTC 
SUSE-SU-2023:3384-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1214059
CVE References: CVE-2023-39417
Sources used:
openSUSE Leap 15.4 (src): postgresql12-12.16-150200.8.47.1
openSUSE Leap 15.5 (src): postgresql12-12.16-150200.8.47.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Maintenance Automation 2023-09-14 16:30:01 UTC 
SUSE-SU-2023:3344-2: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1214059
CVE References: CVE-2023-39417
Sources used:
Galera for Ericsson 15 SP5 (src): postgresql13-13.12-150200.5.43.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Cathy Hu 2023-09-25 12:24:54 UTC 
done, closing
Comment 19 OBSbugzilla Bot 2023-10-25 12:45:02 UTC 
This is an autogenerated message for OBS integration:
This bug (1214059) was mentioned in
https://build.opensuse.org/request/show/1120251 Factory / postgresql14