Bug 1114837 - (CVE-2018-16850) VUL-0: CVE-2018-16850: postgresql10: Improper quoting of transition table names when pg_dump emits CREATE TRIGGER can cause privilege escalation
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
CVSSv3:RedHat:CVE-2018-16850:8.0:(AV:...
Reported: 2018-11-06 10:57 UTC by Robert Frohl
Modified: 2019-11-15 07:05 UTC
Description Robert Frohl 2018-11-06 10:57:44 UTC
Ensure proper quoting of transition table names when pg_dump emits CREATE TRIGGER ... REFERENCING commands (Tom Lane)

This oversight could be exploited by an unprivileged user to gain superuser privileges during the next dump/reload or pg_upgrade run. (CVE-2018-16850)
Comment 3 Alexander Bergmann 2018-11-08 17:31:28 UTC
Public now: https://www.postgresql.org/about/news/1905/

One security vulnerability has been closed by this release:

CVE-2018-16850: SQL injection in pg_upgrade and pg_dump, via CREATE TRIGGER ... REFERENCING.

Using a purpose-crafted trigger definition, an attacker can run arbitrary SQL statements with superuser privileges when a superuser runs pg_upgrade on the database or during a pg_dump dump/restore cycle. This attack requires a CREATE privilege on some non-temporary schema or a TRIGGER privilege on a table. This is exploitable in the default PostgreSQL configuration, where all users have CREATE privilege on public schema.
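
Added example, not part of the bug report and not pg_dump's own code: a minimal sketch of the identifier quoting that has to be applied to transition table names before they are written into a dumped CREATE TRIGGER ... REFERENCING clause, plus an audit helper that flags triggers whose dump text depends on that quoting. The function names and sample rows are hypothetical, and the reserved-keyword list that real quoting also consults is left out.

```python
import re

# Conservative set of names that can be emitted unquoted: lowercase letter or
# underscore first, then lowercase letters, digits or underscores.
# Assumption: reserved keywords are ignored in this sketch.
_SAFE_IDENT = re.compile(r"[a-z_][a-z0-9_]*\Z")


def quote_ident(name):
    """Return name as a SQL identifier: double-quoted, embedded quotes doubled."""
    if _SAFE_IDENT.match(name):
        return name
    return '"' + name.replace('"', '""') + '"'


def referencing_clause(old_table, new_table, quote=True):
    """Build the REFERENCING clause of CREATE TRIGGER from catalog names.

    quote=False reproduces the flawed behaviour (names copied verbatim);
    quote=True is the corrected behaviour.
    """
    fmt = quote_ident if quote else (lambda n: n)
    parts = []
    if old_table is not None:
        parts.append("OLD TABLE AS " + fmt(old_table))
    if new_table is not None:
        parts.append("NEW TABLE AS " + fmt(new_table))
    return "REFERENCING " + " ".join(parts) if parts else ""


def audit(triggers):
    """Return the triggers whose dump text changes once quoting is applied."""
    return [
        name for name, old_t, new_t in triggers
        if referencing_clause(old_t, new_t, quote=False)
        != referencing_clause(old_t, new_t, quote=True)
    ]


# Constructed sample rows: (trigger name, old transition table, new transition table)
SAMPLE = [
    ("audit_upd", "old_rows", "new_rows"),
    ("report_ins", None, "New Rows"),
    ("quoted_del", 'gone"rows', None),
]

if __name__ == "__main__":
    for trig, old_t, new_t in SAMPLE:
        print(trig, "->", referencing_clause(old_t, new_t))
    print("depend on quoting:", audit(SAMPLE))
```

On PostgreSQL 10 and later the transition table names live in the pg_trigger columns tgoldtable and tgnewtable, so rows like the sample ones can be pulled from the catalog before a dump/reload or pg_upgrade run on an unpatched installation.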
Comment 4 Swamp Workflow Management 2018-11-15 17:09:10 UTC
SUSE-SU-2018:3770-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1114837
CVE References: CVE-2018-16850
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    postgresql10-libs-10.6-1.6.1
SUSE Linux Enterprise Server 12-SP3 (src):    postgresql10-10.6-1.6.1, postgresql10-libs-10.6-1.6.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    postgresql10-10.6-1.6.1, postgresql10-libs-10.6-1.6.1
Comment 5 Swamp Workflow Management 2018-11-24 17:13:21 UTC
openSUSE-SU-2018:3893-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1114837
CVE References: CVE-2018-16850
Sources used:
openSUSE Leap 42.3 (src):    postgresql10-10.6-5.1, postgresql10-libs-10.6-5.1
Comment 6 Swamp Workflow Management 2018-11-26 10:20:07 UTC
This is an autogenerated message for OBS integration:
This bug (1114837) was mentioned in
https://build.opensuse.org/request/show/651972 Factory / postgresql11
https://build.opensuse.org/request/show/651973 Factory / postgresql10
Comment 7 Swamp Workflow Management 2018-11-29 17:09:07 UTC
SUSE-SU-2018:3942-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1114837
CVE References: CVE-2018-16850
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    postgresql10-10.6-4.8.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src):    postgresql10-10.6-4.8.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    postgresql10-10.6-4.8.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    postgresql10-10.6-4.8.1
Comment 8 Swamp Workflow Management 2018-12-07 23:11:56 UTC
openSUSE-SU-2018:4031-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1114837
CVE References: CVE-2018-16850
Sources used:
openSUSE Leap 15.0 (src):    postgresql10-10.6-lp150.3.6.1
Comment 9 Swamp Workflow Management 2018-12-12 14:09:15 UTC
SUSE-SU-2018:3770-2: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1114837
CVE References: CVE-2018-16850
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    postgresql10-libs-10.6-1.6.1
SUSE Linux Enterprise Server 12-SP4 (src):    postgresql10-10.6-1.6.1, postgresql10-libs-10.6-1.6.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    postgresql10-10.6-1.6.1, postgresql10-libs-10.6-1.6.1
Comment 10 Swamp Workflow Management 2019-02-27 08:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (1114837) was mentioned in
https://build.opensuse.org/request/show/679731 Factory / postgresql10
Comment 11 Swamp Workflow Management 2019-02-27 21:00:44 UTC
This is an autogenerated message for OBS integration:
This bug (1114837) was mentioned in
https://build.opensuse.org/request/show/679960 Factory / postgresql10
Comment 12 Marcus Meissner 2019-11-15 07:05:47 UTC
done