Bug 65191 (CVE-2005-0227) - VUL-0: CVE-2005-0227: postgresql: LOAD vulnerability
Summary: VUL-0: CVE-2005-0227: postgresql: LOAD vulnerability
Status: RESOLVED FIXED
Alias: CVE-2005-0227
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All Linux
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv2:NVD:CVE-2005-0227:4.3:(AV:L/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2005-01-26 19:30 UTC by Reinhard Max
Modified: 2021-12-03 15:14 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
patchinfo-sles8.psql (528 bytes, text/plain)
2005-01-26 22:18 UTC, Thomas Biege
patchinfo-sles9.psql (583 bytes, text/plain)
2005-01-26 22:18 UTC, Thomas Biege

Description Reinhard Max 2005-01-26 19:30:27 UTC
It has been found that unprivileged users can use the LOAD SQL statement to
load and execute arbitrary code from shared libraries inside the database
backend. Details can be found in this email thread:

http://archives.postgresql.org/pgsql-bugs/2005-01/msg00269.php

The PostgreSQL development will create patch releases for the 7.2, 7.3, 7.4, and
8.0 versions of PostgreSQL by the end of this week to fix this.

This means we have to do yet another round of PostgreSQL updates for sles8,
sles9, and all box versions back to 8.1.
Comment 1 Thomas Biege 2005-01-26 20:02:47 UTC
I'll handle swamp and patchinfo ASAP 
Comment 2 Thomas Biege 2005-01-26 21:48:01 UTC
 SM-Tracker-231 
Comment 3 Thomas Biege 2005-01-26 22:18:08 UTC
Created attachment 27931
patchinfo-sles8.psql
Comment 4 Thomas Biege 2005-01-26 22:18:23 UTC
Created attachment 27932
patchinfo-sles9.psql
Comment 5 Thomas Biege 2005-01-26 22:20:04 UTC
Please use the following patchinfo text stub for the box patchinfo files. I was 
not able to comb out the different package names for the different versions 
of SL. 
 
PACKAGER: max@suse.de 
BUGZILLA: 50191 
CATEGORY: security 
DESCRIPTION: 
Security Update: 
This update fixes the possibility for unprivileged users to load 
and execute arbitrary code from shared libraries via the LOAD SQL
statement in the database backend.
DESCRIPTION_DE: 
Sicherheits-Update: 
Mit diesem Update ist es fortan nicht mehr moeglich, dass unpriviligierte 
Benutzer das LOAD SQL-Statement benutzen, um beliebigen Code von 
Shared-Libraries 
im DB-Backend zu laden und auszufuehren. 
 
Comment 6 Reinhard Max 2005-01-28 20:39:30 UTC
A couple more must-fix issues have popped up at the PostgreSQL team, and so the
patch releases have been delayed until Sunday or Monday...
Comment 7 Reinhard Max 2005-02-03 03:48:35 UTC
Packages submitted. Patchinfo will follow tomorrow.
BTW, this vulnerability was also reported on Heise today:
http://www.heise.de/newsticker/meldung/55828
Comment 8 Thomas Biege 2005-02-03 17:16:14 UTC
Thanks.
Comment 9 Reinhard Max 2005-02-03 18:53:54 UTC
Patchinfo files submitted to /work/src/done/PATCHINFO/postgresql.patch.*
Reassigning to security-team for further tracking...
Comment 10 Thomas Biege 2005-02-03 20:34:11 UTC
Thanks.
Comment 11 Thomas Biege 2005-02-10 16:56:43 UTC
Reinhard,
the additional vulnerabilities you talked about in comment #6, were these the
following?
 
-- 
 
A flaw in the LOAD command in PostgreSQL was discovered. 
CAN-2005-0227 
 
A local user could bypass the EXECUTE permission check for functions by 
using the CREATE AGGREGATE command. CAN-2005-0244 
 
Multiple buffer overflows were found in PL/PgSQL. CAN-2005-0245, 
CAN-2005-0247 
 
A flaw in contrib/intagg CAN-2005-0246 
 
-- 
 
Are they fixed too? 
Comment 12 Reinhard Max 2005-02-10 16:58:58 UTC
Where can I look up the full text for these CAN IDs?
Comment 13 Thomas Biege 2005-02-10 18:20:46 UTC
http://cve.mitre.org/cve 
Comment 14 Reinhard Max 2005-02-10 19:09:36 UTC
CAN-2005-0227 is what this bug report originally was about, so that one will be
fixed with this update.

The others are all reported against 8.0.1, which was released together with the
latest 7.x patch releases to fix CAN-2005-0227. This means that the other
vulnerabilities either don't exist in the 7.x series, or are not fixed in the
latest releases.

I think that the PostgreSQL team will soon come up with another round of patch
releases for all versions that are affected by these vulnerabilities.
Comment 15 Marcus Meissner 2005-02-10 21:37:42 UTC
I opened a new one for the new issues,
http://bugzilla.suse.de/show_bug.cgi?id=50692 
Comment 16 Marcus Meissner 2005-02-15 00:23:37 UTC
fixed