Bug 993454 - (CVE-2016-5423) VUL-0: CVE-2016-5423: postgresql: CASE/WHEN with inlining can cause untrusted pointer dereference
(CVE-2016-5423)
VUL-0: CVE-2016-5423: postgresql: CASE/WHEN with inlining can cause untrusted...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P5 - None : Major
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/171850/
CVSSv2:RedHat:CVE-2016-5423:6.5:(AV:N...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-08-12 08:36 UTC by Victor Pereira
Modified: 2018-11-07 16:28 UTC (History)
5 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Victor Pereira 2016-08-12 08:36:35 UTC
rh#1364001

It was discovered that certain SQL statements containing CASE/WHEN commands could crash the PostgreSQL server, or disclose a few bytes of server memory, potentially leading to arbitrary code execution.


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1364001
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5423
http://www.debian.org/security/2016/dsa-3646
Comment 2 Andreas Stieger 2016-08-12 12:12:45 UTC
Affected versions: 9.5, 9.4, 9.3, 9.2, 9.1
Upstream fixed in: 9.5.4, 9.4.9, 9.3.14, 9.2.18, 9.1.23
Comment 3 Reinhard Max 2016-09-22 16:33:16 UTC
Packages were submitted to 13.2, SLE11-SP1 and SLE12 by Fabian Weiss, but for some reason the automatism that normally posts them here does not work.
Comment 4 Swamp Workflow Management 2016-09-29 15:11:16 UTC
SUSE-SU-2016:2414-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 973660,993453,993454
CVE References: CVE-2016-5423,CVE-2016-5424
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    postgresql93-9.3.14-19.2
SUSE Linux Enterprise Server 12-LTSS (src):    postgresql93-9.3.14-19.2
Comment 5 Swamp Workflow Management 2016-09-29 15:12:00 UTC
SUSE-SU-2016:2415-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 973660,993453,993454
CVE References: CVE-2016-5423,CVE-2016-5424
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    postgresql94-libs-9.4.9-14.1
SUSE Linux Enterprise Server 12-SP1 (src):    postgresql94-9.4.9-14.1, postgresql94-libs-9.4.9-14.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    postgresql94-9.4.9-14.1, postgresql94-libs-9.4.9-14.1
Comment 6 Swamp Workflow Management 2016-09-29 17:11:57 UTC
SUSE-SU-2016:2418-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 993453,993454
CVE References: CVE-2016-5423,CVE-2016-5424
Sources used:
SUSE Manager 2.1 (src):    postgresql94-9.4.9-0.19.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    postgresql94-libs-9.4.9-0.19.1
SUSE Linux Enterprise Server 11-SP4 (src):    postgresql94-9.4.9-0.19.1, postgresql94-libs-9.4.9-0.19.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    postgresql94-9.4.9-0.19.1, postgresql94-libs-9.4.9-0.19.1
Comment 7 Swamp Workflow Management 2016-09-30 16:11:44 UTC
openSUSE-SU-2016:2425-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 993453,993454
CVE References: CVE-2016-5423,CVE-2016-5424
Sources used:
openSUSE 13.2 (src):    postgresql93-9.3.14-2.13.1, postgresql93-libs-9.3.14-2.13.1
Comment 8 Swamp Workflow Management 2016-10-06 13:10:00 UTC
openSUSE-SU-2016:2464-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 973660,993453,993454
CVE References: CVE-2016-5423,CVE-2016-5424
Sources used:
openSUSE Leap 42.1 (src):    postgresql94-9.4.9-7.1, postgresql94-libs-9.4.9-7.1
Comment 10 Swamp Workflow Management 2017-04-15 16:10:04 UTC
openSUSE-SU-2017:1021-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1029547,973660,993453,993454
CVE References: CVE-2016-5423,CVE-2016-5424
Sources used:
openSUSE Leap 42.2 (src):    postgresql93-9.3.14-5.5.1, postgresql93-libs-9.3.14-5.5.1
openSUSE Leap 42.1 (src):    postgresql93-9.3.14-8.1, postgresql93-libs-9.3.14-8.1
Comment 11 Bernhard Wiedemann 2017-08-11 14:06:27 UTC
This is an autogenerated message for OBS integration:
This bug (993454) was mentioned in
https://build.opensuse.org/request/show/516114 Factory / postgresql93