Bug 872783 - (CVE-2014-0067) VUL-1: CVE-2014-0067: postgresql91,postgresql: Vulnerability during "make check"
VUL-1: CVE-2014-0067: postgresql91,postgresql: Vulnerability during "make check"
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P4 - Low : Minor
: ---
Assigned To: Security Team bot
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2014-04-09 13:01 UTC by Johannes Segitz
Modified: 2016-04-27 20:16 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2014-04-09 13:01:36 UTC


The PostgreSQL Global Development Group security team has discovered a vulnerability in the scripts that orchestrate PostgreSQL test suites that validate the functionality of the PostgreSQL binaries. While a test suite is running, a user with interactive access to the system can hijack the operating system user account running the suite. Only users who run "make check" on a system they share with untrusted users are at risk. A future set of update releases will fix this vulnerability, though there will be no need to reinstall existing deployments. In the meantime, users are advised to run the test suites only on non-shared systems or under operating system user accounts dedicated to the task of running test suites. 

This vulnerability arises from the test scripts' use of "initdb" to create a PostgreSQL database cluster permitting local "trust" authentication. User-crafted workflows doing the same will exhibit the same vulnerability. We recommend studying automated usage of initdb in your own software. If a procedure in question could run on a system shared with untrusted users, follow the same precautions around that procedure as for the PostgreSQL test suites. The fix for PostgreSQL itself will establish a secure pattern for automating initdb, which you can later adopt. 

On Unix-like platforms the attacker needs to be able to reach the server's socket file, so the risk depends on where the platform places the socket file and whether there are filesystem permissions protections in place. On Windows, the server opens a locally-accessible TCP socket, so there is no possibility of ameliorating the risk through filesystem permissions. 

The changes required to make this situation safer are expected to be somewhat invasive and might break user-crafted testing workflows. Therefore, the PostgreSQL project will not actually be supplying a fix on 20-Feb, merely announcing that there is a problem and recommending that users not use "make check" on machines shared with untrusted users. Suitable changes to the regression testing setup will subsequently be debated publicly and can be expected to be incorporated in future releases. 

The PostgreSQL project thanks Noah Misch for reporting this problem.

Comment 1 SMASH SMASH 2014-04-09 13:05:11 UTC
Affected packages:

SLE-9-SP3-TERADATA: postgresql
SLE-11-SP3: postgresql91, postgresql
SLE-10-SP3-TERADATA: postgresql
Comment 2 Swamp Workflow Management 2014-04-09 22:00:22 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2015-01-14 15:42:08 UTC
wontfix perhaps?
Comment 4 Reinhard Max 2015-01-14 16:25:51 UTC
Upstream has meanwhile released two more rounds of patchlevel updates that fix this, but we haven't adopted them yet, because they seem to address no other security issues.
Comment 5 Reinhard Max 2015-03-16 10:42:23 UTC
The fix for this was contained in the Feb. 2015 round of updates.
Comment 6 Johannes Segitz 2015-03-24 10:47:56 UTC
(In reply to Reinhard Max from comment #5)
Then we can close this one.