Bugzilla – Bug 872783
VUL-1: CVE-2014-0067: postgresql91,postgresql: Vulnerability during "make check"
Last modified: 2016-04-27 20:16:32 UTC
CVE-2014-0067 http://wiki.postgresql.org/wiki/20140220securityrelease The PostgreSQL Global Development Group security team has discovered a vulnerability in the scripts that orchestrate PostgreSQL test suites that validate the functionality of the PostgreSQL binaries. While a test suite is running, a user with interactive access to the system can hijack the operating system user account running the suite. Only users who run "make check" on a system they share with untrusted users are at risk. A future set of update releases will fix this vulnerability, though there will be no need to reinstall existing deployments. In the meantime, users are advised to run the test suites only on non-shared systems or under operating system user accounts dedicated to the task of running test suites. This vulnerability arises from the test scripts' use of "initdb" to create a PostgreSQL database cluster permitting local "trust" authentication. User-crafted workflows doing the same will exhibit the same vulnerability. We recommend studying automated usage of initdb in your own software. If a procedure in question could run on a system shared with untrusted users, follow the same precautions around that procedure as for the PostgreSQL test suites. The fix for PostgreSQL itself will establish a secure pattern for automating initdb, which you can later adopt. On Unix-like platforms the attacker needs to be able to reach the server's socket file, so the risk depends on where the platform places the socket file and whether there are filesystem permissions protections in place. On Windows, the server opens a locally-accessible TCP socket, so there is no possibility of ameliorating the risk through filesystem permissions. The changes required to make this situation safer are expected to be somewhat invasive and might break user-crafted testing workflows. Therefore, the PostgreSQL project will not actually be supplying a fix on 20-Feb, merely announcing that there is a problem and recommending that users not use "make check" on machines shared with untrusted users. Suitable changes to the regression testing setup will subsequently be debated publicly and can be expected to be incorporated in future releases. The PostgreSQL project thanks Noah Misch for reporting this problem. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0067 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0067
Affected packages: SLE-9-SP3-TERADATA: postgresql SLE-11-SP3: postgresql91, postgresql SLE-10-SP3-TERADATA: postgresql
bugbot adjusting priority
wontfix perhaps?
Upstream has meanwhile released two more rounds of patchlevel updates that fix this, but we haven't adopted them yet, because they seem to address no other security issues.
The fix for this was contained in the Feb. 2015 round of updates.
(In reply to Reinhard Max from comment #5) Then we can close this one.