From 7b1fab3fd2e17063fb1ec98e8ff5512a6b3da9b6 Mon Sep 17 00:00:00 2001
From: Tom Lane
Date: Mon, 17 Feb 2014 14:25:34 -0500
Subject: [PATCH] Last-minute updates for release notes.

Add entries for security issues.

Security: CVE-2014-0060 through CVE-2014-0067
---
 doc/src/sgml/release-8.4.sgml | 139 +++++++++++++++++++++
 doc/src/sgml/release-9.0.sgml | 139 +++++++++++++++++++++
 doc/src/sgml/release-9.1.sgml | 139 +++++++++++++++++++++
 doc/src/sgml/release-9.2.sgml | 139 +++++++++++++++++++++
 doc/src/sgml/release-9.3.sgml | 219 ++++++++++++++++++++++++++++++++++
 5 files changed, 775 insertions(+)

diff --git a/doc/src/sgml/release-8.4.sgml b/doc/src/sgml/release-8.4.sgml
index f6accba6cd..c3226d340e 100644
--- a/doc/src/sgml/release-8.4.sgml
+++ b/doc/src/sgml/release-8.4.sgml
@@ -40,6 +40,145 @@ + + + Shore up GRANT ... WITH ADMIN OPTION restrictions + (Noah Misch) + + + + Granting a role without ADMIN OPTION is supposed to + prevent the grantee from adding or removing members from the granted + role, but this restriction was easily bypassed by doing SET + ROLE first. The security impact is mostly that a role member can + revoke the access of others, contrary to the wishes of his grantor. + Unapproved role member additions are a lesser concern, since an + uncooperative role member could provide most of his rights to others + anyway by creating views or SECURITY DEFINER functions. + (CVE-2014-0060) + + + + + + Prevent privilege escalation via manual calls to PL validator + functions (Andres Freund) + + + + The primary role of PL validator functions is to be called implicitly + during CREATE FUNCTION, but they are also normal SQL + functions that a user can call explicitly. Calling a validator on + a function actually written in some other language was not checked + for and could be exploited for privilege-escalation purposes. + The fix involves adding a call to a privilege-checking function in + each validator function. Non-core procedural languages will also + need to make this change to their own validator functions, if any. + (CVE-2014-0061) + + + + + + Avoid multiple name lookups during table and index DDL + (Robert Haas, Andres Freund) + + + + If the name lookups come to different conclusions due to concurrent + activity, we might perform some parts of the DDL on a different table + than other parts. At least in the case of CREATE INDEX, + this can be used to cause the permissions checks to be performed + against a different table than the index creation, allowing for a + privilege escalation attack. + (CVE-2014-0062) + + + + + + Prevent buffer overrun with long datetime strings (Noah Misch) + + + + The MAXDATELEN constant was too small for the longest + possible value of type interval, allowing a buffer overrun + in interval_out(). 
Although the datetime input + functions were more careful about avoiding buffer overrun, the limit + was short enough to cause them to reject some valid inputs, such as + input containing a very long timezone name. The ecpg + library contained these vulnerabilities along with some of its own. + (CVE-2014-0063) + + + + + + Prevent buffer overrun due to integer overflow in size calculations + (Noah Misch, Heikki Linnakangas) + + + + Several functions, mostly type input functions, calculated an + allocation size without checking for overflow. If overflow did + occur, a too-small buffer would be allocated and then written past. + (CVE-2014-0064) + + + + + + Prevent overruns of fixed-size buffers + (Peter Eisentraut, Jozef Mlich) + + + + Use strlcpy() and related functions to provide a clear + guarantee that fixed-size buffers are not overrun. Unlike the + preceding items, it is unclear whether these cases really represent + live issues, since in most cases there appear to be previous + constraints on the size of the input string. Nonetheless it seems + prudent to silence all Coverity warnings of this type. + (CVE-2014-0065) + + + + + + Avoid crashing if crypt() returns NULL (Honza Horak, + Bruce Momjian) + + + + There are relatively few scenarios in which crypt() + could return NULL, but contrib/chkpass would crash + if it did. One practical case in which this could be an issue is + if libc is configured to refuse to execute unapproved + hashing algorithms (e.g., FIPS mode). + (CVE-2014-0066) + + + + + + Document risks of make check in the regression testing + instructions (Noah Misch, Tom Lane) + + + + Since the temporary server started by make check + uses trust authentication, another user on the same machine + could connect to it as database superuser, and then potentially + exploit the privileges of the operating-system user who started the + tests. 
A future release will probably incorporate changes in the + testing procedure to prevent this risk, but some public discussion is + needed first. So for the moment, just warn people against using + make check when there are untrusted users on the + same machine. + (CVE-2014-0067) + + + Fix possible mis-replay of WAL records when some segments of a diff --git a/doc/src/sgml/release-9.0.sgml b/doc/src/sgml/release-9.0.sgml index 8d75f8b16a..81897ae837 100644 --- a/doc/src/sgml/release-9.0.sgml +++ b/doc/src/sgml/release-9.0.sgml 
@@ -34,6 +34,145 @@ + + + Shore up GRANT ... WITH ADMIN OPTION restrictions + (Noah Misch) + + + + Granting a role without ADMIN OPTION is supposed to + prevent the grantee from adding or removing members from the granted + role, but this restriction was easily bypassed by doing SET + ROLE first. The security impact is mostly that a role member can + revoke the access of others, contrary to the wishes of his grantor. + Unapproved role member additions are a lesser concern, since an + uncooperative role member could provide most of his rights to others + anyway by creating views or SECURITY DEFINER functions. + (CVE-2014-0060) + + + + + + Prevent privilege escalation via manual calls to PL validator + functions (Andres Freund) + + + + The primary role of PL validator functions is to be called implicitly + during CREATE FUNCTION, but they are also normal SQL + functions that a user can call explicitly. Calling a validator on + a function actually written in some other language was not checked + for and could be exploited for privilege-escalation purposes. + The fix involves adding a call to a privilege-checking function in + each validator function. Non-core procedural languages will also + need to make this change to their own validator functions, if any. + (CVE-2014-0061) + + + + + + Avoid multiple name lookups during table and index DDL + (Robert Haas, Andres Freund) + + + + If the name lookups come to different conclusions due to concurrent + activity, we might perform some parts of the DDL on a different table + than other parts. At least in the case of CREATE INDEX, + this can be used to cause the permissions checks to be performed + against a different table than the index creation, allowing for a + privilege escalation attack. + (CVE-2014-0062) + + + + + + Prevent buffer overrun with long datetime strings (Noah Misch) + + + + The MAXDATELEN constant was too small for the longest + possible value of type interval, allowing a buffer overrun + in interval_out(). 
Although the datetime input + functions were more careful about avoiding buffer overrun, the limit + was short enough to cause them to reject some valid inputs, such as + input containing a very long timezone name. The ecpg + library contained these vulnerabilities along with some of its own. + (CVE-2014-0063) + + + + + + Prevent buffer overrun due to integer overflow in size calculations + (Noah Misch, Heikki Linnakangas) + + + + Several functions, mostly type input functions, calculated an + allocation size without checking for overflow. If overflow did + occur, a too-small buffer would be allocated and then written past. + (CVE-2014-0064) + + + + + + Prevent overruns of fixed-size buffers + (Peter Eisentraut, Jozef Mlich) + + + + Use strlcpy() and related functions to provide a clear + guarantee that fixed-size buffers are not overrun. Unlike the + preceding items, it is unclear whether these cases really represent + live issues, since in most cases there appear to be previous + constraints on the size of the input string. Nonetheless it seems + prudent to silence all Coverity warnings of this type. + (CVE-2014-0065) + + + + + + Avoid crashing if crypt() returns NULL (Honza Horak, + Bruce Momjian) + + + + There are relatively few scenarios in which crypt() + could return NULL, but contrib/chkpass would crash + if it did. One practical case in which this could be an issue is + if libc is configured to refuse to execute unapproved + hashing algorithms (e.g., FIPS mode). + (CVE-2014-0066) + + + + + + Document risks of make check in the regression testing + instructions (Noah Misch, Tom Lane) + + + + Since the temporary server started by make check + uses trust authentication, another user on the same machine + could connect to it as database superuser, and then potentially + exploit the privileges of the operating-system user who started the + tests. 
A future release will probably incorporate changes in the + testing procedure to prevent this risk, but some public discussion is + needed first. So for the moment, just warn people against using + make check when there are untrusted users on the + same machine. + (CVE-2014-0067) + + + Fix possible mis-replay of WAL records when some segments of a diff --git a/doc/src/sgml/release-9.1.sgml b/doc/src/sgml/release-9.1.sgml index 310e7e2858..05724cc82b 100644 --- a/doc/src/sgml/release-9.1.sgml +++ b/doc/src/sgml/release-9.1.sgml 
@@ -34,6 +34,145 @@ + + + Shore up GRANT ... WITH ADMIN OPTION restrictions + (Noah Misch) + + + + Granting a role without ADMIN OPTION is supposed to + prevent the grantee from adding or removing members from the granted + role, but this restriction was easily bypassed by doing SET + ROLE first. The security impact is mostly that a role member can + revoke the access of others, contrary to the wishes of his grantor. + Unapproved role member additions are a lesser concern, since an + uncooperative role member could provide most of his rights to others + anyway by creating views or SECURITY DEFINER functions. + (CVE-2014-0060) + + + + + + Prevent privilege escalation via manual calls to PL validator + functions (Andres Freund) + + + + The primary role of PL validator functions is to be called implicitly + during CREATE FUNCTION, but they are also normal SQL + functions that a user can call explicitly. Calling a validator on + a function actually written in some other language was not checked + for and could be exploited for privilege-escalation purposes. + The fix involves adding a call to a privilege-checking function in + each validator function. Non-core procedural languages will also + need to make this change to their own validator functions, if any. + (CVE-2014-0061) + + + + + + Avoid multiple name lookups during table and index DDL + (Robert Haas, Andres Freund) + + + + If the name lookups come to different conclusions due to concurrent + activity, we might perform some parts of the DDL on a different table + than other parts. At least in the case of CREATE INDEX, + this can be used to cause the permissions checks to be performed + against a different table than the index creation, allowing for a + privilege escalation attack. + (CVE-2014-0062) + + + + + + Prevent buffer overrun with long datetime strings (Noah Misch) + + + + The MAXDATELEN constant was too small for the longest + possible value of type interval, allowing a buffer overrun + in interval_out(). 
Although the datetime input + functions were more careful about avoiding buffer overrun, the limit + was short enough to cause them to reject some valid inputs, such as + input containing a very long timezone name. The ecpg + library contained these vulnerabilities along with some of its own. + (CVE-2014-0063) + + + + + + Prevent buffer overrun due to integer overflow in size calculations + (Noah Misch, Heikki Linnakangas) + + + + Several functions, mostly type input functions, calculated an + allocation size without checking for overflow. If overflow did + occur, a too-small buffer would be allocated and then written past. + (CVE-2014-0064) + + + + + + Prevent overruns of fixed-size buffers + (Peter Eisentraut, Jozef Mlich) + + + + Use strlcpy() and related functions to provide a clear + guarantee that fixed-size buffers are not overrun. Unlike the + preceding items, it is unclear whether these cases really represent + live issues, since in most cases there appear to be previous + constraints on the size of the input string. Nonetheless it seems + prudent to silence all Coverity warnings of this type. + (CVE-2014-0065) + + + + + + Avoid crashing if crypt() returns NULL (Honza Horak, + Bruce Momjian) + + + + There are relatively few scenarios in which crypt() + could return NULL, but contrib/chkpass would crash + if it did. One practical case in which this could be an issue is + if libc is configured to refuse to execute unapproved + hashing algorithms (e.g., FIPS mode). + (CVE-2014-0066) + + + + + + Document risks of make check in the regression testing + instructions (Noah Misch, Tom Lane) + + + + Since the temporary server started by make check + uses trust authentication, another user on the same machine + could connect to it as database superuser, and then potentially + exploit the privileges of the operating-system user who started the + tests. 
A future release will probably incorporate changes in the + testing procedure to prevent this risk, but some public discussion is + needed first. So for the moment, just warn people against using + make check when there are untrusted users on the + same machine. + (CVE-2014-0067) + + + Fix possible mis-replay of WAL records when some segments of a diff --git a/doc/src/sgml/release-9.2.sgml b/doc/src/sgml/release-9.2.sgml index 33e2a4e810..be35779779 100644 --- a/doc/src/sgml/release-9.2.sgml +++ b/doc/src/sgml/release-9.2.sgml 
@@ -34,6 +34,145 @@ + + + Shore up GRANT ... WITH ADMIN OPTION restrictions + (Noah Misch) + + + + Granting a role without ADMIN OPTION is supposed to + prevent the grantee from adding or removing members from the granted + role, but this restriction was easily bypassed by doing SET + ROLE first. The security impact is mostly that a role member can + revoke the access of others, contrary to the wishes of his grantor. + Unapproved role member additions are a lesser concern, since an + uncooperative role member could provide most of his rights to others + anyway by creating views or SECURITY DEFINER functions. + (CVE-2014-0060) + + + + + + Prevent privilege escalation via manual calls to PL validator + functions (Andres Freund) + + + + The primary role of PL validator functions is to be called implicitly + during CREATE FUNCTION, but they are also normal SQL + functions that a user can call explicitly. Calling a validator on + a function actually written in some other language was not checked + for and could be exploited for privilege-escalation purposes. + The fix involves adding a call to a privilege-checking function in + each validator function. Non-core procedural languages will also + need to make this change to their own validator functions, if any. + (CVE-2014-0061) + + + + + + Avoid multiple name lookups during table and index DDL + (Robert Haas, Andres Freund) + + + + If the name lookups come to different conclusions due to concurrent + activity, we might perform some parts of the DDL on a different table + than other parts. At least in the case of CREATE INDEX, + this can be used to cause the permissions checks to be performed + against a different table than the index creation, allowing for a + privilege escalation attack. + (CVE-2014-0062) + + + + + + Prevent buffer overrun with long datetime strings (Noah Misch) + + + + The MAXDATELEN constant was too small for the longest + possible value of type interval, allowing a buffer overrun + in interval_out(). 
Although the datetime input + functions were more careful about avoiding buffer overrun, the limit + was short enough to cause them to reject some valid inputs, such as + input containing a very long timezone name. The ecpg + library contained these vulnerabilities along with some of its own. + (CVE-2014-0063) + + + + + + Prevent buffer overrun due to integer overflow in size calculations + (Noah Misch, Heikki Linnakangas) + + + + Several functions, mostly type input functions, calculated an + allocation size without checking for overflow. If overflow did + occur, a too-small buffer would be allocated and then written past. + (CVE-2014-0064) + + + + + + Prevent overruns of fixed-size buffers + (Peter Eisentraut, Jozef Mlich) + + + + Use strlcpy() and related functions to provide a clear + guarantee that fixed-size buffers are not overrun. Unlike the + preceding items, it is unclear whether these cases really represent + live issues, since in most cases there appear to be previous + constraints on the size of the input string. Nonetheless it seems + prudent to silence all Coverity warnings of this type. + (CVE-2014-0065) + + + + + + Avoid crashing if crypt() returns NULL (Honza Horak, + Bruce Momjian) + + + + There are relatively few scenarios in which crypt() + could return NULL, but contrib/chkpass would crash + if it did. One practical case in which this could be an issue is + if libc is configured to refuse to execute unapproved + hashing algorithms (e.g., FIPS mode). + (CVE-2014-0066) + + + + + + Document risks of make check in the regression testing + instructions (Noah Misch, Tom Lane) + + + + Since the temporary server started by make check + uses trust authentication, another user on the same machine + could connect to it as database superuser, and then potentially + exploit the privileges of the operating-system user who started the + tests. 
A future release will probably incorporate changes in the + testing procedure to prevent this risk, but some public discussion is + needed first. So for the moment, just warn people against using + make check when there are untrusted users on the + same machine. + (CVE-2014-0067) + + + Fix possible mis-replay of WAL records when some segments of a diff --git a/doc/src/sgml/release-9.3.sgml b/doc/src/sgml/release-9.3.sgml index 11e429bb65..5538707a09 100644 --- a/doc/src/sgml/release-9.3.sgml +++ b/doc/src/sgml/release-9.3.sgml 
@@ -51,6 +51,225 @@ + + + + + Shore up GRANT ... WITH ADMIN OPTION restrictions + (Noah Misch) + + + + Granting a role without ADMIN OPTION is supposed to + prevent the grantee from adding or removing members from the granted + role, but this restriction was easily bypassed by doing SET + ROLE first. The security impact is mostly that a role member can + revoke the access of others, contrary to the wishes of his grantor. + Unapproved role member additions are a lesser concern, since an + uncooperative role member could provide most of his rights to others + anyway by creating views or SECURITY DEFINER functions. + (CVE-2014-0060) + + + + + + + + Prevent privilege escalation via manual calls to PL validator + functions (Andres Freund) + + + + The primary role of PL validator functions is to be called implicitly + during CREATE FUNCTION, but they are also normal SQL + functions that a user can call explicitly. Calling a validator on + a function actually written in some other language was not checked + for and could be exploited for privilege-escalation purposes. + The fix involves adding a call to a privilege-checking function in + each validator function. Non-core procedural languages will also + need to make this change to their own validator functions, if any. + (CVE-2014-0061) + + + + + + + + Avoid multiple name lookups during table and index DDL + (Robert Haas, Andres Freund) + + + + If the name lookups come to different conclusions due to concurrent + activity, we might perform some parts of the DDL on a different table + than other parts. At least in the case of CREATE INDEX, + this can be used to cause the permissions checks to be performed + against a different table than the index creation, allowing for a + privilege escalation attack. 
+ (CVE-2014-0062) + + + + + + + + Prevent buffer overrun with long datetime strings (Noah Misch) + + + + The MAXDATELEN constant was too small for the longest + possible value of type interval, allowing a buffer overrun + in interval_out(). Although the datetime input + functions were more careful about avoiding buffer overrun, the limit + was short enough to cause them to reject some valid inputs, such as + input containing a very long timezone name. The ecpg + library contained these vulnerabilities along with some of its own. + (CVE-2014-0063) + + + + + + + + Prevent buffer overrun due to integer overflow in size calculations + (Noah Misch, Heikki Linnakangas) + + + + Several functions, mostly type input functions, calculated an + allocation size without checking for overflow. If overflow did + occur, a too-small buffer would be allocated and then written past. + (CVE-2014-0064) + + + + + + + + Prevent overruns of fixed-size buffers + (Peter Eisentraut, Jozef Mlich) + + + + Use strlcpy() and related functions to provide a clear + guarantee that fixed-size buffers are not overrun. Unlike the + preceding items, it is unclear whether these cases really represent + live issues, since in most cases there appear to be previous + constraints on the size of the input string. Nonetheless it seems + prudent to silence all Coverity warnings of this type. + (CVE-2014-0065) + + + + + + + + Avoid crashing if crypt() returns NULL (Honza Horak, + Bruce Momjian) + + + + There are relatively few scenarios in which crypt() + could return NULL, but contrib/chkpass would crash + if it did. One practical case in which this could be an issue is + if libc is configured to refuse to execute unapproved + hashing algorithms (e.g., FIPS mode). 
+ (CVE-2014-0066) + + + + + + + + Document risks of make check in the regression testing + instructions (Noah Misch, Tom Lane) + + + + Since the temporary server started by make check + uses trust authentication, another user on the same machine + could connect to it as database superuser, and then potentially + exploit the privileges of the operating-system user who started the + tests. A future release will probably incorporate changes in the + testing procedure to prevent this risk, but some public discussion is + needed first. So for the moment, just warn people against using + make check when there are untrusted users on the + same machine. + (CVE-2014-0067) + + +
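Review bot: the release-9.3.sgml hunk adds 219 lines for the same eight entries that take 139 lines in each of the 8.4, 9.0, 9.1 and 9.2 hunks, and the only visible difference in the rendered text is extra blank `+` lines between items. Please confirm the extra 80 lines are intended markup rather than stray whitespace, and that the entry wording is byte-identical across all five files so the back-branch notes do not drift from 9.3.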
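Review bot: the CVE-2014-0061 entry in every hunk tells non-core procedural language authors they "will also need to make this change to their own validator functions" but describes the fix only as "a call to a privilege-checking function" without naming it. Since this line is the only notice PL maintainers get, name the function the core validators now call (and the branches it exists in) so an extension author can act on the note without reading the commit.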
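Review bot: the CVE-2014-0062 entry in every hunk says "At least in the case of CREATE INDEX, this can be used to cause the permissions checks to be performed against a different table", which leaves a reader unsure whether other table and index DDL was found exploitable or merely hardened; the item title covers "table and index DDL" generally. One sentence stating that CREATE INDEX is the known exploitable case and the other paths were fixed as a precaution (if that is the situation) would make the scope of the vulnerability clear.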
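Review bot: the CVE-2014-0067 entry in every hunk says "just warn people against using make check when there are untrusted users on the same machine" but does not point at where that warning lives; since the item is titled "Document risks of make check in the regression testing instructions", add a link to the regression-testing section that received the new text so readers of the release notes can find the actual guidance. As a style point in the CVE-2014-0060 entry, "his grantor" and "most of his rights" could read "the grantor's wishes" and "most of their rights", matching the gender-neutral wording used elsewhere in these notes.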