SB2014033102 - Multiple vulnerabilities in PostgreSQL 




Published: March 31, 2014 Updated: September 24, 2020

Security Bulletin ID SB2014033102
Severity Low
Patch available YES
Number of vulnerabilities 8
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 8 security vulnerabilities.


1) Input validation error (CVE-ID: CVE-2014-2669)

The vulnerability allows a remote authenticated user to read and manipulate data.

Multiple integer overflows in contrib/hstore/hstore_io.c in PostgreSQL 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact via vectors related to the (1) hstore_recv, (2) hstore_from_arrays, and (3) hstore_from_array functions in contrib/hstore/hstore_io.c; and the (4) hstoreArrayToPairs function in contrib/hstore/hstore_op.c, which triggers a buffer overflow. NOTE: this issue was SPLIT from CVE-2014-0064 because it has a different set of affected versions.


2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2014-0061)

The vulnerability allows a remote authenticated user to read and manipulate data.

The validator functions for the procedural languages (PLs) in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to gain privileges via a function that is (1) defined in another language or (2) not allowed to be directly called by the user due to permissions.


3) Race condition (CVE-ID: CVE-2014-0062)

The vulnerability allows a remote authenticated user to read and manipulate data.

Race condition in the (1) CREATE INDEX and (2) unspecified ALTER TABLE commands in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allows remote authenticated users to create an unauthorized index or read portions of unauthorized tables by creating or deleting a table with the same name during the timing window.


4) Stack-based buffer overflow (CVE-ID: CVE-2014-0063)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing vectors related to an incorrect MAXDATELEN constant and datetime values involving (1) intervals, (2) timestamps, or (3) timezones, a different vulnerability than CVE-2014-0065. A remote unauthenticated attacker can trigger a stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


5) Input validation error (CVE-ID: CVE-2014-0064)

The vulnerability allows a remote authenticated user to read and manipulate data.

Multiple integer overflows in the path_in and other unspecified functions in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, which trigger a buffer overflow. NOTE: this identifier has been SPLIT due to different affected versions; use CVE-2014-2669 for the hstore vector.


6) Buffer overflow (CVE-ID: CVE-2014-0065)

The vulnerability allows a remote authenticated user to read and manipulate data.

Multiple buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, a different vulnerability than CVE-2014-0063.


7) NULL pointer dereference (CVE-ID: CVE-2014-0066)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trigger denial of service conditions via unspecified vectors.


8) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2014-0060)

The vulnerability allows a remote authenticated user to manipulate data.

PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly enforce the ADMIN OPTION restriction, which allows remote authenticated members of a role to add or remove arbitrary users to that role by calling the SET ROLE command before the associated GRANT command.


Remediation

Install the update from the vendor's website.
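
To find which servers still need the update, the version ranges stated in the entries above can be checked against an inventory. The following is an added example, not part of the original bulletin; the hostnames and version strings are constructed, and CVE-2014-0063 and CVE-2014-0066 are left out because their entries give no version range.

```python
import re

# Fixed minor release per branch, taken from the version ranges in this bulletin.
FIXED = {(8, 4): 20, (9, 0): 16, (9, 1): 12, (9, 2): 7, (9, 3): 3}
# CVEs whose range reads "before 8.4.20, 9.0.x before 9.0.16, ... 9.3.x before 9.3.3".
GENERAL = ["CVE-2014-0060", "CVE-2014-0061", "CVE-2014-0062",
           "CVE-2014-0064", "CVE-2014-0065"]
# CVE-2014-2669 (hstore) is listed for the 9.0.x to 9.3.x branches only.
HSTORE = "CVE-2014-2669"
HSTORE_BRANCHES = {(9, 0), (9, 1), (9, 2), (9, 3)}

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Extract (major, minor, patch) from a bare version or SELECT version() output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no PostgreSQL version found in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def affected_cves(text):
    """Return the CVEs from this bulletin whose stated range covers the version."""
    major, minor, patch = version = parse_version(text)
    branch = (major, minor)
    if branch in FIXED:
        below_fix = patch < FIXED[branch]
    else:
        # "before 8.4.20" also covers older branches; newer branches are not listed.
        below_fix = version < (8, 4, 20)
    cves = list(GENERAL) if below_fix else []
    if below_fix and branch in HSTORE_BRANCHES:
        cves.append(HSTORE)
    return sorted(cves)


# Constructed inventory: hostnames and version strings are made up for the example.
INVENTORY = {
    "db-a": "PostgreSQL 9.1.11 on x86_64-unknown-linux-gnu, compiled by gcc 4.4.7",
    "db-b": "9.3.3",
    "db-c": "PostgreSQL 8.4.19 on i686-pc-linux-gnu",
    "db-d": "9.4.1",
}

if __name__ == "__main__":
    for host, banner in INVENTORY.items():
        hits = affected_cves(banner)
        print(f"{host}: {parse_version(banner)} -> {', '.join(hits) or 'not in listed ranges'}")
```

An empty result means only that the version falls outside the ranges quoted in this bulletin.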