SB2024112281 - openEuler 22.03 LTS SP1 update for libpq

Description

This security bulletin contains information about 10 secuirty vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2023-5868)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in the aggregate function calls when handling "unknown"-type arguments. A remote user can read parts of system memory.

2) Integer overflow (CVE-ID: CVE-2023-5869)

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow in array modification. A remote user can pass specially crafted data to the application, trigger an integer overflow and execute arbitrary code on the target system.

3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-5870)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to pg_cancel_backend rolse signals background workers, including the logical replication launcher, autovacuum workers and the autovacuum launcher. A remote privileged user can abuse this behavior and perform a denial of service (DoS) attack.

4) Improper Privilege Management (CVE-ID: CVE-2024-0985)

The vulnerability allows a remote user to escalate privileges within the database.

The vulnerability exists due to late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY. A remote user who is an object creator can execute arbitrary SQL functions as the command issuer.

5) Improper privilege management (CVE-ID: CVE-2024-10976)

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to improper privilege management in cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. A remote user can bypass implemented security restrictions and gain unauthorized access to the database in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles.

6) Man-in-the-Middle (MitM) attack (CVE-ID: CVE-2024-10977)

The vulnerability allows a remote attacker to spoof error messages from the database.

The vulnerability exists due to an error in libpq, which allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq application. A remote attacker can perform a man-in-the-middle attack to send a long error message that a human or screen-scraper user of psql mistakes for valid query results.

7) Incorrect privilege assignment (CVE-ID: CVE-2024-10978)

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists due to incorrect privilege assignment when application uses SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. A remote user can force the application to reset their role to a wrong user ID and view or change different rows from those intended.

8) Improper authorization (CVE-ID: CVE-2024-10979)

The vulnerability allows a remote user to compromise the affected system.

The vulnerability exists due to incorrect control of environment variables. A remote unprivileged database user can change sensitive process environment variables (e.g. PATH) and execute arbitrary code on the database server.

9) Security features bypass (CVE-ID: CVE-2023-2455)

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to incomplete fix for #VU40402 (CVE-2016-2193) that did not anticipate a scenario involving function inlining. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications.

This affects only databases that have used CREATE POLICY to define a row security policy.

10) Security Features (CVE-ID: CVE-2016-2193)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

PostgreSQL before 9.5.x before 9.5.2 does not properly maintain row-security status in cached plans, which might allow attackers to bypass intended access restrictions by leveraging a session that performs queries as more than one role.

Remediation

Install update from vendor's website.

References

• https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-2428