[Debian] High CVE: CVE-2024-0985 postgresql-13 execute arbitrary SQL functions as the command issuer

Bug #2054274 reported by Yue Tao
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Wentao Zhang
Milestone: (none)

Bug Description

CVE-2024-0985: https://nvd.nist.gov/vuln/detail/CVE-2024-0985

Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability.
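As an added example (not code from this bug, from the StarlingX change, or from the Debian package), the following Python checks a reported PostgreSQL server version and a `dpkg -l` style package listing against the fixed releases named in the CVE text above (15.6, 14.11, 13.14, 12.18, with 16.x stated not to be affected by the known exploit). The four package names and the patched Debian version come from the Reference list on this page; the sample dpkg output is constructed for the example, and parsing the first `major.minor` found in the string is a deliberate simplification (no full Debian version comparison).

```python
"""Flag PostgreSQL versions and Debian packages still affected by CVE-2024-0985.

Added example; not code from the bug, the StarlingX change or Debian.
Fixed minors per branch are taken from the CVE description on this page.
"""
import re

# First fixed minor release per major branch, as listed in the CVE text.
FIXED_MINOR = {12: 18, 13: 14, 14: 11, 15: 6}

# Branches older than 12 have no fixed release listed in the CVE text; this
# example treats them as unfixed (assumption, since they are end-of-life).
OLDEST_LISTED_MAJOR = 12

# Packages and patched version from the DSA-5622-1 upgrade referenced on this page.
AFFECTED_PACKAGES = ("libpq5", "libpq-dev", "postgresql-13", "postgresql-client-13")
PATCHED_PACKAGE_VERSION = "13.14-0+deb11u1"

# First "major.minor" in the string; works for "SHOW server_version" output,
# "SELECT version()" banners and Debian versions such as "13.13-0+deb11u1"
# (an epoch like "1:" is skipped because ':' is not a dot).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int]:
    """Return (major, minor) extracted from a version banner or package version."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no major.minor version found in {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(text: str) -> bool:
    """True if the version is below the first fixed release of its branch."""
    major, minor = parse_version(text)
    if major >= 16:
        # CVE text: the only known exploit does not work on 16 and later
        # (16.2 adds the same protections as defence in depth).
        return False
    if major < OLDEST_LISTED_MAJOR:
        return True  # assumption: unsupported branch with no fix listed
    return minor < FIXED_MINOR[major]


def packages_needing_upgrade(dpkg_output: str) -> list[str]:
    """Parse 'dpkg -l' style lines ('ii  name  version  arch  description') and
    return the affected packages whose upstream version is still below 13.14."""
    needs = []
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "ii":
            continue  # skip headers and packages that are not installed
        name, version = parts[1].split(":")[0], parts[2]  # drop ':amd64' suffix
        if name in AFFECTED_PACKAGES and is_vulnerable(version):
            needs.append(f"{name} {version} -> {PATCHED_PACKAGE_VERSION}")
    return needs


# Constructed sample: three packages still at 13.13, one already upgraded,
# one unrelated package that must be ignored.
SAMPLE_DPKG = """\
ii  libpq5:amd64          13.13-0+deb11u1  amd64  PostgreSQL C client library
ii  libpq-dev             13.13-0+deb11u1  amd64  header files for libpq5
ii  postgresql-13         13.13-0+deb11u1  amd64  PostgreSQL server, version 13
ii  postgresql-client-13  13.14-0+deb11u1  amd64  front-end programs for PostgreSQL 13
ii  python3-psycopg2      2.8.6-2          amd64  Python 3 module for PostgreSQL
"""

if __name__ == "__main__":
    banner = "PostgreSQL 13.13 (Debian 13.13-0+deb11u1) on x86_64-pc-linux-gnu, 64-bit"
    print("server vulnerable:", is_vulnerable(banner))
    for entry in packages_needing_upgrade(SAMPLE_DPKG):
        print("upgrade needed:", entry)
```

Feed it the banner from `SELECT version()` on the running server, not only the package list: a host can have the patched `.deb` installed while the postmaster still runs the old binary until it is restarted.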

Base Score: High

Reference:

Package upgrades (Debian 11, amd64):
- libpq5_13.13-0+deb11u1_amd64.deb -> libpq5_13.14-0+deb11u1_amd64.deb
- libpq-dev_13.13-0+deb11u1_amd64.deb -> libpq-dev_13.14-0+deb11u1_amd64.deb
- postgresql-13_13.13-0+deb11u1_amd64.deb -> postgresql-13_13.14-0+deb11u1_amd64.deb
- postgresql-client-13_13.13-0+deb11u1_amd64.deb -> postgresql-client-13_13.14-0+deb11u1_amd64.deb
https://security-tracker.debian.org/tracker/DSA-5622-1

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/910704

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/910704
Committed: https://opendev.org/starlingx/tools/commit/183e2959e80364f7f3d76a76e67697e9f15661e3
Submitter: "Zuul (22348)"
Branch: master

commit 183e2959e80364f7f3d76a76e67697e9f15661e3
Author: Wentao Zhang <email address hidden>
Date: Fri Mar 1 00:39:31 2024 -0800

    Debian: postgresql-13: fix CVE-2024-0985

    Upgrade libpq5 to 13.14-0+deb11u1
    Upgrade libpq-dev to 13.14-0+deb11u1
    Upgrade postgresql-13 to 13.14-0+deb11u1
    Upgrade postgresql-client-13 to 13.14-0+deb11u1

    Refer to:
    https://nvd.nist.gov/vuln/detail/CVE-2024-0985
    https://security-tracker.debian.org/tracker/DSA-5622-1

    TestPlan:
    PASS: downloader; build-pkgs; build-image
    PASS: Jenkins Installation

    Closes-Bug: 2054274

    Change-Id: I194a78d1e1371b6550a1fc755f296251f417f016
    Signed-off-by: Wentao Zhang <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: nobody → Wentao Zhang (wzhang4)