postgresql-8.4 8.4.20-0ubuntu0.12.04 source package in Ubuntu


postgresql-8.4 (8.4.20-0ubuntu0.12.04) precise-security; urgency=medium

  * New upstream security/bugfix release. (LP: #1282677)
    - Shore up GRANT ... WITH ADMIN OPTION restrictions.
      Granting a role without ADMIN OPTION is supposed to prevent the grantee
      from adding or removing members from the granted role, but this
      restriction was easily bypassed by doing SET ROLE first. The security
      impact is mostly that a role member can revoke the access of others,
      contrary to the wishes of his grantor. Unapproved role member additions
      are a lesser concern, since an uncooperative role member could provide
      most of his rights to others anyway by creating views or SECURITY
      DEFINER functions. (CVE-2014-0060)
    - Prevent privilege escalation via manual calls to PL validator functions.
      The primary role of PL validator functions is to be called implicitly
      during CREATE FUNCTION, but they are also normal SQL functions that a
      user can call explicitly. Calling a validator on a function actually
      written in some other language was not checked for and could be
      exploited for privilege-escalation purposes. The fix involves adding a
      call to a privilege-checking function in each validator function.
      Non-core procedural languages will also need to make this change to
      their own validator functions, if any. (CVE-2014-0061)
    - Avoid multiple name lookups during table and index DDL.
      If the name lookups come to different conclusions due to concurrent
      activity, we might perform some parts of the DDL on a different table
      than other parts. At least in the case of CREATE INDEX, this can be used
      to cause the permissions checks to be performed against a different
      table than the index creation, allowing for a privilege escalation
      attack. (CVE-2014-0062)
    - Prevent buffer overrun with long datetime strings.
      The MAXDATELEN constant was too small for the longest possible value of
      type interval, allowing a buffer overrun in interval_out(). Although the
      datetime input functions were more careful about avoiding buffer
      overrun, the limit was short enough to cause them to reject some valid
      inputs, such as input containing a very long timezone name. The ecpg
      library contained these vulnerabilities along with some of its own.
    - Prevent buffer overrun due to integer overflow in size calculations.
      Several functions, mostly type input functions, calculated an allocation
      size without checking for overflow. If overflow did occur, a too-small
      buffer would be allocated and then written past. (CVE-2014-0064)
    - Prevent overruns of fixed-size buffers.
      Use strlcpy() and related functions to provide a clear guarantee that
      fixed-size buffers are not overrun. Unlike the preceding items, it is
      unclear whether these cases really represent live issues, since in most
      cases there appear to be previous constraints on the size of the input
      string. Nonetheless it seems prudent to silence all Coverity warnings of
      this type. (CVE-2014-0065)
    - Avoid crashing if crypt() returns NULL.
      There are relatively few scenarios in which crypt() could return NULL,
      but contrib/chkpass would crash if it did. One practical case in which
      this could be an issue is if libc is configured to refuse to execute
      unapproved hashing algorithms (e.g., "FIPS mode"). (CVE-2014-0066)
    - Document risks of make check in the regression testing instructions.
      Since the temporary server started by make check uses "trust"
      authentication, another user on the same machine could connect to it as
      database superuser, and then potentially exploit the privileges of the
      operating-system user who started the tests. A future release will
      probably incorporate changes in the testing procedure to prevent this
      risk, but some public discussion is needed first. So for the moment,
      just warn people against using make check when there are untrusted users
      on the same machine. (CVE-2014-0067)
  * The upstream tarballs no longer contain a plain HISTORY file, but point to
    the html documentation. Add 70-history.patch to note the location of these
    files in our changelog.gz file.
 -- Martin Pitt <email address hidden>   Thu, 20 Feb 2014 13:15:23 -0800
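The two buffer-overrun items above (the unchecked size calculations behind CVE-2014-0064 and the move to strlcpy() and friends for CVE-2014-0065) come down to two idioms. The following is an added illustration written for this page, not code from PostgreSQL or from this upload: `unchecked_size()` reproduces the wrapping arithmetic that hands back a too-small buffer, `checked_size()` is the hardened form that refuses the request instead, `parse_elem_list()` is a constructed stand-in for a type input function that sizes its buffer through the checked helper, and `bounded_copy()` is a local strlcpy()-style copy whose return value lets the caller detect truncation. `Elem`, `ALLOC_LIMIT` and all function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-width element type (assumption for this example). */
typedef int32_t Elem;

/* Constructed allocation ceiling: 1 GiB. */
#define ALLOC_LIMIT ((size_t)1 << 30)

/* The unchecked pattern: the byte count is computed in 32-bit
 * arithmetic, so a large element count wraps to a small number and
 * a too-small buffer would be allocated. Kept only to show the wrap. */
uint32_t unchecked_size(uint32_t nelems)
{
    return nelems * (uint32_t)sizeof(Elem);
}

/* The hardened pattern: refuse the request when nelems * elsize would
 * exceed the ceiling (or wrap) rather than letting the product overflow.
 * Returns true and stores the byte count only when it is safe. */
bool checked_size(size_t nelems, size_t elsize, size_t limit, size_t *out)
{
    if (elsize != 0 && nelems > limit / elsize)
        return false;           /* would overflow or exceed the ceiling */
    *out = nelems * elsize;
    return true;
}

/* A small type-input style routine: parse "1,2,3" into a freshly
 * allocated array, sizing the buffer with checked_size(). Returns NULL
 * on malformed input or when the size calculation is refused. */
Elem *parse_elem_list(const char *text, size_t *count)
{
    size_t n = 1;                       /* one element per comma, plus one */
    for (const char *p = text; *p; p++)
        if (*p == ',')
            n++;

    size_t bytes;
    if (!checked_size(n, sizeof(Elem), ALLOC_LIMIT, &bytes))
        return NULL;

    Elem *out = malloc(bytes);
    if (!out)
        return NULL;

    size_t i = 0;
    const char *p = text;
    while (i < n) {
        char *end;
        long v = strtol(p, &end, 10);
        if (end == p || (*end != ',' && *end != '\0')) {
            free(out);                  /* empty or non-numeric field */
            return NULL;
        }
        out[i++] = (Elem)v;
        p = (*end == ',') ? end + 1 : end;
    }
    *count = n;
    return out;
}

/* Bounded copy with strlcpy() semantics (own implementation so it builds
 * where libc lacks strlcpy): always NUL-terminates when dstsize > 0 and
 * returns strlen(src), so a result >= dstsize signals truncation. */
size_t bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t srclen = strlen(src);
    if (dstsize > 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

int main(void)
{
    /* 0x40000001 elements of 4 bytes wraps to 4 bytes in 32-bit arithmetic */
    printf("unchecked: %u bytes\n", unchecked_size(0x40000001u));

    size_t bytes;
    printf("checked: %s\n",
           checked_size(0x40000001u, sizeof(Elem), ALLOC_LIMIT, &bytes)
               ? "accepted" : "refused");

    size_t count;
    Elem *vals = parse_elem_list("10,20,30", &count);
    if (vals) {
        printf("parsed %zu elements, last=%d\n", count, vals[count - 1]);
        free(vals);
    }

    /* Constructed input longer than the 8-byte destination */
    char buf[8];
    size_t need = bounded_copy(buf, sizeof buf, "Thu, 20 Feb 2014 13:15:23");
    printf("copied \"%s\" (needed %zu, truncated=%d)\n",
           buf, need, need >= sizeof buf);
    return 0;
}
```

The division check in `checked_size()` is the portable way to test a size product without relying on wrap-around, and returning an error rather than a smaller buffer is what turns a silent memory-safety bug into a rejected input.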

Upload details

Uploaded by: Martin Pitt on 2014-02-22
Sponsored by: Marc Deslauriers
Uploaded to:
Original maintainer: Ubuntu Developers
Architectures: any all
Urgency: Medium

Publishing

Series   Pocket    Published    Component  Section
Precise  security  2014-02-24   universe   database


File                                           Size      SHA-256 Checksum
postgresql-8.4_8.4.20.orig.tar.gz              17.5 MiB  2c05da292dc8037e12e1b424213141609961a2be25395f36d3be3c3d0b4eaf29
postgresql-8.4_8.4.20-0ubuntu0.12.04.diff.gz   50.5 KiB  010f1637ca09d431f2151da7c8eb0cdcfc15a7f6e1cd9e54791e665e7e10ab41
postgresql-8.4_8.4.20-0ubuntu0.12.04.dsc       2.7 KiB   9654a12ba2d9238a755ee0a7a9f1d5afe1623e0d357d8a40c16c32b64d66e05c


Binary packages built by this source

postgresql-8.4: object-relational SQL database, version 8.4 server

 PostgreSQL is a fully featured object-relational database management
 system. It supports a large part of the SQL standard and is designed
 to be extensible by users in many aspects. Some of the features are:
 ACID transactions, foreign keys, views, sequences, subqueries,
 triggers, user-defined types and functions, outer joins, multiversion
 concurrency control. Graphical user interfaces and bindings for many
 programming languages are available as well.
 This package provides the database server for PostgreSQL 8.4. Servers
 for other major release versions can be installed simultaneously and
 are coordinated by the postgresql-common package. A package providing
 ident-server is needed if you want to authenticate remote connections
 with identd.

postgresql-client-8.4: front-end programs for PostgreSQL 8.4

 This package contains client and administrative programs for
 PostgreSQL: these are the interactive terminal client psql and
 programs for creating and removing users and databases.
 This is the client package for PostgreSQL 8.4. If you install
 PostgreSQL 8.4 on a standalone machine, you need the server package
 postgresql-8.4, too. On a network, you can install this package on
 many client machines, while the server package may be installed on
 only one machine.
 PostgreSQL is an object-relational SQL database management system.

postgresql-contrib-8.4: additional facilities for PostgreSQL

 The PostgreSQL contrib package provides several additional features
 for the PostgreSQL database. This version is built to work with the
 server package postgresql-8.4. contrib often serves as a testbed for
 features before they are adopted into PostgreSQL proper:
  adminpack - File and log manipulation routines, used by pgAdmin
  btree_gist - B-Tree indexing using GiST (Generalised Search Tree)
  chkpass - An auto-encrypted password datatype
  cube - Multidimensional-cube datatype (GiST indexing example)
  dblink - Functions to return results from a remote database
  earthdistance - Operator for computing the distance (in miles) between
                   two points on the earth's surface
  fuzzystrmatch - Levenshtein, metaphone, and soundex fuzzy string matching
  hstore - Store (key, value) pairs
  intagg - Integer aggregator/enumerator
  _int - Index support for arrays of int4, using GiST (benchmark needs
         the libdbd-pg-perl package)
  isn - type extensions for ISBN, ISSN, ISMN, EAN13 product numbers
  lo - Large Object maintenance
  ltree - Tree-like data structures
  oid2name - Maps OIDs to table names
  pageinspect - Inspection of database pages
  pg_buffercache - Real time queries on the shared buffer cache
  pg_freespacemap - Displays the contents of the free space map (FSM)
  pg_trgm - Determine the similarity of text based on trigram matching
  pg_standby - Create a warm stand-by server
  pgbench - TPC-B like benchmark
  pgcrypto - Cryptographic functions
  pgrowlocks - A function to return row locking information
  pgstattuple - Returns the percentage of dead tuples in a table; this
                indicates whether a vacuum is required.
  seg - Confidence-interval datatype (GiST indexing example)
  spi - PostgreSQL Server Programming Interface; 4 examples of its use:
        autoinc - A function for implementing AUTOINCREMENT/
        insert_username - function for inserting user names
        moddatetime - Update modification timestamps
        refint - Functions for implementing referential integrity
                 (foreign keys). Note that this is now superseded by
                 built-in referential
        timetravel - Re-implements in user code the time travel feature
                 that was removed in 6.3.
  tablefunc - examples of functions returning tables
  uuid-ossp - UUID generation functions
  vacuumlo - Remove orphaned large objects
 PostgreSQL is an object-relational SQL database management system.

postgresql-doc-8.4: documentation for the PostgreSQL database management system

 This package contains all README files, user manual, and examples for
 PostgreSQL 8.4. The manual is in HTML format.
 PostgreSQL is an object-relational SQL database management system.

postgresql-plperl-8.4: PL/Perl procedural language for PostgreSQL 8.4

 PL/Perl enables an SQL developer to write procedural language functions
 for PostgreSQL 8.4 in Perl. You need this package if you have any
 PostgreSQL 8.4 functions that use the languages plperl or plperlu.
 PostgreSQL is an object-relational SQL database management system.

postgresql-plpython-8.4: PL/Python procedural language for PostgreSQL 8.4

 PL/Python enables an SQL developer to write procedural language functions
 for PostgreSQL 8.4 in Python. You need this package if you have any
 PostgreSQL 8.4 functions that use the languages plpython or plpythonu.
 PostgreSQL is an object-relational SQL database management system.

postgresql-pltcl-8.4: PL/Tcl procedural language for PostgreSQL 8.4

 PL/Tcl enables an SQL developer to write procedural language functions
 for PostgreSQL 8.4 in Tcl. You need this package if you have any
 PostgreSQL 8.4 functions that use the languages pltcl or pltclu.
 PostgreSQL is an object-relational SQL database management system.

postgresql-server-dev-8.4: development files for PostgreSQL 8.4 server-side programming

 Header files for compiling SSI code to link into PostgreSQL's backend; for
 example, for C functions to be called from SQL.
 This package also contains the Makefiles necessary for building add-on
 modules of PostgreSQL, which would otherwise have to be built in the
 PostgreSQL source-code tree.
 PostgreSQL is an object-relational SQL database management system.