New upstream microreleases 9.3.22, 9.5.12, 9.6.8 and 10.3

Bug #1752271 reported by Christian Ehrhardt  on 2018-02-28
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
postgresql-10 (Ubuntu)
Undecided
Unassigned
Bionic
Undecided
Unassigned
postgresql-9.3 (Ubuntu)
Undecided
Unassigned
Trusty
Undecided
Unassigned
postgresql-9.5 (Ubuntu)
Undecided
Unassigned
Xenial
Undecided
Unassigned
postgresql-9.6 (Ubuntu)
Undecided
Unassigned
Artful
Undecided
Unassigned

Bug Description

Postgresql stable update

Note: this is an unusual schedule, but this is about a fix for a (not yet published) security fix. But the disclosure didn't align with the common releases.

Note: this time in the initial release there were build errors (on windows), so this is already based on the rerolled upstream tarballs

Current versions in supported releases:
 postgresql-9.3 | 9.3.21-0ubuntu0.14.04 trusty
 postgresql-9.5 | 9.5.11-0ubuntu0.16.04 xenial
 postgresql-9.6 | 9.6.7-0ubuntu0.17.10 artful
 postgresql-10 | 10.2-1 bionic

Special cases:
- Bionic will be synced from Debian which usually releases fast.
  So no Bionic upload.
- This is again a security update, so while we want to bundle postrges-common
  fixes for some dep8 tests, this is not the "normal" SRU we will do so

Last related stable updates: 9.3.22, 9.5.12, 9.6.8, 10.3

So the todo is to pick:
MRE: Trusty 9.3.22 from https://borka.postgresql.org/staging/70f3461f2a455731e6f3d11e313840be0b48cf00/postgresql-9.3.22.tar.gz
MRE: Xenial 9.5.12 from https://borka.postgresql.org/staging/70f3461f2a455731e6f3d11e313840be0b48cf00/postgresql-9.5.12.tar.gz
Sync: Artful 9.6.8 from https://borka.postgresql.org/staging/70f3461f2a455731e6f3d11e313840be0b48cf00/postgresql-9.6.8.tar.gz

Standing MRE - Consider last updates as template:
- pad.lv/1637236
- pad.lv/1664478
- pad.lv/1690730
- pad.lv/1713979
- pad.lv/1730661
- pad.lv/1747676

As usual we test and prep from the PPA and then add the NEWS/Upgrade Info link once available for the final upload (Annoucnment is Thursday 1st of March).

CVE References

Note: opening private as it is not yet announced
Will open up then ...

no longer affects: postgresql-10 (Ubuntu Trusty)
no longer affects: postgresql-10 (Ubuntu Xenial)
no longer affects: postgresql-10 (Ubuntu Artful)
Changed in postgresql-10 (Ubuntu Bionic):
status: New → Triaged
no longer affects: postgresql-9.3 (Ubuntu Xenial)
no longer affects: postgresql-9.3 (Ubuntu Artful)
no longer affects: postgresql-9.3 (Ubuntu Bionic)
no longer affects: postgresql-9.5 (Ubuntu Trusty)
no longer affects: postgresql-9.5 (Ubuntu Artful)
no longer affects: postgresql-9.5 (Ubuntu Bionic)
no longer affects: postgresql-9.6 (Ubuntu Trusty)
no longer affects: postgresql-9.6 (Ubuntu Bionic)
no longer affects: postgresql-9.6 (Ubuntu Xenial)
Changed in postgresql-9.6 (Ubuntu):
status: New → Invalid
Changed in postgresql-9.6 (Ubuntu Artful):
status: New → In Progress
Changed in postgresql-9.5 (Ubuntu Xenial):
status: New → In Progress
Changed in postgresql-9.5 (Ubuntu):
status: New → Invalid
Changed in postgresql-9.3 (Ubuntu Trusty):
status: New → In Progress
Changed in postgresql-9.3 (Ubuntu):
status: New → Invalid

Uploads prepared and building in ppas atm;
For tests pre-upload (while waiting for the official release and announcement)

Trusty: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3179
Xenial: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3180
Artful: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3181

Build (and build time tests) complete and all good.

Kicked the Dep8 tests against the PPA content (will take a while)

Hrm, I don't see why, but the bileto tests no more run.
/me shakes his fist against infrastructure

I want at least to run the core tests manually instead now ...

For postgresql-common, mimeo and the respective postgresql-<VER> I ran tests manually.

$ rel=artful; for d in *.dsc; do autopkgtest -o ${d}.log --apt-upgrade --shell-fail --setup-commands="add-apt-repository ppa:ci-train-ppa-service/3181; apt update; apt -y upgrade" --no-built-binaries $d -- qemu --qemu-options='-cpu host' --cpus 10 --ram-size=4098 ~/${rel}/autopkgtest-${rel}-amd64.img; done
$ rel=xenial; for d in *.dsc; do autopkgtest -o ${d}.log --apt-upgrade --shell-fail --setup-commands="add-apt-repository ppa:ci-train-ppa-service/3180; apt update; apt -y upgrade" --no-built-binaries $d -- qemu --qemu-options='-cpu host' --cpus 10 --ram-size=4098 ~/${rel}/autopkgtest-${rel}-amd64.img; done
$ rel=trusty; for d in *.dsc; do autopkgtest --apt-upgrade --shell-fail --setup-commands="add-apt-repository ppa:ci-train-ppa-service/3179; apt update; apt -y upgrade" --no-built-binaries $d -- qemu --qemu-options='-cpu host' --cpus 10 --ram-size=4098 ~/${rel}/autopkgtest-${rel}-amd64.img; done

Those all worked from the ppa.

Also the releases are now public, so I can modify the changelog details and make them available as last time.
=> Setting the bug public as well

information type: Private Security → Public Security

FYI: Shared the finalized (changelog and news link) uploads with the Security Team

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.3 - 9.3.22-0ubuntu0.14.04

---------------
postgresql-9.3 (9.3.22-0ubuntu0.14.04) trusty-security; urgency=medium

  * New upstream release (LP: #1752271)
    If you run an installation in which not all users are mutually
    trusting, or if you maintain an application or extension that is
    intended for use in arbitrary situations, it is strongly recommended
    that you read the documentation changes described in the first changelog
    entry below, and take suitable steps to ensure that your installation or
    code is secure.

    Also, the changes described in the second changelog entry below may
    cause functions used in index expressions or materialized views to fail
    during auto-analyze, or when reloading from a dump. After upgrading,
    monitor the server logs for such problems, and fix affected functions.

    - Document how to configure installations and applications to guard
      against search-path-dependent trojan-horse attacks from other users

      Using a search_path setting that includes any schemas writable by a
      hostile user enables that user to capture control of queries and then
      run arbitrary SQL code with the permissions of the attacked user. While
      it is possible to write queries that are proof against such hijacking,
      it is notationally tedious, and it's very easy to overlook holes.
      Therefore, we now recommend configurations in which no untrusted schemas
      appear in one's search path.
      (CVE-2018-1058)

    - Avoid use of insecure search_path settings in pg_dump and other client
      programs

      pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications
      were themselves vulnerable to the type of hijacking described in the
      previous changelog entry; since these applications are commonly run by
      superusers, they present particularly attractive targets. To make them
      secure whether or not the installation as a whole has been secured,
      modify them to include only the pg_catalog schema in their search_path
      settings. Autovacuum worker processes now do the same, as well.

      In cases where user-provided functions are indirectly executed by these
      programs -- for example, user-provided functions in index expressions --
      the tighter search_path may result in errors, which will need to be
      corrected by adjusting those user-provided functions to not assume
      anything about what search path they are invoked under. That has always
      been good practice, but now it will be necessary for correct behavior.
      (CVE-2018-1058)

    - Details about other changes can be found at
      https://www.postgresql.org/docs/9.3/static/release-9-3-22.html

 -- Christian Ehrhardt <email address hidden> Wed, 28 Feb 2018 09:59:05 +0100

Changed in postgresql-9.3 (Ubuntu Trusty):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.6 - 9.6.8-0ubuntu0.17.10

---------------
postgresql-9.6 (9.6.8-0ubuntu0.17.10) artful-security; urgency=medium

  * New upstream release (LP: #1752271)
    If you run an installation in which not all users are mutually
    trusting, or if you maintain an application or extension that is
    intended for use in arbitrary situations, it is strongly recommended
    that you read the documentation changes described in the first changelog
    entry below, and take suitable steps to ensure that your installation or
    code is secure.

    Also, the changes described in the second changelog entry below may
    cause functions used in index expressions or materialized views to fail
    during auto-analyze, or when reloading from a dump. After upgrading,
    monitor the server logs for such problems, and fix affected functions.

    - Document how to configure installations and applications to guard
      against search-path-dependent trojan-horse attacks from other users

      Using a search_path setting that includes any schemas writable by a
      hostile user enables that user to capture control of queries and then
      run arbitrary SQL code with the permissions of the attacked user. While
      it is possible to write queries that are proof against such hijacking,
      it is notationally tedious, and it's very easy to overlook holes.
      Therefore, we now recommend configurations in which no untrusted schemas
      appear in one's search path.
      (CVE-2018-1058)

    - Avoid use of insecure search_path settings in pg_dump and other client
      programs

      pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications
      were themselves vulnerable to the type of hijacking described in the
      previous changelog entry; since these applications are commonly run by
      superusers, they present particularly attractive targets. To make them
      secure whether or not the installation as a whole has been secured,
      modify them to include only the pg_catalog schema in their search_path
      settings. Autovacuum worker processes now do the same, as well.

      In cases where user-provided functions are indirectly executed by these
      programs -- for example, user-provided functions in index expressions --
      the tighter search_path may result in errors, which will need to be
      corrected by adjusting those user-provided functions to not assume
      anything about what search path they are invoked under. That has always
      been good practice, but now it will be necessary for correct behavior.
      (CVE-2018-1058)

    - Details about other changes can be found at
      https://www.postgresql.org/docs/9.6/static/release-9-6-8.html

 -- Christian Ehrhardt <email address hidden> Wed, 28 Feb 2018 09:59:10 +0100

Changed in postgresql-9.6 (Ubuntu Artful):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package postgresql-9.5 - 9.5.12-0ubuntu0.16.04

---------------
postgresql-9.5 (9.5.12-0ubuntu0.16.04) xenial-security; urgency=medium

  * New upstream release (LP: #1752271)
    If you run an installation in which not all users are mutually
    trusting, or if you maintain an application or extension that is
    intended for use in arbitrary situations, it is strongly recommended
    that you read the documentation changes described in the first changelog
    entry below, and take suitable steps to ensure that your installation or
    code is secure.

    Also, the changes described in the second changelog entry below may
    cause functions used in index expressions or materialized views to fail
    during auto-analyze, or when reloading from a dump. After upgrading,
    monitor the server logs for such problems, and fix affected functions.

    - Document how to configure installations and applications to guard
      against search-path-dependent trojan-horse attacks from other users

      Using a search_path setting that includes any schemas writable by a
      hostile user enables that user to capture control of queries and then
      run arbitrary SQL code with the permissions of the attacked user. While
      it is possible to write queries that are proof against such hijacking,
      it is notationally tedious, and it's very easy to overlook holes.
      Therefore, we now recommend configurations in which no untrusted schemas
      appear in one's search path.
      (CVE-2018-1058)

    - Avoid use of insecure search_path settings in pg_dump and other client
      programs

      pg_dump, pg_upgrade, vacuumdb and other PostgreSQL-provided applications
      were themselves vulnerable to the type of hijacking described in the
      previous changelog entry; since these applications are commonly run by
      superusers, they present particularly attractive targets. To make them
      secure whether or not the installation as a whole has been secured,
      modify them to include only the pg_catalog schema in their search_path
      settings. Autovacuum worker processes now do the same, as well.

      In cases where user-provided functions are indirectly executed by these
      programs -- for example, user-provided functions in index expressions --
      the tighter search_path may result in errors, which will need to be
      corrected by adjusting those user-provided functions to not assume
      anything about what search path they are invoked under. That has always
      been good practice, but now it will be necessary for correct behavior.
      (CVE-2018-1058)

    - Details about other changes can be found at
      https://www.postgresql.org/docs/9.5/static/release-9-5-12.html

 -- Christian Ehrhardt <email address hidden> Wed, 28 Feb 2018 09:59:08 +0100

Changed in postgresql-9.5 (Ubuntu Xenial):
status: In Progress → Fix Released
Changed in postgresql-10 (Ubuntu Bionic):
status: Triaged → Fix Released
Changed in postgresql-10 (Ubuntu):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers