Arch Linux

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#9120 - postgresql-8.2.5 subject to five critical vulnerabilities

Attached to Project: Arch Linux
Opened by Kerin Millar (kerframil) - Monday, 07 January 2008, 15:52 GMT
Last edited by Eric Belanger (Snowman) - Tuesday, 08 January 2008, 02:58 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To No-one
Architecture All
Severity High
Priority Normal
Reported Version 2007.08-2
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No


Description: Five vulnerabilities deemed "critical" have been addressed in PostgreSQL. The fixed versions are 8.2.6, 8.1.11, 8.0.15, 7.4.19, 7.3.21.

Additional info:

Full details can be found here:

The following is an excerpt from the announcement which details the vulnerabilities themselves (CVE-2007-6600, CVE-2007-4772, CVE-2007-6067, CVE-2007-4769, CVE-2007-6601):

Index Functions Privilege Escalation (CVE-2007-6600): as a unique feature, PostgreSQL allows users to create indexes on the results of user-defined functions, known as "expression indexes". This provided two vulnerabilities to privilege escalation: (1) index functions were executed as the superuser and not the table owner during VACUUM and ANALYZE, and (2) that SET ROLE and SET SESSION AUTHORIZATION were permitted within index functions. Both of these holes have now been closed.

Regular Expression Denial-of-Service (CVE-2007-4772, CVE-2007-6067, CVE-2007-4769): three separate issues in the regular expression libraries used by PostgreSQL allowed malicious users to initiate a denial-of-service by passing certain regular expressions in SQL queries. First, users could create infinite loops using some specific regular expressions. Second, certain complex regular expressions could consume excessive amounts of memory. Third, out-of-range backref numbers could be used to crash the backend. All of these issues have been patched.

DBLink Privilege Escalation (CVE-2007-6601): DBLink functions combined with local trust or ident authentication could be used by a malicious user to gain superuser privileges. This issue has been fixed, and does not affect users who have not installed DBLink (an optional module), or who are using password authentication for local access. This same problem was addressed in the previous release cycle (see CVE-2007-3278), but that patch failed to close all forms of the loophole.
This task depends upon

Closed by  Eric Belanger (Snowman)
Tuesday, 08 January 2008, 02:58 GMT
Reason for closing:  Fixed
Additional comments about closing:  The postgresql packages have been updated to 8.2.6