[gentoo-announce] [ GLSA 200410-16 ] PostgreSQL: Insecure temporary file use in make_oidjoins_check - gentoo-announce

From:	Thierry Carrez <koon@g.o>
To:	gentoo-announce@l.g.o
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200410-16 ] PostgreSQL: Insecure temporary file use in make_oidjoins_check
Date:	Mon, 18 Oct 2004 20:36:15
Message-Id:	`417428F9.7000902@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 200410-16

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: Normal

8

     Title: PostgreSQL: Insecure temporary file use in

9

            make_oidjoins_check

10

      Date: October 18, 2004

11

      Bugs: #66371

12

        ID: 200410-16

13

14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

15

16

Synopsis

17

========

18

19

The make_oidjoins_check script, part of the PostgreSQL package, is

20

vulnerable to symlink attacks, potentially allowing a local user to

21

overwrite arbitrary files with the rights of the user running the

22

utility.

23

24

Background

25

==========

26

27

PostgreSQL is an open source database based on the POSTGRES database

28

management system. It includes several contributed scripts including

29

the make_oidjoins_check script.

30

31

Affected packages

32

=================

33

34

    -------------------------------------------------------------------

35

     Package            /   Vulnerable   /                  Unaffected

36

    -------------------------------------------------------------------

37

  1  dev-db/postgresql      <= 7.4.5-r1                    >= 7.4.5-r2

38

                                                          *>= 7.3.7-r2

39

40

Description

41

===========

42

43

The make_oidjoins_check script insecurely creates temporary files in

44

world-writeable directories with predictable names.

45

46

Impact

47

======

48

49

A local attacker could create symbolic links in the temporary files

50

directory, pointing to a valid file somewhere on the filesystem. When

51

make_oidjoins_check is called, this would result in file overwrite with

52

the rights of the user running the utility, which could be the root

53

user.

54

55

Workaround

56

==========

57

58

There is no known workaround at this time.

59

60

Resolution

61

==========

62

63

All PostgreSQL users should upgrade to the latest version:

64

65

    # emerge sync

66

67

    # emerge -pv ">=dev-db/postgresql-7.4.5-r2"

68

    # emerge ">=dev-db/postgresql-7.4.5-r2"

69

70

Upgrade notes: PostgreSQL 7.3.x users should upgrade to the latest

71

available 7.3.x version to retain database compatibility.

72

73

References

74

==========

75

76

  [ 1 ] Trustix Advisory #2004-0050

77

        http://www.trustix.org/errata/2004/0050/

78

79

Availability

80

============

81

82

This GLSA and any updates to it are available for viewing at

83

the Gentoo Security Website:

84

85

  http://security.gentoo.org/glsa/glsa-200410-16.xml

86

87

Concerns?

88

=========

89

90

Security is a primary focus of Gentoo Linux and ensuring the

91

confidentiality and security of our users machines is of utmost

92

importance to us. Any security concerns should be addressed to

93

security@g.o or alternatively, you may file a bug at

94

http://bugs.gentoo.org.

95

96

License

97

=======

98

99

Copyright 2004 Gentoo Foundation, Inc; referenced text

100

belongs to its owner(s).

101

102

The contents of this document are licensed under the

103

Creative Commons - Attribution / Share Alike license.

104

105

http://creativecommons.org/licenses/by-sa/1.0

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 200410-16
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: PostgreSQL: Insecure temporary file use in
9	make_oidjoins_check
10	Date: October 18, 2004
11	Bugs: #66371
12	ID: 200410-16
13
14	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
15
16	Synopsis
17	========
18
19	The make_oidjoins_check script, part of the PostgreSQL package, is
20	vulnerable to symlink attacks, potentially allowing a local user to
21	overwrite arbitrary files with the rights of the user running the
22	utility.
23
24	Background
25	==========
26
27	PostgreSQL is an open source database based on the POSTGRES database
28	management system. It includes several contributed scripts including
29	the make_oidjoins_check script.
30
31	Affected packages
32	=================
33
34	-------------------------------------------------------------------
35	Package / Vulnerable / Unaffected
36	-------------------------------------------------------------------
37	1 dev-db/postgresql <= 7.4.5-r1 >= 7.4.5-r2
38	*>= 7.3.7-r2
39
40	Description
41	===========
42
43	The make_oidjoins_check script insecurely creates temporary files in
44	world-writeable directories with predictable names.
45
46	Impact
47	======
48
49	A local attacker could create symbolic links in the temporary files
50	directory, pointing to a valid file somewhere on the filesystem. When
51	make_oidjoins_check is called, this would result in file overwrite with
52	the rights of the user running the utility, which could be the root
53	user.
54
55	Workaround
56	==========
57
58	There is no known workaround at this time.
59
60	Resolution
61	==========
62
63	All PostgreSQL users should upgrade to the latest version:
64
65	# emerge sync
66
67	# emerge -pv ">=dev-db/postgresql-7.4.5-r2"
68	# emerge ">=dev-db/postgresql-7.4.5-r2"
69
70	Upgrade notes: PostgreSQL 7.3.x users should upgrade to the latest
71	available 7.3.x version to retain database compatibility.
72
73	References
74	==========
75
76	[ 1 ] Trustix Advisory #2004-0050
77	http://www.trustix.org/errata/2004/0050/
78
79	Availability
80	============
81
82	This GLSA and any updates to it are available for viewing at
83	the Gentoo Security Website:
84
85	http://security.gentoo.org/glsa/glsa-200410-16.xml
86
87	Concerns?
88	=========
89
90	Security is a primary focus of Gentoo Linux and ensuring the
91	confidentiality and security of our users machines is of utmost
92	importance to us. Any security concerns should be addressed to
93	security@g.o or alternatively, you may file a bug at
94	http://bugs.gentoo.org.
95
96	License
97	=======
98
99	Copyright 2004 Gentoo Foundation, Inc; referenced text
100	belongs to its owner(s).
101
102	The contents of this document are licensed under the
103	Creative Commons - Attribution / Share Alike license.
104
105	http://creativecommons.org/licenses/by-sa/1.0