(LiveHacking.Com) – New security updates for all active versions PostgreSQL, the object-relational database system, have been released by the PostgreSQL Global Development Group. The updates are available for versions 9.1.3, 9.0.7, 8.4.11 and 8.3.18.
The update fixes vulnerability in three areas:
- Permissions on a function called by a trigger are not checked.
- SSL certificate name checks are truncated to 32 characters, allowing connection spoofing under some circumstances.
- Line breaks in object names can be exploited to execute code when loading a pg_dump file.
The first fix prevents users from defining triggers which execute functions for which the user does not have EXECUTE permission. The problem was that CREATE TRIGGER failed to make any permissions check on the trigger function to be called. If the trigger function was marked SECURITY DEFINER, privilege escalation becomes possible.
The SSL fix resolves a problem with SSL common name truncation, which could allow hijacking of an SSL connection under exceptional circumstances. Since the name extracted from an SSL certificate was incorrectly truncated to 32 characters it was theoretically possible to spoof the name on a false certificate.
The final security fix is to the pg_dump program. pg_dump copies object names into comments in a SQL script without sanitizing them by using an object name which includes a newline it is possible to add SQL commands to the dump script. When the dump script is reloaded, the command would be executed with the privileges of whoever is running the script.
Users of pg_dump, users of SSL certificates for validation or users of triggers using SECURITY DEFINER should upgrade their installations immediately.
This release also contains 45 fixes to version 9.1, and a smaller number of fixes to older versions, including:
- Fix btree index corruption from insertions concurrent with vacuuming
- Recover from errors occurring during WAL replay of DROP TABLESPACE
- Fix transient zeroing of shared buffers during WAL replay
- Fix postmaster to attempt restart after a hot-standby crash
- Fix corner case in SSI transaction cleanup
- Update per-column permissions, not only per-table permissions, when changing table owner
- Fix handling of data-modifying WITH subplans in READ COMMITTED rechecking
- Fix for “could not find plan for CTE” failures
- Fix unsupported node type error caused by COLLATE in an INSERT expression
- Avoid crashing when we have problems deleting table files post-commit
- Fix recently-introduced memory leak in processing of inet/cidr
- Fix GIN cost estimation to handle column IN (…) index conditions
- Fix I/O-conversion-related memory leaks in plpgsql
- Teach pg_upgrade to handle renaming of plpython’s shared library (affecting upgrades to 9.1)
PostgreSQL can be downloaded from:
- Main download page: http://www.postgresql.org/download/
- Source code: http://www.postgresql.org/ftp/source/
- Binary packages: http://www.postgresql.org/ftp/binary/
- One-click installer, including Windows packages: http://www.enterprisedb.com/products/pgdownload.do