An update for libpq is now available for openEuler-24.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2024-2429 Final 1.0 1.0 2024-11-22 Initial 2024-11-22 2024-11-22 openEuler SA Tool V1.0 2024-11-22 libpq security update An update for libpq is now available for openEuler-24.03-LTS PostgreSQL is a powerful, open source object-relational database system that uses and extends the SQL language combined with many features that safely store and scale the most complicated data workloads. This package provides the essential shared library for any PostgreSQL client program or interface. Security Fix(es): Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.(CVE-2024-0985) Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.(CVE-2024-10976) Client use of server error message in PostgreSQL allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq application. For example, a man-in-the-middle attacker could send a long error message that a human or screen-scraper user of psql mistakes for valid query results. This is probably not a concern for clients where the user interface unambiguously indicates the boundary between one error message and other text. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.(CVE-2024-10977) Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. The problem arises when an application query uses parameters from the attacker or conveys query results to the attacker. If that query reacts to current_setting('role') or the current user ID, it may modify or return data as though the session had not used SET ROLE or SET SESSION AUTHORIZATION. The attacker does not control which incorrect user ID applies. Query text from less-privileged sources is not a concern here, because SET ROLE and SET SESSION AUTHORIZATION are not sandboxes for unvetted queries. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.(CVE-2024-10978) Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.(CVE-2024-10979) An update for libpq is now available for openEuler-24.03-LTS. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High libpq https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2429 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-0985 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-10976 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-10977 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-10978 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-10979 https://nvd.nist.gov/vuln/detail/CVE-2024-0985 https://nvd.nist.gov/vuln/detail/CVE-2024-10976 https://nvd.nist.gov/vuln/detail/CVE-2024-10977 https://nvd.nist.gov/vuln/detail/CVE-2024-10978 https://nvd.nist.gov/vuln/detail/CVE-2024-10979 openEuler-24.03-LTS libpq-15.9-1.oe2403.aarch64.rpm libpq-debuginfo-15.9-1.oe2403.aarch64.rpm libpq-debugsource-15.9-1.oe2403.aarch64.rpm libpq-devel-15.9-1.oe2403.aarch64.rpm libpq-15.9-1.oe2403.src.rpm libpq-15.9-1.oe2403.x86_64.rpm libpq-debuginfo-15.9-1.oe2403.x86_64.rpm libpq-debugsource-15.9-1.oe2403.x86_64.rpm libpq-devel-15.9-1.oe2403.x86_64.rpm Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected. 2024-11-22 CVE-2024-0985 openEuler-24.03-LTS High 8.0 AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H libpq security update 2024-11-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2429 Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected. 2024-11-22 CVE-2024-10976 openEuler-24.03-LTS Medium 4.2 AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N libpq security update 2024-11-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2429 Client use of server error message in PostgreSQL allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq application. For example, a man-in-the-middle attacker could send a long error message that a human or screen-scraper user of psql mistakes for valid query results. This is probably not a concern for clients where the user interface unambiguously indicates the boundary between one error message and other text. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected. 2024-11-22 CVE-2024-10977 openEuler-24.03-LTS Low 3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N libpq security update 2024-11-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2429 Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. The problem arises when an application query uses parameters from the attacker or conveys query results to the attacker. If that query reacts to current_setting('role') or the current user ID, it may modify or return data as though the session had not used SET ROLE or SET SESSION AUTHORIZATION. The attacker does not control which incorrect user ID applies. Query text from less-privileged sources is not a concern here, because SET ROLE and SET SESSION AUTHORIZATION are not sandboxes for unvetted queries. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected. 2024-11-22 CVE-2024-10978 openEuler-24.03-LTS Medium 4.2 AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N libpq security update 2024-11-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2429 Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected. 2024-11-22 CVE-2024-10979 openEuler-24.03-LTS High 8.8 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H libpq security update 2024-11-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2429