
A PostgreSQL flaw

February 21, 2007

This article was contributed by Jake Edge.

An announcement of possibly insecure practices in user-defined PostgreSQL functions seems at first blush to be a fairly straightforward advisory; a deeper look reveals some serious implications. It is a problem that echoes a textbook security hole in UNIX setuid programs; it would appear that the developers did not consider that history when adding a setuid-like capability to PostgreSQL. Unfortunately, it also appears that the fix that the advisory recommends is not up to the task of resolving the issue. Anyone using SECURITY DEFINER functions in PostgreSQL probably has quite a large job ahead of them to clear up this particular mess.

PostgreSQL functions can be declared as "SECURITY DEFINER" functions, which causes them to run with the privileges of the owner rather than those of the invoker. PostgreSQL binds the operators and functions called at runtime and searches each element in the schema path to find them. Unfortunately, the user invoking the function can control the schema search path and, by defining operators or other functions that are used by the SECURITY DEFINER function, the invoker can run any code with the permissions of the owner.

The once common, now hopefully largely eradicated, UNIX parallel was a vulnerability in setuid programs that invoked other programs via exec(). If the program did not either sanitize its PATH environment variable or fully specify the path to the executable, it was vulnerable to attackers who would put their own code in the path, with the same name as the executable, ahead of the standard program. When the setuid program executed, it would grab the wrong binary and the attacker could run arbitrary code with the permissions of the owner of the setuid program. Another important requirement is that all elements of the sanitized PATH and the directory of the binary are not writable by non-privileged users.

So, much like the solution to the UNIX issue, the advisory suggests that SECURITY DEFINER functions specify a sanitized schema path. The equivalent to a fully specified path is not recommended as it is "likely to induce mistakes and will furthermore make the source code harder to read and maintain." Unfortunately, it turns out that because of the way PostgreSQL processes the function definitions, the only solution is to schema-qualify each and every function and operator reference in the function. In addition, setting a schema search path in a function is not local to the function, it changes the global search path for the whole program; functions that do this should restore the original search path on exit.

It turns out that the references in a function are resolved as PostgreSQL creates an execution plan for the function. This is prior to actually executing the "set search path" operation in the function and so it will bind to functions and operators in the user controlled schema path as described here. The only alternative is the laborious and error-prone task of schema-qualifying function and operator references in SECURITY DEFINER functions.
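As an added illustration (not code from the article, the advisory, or the PostgreSQL project), the following PostgreSQL script shows the situation described in the two paragraphs above: a SECURITY DEFINER function written first with unqualified references, which are bound through the caller's search path when the plan is built, and then with every function, operator and type reference schema-qualified, which is the fix the article says is the only one that works. It ends with a catalog query an administrator can run to list the SECURITY DEFINER functions that need this review. The schema, table and function names (audit, audit.events, log_event_unsafe, log_event) are assumed for the example.

```sql
-- Added example, not from the article. Names below are assumed.

-- A schema owned by a privileged role; ordinary users get no direct access.
CREATE SCHEMA audit;
CREATE TABLE audit.events (
    id      serial PRIMARY KEY,
    who     name        NOT NULL,
    message text        NOT NULL,
    at      timestamptz NOT NULL DEFAULT now()
);
REVOKE ALL ON audit.events FROM PUBLIC;

-- Vulnerable form. lower(), the || operator and the text type are all
-- unqualified, so they are resolved through the *caller's* search_path when
-- PostgreSQL builds the execution plan for the body. A "SET search_path"
-- statement inside the body would run only after that binding has happened,
-- and would change the session-wide setting rather than a local one.
CREATE FUNCTION audit.log_event_unsafe(message text) RETURNS void AS $$
BEGIN
    INSERT INTO audit.events (who, message)
    VALUES (lower(current_user::text), message || ' [unsafe]');
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;

-- Hardened form. Every function, type and operator is schema-qualified, so
-- the plan binds to pg_catalog no matter what search_path the caller set.
-- Operators are qualified with the OPERATOR(schema.op) syntax.
CREATE FUNCTION audit.log_event(message text) RETURNS void AS $$
BEGIN
    INSERT INTO audit.events (who, message)
    VALUES (pg_catalog.lower(current_user::pg_catalog.text),
            message OPERATOR(pg_catalog.||) ' [safe]');
END;
$$ LANGUAGE plpgsql SECURITY DEFINER;

-- Expose only the hardened entry point.
REVOKE ALL ON FUNCTION audit.log_event_unsafe(text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION audit.log_event(text) TO PUBLIC;

-- Audit query: list every SECURITY DEFINER function in the database, with
-- its body, so each one can be checked for unqualified references.
SELECT n.nspname AS schema,
       p.proname  AS function,
       r.rolname  AS owner,
       p.prosrc   AS body
FROM   pg_catalog.pg_proc      p
JOIN   pg_catalog.pg_namespace n ON n.oid = p.pronamespace
JOIN   pg_catalog.pg_roles     r ON r.oid = p.proowner
WHERE  p.prosecdef
ORDER  BY 1, 2;
```

Two points worth keeping in mind when applying this. First, the default search path puts the caller's temporary schema (pg_temp) ahead of everything else, and every user may create objects in their own temporary schema, so even a caller who cannot alter search_path has a writable schema that is searched first; qualifying references is what removes that exposure. Second, PostgreSQL 8.3, released after this article, added a per-function SET clause (CREATE FUNCTION ... SET search_path = pg_catalog, pg_temp) that is applied on function entry, before the body is planned; on the 8.2 and earlier releases the article describes, schema-qualifying each reference as above is the only effective fix.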

This is a very unfortunate outcome for a feature that was meant to promote more secure database usage. The idea is to separate the database privileges into different users but to still allow users with few privileges to perform a restricted set of privileged operations. It is surprising that the UNIX setuid issues from the dawn of time_t were not more closely studied when this feature was implemented. It would also seem that the PostgreSQL developers will need to rework how the execution plan and search path interact to fix this design flaw.


New vulnerabilities

clamav: directory traversal, denial of service

Package(s): clamav    CVE #(s): CVE-2007-0897 CVE-2007-0898
Created: February 20, 2007    Updated: March 7, 2007
Description: Clam AntiVirus ClamAV before 0.90 does not close open file descriptors under certain conditions, which allows remote attackers to cause a denial of service (file descriptor consumption and failed scans) via CAB archives with a cabinet header record length of zero, which causes a function to return without closing a file descriptor. (CVE-2007-0897)

Directory traversal vulnerability in clamd in Clam AntiVirus ClamAV before 0.90 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in the id MIME header parameter in a multi-part message. (CVE-2007-0898)

Debian DSA-1263-1 clamav 2007-03-06
Gentoo 200703-03 clamav 2007-03-02
SuSE SUSE-SA:2007:017 clamav 2007-02-23
Mandriva MDKSA-2007:043 clamav 2006-02-19


ekiga: format string vulnerability

Package(s): ekiga    CVE #(s): CVE-2007-1006 CVE-2007-0999
Created: February 21, 2007    Updated: March 30, 2007
Description: Ekiga contains a format string vulnerability in the code which processes control messages from remote peers.

If a user was running Ekiga and listening for incoming calls, a remote attacker could send a crafted call request, and execute arbitrary code with the user's privileges.

Gentoo 200703-25 ekiga 2007-03-29
Red Hat RHSA-2007:0087-02 ekiga 2007-03-14
Mandriva MDKSA-2007:058 ekiga 2007-03-08
Ubuntu USN-434-1 ekiga, gnomemeeting 2007-03-09
Fedora FEDORA-2007-322 ekiga 2007-03-07
Fedora FEDORA-2007-321 ekiga 2007-03-07
Ubuntu USN-426-1 ekiga, gnomemeeting 2007-02-22
Mandriva MDKSA-2007:044 ekiga 2007-02-21
Fedora FEDORA-2007-263 ekiga 2007-02-20
Fedora FEDORA-2007-262 ekiga 2007-02-20


fail2ban: denial of service

Package(s): fail2ban    CVE #(s): CVE-2006-6302
Created: February 16, 2007    Updated: July 30, 2007
Description: fail2ban 0.7.4 and earlier does not properly parse sshd log files, which allows remote attackers to add arbitrary hosts to the /etc/hosts.deny file and cause a denial of service by adding arbitrary IP addresses to the sshd log file, as demonstrated by logging in to ssh using a login name containing certain strings with an IP address.
Gentoo 200702-05 fail2ban 2007-02-16


gnomemeeting: format string flaw

Package(s): gnomemeeting    CVE #(s): CVE-2007-1007
Created: February 20, 2007    Updated: March 5, 2007
Description: A format string flaw was found in the way GnomeMeeting processes certain messages. If a user is running GnomeMeeting, a remote attacker who can connect to GnomeMeeting could trigger this flaw and potentially execute arbitrary code with the privileges of the user.
Debian DSA-1262-1 gnomemeeting 2007-03-04
Mandriva MDKSA-2007:045 gnomemeeting 2007-02-21
Red Hat RHSA-2007:0086-01 gnomemeeting 2007-02-20


gnucash: temporary file vulnerability

Package(s): gnucash    CVE #(s): CVE-2007-0007
Created: February 21, 2007    Updated: February 27, 2007
Description: Gnucash (2.0.4 and prior) suffers from a set of symbolic link vulnerabilities.
Fedora FEDORA-2007-256 gnucash 2007-02-27
Mandriva MDKSA-2007:046 gnucash 2007-02-21


kernel: denial of service

Package(s): kernel    CVE #(s): CVE-2006-0007 CVE-2007-0006
Created: February 15, 2007    Updated: November 14, 2007
Description: Linux kernel versions from 2.6.9 to 2.6.20 have a denial of service vulnerability. A remote attacker can cause the key_alloc_serial function's key serial number collision avoidance code to have a null dereference, resulting in a crash.
Fedora FEDORA-2007-599 kernel 2007-06-21
Red Hat RHSA-2007:0099-02 kernel 2007-03-14
rPath rPSA-2007-0050-1 kernel 2007-03-06
Red Hat RHSA-2007:0085-01 kernel 2007-02-27
Mandriva MDKSA-2007:047 kernel 2007-02-21
Fedora FEDORA-2007-226 kernel 2007-02-13
Fedora FEDORA-2007-225 kernel 2007-02-13


MoinMoin: cross-site scripting and information leak

Package(s): moin moinmoin    CVE #(s): CVE-2007-0901 CVE-2007-0902
Created: February 21, 2007    Updated: February 21, 2007
Description: MoinMoin suffers from a pair of vulnerabilities. An attacker who tricks a MoinMoin user into viewing a specially-crafted URL can execute arbitrary JavaScript with the user's privileges. There is also an information disclosure vulnerability which can tell an attacker about the versions of software running on the system.
Ubuntu USN-423-1 moin, moin1.3 2007-02-20


php: multiple vulnerabilities

Package(s): php    CVE #(s): CVE-2007-0906 CVE-2007-0907 CVE-2007-0908 CVE-2007-0909 CVE-2007-0910 CVE-2007-0988
Created: February 20, 2007    Updated: March 21, 2007
Description: A number of buffer overflow flaws were found in the PHP session extension, the str_replace() function, and the imap_mail_compose() function. If very long strings under the control of an attacker are passed to the str_replace() function then an integer overflow could occur in memory allocation. If a script uses the imap_mail_compose() function to create a new MIME message based on an input body from an untrusted source, it could result in a heap overflow. An attacker who is able to access a PHP application affected by any of these issues could trigger these flaws and possibly execute arbitrary code as the 'apache' user. (CVE-2007-0906)

If unserializing untrusted data on 64-bit platforms, the zend_hash_init() function can be forced to enter an infinite loop, consuming CPU resources for a limited length of time, until the script timeout alarm aborts execution of the script. (CVE-2007-0988)

If the wddx extension is used to import WDDX data from an untrusted source, certain WDDX input packets may allow a random portion of heap memory to be exposed. (CVE-2007-0908)

If the odbc_result_all() function is used to display data from a database, and the contents of the database table are under the control of an attacker, a format string vulnerability is possible which could lead to the execution of arbitrary code. (CVE-2007-0909)

A one byte memory read will always occur before the beginning of a buffer, which could be triggered for example by any use of the header() function in a script. However it is unlikely that this would have any effect. (CVE-2007-0907)

Several flaws in PHP could allow attackers to "clobber" certain super-global variables via unspecified vectors. (CVE-2007-0910)

Gentoo 200703-21 PHP 2007-03-20
SuSE SUSE-SA:2007:020 php4,php5 2007-03-15
Red Hat RHSA-2007:0082-02 PHP 2007-03-14
Ubuntu USN-424-2 USN-424-1 fixed 2007-03-08
Debian DSA-1264-1 php4 2007-03-07
rPath rPSA-2007-0043-1 php 2007-02-27
Fedora FEDORA-2007-287 php 2007-02-26
OpenPKG OpenPKG-SA-2007.010 php 2007-02-23
Slackware SSA:2007-053-01 php 2007-02-23
Mandriva MDKSA-2007:048 php 2006-02-22
Red Hat RHSA-2007:0088-01 PHP 2007-02-22
Ubuntu USN-424-1 php5 2007-02-21
Red Hat RHSA-2007:0081-01 PHP 2007-02-21
Fedora FEDORA-2007-261 php 2007-02-20
Red Hat RHSA-2007:0076-01 PHP 2007-02-19


spamassassin: denial of service

Package(s): spamassassin    CVE #(s): CVE-2007-0451
Created: February 16, 2007    Updated: March 14, 2007
Description: Version 3.1.8 of Spamassassin fixes some bugs and a malformed HTML denial of service vulnerability.
Red Hat RHSA-2007:0075-02 spamassassin 2007-03-14
Gentoo 200703-02 spamassassin 2007-03-02
Mandriva MDKSA-2007:049 spamassassin 2007-02-23
rPath rPSA-2007-0038-1 spamassassin 2007-02-23
Red Hat RHSA-2007:0074-01 spamassassin 2007-02-21
Fedora FEDORA-2007-242 spamassassin 2007-02-15
Fedora FEDORA-2007-241 spamassassin 2007-02-15


sun-jdk: arbitrary code execution

Package(s): sun-jdk    CVE #(s): CVE-2007-0243
Created: February 19, 2007    Updated: April 25, 2007
Description: An anonymous researcher discovered that an error in the handling of a GIF image with a zero width field block leads to a memory corruption flaw. An attacker could entice a user to run a specially crafted Java applet or application that would load a crafted GIF image, which could result in escalation of privileges and unauthorized access to system resources.
Red Hat RHSA-2007:0167-01 java-1.5.0-ibm 2007-04-25
Red Hat RHSA-2007:0166-01 java-1.4.2-ibm 2007-04-25
Gentoo 200702-08 emul-linux-x86-java 2007-02-17
Gentoo 200702-07 sun-jdk 2007-02-17


Page editor: Jonathan Corbet

Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds