PostgreSQL critical security fix now available
The PostgreSQL developers have released the latest versions of the open source database and revealed the critical security hole that led them to close access to the PostgreSQL source code last week while the fix was committed. PostgreSQL 9.0, 9.1 and 9.2 are affected, though the developers know of no exploit of the flaw being used in the wild. Users of PostgreSQL 8.4 are unaffected by this particular problem. The developers remind users of earlier versions that they are running unsupported editions of the database and already have unpatched security flaws on their servers.
An attacker who can reach the PostgreSQL network port, for example because the database is on a public cloud, can damage the server. The flaw lets the attacker pass a command-line switch, one meant only for single-user recovery mode, to a running server: the connection request simply names a database whose name begins with a "-".
Without authenticating, an attacker can exploit this for a persistent denial of service: PostgreSQL error messages can be appended to chosen files in the database's data directory, which in turn can crash the server. Repairing the files means removing the appended error text or restoring them from backup.
If the attacker also has a legitimate login on the server, and the login's user name matches the name of a database, the vulnerability can be used to set a configuration variable with superuser privileges. If, on top of that, the attacker can write files somewhere on the system, /tmp included, they can go further and load and execute arbitrary C code.
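The precondition described above, a connection request whose database name begins with "-", is visible on the wire in the protocol 3.0 StartupMessage, so it can be checked in traffic or in a connection proxy before the packet reaches a vulnerable server. The following is an added example, not code from the PostgreSQL project or from the article: a small parser for the v3 StartupMessage (int32 length, int32 version, NUL-terminated key/value pairs, trailing NUL) plus a check for the "-" prefix, run over constructed sample packets. The function names (`build_startup`, `parse_startup`, `scan_packets`) are this example's own, and the fallback to the user name when no `database` parameter is sent reflects PostgreSQL's default of opening a database named after the user; treat that fallback as an assumption rather than something the advisory states.

```python
import struct

PROTOCOL_V3 = 3 << 16  # 196608: major 3, minor 0, as sent on the wire


def build_startup(params):
    """Encode a v3 StartupMessage: int32 total length (including itself),
    int32 protocol version, NUL-terminated key/value pairs, trailing NUL."""
    body = b"".join(k.encode() + b"\0" + v.encode() + b"\0" for k, v in params.items())
    payload = struct.pack("!i", PROTOCOL_V3) + body + b"\0"
    return struct.pack("!i", len(payload) + 4) + payload


def parse_startup(packet):
    """Decode a v3 StartupMessage into its parameter dict.
    Raises ValueError for truncated, mis-sized or non-v3 packets
    (an SSLRequest, for example, carries a different version code)."""
    if len(packet) < 9:
        raise ValueError("packet too short for a startup message")
    length, version = struct.unpack("!ii", packet[:8])
    if length != len(packet):
        raise ValueError("declared length does not match packet size")
    if version != PROTOCOL_V3:
        raise ValueError("not a protocol 3.0 startup message")
    parts = packet[8:].split(b"\0")
    # A well-formed body ends "...value NUL NUL": the final NUL terminates the
    # list, so split() yields two trailing empty strings.
    if len(parts) < 2 or parts[-1] != b"" or parts[-2] != b"":
        raise ValueError("parameter list is not NUL-terminated")
    parts = parts[:-2]
    if len(parts) % 2:
        raise ValueError("odd number of parameter fields")
    return {k.decode(): v.decode() for k, v in zip(parts[0::2], parts[1::2])}


def requested_database(params):
    """Database the server will try to open. Assumption (see lead-in): when no
    database parameter is sent, PostgreSQL uses the user name instead."""
    return params.get("database", params.get("user", ""))


def is_switch_injection(params):
    """True when the requested database name begins with '-', i.e. it would be
    read as a command-line switch, the precondition the advisory describes."""
    return requested_database(params).startswith("-")


def scan_packets(packets):
    """Return the indices of startup packets that meet the precondition.
    Packets that are not v3 startup messages are skipped, not flagged."""
    flagged = []
    for i, pkt in enumerate(packets):
        try:
            params = parse_startup(pkt)
        except ValueError:
            continue
        if is_switch_injection(params):
            flagged.append(i)
    return flagged


# Constructed sample traffic for this example (not captured from a real server).
# "-x" and "-y" are placeholders: the check only cares about the leading '-'.
SAMPLE_PACKETS = [
    build_startup({"user": "app", "database": "app"}),  # normal login
    build_startup({"user": "app", "database": "-x"}),   # database name starts with '-'
    build_startup({"user": "app"}),                     # database defaults to "app"
    build_startup({"user": "-y"}),                      # database defaults to "-y" (assumption)
    struct.pack("!ii", 8, 80877103),                    # SSLRequest, not a v3 startup
]

if __name__ == "__main__":
    print("flagged packet indices:", scan_packets(SAMPLE_PACKETS))
```

The parser deliberately rejects anything that is not a well-formed 3.0 StartupMessage rather than guessing, so an SSLRequest or a truncated packet is skipped instead of producing a false alert; a proxy that wants to block rather than log would apply `is_switch_injection` to the parsed parameters and drop the connection before forwarding it.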
Administrators of PostgreSQL systems are advised to download PostgreSQL 9.2.4, 9.1.9 or 9.0.13 to resolve this problem. The developers have also released an FAQ which provides further details about the flaw and the code shutdown. It also explains who was given access to the fixed code and why cloud vendor Heroku received early access: the company was directly exposed to the flaw and was prepared to test the fixes against running applications.
The critical flaw is not the only security fix in the release. Two further security issues have been corrected: one in random number generation and another that let unprivileged users interfere with backups. Two problems with the graphical PostgreSQL installers on Linux and Mac OS X, which passed the superuser password insecurely in a script and used predictable /tmp files, have also been fixed.
Beyond security, numerous minor fixes were made in the database, including fixes for GiST indexing, buffer and memory leaks, improved crash recovery, and several crash fixes. There is also an 8.4 update, 8.4.17, which includes these changes where they apply. Full details are available in the release notes for each version.