Arch Linux Security Advisory ASA-201711-18

Severity: Medium
Date : 2017-11-10
CVE-ID : CVE-2017-15098 CVE-2017-15099
Package : postgresql-old-upgrade
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-486

Summary

The package postgresql-old-upgrade before version 9.6.6-1 is vulnerable
to multiple issues including access restriction bypass and information
disclosure.

Resolution

Upgrade to 9.6.6-1.

pacman -Syu “postgresql-old-upgrade>=9.6.6-1”

The problems have been fixed upstream in version 9.6.6.

Workaround

None.

Description

• CVE-2017-15098 (information disclosure)

A denial of service and potential memory disclosure vulnerability has
been discovered in PostgreSQL in the json_populate_recordset() and
jsonb_populate_recordset() functions.

• CVE-2017-15099 (access restriction bypass)

An access restriction bypass vulnerability has been discovered in
PostgreSQL, the “INSERT … ON CONFLICT DO UPDATE” would not check to
see if the executing user had permission to perform a “SELECT” on the
index performing the conflicting check. Additionally, in a table with
row-level security enabled, the “INSERT … ON CONFLICT DO UPDATE”
would not check the SELECT policies for that table before performing
the update.
The fix ensures that “INSERT … ON CONFLICT DO UPDATE” checks against
table permissions and RLS policies before executing.

Impact

A remote attacker is able to bypass access restrictions via certain
queries or possibly leak sensitive information from the running
process.

References

https://www.postgresql.org/about/news/1801/
https://security.archlinux.org/CVE-2017-15098
https://security.archlinux.org/CVE-2017-15099