Bug 949669 (CVE-2015-5288) - VUL-0: CVE-2015-5288: postgresql: Memory leak in crypt() function
Summary: VUL-0: CVE-2015-5288: postgresql: Memory leak in crypt() function
Status: RESOLVED FIXED
Alias: CVE-2015-5288
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Deadline: 2016-02-02
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv2:SUSE:CVE-2015-5288:4.0:(AV:N/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-10-09 08:13 UTC by Andreas Stieger
Modified: 2022-02-13 11:07 UTC
CC List: 4 users

See Also:
Found By: Development
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
upstream commit 1d812c8b059d0b9b1fba4a459c9876de0f6259b6 (8.99 KB, patch)
2015-10-09 09:12 UTC, Andreas Stieger
postgresql-8.3.23-CVE-2015-5288.patch (9.95 KB, patch)
2015-10-09 09:35 UTC, Andreas Stieger
postgresql-8.1.23-CVE-2015-5288.patch (9.95 KB, patch)
2015-10-09 09:40 UTC, Andreas Stieger

Description Andreas Stieger 2015-10-09 08:13:58 UTC
from http://www.postgresql.org/about/news/1615/

2015-10-08 Security Update Release
Posted on Oct. 8, 2015

The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 9.4.5, 9.3.10, 9.2.14, 9.1.19 and 9.0.23. This release fixes two security issues, as well as several bugs found over the last four months. Users vulnerable to the security issues should update their installations immediately; other users should update at the next scheduled downtime. This is also the final update release for major version 9.0.
Security Fixes

Two security issues have been fixed in this release which affect users of specific PostgreSQL features:

[...]

CVE-2015-5288: The crypt() function included with the optional pgCrypto extension could be exploited to read a few additional bytes of memory. No working exploit for this issue has been developed.

Details from http://www.postgresql.org/support/security/

CVE-2015-5288
Affected versions: 9.4, 9.3, 9.2, 9.1, 9.0
Fixed in: 9.4.5, 9.3.10, 9.2.14, 9.1.19, 9.0.23
Component: contrib module
Class: C (A vulnerability that is exploitable for privilege escalation, but requiring a valid prior login.)
Description: Memory leak in crypt() function.
Comment 1 Andreas Stieger 2015-10-09 09:12:05 UTC
Created attachment 650900 [details]
upstream commit 1d812c8b059d0b9b1fba4a459c9876de0f6259b6

http://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=1d812c8b059d0b9b1fba4a459c9876de0f6259b6

commit 1d812c8b059d0b9b1fba4a459c9876de0f6259b6
Author: Noah Misch <noah@leadboat.com>
Date:   Mon Oct 5 10:06:29 2015 -0400

    pgcrypto: Detect and report too-short crypt() salts.
    
    Certain short salts crashed the backend or disclosed a few bytes of
    backend memory.  For existing salt-induced error conditions, emit a
    message saying as much.  Back-patch to 9.0 (all supported versions).
    
    Josh Kupershmidt
    
    Security: CVE-2015-5288
Comment 2 Reinhard Max 2015-10-09 09:19:07 UTC
No need for cherry-picking, we'll use the new patchlevel releases as always with PostgreSQL.
Comment 3 Andreas Stieger 2015-10-09 09:35:41 UTC
Created attachment 650907 [details]
postgresql-8.3.23-CVE-2015-5288.patch

patch backported to 8.3.23, minimal context diff
Comment 4 Andreas Stieger 2015-10-09 09:40:19 UTC
Created attachment 650908 [details]
postgresql-8.1.23-CVE-2015-5288.patch

An unfuzzed patch for SLE 10 SP3 TD, affected.
Comment 5 Reinhard Max 2015-10-09 09:45:59 UTC
(In reply to Andreas Stieger from comment #3)
> Created attachment 650907 [details]
> postgresql-8.3.23-CVE-2015-5288.patch
> 
> patch backported to 8.3.23, minimal context diff

Do we still maintain 8.3 on SLE11?

I think we released the upgrades to 9.0 and 9.4 for SLE11, so that we do not need to do these backports once 8.3 is out of upstream maintenance.
Comment 8 Swamp Workflow Management 2015-10-09 22:00:15 UTC
bugbot adjusting priority
Comment 10 Swamp Workflow Management 2015-10-12 11:53:17 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2015-11-09.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62309
Comment 12 Bernhard Wiedemann 2015-10-13 15:01:18 UTC
This is an autogenerated message for OBS integration:
This bug (949669) was mentioned in
https://build.opensuse.org/request/show/338464 Factory / postgresql93
https://build.opensuse.org/request/show/338466 Leap:42.1 / postgresql94
https://build.opensuse.org/request/show/338469 Leap:42.1 / postgresql93
Comment 13 Bernhard Wiedemann 2015-10-22 09:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (949669) was mentioned in
https://build.opensuse.org/request/show/340344 13.1 / postgresql92
https://build.opensuse.org/request/show/340345 13.2 / postgresql93
Comment 14 Swamp Workflow Management 2015-10-26 17:10:43 UTC
SUSE-SU-2015:1821-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 949669,949670
CVE References: CVE-2015-5288,CVE-2015-5289
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    postgresql93-libs-9.3.10-11.1
SUSE Linux Enterprise Server 12 (src):    postgresql93-9.3.10-11.1, postgresql93-libs-9.3.10-11.1
SUSE Linux Enterprise Desktop 12 (src):    postgresql93-9.3.10-11.1, postgresql93-libs-9.3.10-11.1
Comment 15 Swamp Workflow Management 2015-10-30 12:10:22 UTC
SUSE-OU-2015:1847-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: optional (moderate)
Bug References: 941886,945706,949669,949670,950486
CVE References: CVE-2015-5288,CVE-2015-5289
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    postgresql94-libs-9.4.5-4.1
SUSE Linux Enterprise Server 12 (src):    postgresql-init-9.4-17.8.1, postgresql94-9.4.5-4.5, postgresql94-libs-9.4.5-4.1
SUSE Linux Enterprise Desktop 12 (src):    postgresql94-9.4.5-4.5, postgresql94-libs-9.4.5-4.1
Comment 16 Swamp Workflow Management 2015-11-04 16:12:53 UTC
openSUSE-SU-2015:1907-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 949669,949670
CVE References: CVE-2015-5288,CVE-2015-5289
Sources used:
openSUSE 13.2 (src):    postgresql93-9.3.10-2.7.1, postgresql93-libs-9.3.10-2.7.1
Comment 17 Swamp Workflow Management 2015-11-05 14:10:59 UTC
openSUSE-SU-2015:1919-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 949669
CVE References: CVE-2015-5288
Sources used:
openSUSE 13.1 (src):    postgresql92-9.2.14-4.7.2, postgresql92-libs-9.2.14-4.7.1
Comment 19 Swamp Workflow Management 2016-01-19 09:13:48 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2016-02-02.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62445
Comment 28 Andrej Semen 2016-01-21 15:02:52 UTC
Is there a test case or reproducer you could provide for
QA maintenance testing?
Comment 29 Andreas Stieger 2016-01-21 15:15:14 UTC
(In reply to Andrej Semen from comment #28)
> Is there a test case or reproducer you could provide for
> QA maintenance testing?

From http://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=1d812c8b059d0b9b1fba4a459c9876de0f6259b6;hp=2ca9d5445c35db8956e4abbf1e653373820e8c0a

"invalid salt" messages expected as below.

-- error, salt too short:
SELECT crypt('foox', '$2a$');
ERROR:  invalid salt
-- error, first digit of count in salt invalid
SELECT crypt('foox', '$2a$40$RQiOJ.3ELirrXwxIZY8q0O');
ERROR:  invalid salt
-- error, count in salt too small
SELECT crypt('foox', '$2a$00$RQiOJ.3ELirrXwxIZY8q0O');
ERROR:  invalid salt

-- We are supposed to pass in a 2-character salt.
-- error since salt is too short:
SELECT crypt('password', 'a');
ERROR:  invalid salt

-- check XDES handling of keys longer than 8 chars
SELECT crypt('longlongpassword', '_J9..j2zz');
        crypt         
----------------------
 _J9..j2zz4BeseiQNwUg
(1 row)

-- error, salt too short
SELECT crypt('foox', '_J9..BWH');
ERROR:  invalid salt
-- error, count specified in the second argument is 0
SELECT crypt('password', '_........');
ERROR:  crypt(3) returned NULL
-- error, count will wind up still being 0 due to invalid encoding
-- of the count: only chars ``./0-9A-Za-z' are valid
SELECT crypt('password', '_..!!!!!!');
ERROR:  crypt(3) returned NULL
-- count should be non-zero here, will work
SELECT crypt('password', '_/!!!!!!!');
        crypt         
----------------------
 _/!!!!!!!zqM49hRzxko
(1 row)

The behavior before the patch is described as "Certain short salts crashed the backend or disclosed a few bytes of backend memory."; I have not tried this. The above is part of the regression test suite that runs during build.
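A salt pre-check that mirrors the rules the regression test above exercises, added here as an example; it is not PostgreSQL or pgcrypto code. It covers only the three salt formats shown (bcrypt "$2a$", extended DES "_" and traditional DES) and assumes an application wants to reject malformed salts before they reach crypt(); the function name check_crypt_salt and the decoded-count helper are my own.

```python
"""Pre-check of pgcrypto crypt() salts for CVE-2015-5288 style inputs.

Added example, not pgcrypto code. Returns None when the salt is acceptable,
otherwise the error message pgcrypto is expected to raise for it.
"""
import re

# Alphabet used by the 4-character XDES count; any other char decodes to 0.
_XDES_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# "$2a$" + two-digit cost + "$" + 22 salt chars; trailing hash chars allowed,
# so a full stored hash can be passed as the salt for verification.
_BCRYPT = re.compile(r"^\$2a\$([0-9]{2})\$[./A-Za-z0-9]{22}")


def xdes_count(chars: str) -> int:
    """Decode the XDES iteration count: 6 bits per char, least significant first."""
    count = 0
    for i, ch in enumerate(chars[:4]):
        value = _XDES_ALPHABET.find(ch)   # -1 for chars outside the alphabet
        count |= max(value, 0) << (6 * i)
    return count


def check_crypt_salt(salt: str):
    """Return None if the salt is usable, else the expected pgcrypto error."""
    if salt.startswith("$2a$"):
        m = _BCRYPT.match(salt)
        # Too short, malformed, or cost outside 04..31 -> rejected outright
        if m is None or not 4 <= int(m.group(1)) <= 31:
            return "invalid salt"
        return None
    if salt.startswith("_"):
        # "_" + 4 count chars + 4 salt chars is the minimum
        if len(salt) < 9:
            return "invalid salt"
        # A count that decodes to zero makes crypt(3) return NULL
        if xdes_count(salt[1:5]) == 0:
            return "crypt(3) returned NULL"
        return None
    # Traditional DES needs at least a 2-character salt
    if len(salt) < 2:
        return "invalid salt"
    return None
```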
Comment 30 Swamp Workflow Management 2016-02-09 13:11:45 UTC
SUSE-SU-2016:0389-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 949669
CVE References: CVE-2015-5288
Sources used:
SUSE Studio Onsite 1.3 (src):    postgresql91-libs-9.1.19-0.5.1
SUSE Manager 2.1 (src):    postgresql91-9.1.19-0.5.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    postgresql91-libs-9.1.19-0.5.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    postgresql91-9.1.19-0.5.1
SUSE Linux Enterprise Server 11-SP3 (src):    postgresql91-9.1.19-0.5.1
SUSE Linux Enterprise Desktop 11-SP3 (src):    postgresql91-9.1.19-0.5.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    postgresql91-9.1.19-0.5.1
Comment 31 Swamp Workflow Management 2016-02-16 21:14:10 UTC
SUSE-SU-2016:0482-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 949669,949670
CVE References: CVE-2015-5288,CVE-2015-5289
Sources used:
SUSE Manager 2.1 (src):    postgresql94-9.4.5-0.8.3
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    postgresql94-libs-9.4.5-0.8.3
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    postgresql94-libs-9.4.5-0.8.3
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    postgresql94-9.4.5-0.8.3, postgresql94-libs-9.4.5-0.8.3
SUSE Linux Enterprise Server 11-SP4 (src):    postgresql94-9.4.5-0.8.3, postgresql94-libs-9.4.5-0.8.3
SUSE Linux Enterprise Server 11-SP3 (src):    postgresql94-9.4.5-0.8.3, postgresql94-libs-9.4.5-0.8.3
SUSE Linux Enterprise Desktop 11-SP4 (src):    postgresql94-9.4.5-0.8.3, postgresql94-libs-9.4.5-0.8.3
SUSE Linux Enterprise Desktop 11-SP3 (src):    postgresql94-9.4.5-0.8.3, postgresql94-libs-9.4.5-0.8.3
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    postgresql94-9.4.5-0.8.3, postgresql94-libs-9.4.5-0.8.3
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    postgresql94-9.4.5-0.8.3
Comment 32 Swamp Workflow Management 2016-03-07 17:12:51 UTC
SUSE-SU-2016:0677-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 949669,949670,966435,966436
CVE References: CVE-2007-4772,CVE-2015-5288,CVE-2015-5289,CVE-2016-0766,CVE-2016-0773
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    postgresql94-libs-9.4.6-0.14.3
SUSE Linux Enterprise Server 11-SP4 (src):    postgresql94-9.4.6-0.14.3, postgresql94-libs-9.4.6-0.14.3
SUSE Linux Enterprise Desktop 11-SP4 (src):    postgresql94-9.4.6-0.14.3, postgresql94-libs-9.4.6-0.14.3
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    postgresql94-9.4.6-0.14.3, postgresql94-libs-9.4.6-0.14.3
Comment 33 Marcus Meissner 2016-03-11 16:29:09 UTC
released