Bug 949670 (CVE-2015-5289) - VUL-0: CVE-2015-5289: postgresql: Unchecked JSON input can crash the server
Summary: VUL-0: CVE-2015-5289: postgresql: Unchecked JSON input can crash the server
Status: RESOLVED FIXED
Alias: CVE-2015-5289
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P5 - None : Minor
Target Milestone: ---
Deadline: 2015-11-09
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv2:RedHat:CVE-2015-5289:4.3:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-10-09 08:14 UTC by Andreas Stieger
Modified: 2018-11-07 16:28 UTC

See Also:
Found By: Development
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2015-10-09 08:14:01 UTC
from http://www.postgresql.org/about/news/1615/

2015-10-08 Security Update Release
Posted on Oct. 8, 2015

The PostgreSQL Global Development Group has released an update to all supported versions of our database system, including 9.4.5, 9.3.10, 9.2.14, 9.1.19 and 9.0.23. This release fixes two security issues, as well as several bugs found over the last four months. Users vulnerable to the security issues should update their installations immediately; other users should update at the next scheduled downtime. This is also the final update release for major version 9.0.
Security Fixes

Two security issues have been fixed in this release which affect users of specific PostgreSQL features:

CVE-2015-5289: json or jsonb input values constructed from arbitrary user input can crash the PostgreSQL server and cause a denial of service.

[...]

Details from http://www.postgresql.org/support/security/

CVE-2015-5289
Affected versions: 9.4, 9.3, 9.2, 9.1, 9.0
Fixed in: 9.4.5, 9.3.10, 9.2.14, 9.1.19, 9.0.23
Component: core server
Class: D (A vulnerability that is exploitable for denial-of-service, but requiring a valid prior login.)
Description: Unchecked JSON input can crash the server
Comment 1 Andreas Stieger 2015-10-09 11:43:29 UTC
Upstream master commits:

http://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=08fa47c4850cea32c3116665975bca219fbf2fe6

> Prevent stack overflow in json-related functions.
> 
> Sufficiently-deep recursion heretofore elicited a SIGSEGV.  If an
> application constructs PostgreSQL json or jsonb values from arbitrary
> user input, application users could have exploited this to terminate all
> active database connections.  That applies to 9.3, where the json parser
> adopted recursive descent, and later versions.  Only row_to_json() and
> array_to_json() were at risk in 9.2, both in a non-security capacity.
> Back-patch to 9.2, where the json type was introduced.
> 
> Oskari Saarenmaa, reviewed by Michael Paquier.
> 
> Security: CVE-2015-5289

Immediately following and possibly security relevant:

http://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=30cb12881de55bc91a2cbde29d836bd3332612c3

> Prevent stack overflow in container-type functions.
> 
> A range type can name another range type as its subtype, and a record
> type can bear a column of another record type.  Consequently, functions
> like range_cmp() and record_recv() are recursive.  Functions at risk
> include operator family members and referents of pg_type regproc
> columns.  Treat as recursive any such function that looks up and calls
> the same-purpose function for a record column type or the range subtype.
> Back-patch to 9.0 (all supported versions).
> 
> An array type's element type is never itself an array type, so array
> functions are unaffected.  Recursion depth proportional to array
> dimensionality, found in array_dim_to_jsonb(), is fine thanks to MAXDIM.

http://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=5976097c0fce03f8cc201aefc4445ad57e09bb75

> Prevent stack overflow in query-type functions.
> 
> The tsquery, ltxtquery and query_int data types have a common ancestor.
> Having acquired check_stack_depth() calls independently, each was
> missing at least one call.  Back-patch to 9.0 (all supported versions).

Tagged as security and build related:

http://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=9e36c91b468d7d821b77214337ff891811b4b337

> Fix insufficiently-portable regression test case.
> 
> Some of the buildfarm members are evidently miserly enough of stack space
> to pass the originally-committed form of this test.  Increase the
> requirement 10X to hopefully ensure that it fails as-expected everywhere.
> 
> Security: CVE-2015-5289
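As an added illustration of the bug class the first commit describes (this is not PostgreSQL's code and not from the commits above): a small recursive-descent JSON checker in C with the kind of depth guard the fix added, so that deeply nested input returns an error instead of recursing until the stack is exhausted. MAX_JSON_DEPTH, the function names and the result codes are assumptions; the real fix calls check_stack_depth(), which measures the C stack against the server's max_stack_depth setting.

```c
/* Added illustration (not PostgreSQL code): a recursive-descent JSON nesting
 * checker that rejects input nested deeper than MAX_JSON_DEPTH (an assumed
 * constant) instead of recursing until the stack overflows, the bug class
 * fixed for CVE-2015-5289 by adding check_stack_depth() calls to the parser. */
#include <string.h>
#define MAX_JSON_DEPTH 16   /* kept small so the test inputs stay readable */
enum json_result { JSON_OK = 0, JSON_SYNTAX = 1, JSON_TOO_DEEP = 2 };
static enum json_result parse_value(const char **pp, int depth);
static const char *skip_ws(const char *p) { while (*p && strchr(" \t\n\r", *p)) p++; return p; }
/* Members of a container whose opening bracket was consumed. Keys and values
 * are both parsed as values; ',' and ':' are treated alike as separators. */
static enum json_result parse_container(const char **pp, int depth, char close) {
    if (depth > MAX_JSON_DEPTH)
        return JSON_TOO_DEEP;   /* the missing check: fail before the stack does */
    const char *p = skip_ws(*pp);
    if (*p == close) { *pp = p + 1; return JSON_OK; }
    for (;;) {
        enum json_result r = parse_value(&p, depth);
        if (r != JSON_OK) return r;
        p = skip_ws(p);
        if (*p == ',' || *p == ':') { p++; continue; }
        if (*p != close) return JSON_SYNTAX;
        *pp = p + 1; return JSON_OK;
    }
}
static enum json_result parse_value(const char **pp, int depth) {
    const char *p = skip_ws(*pp);
    if (*p == '[' || *p == '{') {   /* each container level recurses one deeper */
        char close = (*p++ == '[') ? ']' : '}';
        enum json_result r = parse_container(&p, depth + 1, close);
        if (r != JSON_OK) return r;
    } else if (*p == '"') {         /* skip the string body, honouring escapes */
        for (p++; *p != '"'; p++) {
            if (*p == '\0') return JSON_SYNTAX;
            if (*p == '\\' && p[1] != '\0') p++;
        }
        p++;
    } else {                        /* number, true, false or null */
        const char *start = p;
        while (*p && !strchr(",]}: \t\n\r", *p)) p++;
        if (p == start) return JSON_SYNTAX;
    }
    *pp = p; return JSON_OK;
}
enum json_result json_check(const char *text) {   /* validate a whole document */
    const char *p = text;
    enum json_result r = parse_value(&p, 0);
    return r != JSON_OK ? r : (*skip_ws(p) == '\0' ? JSON_OK : JSON_SYNTAX);
}
```

Without the guard at the top of parse_container, the only limit on recursion is the thread's stack, which is exactly what the unpatched server relied on.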
Comment 2 Andreas Stieger 2015-10-09 12:15:27 UTC
(In reply to Andreas Stieger from comment #0)
> from http://www.postgresql.org/about/news/1615/
> [...]
> Affected versions: 9.4, 9.3, 9.2, 9.1, 9.0
> Fixed in: 9.4.5, 9.3.10, 9.2.14, 9.1.19, 9.0.23

This does not seem to hold true for the 08fa47c4850cea32c3116665975bca219fbf2fe6 change, as the json type was new in 9.2.

However 
> Prevent stack overflow in container-type functions.
> Prevent stack overflow in query-type functions.

were merged to earlier releases, which is why this may be confused upstream. They do not carry a CVE or security marker but could be back-ported nevertheless.
Comment 3 Andreas Stieger 2015-10-09 12:19:54 UTC
Only this commit is relevant for 8.1.23 and 8.3.23:

9e36c91b468d7d821b77214337ff891811b4b337
> Fix insufficiently-portable regression test case.
Comment 6 Swamp Workflow Management 2015-10-12 11:53:27 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2015-11-09.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62309
Comment 8 Bernhard Wiedemann 2015-10-13 15:01:23 UTC
This is an autogenerated message for OBS integration:
This bug (949670) was mentioned in
https://build.opensuse.org/request/show/338464 Factory / postgresql93
https://build.opensuse.org/request/show/338466 Leap:42.1 / postgresql94
https://build.opensuse.org/request/show/338469 Leap:42.1 / postgresql93
Comment 9 Bernhard Wiedemann 2015-10-22 09:00:24 UTC
This is an autogenerated message for OBS integration:
This bug (949670) was mentioned in
https://build.opensuse.org/request/show/340345 13.2 / postgresql93
Comment 10 Swamp Workflow Management 2015-10-26 17:10:53 UTC
SUSE-SU-2015:1821-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 949669,949670
CVE References: CVE-2015-5288,CVE-2015-5289
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    postgresql93-libs-9.3.10-11.1
SUSE Linux Enterprise Server 12 (src):    postgresql93-9.3.10-11.1, postgresql93-libs-9.3.10-11.1
SUSE Linux Enterprise Desktop 12 (src):    postgresql93-9.3.10-11.1, postgresql93-libs-9.3.10-11.1
Comment 11 Swamp Workflow Management 2015-10-30 12:10:32 UTC
SUSE-OU-2015:1847-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: optional (moderate)
Bug References: 941886,945706,949669,949670,950486
CVE References: CVE-2015-5288,CVE-2015-5289
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    postgresql94-libs-9.4.5-4.1
SUSE Linux Enterprise Server 12 (src):    postgresql-init-9.4-17.8.1, postgresql94-9.4.5-4.5, postgresql94-libs-9.4.5-4.1
SUSE Linux Enterprise Desktop 12 (src):    postgresql94-9.4.5-4.5, postgresql94-libs-9.4.5-4.1
Comment 12 Swamp Workflow Management 2015-11-04 16:13:04 UTC
openSUSE-SU-2015:1907-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 949669,949670
CVE References: CVE-2015-5288,CVE-2015-5289
Sources used:
openSUSE 13.2 (src):    postgresql93-9.3.10-2.7.1, postgresql93-libs-9.3.10-2.7.1
Comment 14 Swamp Workflow Management 2016-02-16 21:14:22 UTC
SUSE-SU-2016:0482-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 949669,949670
CVE References: CVE-2015-5288,CVE-2015-5289
Sources used:
SUSE Manager 2.1 (src):    postgresql94-9.4.5-0.8.3
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    postgresql94-libs-9.4.5-0.8.3
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    postgresql94-libs-9.4.5-0.8.3
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    postgresql94-9.4.5-0.8.3, postgresql94-libs-9.4.5-0.8.3
SUSE Linux Enterprise Server 11-SP4 (src):    postgresql94-9.4.5-0.8.3, postgresql94-libs-9.4.5-0.8.3
SUSE Linux Enterprise Server 11-SP3 (src):    postgresql94-9.4.5-0.8.3, postgresql94-libs-9.4.5-0.8.3
SUSE Linux Enterprise Desktop 11-SP4 (src):    postgresql94-9.4.5-0.8.3, postgresql94-libs-9.4.5-0.8.3
SUSE Linux Enterprise Desktop 11-SP3 (src):    postgresql94-9.4.5-0.8.3, postgresql94-libs-9.4.5-0.8.3
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    postgresql94-9.4.5-0.8.3, postgresql94-libs-9.4.5-0.8.3
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    postgresql94-9.4.5-0.8.3
Comment 15 Swamp Workflow Management 2016-03-07 17:13:05 UTC
SUSE-SU-2016:0677-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 949669,949670,966435,966436
CVE References: CVE-2007-4772,CVE-2015-5288,CVE-2015-5289,CVE-2016-0766,CVE-2016-0773
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    postgresql94-libs-9.4.6-0.14.3
SUSE Linux Enterprise Server 11-SP4 (src):    postgresql94-9.4.6-0.14.3, postgresql94-libs-9.4.6-0.14.3
SUSE Linux Enterprise Desktop 11-SP4 (src):    postgresql94-9.4.6-0.14.3, postgresql94-libs-9.4.6-0.14.3
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    postgresql94-9.4.6-0.14.3, postgresql94-libs-9.4.6-0.14.3
Comment 16 Marcus Meissner 2016-03-11 16:29:18 UTC
released