Bugzilla – Bug 1208102
VUL-0: CVE-2022-41862: postgresql: memory leak in libpq
Last modified: 2024-05-03 15:01:51 UTC
via max

the PostgreSQL team plans to release another round of patchlevel updates tomorrow, that fix the following security issue in addition to various other bug fixes:

• libpq can leak memory contents after GSSAPI transport encryption initiation fails (Jacob Champion)

A modified server, or an unauthenticated man-in-the-middle, can send a not-zero-terminated error message during setup of GSSAPI (Kerberos) transport encryption. libpq will then copy that string, as well as following bytes in application memory up to the next zero byte, to its error report. Depending on what the calling application does with the error report, this could result in disclosure of application memory contents. There is also a small probability of a crash due to reading beyond the end of memory. Fix by properly zero-terminating the server message. (CVE-2022-41862)

This affects PostgreSQL major versions 12 through 15, but not 11, which only gets a bugfix update. Version 10 and older are not supported anymore.
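The bug class described in the comment above, as an added illustration that is not libpq code and is not from the PostgreSQL project: a length-prefixed server message is folded into an error report with a %s-style copy, so a payload without a terminating zero byte drags neighbouring memory into the report, while the fixed routine copies at most the stated length and terminates it explicitly. The receive buffer, the helper names and the "SECRET" bytes standing in for adjacent application memory are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class described above (not libpq
 * code): during GSSAPI encryption setup the server sends a length-prefixed
 * error message, and the client folds its payload into an error report.
 * If the payload is not zero-terminated, a %s-style copy keeps reading
 * past the message until the next zero byte in memory. */

#define MSG_MAX 64

/* Unsafe: ignores the message length and treats the payload as a C string. */
static void copy_error_unsafe(const unsigned char *payload, size_t len,
                              char *out, size_t outsz)
{
    (void)len;                      /* the length is never used: the bug */
    snprintf(out, outsz, "server error: %s", (const char *)payload);
}

/* Fixed: copy at most len bytes and terminate the copy explicitly, so the
 * report can never contain bytes that follow the message in memory. */
static void copy_error_safe(const unsigned char *payload, size_t len,
                            char *out, size_t outsz)
{
    char tmp[MSG_MAX + 1];
    if (len > MSG_MAX)
        len = MSG_MAX;              /* clamp to the scratch buffer */
    memcpy(tmp, payload, len);
    tmp[len] = '\0';                /* explicit zero-termination */
    snprintf(out, outsz, "server error: %s", tmp);
}

/* Constructed receive buffer: a 6-byte message "denied" with no terminator,
 * immediately followed by unrelated application data ("SECRET"). */
static const unsigned char recv_buf[] = "deniedSECRET";
static const size_t msg_len = 6;

/* Builds the report with the unsafe (fixed == 0) or fixed (fixed == 1)
 * routine and returns 1 if the resulting report equals expect. */
int report_equals(int fixed, const char *expect)
{
    char out[128];
    if (fixed)
        copy_error_safe(recv_buf, msg_len, out, sizeof out);
    else
        copy_error_unsafe(recv_buf, msg_len, out, sizeof out);
    return strcmp(out, expect) == 0;
}
```

With the constructed buffer the unsafe path yields "server error: deniedSECRET" and the fixed path "server error: denied", which is the difference the advisory's fix makes.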
is public https://www.postgresql.org/about/news/2592/
This is an autogenerated message for OBS integration:
This bug (1208102) was mentioned in
https://build.opensuse.org/request/show/1064054 Factory / postgresql15
https://build.opensuse.org/request/show/1064055 Factory / postgresql14
https://build.opensuse.org/request/show/1064056 Factory / postgresql13
https://build.opensuse.org/request/show/1064057 Factory / postgresql12
SUSE-SU-2023:0391-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1208102
CVE References: CVE-2022-41862
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): postgresql13-13.10-3.30.1
SUSE Linux Enterprise Server 12-SP5 (src): postgresql13-13.10-3.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0393-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1208102
CVE References: CVE-2022-41862
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): postgresql15-15.2-3.6.1
SUSE OpenStack Cloud 9 (src): postgresql15-15.2-3.6.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): postgresql15-15.2-3.6.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): postgresql15-15.2-3.6.1
SUSE Linux Enterprise Server 12-SP5 (src): postgresql15-15.2-3.6.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): postgresql15-15.2-3.6.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): postgresql15-15.2-3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0392-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1208102
CVE References: CVE-2022-41862
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): postgresql14-14.7-3.20.1
SUSE Linux Enterprise Server 12-SP5 (src): postgresql14-14.7-3.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0390-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1208102
CVE References: CVE-2022-41862
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): postgresql12-12.14-3.36.1
SUSE Linux Enterprise Server 12-SP5 (src): postgresql12-12.14-3.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0450-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1208102
CVE References: CVE-2022-41862
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): postgresql12-12.14-150200.8.41.1
SUSE Linux Enterprise Server for SAP 15-SP3 (src): postgresql12-12.14-150200.8.41.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): postgresql12-12.14-150200.8.41.1
SUSE Linux Enterprise Server 15-SP3-LTSS (src): postgresql12-12.14-150200.8.41.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): postgresql12-12.14-150200.8.41.1
SUSE Linux Enterprise High Performance Computing 15-SP3-LTSS (src): postgresql12-12.14-150200.8.41.1
SUSE Linux Enterprise High Performance Computing 15-SP3-ESPOS (src): postgresql12-12.14-150200.8.41.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): postgresql12-12.14-150200.8.41.1
SUSE Enterprise Storage 7.1 (src): postgresql12-12.14-150200.8.41.1
SUSE Enterprise Storage 7 (src): postgresql12-12.14-150200.8.41.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0479-1: An update that solves one vulnerability and has one fix can now be installed.

Category: security (important)
Bug References: 1205300, 1208102
CVE References: CVE-2022-41862
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): postgresql12-12.14-150100.3.37.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): postgresql12-12.14-150100.3.37.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): postgresql12-12.14-150100.3.37.1
SUSE CaaS Platform 4.0 (src): postgresql12-12.14-150100.3.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0569-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1208102
CVE References: CVE-2022-41862
Sources used:
openSUSE Leap 15.4 (src): postgresql15-15.2-150200.5.6.1
Basesystem Module 15-SP4 (src): postgresql15-15.2-150200.5.6.1
SUSE Package Hub 15 15-SP4 (src): postgresql15-15.2-150200.5.6.1
Server Applications Module 15-SP4 (src): postgresql15-15.2-150200.5.6.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): postgresql15-15.2-150200.5.6.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): postgresql15-15.2-150200.5.6.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): postgresql15-15.2-150200.5.6.1
SUSE Linux Enterprise Real Time 15 SP3 (src): postgresql15-15.2-150200.5.6.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): postgresql15-15.2-150200.5.6.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): postgresql15-15.2-150200.5.6.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): postgresql15-15.2-150200.5.6.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): postgresql15-15.2-150200.5.6.1
SUSE Manager Proxy 4.2 (src): postgresql15-15.2-150200.5.6.1
SUSE Manager Retail Branch Server 4.2 (src): postgresql15-15.2-150200.5.6.1
SUSE Manager Server 4.2 (src): postgresql15-15.2-150200.5.6.1
SUSE Enterprise Storage 7.1 (src): postgresql15-15.2-150200.5.6.1
SUSE Enterprise Storage 7 (src): postgresql15-15.2-150200.5.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0583-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1208102
CVE References: CVE-2022-41862
Sources used:
openSUSE Leap 15.4 (src): postgresql13-13.10-150200.5.37.1
Legacy Module 15-SP4 (src): postgresql13-13.10-150200.5.37.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): postgresql13-13.10-150200.5.37.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): postgresql13-13.10-150200.5.37.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): postgresql13-13.10-150200.5.37.1
SUSE Linux Enterprise Real Time 15 SP3 (src): postgresql13-13.10-150200.5.37.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): postgresql13-13.10-150200.5.37.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): postgresql13-13.10-150200.5.37.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): postgresql13-13.10-150200.5.37.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): postgresql13-13.10-150200.5.37.1
SUSE Manager Proxy 4.2 (src): postgresql13-13.10-150200.5.37.1
SUSE Manager Retail Branch Server 4.2 (src): postgresql13-13.10-150200.5.37.1
SUSE Manager Server 4.2 (src): postgresql13-13.10-150200.5.37.1
SUSE Enterprise Storage 7.1 (src): postgresql13-13.10-150200.5.37.1
SUSE Enterprise Storage 7 (src): postgresql13-13.10-150200.5.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:0705-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1208102
CVE References: CVE-2022-41862
Sources used:
openSUSE Leap 15.4 (src): postgresql14-14.7-150200.5.23.1
Basesystem Module 15-SP4 (src): postgresql14-14.7-150200.5.23.1
SUSE Package Hub 15 15-SP4 (src): postgresql14-14.7-150200.5.23.1
Server Applications Module 15-SP4 (src): postgresql14-14.7-150200.5.23.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): postgresql14-14.7-150200.5.23.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): postgresql14-14.7-150200.5.23.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): postgresql14-14.7-150200.5.23.1
SUSE Linux Enterprise Real Time 15 SP3 (src): postgresql14-14.7-150200.5.23.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): postgresql14-14.7-150200.5.23.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): postgresql14-14.7-150200.5.23.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): postgresql14-14.7-150200.5.23.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): postgresql14-14.7-150200.5.23.1
SUSE Manager Proxy 4.2 (src): postgresql14-14.7-150200.5.23.1
SUSE Manager Retail Branch Server 4.2 (src): postgresql14-14.7-150200.5.23.1
SUSE Manager Server 4.2 (src): postgresql14-14.7-150200.5.23.1
SUSE Enterprise Storage 7.1 (src): postgresql14-14.7-150200.5.23.1
SUSE Enterprise Storage 7 (src): postgresql14-14.7-150200.5.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done, closing