Arch Linux Security Advisory ASA-202011-14
==========================================

Severity: High
Date    : 2020-11-17
CVE-ID  : CVE-2020-25694 CVE-2020-25695 CVE-2020-25696
Package : postgresql
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1276

Summary
=======

The package postgresql before version 12.5-1 is vulnerable to multiple
issues including sandbox escape, arbitrary code execution and silent
downgrade.

Resolution
==========

Upgrade to 12.5-1.

# pacman -Syu "postgresql>=12.5-1"

The problems have been fixed upstream in version 12.5.

Workaround
==========

None.

Description
===========

- CVE-2020-25694 (silent downgrade)

A security issue has been found in PostgreSQL before 12.5. Many
PostgreSQL-provided client applications have options that create
additional database connections. Some of those applications reuse only
the basic connection parameters (e.g. host, user, port), dropping others.
If this drops a security-relevant parameter (e.g. channel_binding,
sslmode, requirepeer, gssencmode), the attacker has an opportunity to
complete a MITM attack or observe cleartext transmission. Affected
applications are clusterdb, pg_dump, pg_restore, psql, reindexdb, and
vacuumdb. The vulnerability arises only if one invokes an affected client
application with a connection string containing a security-relevant
parameter.

- CVE-2020-25695 (sandbox escape)

A security issue has been found in PostgreSQL before 12.5, where an
attacker having permission to create non-temporary objects in at least
one schema can execute arbitrary SQL functions under the identity of a
superuser. While promptly updating PostgreSQL is the best remediation for
most users, a user unable to do that can work around the vulnerability by
disabling autovacuum and not manually running ANALYZE, CLUSTER, REINDEX,
CREATE INDEX, VACUUM FULL, REFRESH MATERIALIZED VIEW, or a restore from
output of the pg_dump command. Performance may degrade quickly under this
workaround. VACUUM without the FULL option is safe, and all commands are
fine when a trusted user owns the target object.

- CVE-2020-25696 (arbitrary code execution)

A security issue has been found in PostgreSQL before 12.5, where psql's
\gset allows overwriting specially treated variables. The \gset
meta-command, which sets psql variables based on query results, does not
distinguish variables that control psql behavior. If an interactive psql
session uses \gset when querying a compromised server, the attacker can
execute arbitrary code as the operating system account running psql.
Using \gset with a prefix not found among specially treated variables,
e.g. any lowercase string, precludes the attack in an unpatched psql.

Impact
======

An attacker in a man-in-the-middle position might be able to access
sensitive information or even alter SQL commands. A remote, authenticated
attacker might be able to escape the PG sandbox and execute arbitrary
code on the server.

References
==========

https://www.postgresql.org/about/news/postgresql-131-125-1110-1015-9620-and-9524-released-2111/
https://security.archlinux.org/CVE-2020-25694
https://security.archlinux.org/CVE-2020-25695
https://security.archlinux.org/CVE-2020-25696
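Two of the conditions described above are client-side and can be audited before the upgrade lands: a connection string carrying a security-relevant parameter that an affected tool would drop (CVE-2020-25694), and a \gset prefix that could collide with one of psql's specially treated variables (CVE-2020-25696). The Python below is an added example written for this page; it is not Arch Linux or PostgreSQL code. The connection-string parser, the assumption that every specially treated psql variable is an all-uppercase name, and the sample connection strings are this example's own constructions; the parameter and client lists come from the advisory text.

```python
"""Pre-upgrade audit helpers derived from ASA-202011-14 (added example, not Arch/PostgreSQL code)."""
import re
from urllib.parse import parse_qsl, urlsplit

# Security-relevant libpq parameters named in the CVE-2020-25694 description.
SECURITY_PARAMS = {"channel_binding", "sslmode", "requirepeer", "gssencmode"}

# Client applications the advisory lists as affected before 12.5.
AFFECTED_CLIENTS = {"clusterdb", "pg_dump", "pg_restore", "psql", "reindexdb", "vacuumdb"}

# key=value tokens of a libpq conninfo string; values may be single-quoted
# with backslash escapes (simplified parser, an assumption of this example).
_KV_RE = re.compile(r"(\w+)\s*=\s*('(?:\\.|[^'])*'|\S+)")


def parse_conninfo(conninfo):
    """Return the parameters of a libpq connection string as a dict.

    Handles the URI form (postgresql://... ?k=v&k=v) and the key=value form.
    """
    if conninfo.startswith(("postgresql://", "postgres://")):
        return dict(parse_qsl(urlsplit(conninfo).query, keep_blank_values=True))
    params = {}
    for key, value in _KV_RE.findall(conninfo):
        if value.startswith("'"):
            # strip the quotes and resolve \x escapes inside them
            value = re.sub(r"\\(.)", r"\1", value[1:-1])
        params[key] = value
    return params


def security_params_at_risk(client, conninfo):
    """Security-relevant parameters that `client` (pre-12.5) would drop when it
    opens its additional connections (CVE-2020-25694). Empty dict means the
    invocation is outside the advisory's stated trigger condition."""
    if client not in AFFECTED_CLIENTS:
        return {}
    return {k: v for k, v in parse_conninfo(conninfo).items() if k in SECURITY_PARAMS}


def gset_prefix_is_safe(prefix):
    """CVE-2020-25696 workaround check for an unpatched psql.

    Assumption of this example: psql's specially treated variables are all
    uppercase names (e.g. PROMPT1, ON_ERROR_STOP), so any prefix containing a
    lowercase letter yields variable names that can never match one of them,
    which is the advisory's 'any lowercase string' guidance.
    """
    return any(ch.islower() for ch in prefix)


if __name__ == "__main__":
    # Constructed sample invocations, not taken from any real system.
    samples = [
        ("psql", "host=db.example user=app sslmode=verify-full"),
        ("pg_dump", "postgresql://app@db.example/appdb?sslmode=require&channel_binding=require"),
        ("createdb", "host=db.example sslmode=require"),
    ]
    for client, conninfo in samples:
        print(client, "->", security_params_at_risk(client, conninfo) or "no dropped security params")
    for prefix in ("my_", "PROMPT", ""):
        print(repr(prefix), "safe \\gset prefix:", gset_prefix_is_safe(prefix))
```

Run it over the connection strings in your own scripts and cron jobs; any non-empty result is an invocation that, before 12.5, could silently fall back to a connection without the TLS, peer or GSS guarantees the string asked for, and the \gset check tells you whether an interactive session's prefix already follows the advisory's interim guidance.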