Debian Bug report logs - #278336
postgresql: Insecure creation of temporary files


Package: postgresql; Maintainer for postgresql is Debian PostgreSQL Maintainers <pkg-postgresql-public@lists.alioth.debian.org>; Source for postgresql is src:postgresql-common.

Reported by: Stephen Quinney <stephen@jadevine.org.uk>

Date: Tue, 26 Oct 2004 08:33:03 UTC

Severity: critical

Tags: security, woody

Merged with 278262

Found in versions 7.3.4-9, 7.4.5-3

Fixed in versions postgresql/7.4.6-1, postgresql/7.2.1-2woody6

Done: Martin Pitt <mpitt@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Oliver Elphick <Oliver.Elphick@lfix.co.uk>:
Bug#278336; Package postgresql. Full text and rfc822 format available.

Acknowledgement sent to Stephen Quinney <stephen@jadevine.org.uk>:
New Bug report received and forwarded. Copy sent to Oliver Elphick <Oliver.Elphick@lfix.co.uk>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Stephen Quinney <stephen@jadevine.org.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: postgresql: Insecure creation of temporary files
Date: Tue, 26 Oct 2004 09:25:30 +0100
Package: postgresql
Version: 7.4.5-3
Severity: critical
Tags: security
Justification: causes serious data loss

According to http://www.postgresql.org/news/234.html postgresql
contains "A vulnerability exists due to the insecure creation of
temporary files, which could possibly let a malicious user overwrite
arbitrary files."

This affects versions 7.2.5, 7.3.7 and 7.4.5, which means it affects
woody, sarge and sid.

It is rated as a "medium risk", there is currently no known
exploit. It is also mentioned at:

http://www.us-cert.gov/cas/bulletins/SB04-280.html#postgre

The report also mentions that in these releases there is a potential
'data loss' bug that was recently identified:

"Repair possible failure to update hint bits on disk Under rare
circumstances this oversight could lead to "could not access
transaction status" failures, which qualifies it as a
potential-data-loss bug."

It seems to me that the combination of these two bugs warrants a
critical severity Debian bug. I have looked and cannot see anything in
the changelogs to say that these have been fixed in Debian.

Stephen Quinney

 
-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.9
Locale: LANG=C, LC_CTYPE=C

Versions of packages postgresql depends on:
ii  adduser          3.59                    Add and remove users and groups
ii  debconf [debconf 1.4.30.8                Debian configuration management sy
ii  debianutils      2.8.4                   Miscellaneous utilities specific t
ii  libc6            2.3.2.ds1-18            GNU C Library: Shared libraries an
ii  libcomerr2       1.35-6                  The Common Error Description libra
ii  libkrb53         1.3.4-4                 MIT Kerberos runtime libraries
ii  libpam0g         0.76-22                 Pluggable Authentication Modules l
ii  libperl5.8       5.8.4-2.3               Shared Perl library
ii  libpq3           7.4.5-3                 Shared library libpq.so.3 for Post
ii  libreadline4     4.3-11                  GNU readline and history libraries
ii  libssl0.9.7      0.9.7d-5                SSL shared libraries
ii  mailx            1:8.1.2-0.20040524cvs-1 A simple mail user agent
ii  postgresql-clien 7.4.5-3                 Front-end programs for PostgreSQL
ii  procps           1:3.2.1-2               The /proc file system utilities
ii  python2.3        2.3.4-13                An interactive high-level object-o
ii  ucf              1.09                    Update Configuration File: preserv
ii  zlib1g           1:1.2.2-1               compression library - runtime

-- debconf information excluded



Information forwarded to debian-bugs-dist@lists.debian.org, Oliver Elphick <Oliver.Elphick@lfix.co.uk>:
Bug#278336; Package postgresql. Full text and rfc822 format available.

Acknowledgement sent to olly@lfix.co.uk:
Extra info received and forwarded to list. Copy sent to Oliver Elphick <Oliver.Elphick@lfix.co.uk>. Full text and rfc822 format available.

Message #10 received at 278336@bugs.debian.org (full text, mbox):

From: Oliver Elphick <olly@lfix.co.uk>
To: Stephen Quinney <stephen@jadevine.org.uk>, 278336@bugs.debian.org
Subject: Re: Bug#278336: postgresql: Insecure creation of temporary files
Date: Tue, 26 Oct 2004 11:37:57 +0100
On Tue, 2004-10-26 at 09:25 +0100, Stephen Quinney wrote:
> According to http://www.postgresql.org/news/234.html postgresql
> contains "A vulnerability exists due to the insecure creation of
> temporary files, which could possibly let a malicious user overwrite
> arbitrary files."
...
> The report also mentions that in these releases there is a potential
> 'data loss' bug that was recently identified:
...
> It seems to me that the combination of these two bugs warrant a
> critical severity Debian bug. I have looked and cannot see anything in
> the changelogs to say that these have been fixed in Debian.

There is a new upstream bugfix release, which will shortly be packaged.

-- 
Oliver Elphick                                          olly@lfix.co.uk
Isle of Wight                              http://www.lfix.co.uk/oliver
GPG: 1024D/A54310EA  92C8 39E7 280E 3631 3F0E  1EC0 5664 7A2F A543 10EA
                 ========================================
     "Whosoever therefore shall be ashamed of me and of my 
      words in this adulterous and sinful generation; of him
      also shall the Son of man be ashamed, when he cometh 
      in the glory of his Father with the holy angels."     
                                 Mark 8:38 




Information forwarded to debian-bugs-dist@lists.debian.org, Oliver Elphick <Oliver.Elphick@lfix.co.uk>:
Bug#278336; Package postgresql. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Oliver Elphick <Oliver.Elphick@lfix.co.uk>. Full text and rfc822 format available.

Message #15 received at 278336@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: 278336@bugs.debian.org
Subject: Re: Bug#278336: postgresql: Insecure creation of temporary files
Date: Tue, 26 Oct 2004 13:20:58 +0200
[Message part 1 (text/plain, inline)]
Hi Oliver!

I will prepare a new Ubuntu revision anyway, and I will upload the same
into Sid. But I got as many as six new security bugs today, so I will
still need some hours to process them.

Oliver, can you please deal with the stable version and with the
security team in the meanwhile? If you don't have time, I will do it
after fixing sid, but that might still take a few hours.

Thanks,

Martin

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Oliver Elphick <Oliver.Elphick@lfix.co.uk>:
Bug#278336; Package postgresql. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Oliver Elphick <Oliver.Elphick@lfix.co.uk>. Full text and rfc822 format available.

Message #20 received at 278336@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: 278336@bugs.debian.org
Subject: Re: Bug#278336: postgresql: Insecure creation of temporary files
Date: Tue, 26 Oct 2004 14:12:20 +0200
[Message part 1 (text/plain, inline)]
Hi!

Oliver Elphick [2004-10-26 11:37 +0100]:
> On Tue, 2004-10-26 at 09:25 +0100, Stephen Quinney wrote:
> > According to http://www.postgresql.org/news/234.html postgresql
> > contains "A vulnerability exists due to the insecure creation of
> > temporary files, which could possibly let a malicious user overwrite
> > arbitrary files."
> ...
> > The report also mentions that in these releases there is a potential
> > 'data loss' bug that was recently identified:
> ...
> > It seems to me that the combination of these two bugs warrant a
> > critical severity Debian bug. I have looked and cannot see anything in
> > the changelogs to say that these have been fixed in Debian.
> 
> There is a new upstream bugfix release, which will shortly be packaged.

I will package 7.4.6 for sid and upload it soon, if you agree.

Unfortunately the upstream guys replaced one insecure thing by another
one:

---------------------- snip ------------------------------------------
$ diff -ru make_oidjoins_check.7.4.5 make_oidjoins_check.7.4.6
--- make_oidjoins_check.7.4.5   2002-09-05 21:57:32.000000000 +0200
+++ make_oidjoins_check.7.4.6   2004-10-26 13:58:02.595132512 +0200
@@ -10,27 +10,32 @@
 # Caution: you may need to use GNU awk.
 AWK=${AWK:-awk}

-trap "rm -f /tmp/$$ /tmp/$$a /tmp/$$b" 0 1 2 3 15
+INPUTFILE="tmp$$a"
+DUPSFILE="tmp$$b"
+NONDUPSFILE="tmp$$c"
+rm -f $INPUTFILE $DUPSFILE $NONDUPSFILE
+
+trap "rm -f $INPUTFILE $DUPSFILE $NONDUPSFILE" 0 1 2 3 15

 # Read input
-cat "$@" >/tmp/$$
+cat "$@" >$INPUTFILE
[...]
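Review bot: the new names `tmp$$a`, `tmp$$b` and `tmp$$c` are still derived from the PID and are still opened with a plain `>` redirection (`cat "$@" >$INPUTFILE`), so this hunk moves the race rather than removing it. The added `rm -f $INPUTFILE $DUPSFILE $NONDUPSFILE` only narrows the window: anyone who can guess the PID can place a symlink at that name after the `rm -f` runs and before `cat` opens the file, and the redirection will truncate whatever the link points to. Dropping the `/tmp/` prefix helps only when the current directory is not writable by other users, which the script does not check. Suggest claiming a private directory first, `TMP=$(mktemp -d) || exit 1` (or, where `mktemp` is missing, an atomic `mkdir` of a fresh name with a retry on failure), building the three file names under it, and having the `trap` remove that directory.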
---------------------- snip ------------------------------------------

They still construct temporary files with "$$", which is insecure. I
will change that to something sane using mktemp and submit the patch
upstream.

Martin

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Oliver Elphick <Oliver.Elphick@lfix.co.uk>:
Bug#278336; Package postgresql. Full text and rfc822 format available.

Acknowledgement sent to olly@lfix.co.uk:
Extra info received and forwarded to list. Copy sent to Oliver Elphick <Oliver.Elphick@lfix.co.uk>. Full text and rfc822 format available.

Message #25 received at 278336@bugs.debian.org (full text, mbox):

From: Oliver Elphick <olly@lfix.co.uk>
To: Martin Pitt <mpitt@debian.org>, 278336@bugs.debian.org
Subject: Re: Bug#278336: postgresql: Insecure creation of temporary files
Date: Tue, 26 Oct 2004 13:26:15 +0100
On Tue, 2004-10-26 at 14:12 +0200, Martin Pitt wrote:
> I will package 7.4.6 for sid and upload it soon, if you agree.

Go ahead.

> Unfortunately the upstream guys replaced one insecure thing by another
> one:
...
> They still construct temporary files with "$$", which is insecure. I
> will change that to something sane using mktemp and submit the patch
> upstream.

mktemp is fine for us, but I believe it is not portable across all Pg
platforms.

-- 
Oliver Elphick                                          olly@lfix.co.uk
Isle of Wight                              http://www.lfix.co.uk/oliver
GPG: 1024D/A54310EA  92C8 39E7 280E 3631 3F0E  1EC0 5664 7A2F A543 10EA
                 ========================================
     "Whosoever therefore shall be ashamed of me and of my 
      words in this adulterous and sinful generation; of him
      also shall the Son of man be ashamed, when he cometh 
      in the glory of his Father with the holy angels."     
                                 Mark 8:38 
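The two points raised in Message #20 (names built from `$$` are predictable, so a plain redirection can be hijacked) and Message #25 (`mktemp` is not available on every platform PostgreSQL supports), taken together as an added shell example. This is not code from the bug report or from PostgreSQL's make_oidjoins_check: it contains a writer that mirrors the 7.4.5 pattern (PID-based name in a shared directory, opened with `>`), a replacement built on `mktemp`, and a portable fallback that relies on `mkdir` being atomic. The function names, the "attacker" that pre-plants a symlink, and the victim file are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example; not code from the bug report or from PostgreSQL.
# Contrasts a "$$"-named temporary file (the make_oidjoins_check
# pattern) with two alternatives that fail instead of following a
# path an attacker planted first.

# Mirrors the 7.4.5 pattern: a predictable PID-based name in a
# directory other users can write to, opened with a plain redirection.
# '>' follows a symlink already sitting at that name, so the write
# lands wherever the link points. (7.4.6 adds an 'rm -f' before the
# redirection; that only forces the attacker to plant the link after
# the rm and before the open, it does not close the hole.)
vulnerable_write() {
    dir=$1
    data=$2
    f="$dir/tmp$$a"
    printf '%s\n' "$data" >"$f"
}

# mktemp(1) creates the file itself with O_CREAT|O_EXCL and mode 0600,
# so a pre-existing file or symlink at the chosen name makes it fail
# rather than be followed. Prints the path of the file it created.
secure_write_mktemp() {
    dir=$1
    data=$2
    f=$(mktemp "$dir/oidjoins.XXXXXX") || return 1
    printf '%s\n' "$data" >"$f"
    printf '%s\n' "$f"
}

# Portable fallback for platforms without mktemp: mkdir(2) is atomic
# and fails if the path already exists, even as a symlink, so a fresh
# private directory can be claimed safely and files created inside it
# are not exposed to the race. Retries with a new name on collision.
secure_write_mkdir() {
    dir=$1
    data=$2
    i=0
    while [ "$i" -lt 100 ]; do
        d="$dir/oidjoins.$$.$i.$(date +%s 2>/dev/null)"
        if mkdir -m 700 "$d" 2>/dev/null; then
            printf '%s\n' "$data" >"$d/input"
            printf '%s\n' "$d/input"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Demonstration (constructed): an "attacker" who guessed the PID
# plants a symlink at the predictable name, pointing at a victim file.
# The vulnerable writer clobbers the victim; the secure writers do not.
# Prints "<victim after vulnerable write> <victim after secure writes>".
demo() {
    work=$(mktemp -d) || return 1
    victim="$work/victim"
    shared="$work/shared"
    mkdir "$shared"
    printf 'original\n' >"$victim"
    ln -s "$victim" "$shared/tmp$$a"        # attacker's pre-planted link
    vulnerable_write "$shared" "clobbered"
    after_vuln=$(cat "$victim")
    printf 'original\n' >"$victim"          # reset, then try the safe ones
    secure_write_mktemp "$shared" "safe" >/dev/null
    secure_write_mkdir "$shared" "safe" >/dev/null
    after_safe=$(cat "$victim")
    rm -rf "$work"
    printf '%s %s\n' "$after_vuln" "$after_safe"
}

demo
```

Running `demo` prints `clobbered original`: the `$$`-named write followed the attacker's symlink and overwrote the victim file, while neither secure variant touched it. Both `mktemp` and `mkdir` fail when something already exists at the chosen name instead of following it, which is the property the script needs; `mkdir` is the one to reach for where `mktemp` cannot be assumed.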




Merged 278262 278336. Request was from Martin Pitt <mpitt@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Martin Pitt <mpitt@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Stephen Quinney <stephen@jadevine.org.uk>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #32 received at 278262-close@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: 278262-close@bugs.debian.org
Subject: Bug#278262: fixed in postgresql 7.4.6-1
Date: Wed, 27 Oct 2004 06:47:12 -0400
Source: postgresql
Source-Version: 7.4.6-1

We believe that the bug you reported is fixed in the latest version of
postgresql, which is due to be installed in the Debian FTP archive:

libecpg-dev_7.4.6-1_i386.deb
  to pool/main/p/postgresql/libecpg-dev_7.4.6-1_i386.deb
libecpg4_7.4.6-1_i386.deb
  to pool/main/p/postgresql/libecpg4_7.4.6-1_i386.deb
libpgtcl-dev_7.4.6-1_i386.deb
  to pool/main/p/postgresql/libpgtcl-dev_7.4.6-1_i386.deb
libpgtcl_7.4.6-1_i386.deb
  to pool/main/p/postgresql/libpgtcl_7.4.6-1_i386.deb
libpq3_7.4.6-1_i386.deb
  to pool/main/p/postgresql/libpq3_7.4.6-1_i386.deb
postgresql-client_7.4.6-1_i386.deb
  to pool/main/p/postgresql/postgresql-client_7.4.6-1_i386.deb
postgresql-contrib_7.4.6-1_i386.deb
  to pool/main/p/postgresql/postgresql-contrib_7.4.6-1_i386.deb
postgresql-dev_7.4.6-1_i386.deb
  to pool/main/p/postgresql/postgresql-dev_7.4.6-1_i386.deb
postgresql-doc_7.4.6-1_all.deb
  to pool/main/p/postgresql/postgresql-doc_7.4.6-1_all.deb
postgresql_7.4.6-1.diff.gz
  to pool/main/p/postgresql/postgresql_7.4.6-1.diff.gz
postgresql_7.4.6-1.dsc
  to pool/main/p/postgresql/postgresql_7.4.6-1.dsc
postgresql_7.4.6-1_i386.deb
  to pool/main/p/postgresql/postgresql_7.4.6-1_i386.deb
postgresql_7.4.6.orig.tar.gz
  to pool/main/p/postgresql/postgresql_7.4.6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 278262@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martin Pitt <mpitt@debian.org> (supplier of updated postgresql package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 27 Oct 2004 12:08:01 +0200
Source: postgresql
Binary: postgresql-client libecpg4 libpgtcl-dev libpq3 postgresql-doc libecpg-dev postgresql-dev postgresql libpgtcl postgresql-contrib
Architecture: source i386 all
Version: 7.4.6-1
Distribution: unstable
Urgency: medium
Maintainer: Oliver Elphick <Oliver.Elphick@lfix.co.uk>
Changed-By: Martin Pitt <mpitt@debian.org>
Description: 
 libecpg-dev - Shared library libecpg.so for PostgreSQL - development files
 libecpg4   - Shared library libecpg.so.4 for PostgreSQL
 libpgtcl   - Tcl procedural language, library and front-end for PostgreSQL
 libpgtcl-dev - Tcl library for PostgreSQL - development files
 libpq3     - Shared library libpq.so.3 for PostgreSQL
 postgresql - Object-relational SQL database, descended from POSTGRES
 postgresql-client - Front-end programs for PostgreSQL
 postgresql-contrib - Additional facilities for PostgreSQL
 postgresql-dev - Header files for libpq (postgresql library)
 postgresql-doc - Documentation for the PostgreSQL database
Closes: 273837 278262 278318 278336
Changes: 
 postgresql (7.4.6-1) unstable; urgency=medium
 .
   * New upstream security and bug fix release
     - fix several bugs causing potential data loss and security
       vulnerabilities. Closes: #278336, #278262
     - removed patch 15outer_join (applied upstream)
   * debian/rules: do not install the make_oidjoins_check script any more, it
     has still unsafe temporary file handling and nobody needs it anyway
   * postgresql-dev now depends on libkrb5-dev
   * postgresql-contrib.logrotate: added 'missingok' flag. Closes: #278318
   * added Czech debconf translations; thanks to Miroslav Kure. Closes: #273837
Files: 
 5a04e30763ba323a497854a96cc4bf13 973 misc optional postgresql_7.4.6-1.dsc
 89524ceeebb534fa00e2c6d5643ad47d 9922560 misc optional postgresql_7.4.6.orig.tar.gz
 ff2eeed17cc43b595280a88aef5aca8d 145072 misc optional postgresql_7.4.6-1.diff.gz
 3d7f991b3d8e1ee9091d6b907b4853ed 2382962 doc optional postgresql-doc_7.4.6-1_all.deb
 322d32290a8963076d7b08e5e30a2721 3727328 misc optional postgresql_7.4.6-1_i386.deb
 be25832b0fc0cce93ab30498785a2257 487350 misc optional postgresql-client_7.4.6-1_i386.deb
 cdc84e40bd4fb47af26834db99065fa8 504866 libdevel optional postgresql-dev_7.4.6-1_i386.deb
 4743945ab08638100653af40a8e1533b 108530 libs optional libpq3_7.4.6-1_i386.deb
 bcc6a830cebe94b1e4db8dae168128c8 86276 libs optional libecpg4_7.4.6-1_i386.deb
 90240228d637a01d98337510b9a557b7 195152 libdevel optional libecpg-dev_7.4.6-1_i386.deb
 4e6b4707cdec2a7823081f9eeb666b0b 70362 libs optional libpgtcl_7.4.6-1_i386.deb
 dc8c4dd0f217a4f57045bfa8784e43ff 47664 libdevel optional libpgtcl-dev_7.4.6-1_i386.deb
 c38065d9440eb97e2c01cfef041aab03 574910 misc optional postgresql-contrib_7.4.6-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBf3iGDecnbV4Fd/IRAqO0AJ9FRhZ8ruXwiiosLkT1eP+I9ERinwCdGeEA
SOi681QB8zkxGKqsy/qThyI=
=RuAS
-----END PGP SIGNATURE-----




Message #33 received at 278336-close@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: 278336-close@bugs.debian.org
Subject: Bug#278336: fixed in postgresql 7.4.6-1
Date: Wed, 27 Oct 2004 06:47:12 -0400
[Body identical to Message #32 above.]



Information forwarded to debian-bugs-dist@lists.debian.org, Oliver Elphick <Oliver.Elphick@lfix.co.uk>:
Bug#278336; Package postgresql. Full text and rfc822 format available.

Acknowledgement sent to Stephen Quinney <stephen@jadevine.org.uk>:
Extra info received and forwarded to list. Copy sent to Oliver Elphick <Oliver.Elphick@lfix.co.uk>. Full text and rfc822 format available.

Message #38 received at 278336@bugs.debian.org (full text, mbox):

From: Stephen Quinney <stephen@jadevine.org.uk>
To: 278336@bugs.debian.org
Cc: Martin Pitt <mpitt@debian.org>
Subject: Re: Bug#278336 acknowledged by developer (Bug#278262: fixed in postgresql 7.4.6-1)
Date: Wed, 27 Oct 2004 12:28:07 +0100
On Wed, Oct 27, 2004 at 04:03:06AM -0700, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> #278336: postgresql: Insecure creation of temporary files,
> which was filed against the postgresql package.
> 
> It has been closed by one of the developers, namely
> Martin Pitt <mpitt@debian.org>.

Can you please confirm that this has also been fixed for postgresql 7.2 in
woody?

Thanks,

Stephen Quinney



Information forwarded to debian-bugs-dist@lists.debian.org, Oliver Elphick <Oliver.Elphick@lfix.co.uk>:
Bug#278336; Package postgresql. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Oliver Elphick <Oliver.Elphick@lfix.co.uk>. Full text and rfc822 format available.

Message #43 received at 278336@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: Stephen Quinney <stephen@jadevine.org.uk>, 278336@bugs.debian.org
Subject: Re: Bug#278336 acknowledged by developer (Bug#278262: fixed in postgresql 7.4.6-1)
Date: Wed, 27 Oct 2004 13:30:51 +0200
[Message part 1 (text/plain, inline)]
Hi Stephen!

Stephen Quinney [2004-10-27 12:28 +0100]:
> On Wed, Oct 27, 2004 at 04:03:06AM -0700, Debian Bug Tracking System wrote:
> > This is an automatic notification regarding your Bug report
> > #278336: postgresql: Insecure creation of temporary files,
> > which was filed against the postgresql package.
> > 
> > It has been closed by one of the developers, namely
> > Martin Pitt <mpitt@debian.org>.
> 
> Can you please confirm that this also been fixed for postgresql 7.2 in
> woody?

Packages are built and the security team is informed; it will
probably be uploaded today or tomorrow. However, since it is not yet
done, I reopened the bug and tagged it "woody, pending".

Martin

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org
[signature.asc (application/pgp-signature, inline)]

Bug reopened, originator not changed. Request was from Martin Pitt <mpitt@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: woody, pending Request was from Martin Pitt <mpitt@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Martin Pitt <mpitt@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Stephen Quinney <stephen@jadevine.org.uk>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #52 received at 278336-done@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: 278336-done@bugs.debian.org
Subject: Fwd: Accepted postgresql 7.2.1-2woody6 (i386 source all)
Date: Fri, 29 Oct 2004 12:41:01 +0200
[Message part 1 (text/plain, inline)]
Hi!

The woody version is published, so this bug can be closed.

Martin

----- Forwarded message from Martin Pitt <mpitt@debian.org> -----

From: Martin Pitt <mpitt@debian.org>
To: debian-changes@lists.debian.org
Subject: Accepted postgresql 7.2.1-2woody6 (i386 source all)
Date: Fri, 29 Oct 2004 06:17:12 -0400
X-Spam-Status: No, hits=-1.5 required=4.0 tests=AWL autolearn=no version=2.64

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 26 Oct 2004 15:54:22 +0200
Source: postgresql
Binary: libpgtcl postgresql pgaccess odbc-postgresql libpgperl postgresql-client libecpg3 postgresql-contrib postgresql-dev postgresql-doc python-pygresql libpgsql2
Architecture: source all i386
Version: 7.2.1-2woody6
Distribution: stable-security
Urgency: high
Maintainer: Martin Pitt <mpitt@debian.org>
Changed-By: Martin Pitt <mpitt@debian.org>
Description: 
 libecpg3   - Shared library libecpg.so.3 for PostgreSQL
 libpgperl  - Perl modules for PostgreSQL.
 libpgsql2  - Shared library libpq.so.2 for PostgreSQL
 libpgtcl   - Tcl/Tk library and front-end for PostgreSQL.
 odbc-postgresql - ODBC support for PostgreSQL
 pgaccess   - Tk/Tcl front-end for PostgreSQL database
 postgresql - Object-relational SQL database, descended from POSTGRES.
 postgresql-client - Front-end programs for PostgreSQL
 postgresql-contrib - Additional facilities for PostgreSQL
 postgresql-dev - Header files for libpq (postgresql library)
 postgresql-doc - Documentation for the PostgreSQL database.
 python-pygresql - PostgreSQL module for Python
Changes: 
 postgresql (7.2.1-2woody6) stable-security; urgency=high
 .
   * Security upload to fix insecure temporary file handling in
     contrib/findoidjoins/make_oidjoins_check:
     - use version from upstream release 7.2.6 as basis (introduces proper
       variables for the file names instead of repeatedly constructing them
       inline)
     - upstream still uses the $$ method for constructing file names; changed
       that to use mktemp
   * References:
     CAN-2004-0977
     http://www.postgresql.org/news/234.html
     http://bugs.debian.org/278336
Files: 
 ded5f8b8dc34a7e1916526cc4fd7dc5a 966 misc optional postgresql_7.2.1-2woody6.dsc
 deb2918afe376395a218ebb3af0a58f2 119740 misc optional postgresql_7.2.1-2woody6.diff.gz
 761ab47664aa2091451117b36c1ed27a 2069286 doc optional postgresql-doc_7.2.1-2woody6_all.deb
 43435859901064f480b7d4075806c318 1553990 misc optional postgresql_7.2.1-2woody6_i386.deb
 8a7f14be36ffcc3680019d17922608c5 281148 misc optional postgresql-client_7.2.1-2woody6_i386.deb
 0fd18eb00f7af4abc562fd38faec2856 497868 devel optional postgresql-dev_7.2.1-2woody6_i386.deb
 65fbeef01507d3da9ec33d841eb7c3f7 65928 libs optional libpgsql2_7.2.1-2woody6_i386.deb
 10c495dd0a58995507af82394fc7365e 30622 libs optional libecpg3_7.2.1-2woody6_i386.deb
 0d398d95a78ff34eed1af80cbb2bb1ac 54504 libs optional libpgtcl_7.2.1-2woody6_i386.deb
 d18dd3267716ed11c73fec4887a765d3 61308 libs optional libpgperl_7.2.1-2woody6_i386.deb
 1ea1649f9652636f2542e3512f8dec4e 426178 misc optional pgaccess_7.2.1-2woody6_i386.deb
 1d10d4b588aed5583446d33370f1f019 328138 misc optional postgresql-contrib_7.2.1-2woody6_i386.deb
 cf5ade712d103c69025f99aeedc02b4f 61412 misc optional python-pygresql_7.2.1-2woody6_i386.deb
 e4e91e0d6d8fd7e97e66c2f7e113ace2 201794 libs optional odbc-postgresql_7.2.1-2woody6_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBfrrYDecnbV4Fd/IRAri4AKDRngAZaQZBdFhBtQvqezeBF0QVSACgwz5S
GGsy2fe5eW2aBPAMmMN6SK4=
=KOx2
-----END PGP SIGNATURE-----


Accepted:
libecpg3_7.2.1-2woody6_i386.deb
  to pool/main/p/postgresql/libecpg3_7.2.1-2woody6_i386.deb
libpgperl_7.2.1-2woody6_i386.deb
  to pool/main/p/postgresql/libpgperl_7.2.1-2woody6_i386.deb
libpgsql2_7.2.1-2woody6_i386.deb
  to pool/main/p/postgresql/libpgsql2_7.2.1-2woody6_i386.deb
libpgtcl_7.2.1-2woody6_i386.deb
  to pool/main/p/postgresql/libpgtcl_7.2.1-2woody6_i386.deb
odbc-postgresql_7.2.1-2woody6_i386.deb
  to pool/main/p/postgresql/odbc-postgresql_7.2.1-2woody6_i386.deb
pgaccess_7.2.1-2woody6_i386.deb
  to pool/main/p/postgresql/pgaccess_7.2.1-2woody6_i386.deb
postgresql-client_7.2.1-2woody6_i386.deb
  to pool/main/p/postgresql/postgresql-client_7.2.1-2woody6_i386.deb
postgresql-contrib_7.2.1-2woody6_i386.deb
  to pool/main/p/postgresql/postgresql-contrib_7.2.1-2woody6_i386.deb
postgresql-dev_7.2.1-2woody6_i386.deb
  to pool/main/p/postgresql/postgresql-dev_7.2.1-2woody6_i386.deb
postgresql-doc_7.2.1-2woody6_all.deb
  to pool/main/p/postgresql/postgresql-doc_7.2.1-2woody6_all.deb
postgresql_7.2.1-2woody6.diff.gz
  to pool/main/p/postgresql/postgresql_7.2.1-2woody6.diff.gz
postgresql_7.2.1-2woody6.dsc
  to pool/main/p/postgresql/postgresql_7.2.1-2woody6.dsc
postgresql_7.2.1-2woody6_i386.deb
  to pool/main/p/postgresql/postgresql_7.2.1-2woody6_i386.deb
python-pygresql_7.2.1-2woody6_i386.deb
  to pool/main/p/postgresql/python-pygresql_7.2.1-2woody6_i386.deb



----- End forwarded message -----

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org
[signature.asc (application/pgp-signature, inline)]



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 17:41:30 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.