Thread: Backport of CVE-2024-10978 fix to older pgsql versions (11, 9.6, and 9.4)

From: Roberto C. Sánchez
Greetings pgsql devs,

I would appreciate a review of my strategy for backporting the commits
related to CVE-2024-10978. (I am working with versions 11, 9.6, and 9.4,
for some older Debian releases.)

My conclusion is that of the two commits associated with CVE-2024-10978,
both are required in 11 and 9.6, but only one is required in 9.4.

I searched the list archives to see if there was a previous discussion
related to this and I found none. The only mention of CVE-2024-10978 was
the release announcement.

Details:

I started with the patches for version 12. These commits:
4c9d96f74ba4e7d01c086ca54f217e242dd65fae
c463338656ac47e5210fcf9fbf7d20efccce8de8

The log message for c463338656ac47e5210fcf9fbf7d20efccce8de8 includes
this bit:

----------
If cherry-picking the CVE-2024-10978 fixes, default to including this,
too.  (This fixes an unintended side effect of fixing CVE-2024-10978.)
----------

Having spent a fair amount of time working on these patches, I have
successfully backported them to 11 and 9.6, but I encountered a problem
with 9.4. After analyzing the changes, I believe that the regression
which c463338656ac47e5210fcf9fbf7d20efccce8de8 is intended to address
does not affect 9.4. The basis for this belief is that, after observing
the failure of the new setconfig regression test during the build of
9.4, I backed out all of 4c9d96f74ba4e7d01c086ca54f217e242dd65fae and the
non-test portion of c463338656ac47e5210fcf9fbf7d20efccce8de8,
re-executed the build and observed the same failure.

The failure I observed occurs in the pg_upgrade test, under the heading
"Performing Upgrade" in the output:

Restoring global objects in the new cluster
*failure*

The end of ./build/contrib/pg_upgrade/pg_upgrade_utility.log has the
following:

ALTER ROLE "sbuild" WITH SUPERUSER INHERIT CREATEROLE CREATEDB LOGIN REPLICATION;
ALTER ROLE
ALTER ROLE "regress_authenticated_user_sr" SET "role" TO 'regress_current_user';

This is the same failure in both cases for 9.4 (both CVE-2024-10978
commits applied, and neither applied).

Is it then correct to conclude that the behavior which regressed in 9.6 and
newer as a result of 4c9d96f74ba4e7d01c086ca54f217e242dd65fae was
introduced after 9.4? And hence that, when backporting to 9.4,
c463338656ac47e5210fcf9fbf7d20efccce8de8 can be left out?

Regards,

-Roberto

-- 
Roberto C. Sánchez