Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to cause a denial of service (file corruption), and allows remote authenticated users to modify configuration settings and execute arbitrary code, via a connection request using a database name that begins with a "-" (hyphen).

The remote host is affected by the vulnerability described in GLSA-201408-15 (PostgreSQL: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in PostgreSQL. Please       review the CVE identifiers referenced below for details.
  Impact :

    A remote authenticated attacker may be able to create a Denial of       Service condition, bypass security restrictions, or have other       unspecified impact.
  Workaround :

    There is no known workaround at this time.

postgresql was updated to version 9.1.9 (bnc#812525) :

  - CVE-2013-1899: Fix insecure parsing of server     command-line switches. A connection request containing a     database name that begins with '-' could be crafted to     damage or destroy files within the server's data     directory, even if the request is eventually rejected.

  - CVE-2013-1900: Reset OpenSSL randomness state in each     postmaster child process. This avoids a scenario wherein     random numbers generated by 'contrib/pgcrypto' functions     might be relatively easy for another database user to     guess. The risk is only significant when the postmaster     is configured with ssl = on but most connections don't     use SSL encryption.

  - CVE-2013-1901: Make REPLICATION privilege checks test     current user not authenticated user. An unprivileged     database user could exploit this mistake to call     pg_start_backup() or pg_stop_backup(), thus possibly     interfering with creation of routine backups.

  - See the release notes for the rest of the changes:
    http://www.postgresql.org/docs/9.1/static/release-9-1-9.
    html /usr/share/doc/packages/postgresql91/HISTORY

postgresql was updated to version 9.2.4 (bnc#812525) :

  - CVE-2013-1899: Fix insecure parsing of server     command-line switches. A connection request containing a     database name that begins with '-' could be crafted to     damage or destroy files within the server's data     directory, even if the request is eventually rejected.

  - CVE-2013-1900: Reset OpenSSL randomness state in each     postmaster child process. This avoids a scenario wherein     random numbers generated by 'contrib/pgcrypto' functions     might be relatively easy for another database user to     guess. The risk is only significant when the postmaster     is configured with ssl = on but most connections don't     use SSL encryption.

  - CVE-2013-1901: Make REPLICATION privilege checks test     current user not authenticated user. An unprivileged     database user could exploit this mistake to call     pg_start_backup() or pg_stop_backup(), thus possibly     interfering with creation of routine backups.

  - See the release notes for the rest of the changes:
    http://www.postgresql.org/docs/9.2/static/release-9-2-4.
    html /usr/share/doc/packages/postgresql92/HISTORY

The remote Mac OS X 10.8 host has a version of OS X Server installed that is prior to 2.2.2. It is, therefore, affected by the following vulnerabilities :

  - Two vulnerabilities exist in the included ClamAV     software, the most serious of which could allow an     attacker to execute arbitrary code remotely.
    (CVE-2013-2020 / CVE-2013-2021)

  - Three vulnerabilities exist in the included PostgreSQL     software, the most serious of which could result in     data corruption or privilege escalation.
    (CVE-2013-1899 / CVE-2013-1900 / CVE-2013-1901)

  - Multiple cross-site scripting issues exist in the     included Wiki Server software (CVE-2013-1034)

The remote host is missing Mac OS X security update 2013-004 that fixes multiple security issues. 

The remote host is running a version of Mac OS X 10.8 that is older than 10.8.5. The newer version contains numerous security-related fixes for the following components :

  - Apache
  - Bind
  - Certificate Trust Policy
  - CoreGraphics
  - ImageIO
  - Installer
  - IPSec
  - Kernel
  - Mobile Device Management
  - OpenSSL
  - PHP
  - PostgreSQL
  - Power Management
  - QuickTime
  - Screen Lock
  - sudo

 This update also addresses an issue in which certain Unicode strings could cause applications to unexpectedly quit.

 Note that successful exploitation of the most serious issues could result in arbitrary code execution.

The remote host is running a version of Mac OS X 10.6 or 10.7 that does not have Security Update 2013-004 applied.  This update contains several security-related fixes for the following component :

  - Apache
  - Bind
  - Certificate Trust Policy
  - ClamAV
  - Installer
  - IPSec
  - Mobile Device Management
  - OpenSSL
  - PHP
  - PostgreSQL
  - QuickTime
  - sudo

Note that successful exploitation of the most serious issues could result in arbitrary code execution.

The remote host is running a version of Mac OS X 10.8.x that is prior to 10.8.5. The newer version contains multiple security-related fixes for the following components :

  - Apache
  - Bind
  - Certificate Trust Policy
  - CoreGraphics
  - ImageIO
  - Installer
  - IPSec
  - Kernel
  - Mobile Device Management
  - OpenSSL
  - PHP
  - PostgreSQL
  - Power Management
  - QuickTime
  - Screen Lock
  - sudo

This update also addresses an issue in which certain Unicode strings could cause applications to unexpectedly quit.

Note that successful exploitation of the most serious issues could result in arbitrary code execution.

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to cause a denial of service (file corruption), and allows remote authenticated users to modify configuration settings and execute arbitrary code, via a connection request using a database name that begins with a '-' (hyphen).

PostgreSQL 9.2.x before 9.2.4 and 9.1.x before 9.1.9 does not properly check REPLICATION privileges, which allows remote authenticated users to bypass intended backup restrictions by calling the (1) pg_start_backup or (2) pg_stop_backup functions.

PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, and 8.4.x before 8.4.17, when using OpenSSL, generates insufficiently random numbers, which might allow remote authenticated users to have an unspecified impact via vectors related to the 'contrib/pgcrypto functions.'

- Update to PostgreSQL 9.2.4, for various fixes described     at     http://www.postgresql.org/docs/9.2/static/release-9-2-4.
    html including the fixes for CVE-2013-1899,     CVE-2013-1900, CVE-2013-1901

  - fix build for aarch64 and ppc64p7

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities has been discovered and corrected in postgresql :

PostgreSQL 9.2.x before 9.2.3, 9.1.x before 9.1.8, 9.0.x before 9.0.12, 8.4.x before 8.4.16, and 8.3.x before 8.3.23 does not properly declare the enum_recv function in backend/utils/adt/enum.c, which causes it to be invoked with incorrect arguments and allows remote authenticated users to cause a denial of service (server crash) or read sensitive process memory via a crafted SQL command, which triggers an array index error and an out-of-bounds read (CVE-2013-0255).

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to cause a denial of service (file corruption), and allows remote authenticated users to modify configuration settings and execute arbitrary code, via a connection request using a database name that begins with a - (hyphen) (CVE-2013-1899).

PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, and 8.4.x before 8.4.17, when using OpenSSL, generates insufficiently random numbers, which might allow remote authenticated users to have an unspecified impact via vectors related to the contrib/pgcrypto functions. (CVE-2013-1900).

PostgreSQL 9.2.x before 9.2.4 and 9.1.x before 9.1.9 does not properly check REPLICATION privileges, which allows remote authenticated users to bypass intended backup restrictions by calling the (1) pg_start_backup or (2) pg_stop_backup functions (CVE-2013-1901).

This advisory provides the latest versions of PostgreSQL that is not vulnerable to these issues.

The version of PostgreSQL installed on the remote host is 9.0.x prior to 9.0.13, 9.1.x prior to 9.1.9 or 9.2.x prior to 9.2.4.  As such, it is potentially affected by a file deletion vulnerability.  A remote, unauthenticated attacker, could damage or destroy files within a server's data directory by requesting a database name that begins with '-'.

PostgreSQL project reports :

The PostgreSQL Global Development Group has released a security update to all current versions of the PostgreSQL database system, including versions 9.2.4, 9.1.9, 9.0.13, and 8.4.17. This update fixes a high-exposure security vulnerability in versions 9.0 and later. All users of the affected versions are strongly urged to apply the update
*immediately*.

A major security issue (for versions 9.x only) fixed in this release, [CVE-2013-1899](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013
-1899), makes it possible for a connection request containing a database name that begins with '-' to be crafted that can damage or destroy files within a server's data directory. Anyone with access to the port the PostgreSQL server listens on can initiate this request.
This issue was discovered by Mitsumasa Kondo and Kyotaro Horiguchi of NTT Open Source Software Center.

Two lesser security fixes are also included in this release :
[CVE-2013-1900](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013
-1900), wherein random numbers generated by contrib/pgcrypto functions may be easy for another database user to guess (all versions), and [CVE-2013-1901](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013
-1901), which mistakenly allows an unprivileged user to run commands that could interfere with in-progress backups (for versions 9.x only).

This update to version 9.1.9 fixes :

  - Fix insecure parsing of server command-line switches.
    (CVE-2013-1899)

  - Reset OpenSSL randomness state in each postmaster child     process. (CVE-2013-1900)

  - Make REPLICATION privilege checks test current user not     authenticated user. (CVE-2013-1901)

- Update to PostgreSQL 9.1.9, for various fixes described     at     http://www.postgresql.org/docs/9.1/static/release-9-1-9.
    html including the fixes for CVE-2013-1899,     CVE-2013-1900, CVE-2013-1901

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Versions of PostgreSQL earlier than 9.1.9 or 9.2.4 and are potentially affected by the following vulnerabilities :

  - A denial of service when parsing server command-line switches. (CVE-2013-1899)

  - An information disclosure due to an error in the 'contrib\pgcrypto' functions. (CVE-2013-1900)

  - An insecure temporary file-creation, specifically occurs when a file with a predictable filename in the '/tmp' directory is created. (CVE-2013-1902)

  - A password disclosure vulnerability occurs due to the application passing the database superuser passwords to a script, specifically exists in the graphical installers package. (CVE-2013-1093)

Versions of PostgreSQL earlier than 9.1.9 or 9.2.4 and are potentially affected by the following vulnerabilities :

  - A denial of service when parsing server command-line switches. (CVE-2013-1899)

  - An information disclosure due to an error in the 'contrib\pgcrypto' functions. (CVE-2013-1900)

  - Is is prone to a security-bypass, the server component fails to properly handle REPLICATION privilege checks for the current user. (CVE-2013-1901)

  - An insecure temporary file-creation, specifically occurs when a file with a predictable filename in the '/tmp' directory is created. (CVE-2013-1902)

  - A password disclosure vulnerability occurs due to the application passing the database superuser passwords to a script, specifically exists in the graphical installers package. (CVE-2013-1093)

Mitsumasa Kondo and Kyotaro Horiguchi discovered that PostgreSQL incorrectly handled certain connection requests containing database names starting with a dash. A remote attacker could use this flaw to damage or destroy files within a server's data directory. This issue only applied to Ubuntu 11.10, Ubuntu 12.04 LTS, and Ubuntu 12.10.
(CVE-2013-1899)

Marko Kreen discovered that PostgreSQL incorrectly generated random numbers. An authenticated attacker could use this flaw to possibly guess another database user's random numbers. (CVE-2013-1900)

Noah Misch discovered that PostgreSQL incorrectly handled certain privilege checks. An unprivileged attacker could use this flaw to possibly interfere with in-progress backups. This issue only applied to Ubuntu 11.10, Ubuntu 12.04 LTS, and Ubuntu 12.10. (CVE-2013-1901).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
77459	GLSA-201408-15 : PostgreSQL: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
74963	openSUSE Security Update : postgresql91 (openSUSE-SU-2013:0627-1)	Nessus	SuSE Local Security Checks	high
74962	openSUSE Security Update : postgresql92 (openSUSE-SU-2013:0628-1)	Nessus	SuSE Local Security Checks	high
69932	Mac OS X : OS X Server < 2.2.2 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	high
8008	Mac OS X 10.8 < 10.8.5 Multiple Vulnerabilities (Security Update 2013-004)	Nessus Network Monitor	Web Clients	critical
69878	Mac OS X Multiple Vulnerabilities (Security Update 2013-004)	Nessus	MacOS X Local Security Checks	critical
69877	Mac OS X 10.8.x < 10.8.5 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	critical
69737	Amazon Linux AMI : postgresql9 (ALAS-2013-178)	Nessus	Amazon Linux Local Security Checks	high
66168	Fedora 19 : postgresql-9.2.4-1.fc19 (2013-6148)	Nessus	Fedora Local Security Checks	high
66154	Mandriva Linux Security Advisory : postgresql (MDVSA-2013:142)	Nessus	Mandriva Local Security Checks	high
65855	PostgreSQL 9.0 < 9.0.13 / 9.1 < 9.1.9 / 9.2 < 9.2.4 File Deletion	Nessus	Databases	medium
65841	FreeBSD : PostgreSQL -- anonymous remote access data corruption vulnerability (3f332f16-9b6b-11e2-8fe9-08002798f6ff)	Nessus	FreeBSD Local Security Checks	high
65829	SuSE 11.2 Security Update : PostgreSQL (SAT Patch Number 7585)	Nessus	SuSE Local Security Checks	high
65828	Fedora 17 : postgresql-9.1.9-1.fc17 (2013-5000)	Nessus	Fedora Local Security Checks	high
65827	Fedora 18 : postgresql-9.2.4-1.fc18 (2013-4951)	Nessus	Fedora Local Security Checks	high
6745	PostgreSQL < 9.0.13 Multiple Vulnerabilities	Nessus Network Monitor	Database	medium
6744	PostgreSQL < 9.1.9 / 9.2.4 Multiple Vulnerabilities	Nessus Network Monitor	Database	medium
65818	Ubuntu 8.04 LTS / 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : postgresql-8.3, postgresql-8.4, postgresql-9.1 vulnerabilities (USN-1789-1)	Nessus	Ubuntu Local Security Checks	high

Detections

Analytics

CVE-2013-1899

high

Tenable Plugins

high

high

high

high

critical

critical

critical

high

high

high

medium

high

high

high

high

medium

medium

high