Request for assistance to backport CVE-2022-1552 fixes to 9.6 and 9.4

From Roberto C. Sánchez
Subject Request for assistance to backport CVE-2022-1552 fixes to 9.6 and 9.4
Date
Msg-id YqDIdN1nn6wS8+tZ@connexer.com
Replies Re: Request for assistance to backport CVE-2022-1552 fixes to 9.6 and 9.4  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
Hello Devs,

I am investigating backporting the fixes for CVE-2022-1552 to 9.6 and
9.4 as part of Debian LTS and Extended LTS.  I am aware that these
releases are no longer supported upstream, but I have made an attempt at
adapting commits ef792f7856dea2576dcd9cab92b2b05fe955696b and
f26d5702857a9c027f84850af48b0eea0f3aa15c from the REL_10_STABLE branch.
I would appreciate a review of the attached patches and any comments on
things that may have been missed and/or adapted improperly.

The first thing I did was to adapt the full patches, with functional
changes and regression tests.  Since amcheck was new to version 10, I
dropped that part of the patch.  Additionally, since partitioned tables
were new in 10 I dropped those parts of the tests.  The absence of block
range indices in 9.4 means I also dropped that part of the change and
associated test as well.

Once everything built successfully, I built again with only the
regression tests to confirm that the vulnerability was presented and
triggered by the regression test [*].

When building with only the adapted regression tests, the 9.6 build
failed with this in the test output:

+ ERROR:  sro_ifun(10) called by pbuilder
+ CONTEXT:  PL/pgSQL function sro_ifun(integer) line 4 at ASSERT

This seems to indicate that the vulnerability was encountered and that
the function was called as the invoking user rather than the owning
user.  Naturally, there were further differences in the test output
owing to the index creation failure.

For 9.4, the error looked like this:

+ ERROR:  called by pbuilder

As a result of ASSERT not being present in 9.4 I had to resort to an IF
statement with a RAISE.  However, it appears to be the identical
problem.

There are 4 patches attached to this mail, one for each of the two
commits referenced above as adapted for 9.6 and 9.4.  Please advise on
whether adjustments are needed or whether I can proceed with publishing
updated 9.6 and 9.4 packages for Debian with said patches.

Regards,

-Roberto

[*] Side note: my approach revealed that the adapted regression tests
trigger the vulnerability in both 9.6 and 9.4.  However, the SUSE
security information page for CVE-2022-1552 [0] lists 9.6 as "not
affected".  Presumably this is based on the language in the upstream
advisory "Versions Affected: 10 - 14."

[0] https://www.suse.com/security/cve/CVE-2022-1552.html

-- 
Roberto C. Sánchez
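The check the mail describes, shown as an added example rather than the attached patches: a PL/pgSQL function that fails if an index expression is evaluated as the invoking role instead of the owning role, first in the 9.6 form with ASSERT and then in the IF/RAISE form needed on 9.4, which lacks ASSERT. The role, table and index names are constructed for the example, and the function bodies are reconstructed from the error messages quoted above, not copied from the patches.

```sql
-- Constructed role that owns the function and table (not from the mail).
CREATE ROLE regress_sro_owner;

-- 9.6 form: ASSERT (available since 9.5) verifies that the index
-- expression runs as the owning role, not the role that ran CREATE INDEX.
-- The message matches the "sro_ifun(10) called by pbuilder" output above.
CREATE FUNCTION sro_ifun(int) RETURNS int AS $$
BEGIN
    ASSERT current_user = 'regress_sro_owner',
        format('sro_ifun(%s) called by %s', $1, current_user);
    RETURN $1;
END;
$$ LANGUAGE plpgsql IMMUTABLE;

-- 9.4 form: no ASSERT, so the same check is an IF ... RAISE EXCEPTION.
-- The message matches the "called by pbuilder" output above.
CREATE FUNCTION sro_ifun94(int) RETURNS int AS $$
BEGIN
    IF current_user <> 'regress_sro_owner' THEN
        RAISE EXCEPTION 'called by %', current_user;
    END IF;
    RETURN $1;
END;
$$ LANGUAGE plpgsql IMMUTABLE;

ALTER FUNCTION sro_ifun(int) OWNER TO regress_sro_owner;
ALTER FUNCTION sro_ifun94(int) OWNER TO regress_sro_owner;

CREATE TABLE sro_tab (a int);
ALTER TABLE sro_tab OWNER TO regress_sro_owner;
INSERT INTO sro_tab VALUES (10);

-- Run these as a different, privileged role (the regression suite runs as
-- the build user). With the fix applied, CREATE INDEX evaluates the
-- expression as the table owner and both statements succeed; without it,
-- the function sees the invoking role and the check raises.
CREATE INDEX sro_idx ON sro_tab (sro_ifun(a));
CREATE INDEX sro_idx94 ON sro_tab (sro_ifun94(a));
```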

Attachments
