SB2019071737 - Fedora 30 update for libpq, postgresql
Published: July 17, 2019 Updated: April 25, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Memory leak (CVE-ID: CVE-2019-10129)
CWE-ID: CWE-401 - Missing release of memory after effective lifetime
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to read parts of system memory.
The vulnerability exists due memory leak when processing INSERT queries. A remote authenticated user can execute a specially crafted INSERT statement to a partitioned table and read parts of memory.
2) Stack-based buffer overflow (CVE-ID: CVE-2019-10164)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing users passwords. A remote authenticated user can change his/her password to a specially crafted string, trigger stack-based buffer overflow and execute arbitrary code on the target system or crash the PostgreSQL process.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install update from vendor's website.