#VU32711 Permissions, Privileges, and Access Controls in PostgreSQL - CVE-2013-1901

Description

The vulnerability allows a remote #AU# to manipulate data.

PostgreSQL 9.2.x before 9.2.4 and 9.1.x before 9.1.9 does not properly check REPLICATION privileges, which allows remote authenticated users to bypass intended backup restrictions by calling the (1) pg_start_backup or (2) pg_stop_backup functions. Per http://www.ubuntu.com/usn/USN-1789-1/ "A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 12.10 Ubuntu 12.04 LTS Ubuntu 11.10 Ubuntu 10.04 LTS Ubuntu 8.04 LTS"

Remediation

External links

• http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
• http://lists.apple.com/archives/security-announce/2013/Sep/msg00004.html
• http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101519.html
• http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102806.html
• http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00007.html
• http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00008.html
• http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00011.html
• http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00012.html
• http://support.apple.com/kb/HT5880
• http://support.apple.com/kb/HT5892
• http://www.debian.org/security/2013/dsa-2658
• http://www.mandriva.com/security/advisories?name=MDVSA-2013:142
• http://www.postgresql.org/about/news/1456/
• http://www.postgresql.org/docs/current/static/release-9-1-9.html
• http://www.postgresql.org/docs/current/static/release-9-2-4.html
• http://www.ubuntu.com/usn/USN-1789-1