Version in base suite: 200+deb10u2
Base version: postgresql-common_200+deb10u2
Target version: postgresql-common_200+deb10u3
Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/postgresql-common/postgresql-common_200+deb10u2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/p/postgresql-common/postgresql-common_200+deb10u3.dsc
debian/changelog | 10 ++++++++++
pg_ctlcluster | 41 ++++++++++++++++++++++++++++++++---------
2 files changed, 42 insertions(+), 9 deletions(-)
diff -Nru postgresql-common-200+deb10u2/debian/changelog postgresql-common-200+deb10u3/debian/changelog
--- postgresql-common-200+deb10u2/debian/changelog 2019-07-25 21:04:54.000000000 +0000
+++ postgresql-common-200+deb10u3/debian/changelog 2019-11-12 14:00:36.000000000 +0000
@@ -1,3 +1,13 @@
+postgresql-common (200+deb10u3) buster-security; urgency=medium
+
+ * pg_ctlcluster: Drop privileges before creating socket and stats temp
+ directories outside /var/run/postgresql. The default configuration is not
+ affected by this change. Users with directories on volatile storage
+ (tmpfs) in other locations have to make sure the parent directory is
+ writable for the cluster owner. (CVE-2019-3466, discovered by Rich Mirch)
+
+ -- Christoph Berg Tue, 12 Nov 2019 15:00:36 +0100
+
 postgresql-common (200+deb10u2) buster; urgency=high
 
 DATA LOSS WARNING: pg_upgradecluster from postgresql-common 200,
diff -Nru postgresql-common-200+deb10u2/pg_ctlcluster postgresql-common-200+deb10u3/pg_ctlcluster
--- postgresql-common-200+deb10u2/pg_ctlcluster 2019-07-25 20:56:31.000000000 +0000
+++ postgresql-common-200+deb10u3/pg_ctlcluster 2019-11-12 14:00:36.000000000 +0000
@@ -443,16 +443,29 @@
 }
 }
 
-# recreate /var/run/postgresql
-if ($action ne 'stop' && ! -d $info{'socketdir'}) {
- system 'install', '-d', '-m', 2775,
- '-o', $info{'owneruid'}, '-g', $info{'ownergid'}, $info{'socketdir'};
-}
+if ($action ne 'stop') {
+ # recreate /var/run/postgresql while possibly still running as root
+ if (! -d '/var/run/postgresql') {
+ system 'install', '-d', '-m', 2775, '-o', 'postgres', '-g', 'postgres', '/var/run/postgresql';
+ }
 
-# recreate stats_temp_directory
-if ($action ne 'stop' && $info{config}->{stats_temp_directory} && ! -d $info{config}->{stats_temp_directory}) {
- system 'install', '-d', '-m', 750,
- '-o', $info{'owneruid'}, '-g', $info{'ownergid'}, $info{config}->{stats_temp_directory};
+ # allow creating socket directories below /var/run/postgresql for any user
+ if ($info{socketdir} =~ m!^(/var)/run/postgresql/[\w_.-]+$! and ! -d $info{socketdir}) {
+ if (mkdir $info{socketdir}, 02775) { # don't use "install" here as it would allow stealing existing directories
+ chown $info{owneruid}, $info{ownergid}, $info{socketdir};
+ } else {
+ error "Could not create $info{socketdir}: $!";
+ }
+ }
+
+ # allow creating stats_temp_directory below /var/run/postgresql for any user
+ if ($info{config}->{stats_temp_directory} and $info{config}->{stats_temp_directory}=~ m!^(/var)/run/postgresql/[\w_.-]+$! and ! -d $info{config}->{stats_temp_directory}) {
+ if (mkdir $info{config}->{stats_temp_directory}, 0750) { # don't use "install" here as it would allow stealing existing directories
+ chown $info{owneruid}, $info{ownergid}, $info{config}->{stats_temp_directory};
+ } else {
+ error "Could not create $info{config}->{stats_temp_directory}: $!";
+ }
+ }
 }
 
 if ($> == 0) {
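Review bot: The `chown` calls in both new mkdir branches (the socketdir block and the stats_temp_directory block) are unchecked, so a failed chown leaves the freshly created directory with the creating user's ownership while the branch is treated as success, and the problem only surfaces later when the cluster cannot use the directory; checking it the way mkdir is checked, `chown $info{owneruid}, $info{ownergid}, $info{socketdir} or error "Could not change owner of $info{socketdir}: $!";`, keeps the failure at its source. The `(/var)` capture group in both path regexes is never used and looks like it was meant to be optional: as written a `/run/postgresql/<name>` path does not match here and falls through to the unprivileged `install` added in the next hunk, so if both spellings were intended the test needs `(?:/var)?` rather than `(/var)` — worth confirming which was meant. The two blocks are otherwise identical apart from the path and the mode, and a small helper taking the path and mode would keep the regex, the mkdir check and the chown check in sync.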
@@ -476,6 +489,16 @@
 (getpwuid $info{'owneruid'})[0].') or root';
 }
 
+# create socket directory (if it wasn't already created in /var/run/postgresql by the code above)
+if ($action ne 'stop' && ! -d $info{socketdir}) {
+ system 'install', '-d', '-m', 2775, $info{socketdir};
+}
+
+# create stats_temp_directory (if it wasn't already created in /var/run/postgresql by the code above)
+if ($action ne 'stop' && $info{config}->{stats_temp_directory} && ! -d $info{config}->{stats_temp_directory}) {
+ system 'install', '-d', '-m', 750, $info{config}->{stats_temp_directory};
+}
+
 $pg_ctl = $bindir ? "$bindir/pg_ctl" : get_program_path ('pg_ctl', $version);
 error "Could not find pg_ctl executable for version $version" unless ($pg_ctl);