CVE-2017-12172

Priority
Description
PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x
before 9.4.15, 9.3.x before 9.3.20, and 9.2.x before 9.2.24 runs under a
non-root operating system account, and database superusers have effective
ability to run arbitrary code under that system account. PostgreSQL
provides a script for starting the database server during system boot.
Packages of PostgreSQL for many operating systems provide their own,
packager-authored startup implementations. Several implementations use a
log file name that the database superuser can replace with a symbolic link.
As root, they open(), chmod() and/or chown() this log file name. This often
suffices for the database superuser to escalate to root privileges when
root starts the server.
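An added example, not code from PostgreSQL or from any packager's startup script: a C helper showing how a root-run starter can open a log file like the one described above without following a symbolic link, and apply mode and ownership to the opened descriptor rather than to the path name. The function name `open_log_nofollow` and the command-line usage in `main` are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not from any startup script): open a log file whose
 * name an unprivileged account may control. The final path component is never
 * followed if it is a symlink, and mode/owner are applied to the opened inode
 * through the descriptor. Returns an fd, or -1 with errno set. */
int open_log_nofollow(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
    struct stat st;
    int saved;
    /* O_NONBLOCK keeps open() from hanging if the name is a FIFO. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW |
                        O_NONBLOCK | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;                 /* ELOOP when the name is a symlink */
    if (fstat(fd, &st) != 0)
        goto fail;
    if (!S_ISREG(st.st_mode) || st.st_nlink != 1) {
        errno = EPERM;             /* refuse devices, FIFOs, hard-linked files */
        goto fail;
    }
    /* fchmod()/fchown() act on the inode just checked, not on a path that
     * could be swapped between the check and the call. */
    if (fchmod(fd, mode) != 0 || fchown(fd, uid, gid) != 0)
        goto fail;
    return fd;
fail:
    saved = errno;
    close(fd);
    errno = saved;
    return -1;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s LOGFILE\n", argv[0]); return 2; }
    int fd = open_log_nofollow(argv[1], geteuid(), getegid(), 0600);
    if (fd < 0) { perror(argv[1]); return EXIT_FAILURE; }
    close(fd);
    return 0;
}
```

`O_NOFOLLOW` covers only the last path component, so when the directory holding the log is itself writable by the unprivileged account, opening the log after switching to that account is the more robust design.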
Notes
mdeslaur: this script isn't installed by the packaging
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): not-affected (code not shipped)
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was not-affected [code not shipped])
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): not-affected (code not shipped)
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (code not shipped)
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (code not shipped)
More Information

Updated: 2020-01-29 19:57:55 UTC (commit 768ceb2fdee6790d707d0f681e1b54916744af1e)