CVE-2017-12172 (retired)

Priority
Description
PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x
before 9.4.15, 9.3.x before 9.3.20, and 9.2.x before 9.2.24 runs under a
non-root operating system account, and database superusers have effective
ability to run arbitrary code under that system account. PostgreSQL
provides a script for starting the database server during system boot.
Packages of PostgreSQL for many operating systems provide their own,
packager-authored startup implementations. Several implementations use a
log file name that the database superuser can replace with a symbolic link.
As root, they open(), chmod() and/or chown() this log file name. This often
suffices for the database superuser to escalate to root privileges when
root starts the server.
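The open()/chmod()/chown() sequence described above is only safe when the privileged process refuses symbolic links and changes mode and ownership through the file descriptor it actually opened. The following C sketch is an added example, not code from PostgreSQL or any packager's startup script; the helper names and the /tmp test layout are assumptions. O_NOFOLLOW covers only the final path component, so opening the log as the unprivileged account remains the more robust design.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not PostgreSQL or packager code): open a log file that
 * lives where a less-privileged account can create or replace names. */
int open_log_safely(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
    struct stat st;
    /* O_NOFOLLOW: refuse a symbolic link as the final path component. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, mode);
    if (fd < 0)
        return -1;
    /* Check the object actually opened: a regular file with no extra hard links. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    /* fchmod()/fchown() act on the descriptor, so replacing the path after
     * open() cannot redirect them to another file. */
    if (fchmod(fd, mode) != 0 || fchown(fd, uid, gid) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: "server.log" is a symlink to "victim" (mode 0600).
 * Returns 1 if the open is refused and victim's mode is untouched. */
int symlink_is_rejected(void)
{
    char dir[] = "/tmp/logdemoXXXXXX", victim[64], lnk[64];
    struct stat st;
    if (!mkdtemp(dir))
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/server.log", dir);
    int vfd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (vfd < 0 || fchmod(vfd, 0600) != 0 || close(vfd) != 0 || symlink(victim, lnk) != 0)
        return -1;
    int fd = open_log_safely(lnk, geteuid(), getegid(), 0644);
    int ok = fd < 0 && stat(victim, &st) == 0 && (st.st_mode & 0777) == 0600;
    if (fd >= 0) close(fd);
    unlink(lnk); unlink(victim); rmdir(dir);
    return ok;
}
```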
Notes
 mdeslaur> this script isn't installed by the packaging
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): not-affected (code not shipped)
Ubuntu 14.04 LTS (Trusty Tahr): not-affected (code not shipped)
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): not-affected (code not shipped)
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (code not shipped)
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (code not shipped)
More Information

Updated: 2019-03-26 12:24:36 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)