PostgreSQL patches XML flaws

PostgreSQL_Logoh-online: A flaw in the built-in XML functionality of PostgreSQL (CVE-2012-3488) and another in its optional XSLT handling (CVE-2012-3489) have been patched, and the developers have released updated versions of the open source database with relevant fixes. The holes being patched are related to insecure use of the widely used libxml2 and libxslt open source libraries and the PostgreSQL developers advise anyone using those libraries to check their systems for similar problems.

Both problems in PostgreSQL allow authenticated users of the database to read arbitrary files on the system, and the XSLT flaw allows writing of files. Details are limited, but the release notes for 9.1.5 note how xml_parse() and xslt_process() could be used to access information about files or parts of those files.

To fix the problem, the PostgreSQL developers have released versions 9.1.5, 9.0.9, 8.4.13 and 8.3.20 and urge users to “update their installations at the first available opportunity”. The updates do break some backward compatibility though: users who rely on the built-in XML functionality to validate external DTDs will have to implement a workaround and users who use xslt_process() to fetch documents from external URLs will no longer be able to do so. The developers say they regret having to disable this functionality, but have to do so “to maintain our security standards”.

They also note that these fixes are “substantially similar” to issues in WebKit (CVE-2011-1774), XMLsec (CVE-2011-1425) and PHP5 (CVE-2012-0057). Developers who use libxml2 and libxslt should probably take note of this and check to see if they are exposed to any issues through their use of the libraries.

The update to PostgreSQL also includes several fixes for version 9.1 of the open source database and a number of fixes for older versions. These include corrections to time zone data, documentation corrections, Python/Unicode fixes, a correction to log rotation and reduced data loss when replication failovers among others. As the update is a minor update, users need only shutdown the database, install the new binaries and restart.

Leave a Reply