Scripting handwork rg. PostgreSQL bug CVE-2017-7547


PostgreSQL has just detected to a really bad information disclosure bug, CVE-2017-7547.

Unfortunately upgrading to a fixed version (for Debian see their security-tracker on CVE-2017-7547) is not enough, existing installations need manual work, as described in PostgreSQL's own news article 1772 describes. That howto is not only less then optimal (first half of step 4 should happen before step 3 for easier scripting) there does not seem to be a script yet.

Therefore I decided to create the following scripts ...

Scripted Solution (for 'main' cluster)

pg_fix_usermappings.sql code

For manual execution and the interested here is what our full script (see below) puts in /tmp/pg_fix_user_mappings.sql and "executes" on all databases after making additional config changes to and restarting postgres:

SET search_path = pg_catalog;

CREATE OR REPLACE VIEW pg_user_mappings AS
    U.oid       AS umid,
    S.oid       AS srvid,
    S.srvname   AS srvname,
    U.umuser    AS umuser,
    CASE WHEN U.umuser = 0 THEN
    END AS usename,
      (U.umuser <> 0 AND A.rolname = current_user AND (pg_has_role(S.srvowner, 'USAGE')
        OR has_server_privilege(S.oid, 'USAGE')))
      OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE'))
      OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user)
    THEN U.umoptions
    ELSE NULL END AS umoptions
  FROM pg_user_mapping U
  LEFT JOIN pg_authid A ON (A.oid = U.umuser) 
  JOIN pg_foreign_server S ON (U.umserver = S.oid);

What happens in

The script performs the following operations:

  • Some santiy checks. It's safe to call the script without any parameters
  • Create /tmp/pg_fix_user_mappings.sql (see above)
  • Copy postgres.conf to postgres.conf.bak
  • Patch postgresql.conf with allow_system_table_mods=true
  • Restart postgres
  • Sleep 60 seconds, because postgres start asynchronously
  • Enable changes to template0
  • Apply/tmp/pg_fix_user_mappings.sql to ALL databases
  • Disable changes to template0
  • Restore postgresql.conf.bak to postgres.conf
  • Restart postgres again download & execution

To try to fix your PostgreSQL installation in a debian or similar environment:

Overall (several variants, read before execution)

# download
#sudo apt-get install ca-certificates
wget \
  -O /tmp/

# make it executable, for user postgres
chmod ugo+rx /tmp/

# it's safe to call the script without any parameters ...

# think about version
ls -ld /etc/postgresql/*
dpkg -l |egrep " postgresql-9.[0-9] "

# execute for 9.6 as non root logging the output
export MYPGVER=9.6
( sudo sudo -u postgres /tmp/ ${MYPGVER} ) \
  2>&1 |tee /var/tmp/pg_fix_usermappings_${MYPGVER}.log

# after success maybe document
sudo mv -v /tmp/ /var/tmp/pg_fix_usermappings*.log /var/log/postgresql/