CVE-2016-5424

NameCVE-2016-5424
DescriptionPostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 might allow remote authenticated users with the CREATEDB or CREATEROLE role to gain superuser privileges via a (1) " (double quote), (2) \ (backslash), (3) carriage return, or (4) newline character in a (a) database or (b) role name that is mishandled during an administrative operation.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-592-1, DSA-3646-1
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
postgresql-9.1 (PTS)wheezy9.1.21-0+deb7u1vulnerable
wheezy (security)9.1.24lts2-0+deb7u1fixed
jessie9.1.22-0+deb8u1fixed
jessie (security)9.1.16-0+deb8u1fixed
postgresql-9.4 (PTS)jessie (security), jessie9.4.15-0+deb8u1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
postgresql-9.1source(unstable)(unfixed)medium
postgresql-9.1sourcejessie(not affected)
postgresql-9.1sourcewheezy9.1.23-0+deb7u1mediumDLA-592-1
postgresql-9.4source(unstable)(unfixed)medium
postgresql-9.4sourcejessie9.4.9-0+deb8u1mediumDSA-3646-1
postgresql-9.5source(unstable)9.5.4-1medium

Notes

[jessie] - postgresql-9.1 <not-affected> (postgresql-9.1 in jessie only provides PL/Perl)
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=fcd15f13581f6d75c63d213220d5a94889206c1b
https://www.postgresql.org/about/news/1688/

Search for package or bug name: Reporting problems