CVE-2019-9193 about COPY FROM/TO PROGRAM

От: Daniel Verite
Тема: CVE-2019-9193 about COPY FROM/TO PROGRAM
Дата: ,
Msg-id: e6251b54-78f4-4ec0-8e22-8c4179f0e817@manitou-mail.org
(см: обсуждение, исходный текст)
Ответы: Re: CVE-2019-9193 about COPY FROM/TO PROGRAM  (Tom Lane)
Список: pgsql-general

Скрыть дерево обсуждения

CVE-2019-9193 about COPY FROM/TO PROGRAM  ("Daniel Verite", )
 Re: CVE-2019-9193 about COPY FROM/TO PROGRAM  (Tom Lane, )
  Re: CVE-2019-9193 about COPY FROM/TO PROGRAM  (Magnus Hagander, )
   Re: CVE-2019-9193 about COPY FROM/TO PROGRAM  (Tom Lane, )
    Re: CVE-2019-9193 about COPY FROM/TO PROGRAM  ("Jonathan S. Katz", )
     Re: CVE-2019-9193 about COPY FROM/TO PROGRAM  (Michael Paquier, )
      Re: CVE-2019-9193 about COPY FROM/TO PROGRAM  ("Brad Nicholson", )
       Re: CVE-2019-9193 about COPY FROM/TO PROGRAM  (Andres Freund, )
        Re: CVE-2019-9193 about COPY FROM/TO PROGRAM  (Magnus Hagander, )
         Re: CVE-2019-9193 about COPY FROM/TO PROGRAM  ("Jonathan S. Katz", )
        Re: CVE-2019-9193 about COPY FROM/TO PROGRAM  (Jeff Janes, )
         Re: CVE-2019-9193 about COPY FROM/TO PROGRAM  (Robert Treat, )
       Re: CVE-2019-9193 about COPY FROM/TO PROGRAM  (Jeremy Schneider, )
        Re: CVE-2019-9193 about COPY FROM/TO PROGRAM  (Tom Lane, )
         Re: CVE-2019-9193 about COPY FROM/TO PROGRAM  (Magnus Hagander, )
          Re: CVE-2019-9193 about COPY FROM/TO PROGRAM  (Andres Freund, )
      Re: CVE-2019-9193 about COPY FROM/TO PROGRAM  ("Jonathan S. Katz", )
     Re: CVE-2019-9193 about COPY FROM/TO PROGRAM  (Magnus Hagander, )
    Re: CVE-2019-9193 about COPY FROM/TO PROGRAM  (Alvaro Herrera, )

Hi,

I've noticed this post being currently shared on social media:


https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2019-9193-authenticated-arbitrary-command-execution-on-postgresql-9-3/

The claim that COPY FROM PROGRAM warrants a CVE seems groundless
because you need to be superuser in the first place to do that.

Apparently these guys have not figured out that a superuser can
also inject arbitrary code with CREATE EXTENSION or even CREATE
FUNCTION since forever, or maybe that will be for a future post?

The CVE itself has not been published, in the sense that it's not
on https://cve.mitre.org, but the ID is reserved.

I don't know if there are precedents of people claiming
CVE entries on Postgres without seemingly reaching out to the
community first. Should something be done proactively about
that particular claim?


Best regards,
--
Daniel Vérité
PostgreSQL-powered mailer: http://www.manitou-mail.org
Twitter: @DanielVerite




В списке pgsql-general по дате сообщения:

От: Gmail
Дата:
Сообщение: Re: stale WAL files?
От: Samuel Williams
Дата:
Сообщение: Re: libpq read/write