On Sat, Mar 30, 2019 at 10:16 PM Tom Lane <t...@sss.pgh.pa.us> wrote:
> "Daniel Verite" <dan...@manitou-mail.org> writes:
> > I've noticed this post being currently shared on social media:
> >
> > https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2019-9193-authenticated-arbitrary-command-execution-on-postgresql-9-3/
> >
> > The claim that COPY FROM PROGRAM warrants a CVE seems groundless
> > because you need to be superuser in the first place to do that.
>
> Yeah; this is supposing that there is a security boundary between
> Postgres superusers and the OS account running the server, which
> there is not. We could hardly have features like untrusted PLs
> if we were trying to maintain such a boundary.
>
> > I don't know if there are precedents of people claiming
> > CVE entries on Postgres without seemingly reaching out to the
> > community first. Should something be done proactively about
> > that particular claim?
>
> Well, it's odd, because somebody at trustwave (not the actual
> author of this "research") did reach out to the pgsql-security
> list, and we discussed with him that it wasn't a violation of
> Postgres' security model, and he agreed. But then they've
> posted this anyway. Left hand doesn't talk to right hand there,
> apparently.

I wonder if we need to prepare some sort of official response to that. I was considering writing up a blog post about it, but maybe we need something more official?

--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/
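Since the thread's point is that the only boundary in play is "who is a superuser", the practical check for an administrator is an inventory of the roles that can cross it. The query below is an added example, not part of the thread or the PostgreSQL project; it assumes PostgreSQL 11 or later, where the predefined role pg_execute_server_program also grants COPY ... FROM PROGRAM. On 9.3 through 10 only rolsuper matters and the EXISTS clause simply yields false.

```sql
-- Added audit query (not from the mailing-list thread): list every role that
-- can run COPY ... FROM PROGRAM, i.e. execute commands as the server's OS user.
--
-- Two paths grant that capability:
--   1. the role is a superuser (all versions), or
--   2. the role is a member, directly or via inheritance, of the predefined
--      role pg_execute_server_program (PostgreSQL 11 and later).
--
-- The EXISTS subquery only calls pg_has_role() when the predefined role is
-- actually present in pg_roles, so the query runs unchanged on older servers.
SELECT r.rolname,
       r.rolsuper,
       r.rolcanlogin,
       EXISTS (
           SELECT 1
           FROM pg_roles AS p
           WHERE p.rolname = 'pg_execute_server_program'
             AND pg_has_role(r.oid, p.oid, 'MEMBER')
       ) AS member_of_execute_server_program
FROM pg_roles AS r
WHERE r.rolsuper
   OR EXISTS (
           SELECT 1
           FROM pg_roles AS p
           WHERE p.rolname = 'pg_execute_server_program'
             AND pg_has_role(r.oid, p.oid, 'MEMBER')
       )
ORDER BY r.rolname;
```

Any login role that appears here is, for all practical purposes, the OS account running the server; superusers also show up as members of pg_execute_server_program because a superuser is implicitly a member of every role.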