Re: CVE-2019-9193 about COPY FROM/TO PROGRAM - Mailing list pgsql-general

From Andres Freund
Subject Re: CVE-2019-9193 about COPY FROM/TO PROGRAM
Date
Msg-id 20190404203648.ntgxb26qpg4d4mgb@alap3.anarazel.de
Whole thread Raw
In response to Re: CVE-2019-9193 about COPY FROM/TO PROGRAM  (Magnus Hagander <magnus@hagander.net>)
List pgsql-general
Hi

On 2019-04-04 21:50:41 +0200, Magnus Hagander wrote:
> On Thu, Apr 4, 2019 at 9:45 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
> 
> > Jeremy Schneider <schnjere@amazon.com> writes:
> > > I'm all for having clear documentation about the security model in
> > > PostgreSQL, but I personally wouldn't be in favor of adding extra
> > > wording to the docs just to pacify concerns about a CVE which may have
> > > been erroneously granted by an assigning authority, who possibly should
> > > have done better due diligence reviewing the content. Particularly if
> > > there's any possibility that the decision to assign the number can be
> > > appealed/changed, though admittedly I know very little about the CVE
> > > process.
> >
> > Just FYI, we have filed a dispute with Mitre about the CVE, and also
> > reached out to trustwave to try to find out why they filed the CVE
> > despite the earlier private discussion.
> >
> 
> The original author has also pretty much acknowledged in comments on his
> blog and on twitter that it's not actually a vulnerability. (He doesn't
> agree with the design decision, which is apparently enough for a high
> scoring CVE registration).

Btw, the xp_cmdshell thing the author references several times?
It can be enabled via tsql if you have a privileged account.


https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/xp-cmdshell-server-configuration-option?view=sql-server-2017

and it allows to execute shell code (as a specified user) even when not
a sysadmin:

https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017#xp_cmdshell-proxy-account

Greetings,

Andres Freund



pgsql-general by date:

Previous
From: Kevin Brannen
Date:
Subject: RE: Recommendation to run vacuum FULL in parallel
Next
From: Peter Eisentraut
Date:
Subject: Re: logical replication - negative bitmapset member not allowed