CVE-2019-9193: Not a Security Vulnerability - Mailing list pgsql-announce

From Tom Lane
Subject CVE-2019-9193: Not a Security Vulnerability
Msg-id 8145.1554391535@sss.pgh.pa.us
List pgsql-announce
There is widespread mention in the media of a security vulnerability in
PostgreSQL, registered as CVE-2019-9193.  The PostgreSQL Security Team
would like to emphasize that this is **not a security vulnerability**.
We believe the CVE entry was filed in error.  We have contacted the
reporter to investigate the issue.

The COPY .. PROGRAM feature explicitly states that it can only be executed
by database users that have been granted superuser privileges or the
default role `pg_execute_server_program`.  By design, this feature allows
one who is granted superuser or `pg_execute_server_program` to perform
actions as the operating system user the PostgreSQL server runs under
(normally "postgres").  The default roles `pg_read_server_files` and
`pg_write_server_files` that are mentioned in the CVE do not grant
permission for a database user to use COPY .. PROGRAM.

By design, there exists no security boundary between a database superuser
and the operating system user the server runs under.  As such, by design
the PostgreSQL server is not allowed to run as an operating system
superuser (e.g. "root").  The features for COPY .. PROGRAM added in
PostgreSQL 9.3 did not change any of the above, but added a new command
within the same security boundaries that already existed.

We encourage all users of PostgreSQL to follow the best practice, which is
to never grant superuser access to remote or otherwise untrusted users.
This is a standard security operating procedure that is followed in system
administration and extends to database administration as well.

If you have more questions about this, we invite you to reach out to
members of the community through one of our support resources:

https://www.postgresql.org/support/

Links
-----
* COPY Documentation: https://www.postgresql.org/docs/current/sql-copy.html
* CVE-2019-9193: https://nvd.nist.gov/vuln/detail/CVE-2019-9193
* Security Page: https://www.postgresql.org/support/security/
* Support: https://www.postgresql.org/support/
* Follow @postgresql on Twitter: https://twitter.com/postgresql

            regards, tom lane

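The following SQL is an added example, not part of the announcement above or of the PostgreSQL project's own material. It reproduces the privilege boundary the Security Team describes and then audits which roles sit inside it. The role names (`file_reader`, `program_runner`), the table `scratch`, and the use of `/etc/hostname` and the `id` command are constructed for the demonstration; run it as a superuser against a scratch PostgreSQL 11 or newer instance, where the `pg_execute_server_program` default role exists.

```sql
-- Added example (not from the announcement): constructed role and table names.
-- Run as a superuser on a disposable PostgreSQL 11+ instance.

-- 1. A role holding only pg_read_server_files may read files the server
--    process can read, but may NOT run COPY .. PROGRAM.
CREATE ROLE file_reader LOGIN PASSWORD 'example-only';
GRANT pg_read_server_files TO file_reader;

CREATE TABLE scratch(line text);

SET ROLE file_reader;
COPY scratch FROM '/etc/hostname';      -- permitted by pg_read_server_files
COPY scratch FROM PROGRAM 'id';         -- rejected: requires superuser or pg_execute_server_program
RESET ROLE;

-- 2. A role holding pg_execute_server_program runs the command as the
--    operating system user the server runs under (normally "postgres").
--    This is the documented, intended behaviour, not a bypass.
CREATE ROLE program_runner LOGIN PASSWORD 'example-only';
GRANT pg_execute_server_program TO program_runner;

SET ROLE program_runner;
COPY scratch FROM PROGRAM 'id';         -- succeeds; output of id(1) lands in scratch
SELECT line FROM scratch;
RESET ROLE;

-- 3. Audit: every role that can reach the operating system through COPY,
--    i.e. superusers plus direct or inherited members of
--    pg_execute_server_program. pg_has_role() reports superusers as members
--    of every role, so they appear in can_run_programs as well.
SELECT r.rolname,
       r.rolsuper                                                  AS is_superuser,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER')   AS can_run_programs,
       r.rolcanlogin                                               AS can_login
FROM pg_roles AS r
WHERE r.rolsuper
   OR pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER')
ORDER BY r.rolname;

-- Cleanup.
DROP TABLE scratch;
DROP ROLE file_reader, program_runner;
```

Step 1 fails on the `COPY .. PROGRAM` statement with a permission error (the exact wording differs between major versions), which is the point the announcement makes about `pg_read_server_files`. The audit query in step 3 is the practical check to run on a production cluster: any login-capable row it returns is a role for which no boundary exists between the database and the `postgres` OS account, so it should be restricted to trusted administrators as the announcement advises.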