CVE-2019-9193 about COPY FROM/TO PROGRAM - Mailing list pgsql-general

From Daniel Verite
Subject CVE-2019-9193 about COPY FROM/TO PROGRAM
Date
Msg-id e6251b54-78f4-4ec0-8e22-8c4179f0e817@manitou-mail.org
Whole thread Raw
Responses Re: CVE-2019-9193 about COPY FROM/TO PROGRAM
List pgsql-general
Hi,

I've noticed this post being currently shared on social media:


https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2019-9193-authenticated-arbitrary-command-execution-on-postgresql-9-3/

The claim that COPY FROM PROGRAM warrants a CVE seems groundless
because you need to be superuser in the first place to do that.

Apparently these guys have not figured out that a superuser can
also inject arbitrary code with CREATE EXTENSION or even CREATE
FUNCTION since forever, or maybe that will be for a future post?

The CVE itself has not been published, in the sense that it's not
on https://cve.mitre.org, but the ID is reserved.

I don't know if there are precedents of people claiming
CVE entries on Postgres without seemingly reaching out to the
community first. Should something be done proactively about
that particular claim?


Best regards,
--
Daniel Vérité
PostgreSQL-powered mailer: http://www.manitou-mail.org
Twitter: @DanielVerite



pgsql-general by date:

Previous
From: Gmail
Date:
Subject: Re: stale WAL files?
Next
From: Tom Lane
Date:
Subject: Re: CVE-2019-9193 about COPY FROM/TO PROGRAM