Hi,
I've noticed this post being currently shared on social media:
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2019-9193-authenticated-arbitrary-command-execution-on-postgresql-9-3/
The claim that COPY FROM PROGRAM warrants a CVE seems groundless
because you need to be superuser in the first place to do that.
Apparently these guys have not figured out that a superuser can
also inject arbitrary code with CREATE EXTENSION or even CREATE
FUNCTION since forever, or maybe that will be for a future post?
The CVE itself has not been published, in the sense that it's not
on https://cve.mitre.org, but the ID is reserved.
I don't know if there are precedents of people claiming
CVE entries on Postgres without seemingly reaching out to the
community first. Should something be done proactively about
that particular claim?
Best regards,
--
Daniel Vérité
PostgreSQL-powered mailer: http://www.manitou-mail.org
Twitter: @DanielVerite