"Daniel Verite" <daniel@xxxxxxxxxxxxxxxx> writes: > I've noticed this post being currently shared on social media: > https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2019-9193-authenticated-arbitrary-command-execution-on-postgresql-9-3/ > The claim that COPY FROM PROGRAM warrants a CVE seems groundless > because you need to be superuser in the first place to do that. Yeah; this is supposing that there is a security boundary between Postgres superusers and the OS account running the server, which there is not. We could hardly have features like untrusted PLs if we were trying to maintain such a boundary. > I don't know if there are precedents of people claiming > CVE entries on Postgres without seemingly reaching out to the > community first. Should something be done proactively about > that particular claim? Well, it's odd, because somebody at trustwave (not the actual author of this "research") did reach out to the pgsql-security list, and we discussed with him that it wasn't a violation of Postgres' security model, and he agreed. But then they've posted this anyway. Left hand doesn't talk to right hand there, apparently. regards, tom lane
