On Sat, Mar 30, 2019 at 10:16 PM Tom Lane <tgl@xxxxxxxxxxxxx> wrote:
"Daniel Verite" <daniel@xxxxxxxxxxxxxxxx> writes:
> I've noticed this post being currently shared on social media:
> https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2019-9193-authenticated-arbitrary-command-execution-on-postgresql-9-3/
> The claim that COPY FROM PROGRAM warrants a CVE seems groundless
> because you need to be superuser in the first place to do that.
Yeah; this is supposing that there is a security boundary between
Postgres superusers and the OS account running the server, which
there is not. We could hardly have features like untrusted PLs
if we were trying to maintain such a boundary.
> I don't know if there are precedents of people claiming
> CVE entries on Postgres without seemingly reaching out to the
> community first. Should something be done proactively about
> that particular claim?
Well, it's odd, because somebody at trustwave (not the actual
author of this "research") did reach out to the pgsql-security
list, and we discussed with him that it wasn't a violation of
Postgres' security model, and he agreed. But then they've
posted this anyway. Left hand doesn't talk to right hand there,
apparently.
I wonder if we need to prepare some sort of official response to that.
I was considering writing up a blog post about it, but maybe we need something more official?
