Re: CVE-2019-9193 about COPY FROM/TO PROGRAM

From: Jeremy Schneider <schnjere(at)amazon(dot)com>
To: Brad Nicholson <bradn(at)ca(dot)ibm(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz>
Cc: Daniel Verite <daniel(at)manitou-mail(dot)org>, "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org>, Magnus Hagander <magnus(at)hagander(dot)net>, pgsql-general <pgsql-general(at)lists(dot)postgresql(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Subject: Re: CVE-2019-9193 about COPY FROM/TO PROGRAM
Date: 2019-04-04 19:34:04
Message-ID: 038270ec-28c8-1082-7fbc-8d5df3cbdbd0@amazon.com
Lists: pgsql-general

On 4/2/19 05:35, Brad Nicholson wrote:
> A blog post would be nice, but it seems to me that having something about
> this clearly in the manual would be best, assuming it's not there already.
> I took a quick look, and couldn't find anything.

For the record, I don't see any warnings at all in the Oracle docs about
this. Maybe I'm remembering wrong, but I think it's exactly the same
situation there - anyone with full administrative privileges can use
DBMS_SCHEDULER to run OS executables. And I don't think there's a way to
configure Oracle to disable this for people logging in over the network
with administrative privileges.

https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/DBMS_SCHEDULER.html#GUID-F41A5779-1915-4D5D-A7F5-87727320B742

I'm all for having clear documentation about the security model in
PostgreSQL, but I personally wouldn't be in favor of adding extra
wording to the docs just to pacify concerns about a CVE which may have
been erroneously granted by an assigning authority, who possibly should
have done better due diligence reviewing the content. Particularly if
there's any possibility that the decision to assign the number can be
appealed/changed, though admittedly I know very little about the CVE
process.

Or if this is a legitimate CVE, and if I'm remembering correctly about
Oracle, then maybe the CVE needs to be expanded to cover that database too?

-Jeremy

--
Jeremy Schneider
Database Engineer
Amazon Web Services
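The point under discussion, that COPY FROM/TO PROGRAM is reachable only by roles that already hold full administrative rights, is easy to check on a running server. The query below is an added example and not part of the thread or of PostgreSQL's own documentation; it assumes the standard pg_catalog views and, for the pg_execute_server_program predicate, PostgreSQL 11 or later, where that built-in role exists.

```sql
-- Added audit example (not from the original thread): list the roles on this
-- PostgreSQL server that are able to run COPY ... FROM/TO PROGRAM, namely
-- superusers and (on PostgreSQL 11+) members of pg_execute_server_program.
-- Assumption: only pg_catalog.pg_roles and pg_has_role() are used, so any role
-- that can read pg_roles may run it.
SELECT r.rolname,
       r.rolsuper    AS is_superuser,
       r.rolcanlogin AS can_login,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER')
                     AS member_of_pg_execute_server_program
FROM   pg_catalog.pg_roles AS r
WHERE  r.rolsuper
   OR  pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER')
ORDER  BY r.rolname;
```

Every row returned is a role that can already execute arbitrary commands as the server's OS user through this feature, which is why the thread treats it as a privilege boundary question rather than a bug. On PostgreSQL 10 and earlier the built-in role does not exist and pg_has_role() will raise an error for it; drop that predicate and keep only the rolsuper check there.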
