Re: CVE-2019-9193 about COPY FROM/TO PROGRAM

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Daniel Verite <daniel(at)manitou-mail(dot)org>, pgsql-general <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: Re: CVE-2019-9193 about COPY FROM/TO PROGRAM
Date: 2019-04-01 12:09:54
Message-ID: CABUevEz3Rw+Q6K1NjtkNsh6tME4omjm+ywmpwEVLAjctJ+pWYg@mail.gmail.com
Lists: pgsql-general

On Sat, Mar 30, 2019 at 10:16 PM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

> "Daniel Verite" <daniel(at)manitou-mail(dot)org> writes:
> > I've noticed this post being currently shared on social media:
>
> > https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2019-9193-authenticated-arbitrary-command-execution-on-postgresql-9-3/
>
> > The claim that COPY FROM PROGRAM warrants a CVE seems groundless
> > because you need to be superuser in the first place to do that.
>
> Yeah; this is supposing that there is a security boundary between
> Postgres superusers and the OS account running the server, which
> there is not. We could hardly have features like untrusted PLs
> if we were trying to maintain such a boundary.
>
> > I don't know if there are precedents of people claiming
> > CVE entries on Postgres without seemingly reaching out to the
> > community first. Should something be done proactively about
> > that particular claim?
>
> Well, it's odd, because somebody at trustwave (not the actual
> author of this "research") did reach out to the pgsql-security
> list, and we discussed with him that it wasn't a violation of
> Postgres' security model, and he agreed. But then they've
> posted this anyway. Left hand doesn't talk to right hand there,
> apparently.
>

I wonder if we need to prepare some sort of official response to that.

I was considering writing up a blog post about it, but maybe we need
something more official?

--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/
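The point in the thread is that COPY ... PROGRAM is only reachable by a superuser, and a superuser is already equivalent to the server's OS account; the practical question for an administrator is therefore which login roles actually hold that power. The query below is an added example, not part of the thread; it assumes PostgreSQL 11 or later, where membership in the built-in pg_execute_server_program role also grants COPY ... PROGRAM (on older releases drop that column, since the role does not exist there).

```sql
-- Added example (not from the thread): list every login role that can run
-- COPY ... FROM/TO PROGRAM, either because it is a superuser or because it is
-- a direct or indirect member of pg_execute_server_program (PostgreSQL 11+).
-- Any row here is effectively an OS-level account on the database host, so
-- each one should be a deliberate administrative choice, not an application role.
SELECT r.rolname,
       r.rolsuper                                                       AS is_superuser,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER')         AS via_pg_execute_server_program,
       r.rolvaliduntil                                                   AS password_expires
FROM pg_roles r
WHERE r.rolcanlogin
  AND (r.rolsuper
       OR pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER'))
ORDER BY r.rolsuper DESC, r.rolname;

-- Mitigation pattern for an application that only needs ordinary table access:
-- a plain role with no superuser bit and no server-program membership.
-- COPY ... PROGRAM issued by such a role is rejected with "permission denied".
-- (Role name app_reader is a constructed placeholder.)
CREATE ROLE app_reader LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT;
```

Run the SELECT as any role that can read pg_roles; the CREATE ROLE needs CREATEROLE or superuser.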
