From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Jeremy Schneider <schnjere(at)amazon(dot)com>, Brad Nicholson <bradn(at)ca(dot)ibm(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz>, Daniel Verite <daniel(at)manitou-mail(dot)org>, "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org>, pgsql-general <pgsql-general(at)lists(dot)postgresql(dot)org> |
Subject: | Re: CVE-2019-9193 about COPY FROM/TO PROGRAM |
Date: | 2019-04-04 19:50:41 |
Message-ID: | CABUevEznSFn2FD-N0Tv+aFM85UkoVBe4cvWG2DhYz8FntVaQrQ@mail.gmail.com |
Lists: | pgsql-general |
On Thu, Apr 4, 2019 at 9:45 PM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Jeremy Schneider <schnjere(at)amazon(dot)com> writes:
> > I'm all for having clear documentation about the security model in
> > PostgreSQL, but I personally wouldn't be in favor of adding extra
> > wording to the docs just to pacify concerns about a CVE which may have
> > been erroneously granted by an assigning authority, who possibly should
> > have done better due diligence reviewing the content. Particularly if
> > there's any possibility that the decision to assign the number can be
> > appealed/changed, though admittedly I know very little about the CVE
> > process.
>
> Just FYI, we have filed a dispute with Mitre about the CVE, and also
> reached out to trustwave to try to find out why they filed the CVE
> despite the earlier private discussion.
>
The original author has also pretty much acknowledged in comments on his
blog and on twitter that it's not actually a vulnerability. (He doesn't
agree with the design decision, which is apparently enough for a high
scoring CVE registration).
--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/