Bug 1695982 (CVE-2019-9193)
| Field | Value |
|---|---|
| Summary | CVE-2019-9193 postgresql: Command injection via "COPY TO/FROM PROGRAM" function |
| Product | [Other] Security Response |
| Reporter | Pedro Sampaio <psampaio> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED NOTABUG |
| Severity | low |
| Priority | low |
| Version | unspecified |
| CC | anon.amish, bkearney, dajohnso, databases-maint, dbaker, devrim, dmetzger, gacton, gblomqui, gmainwar, gmccullo, gtanzill, hhorak, jfrey, jhardy, jlaska, jmlich83, jorton, jprause, jstanek, kdixon, mike, obarenbo, panovotn, pkajaba, pkubat, praiskup, ratamir, roliveri, simaishi, tgl, tlestach |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Doc Type | If docs needed, set a value |
| Last Closed | 2019-04-04 17:03:31 UTC |
| Bug Depends On | 1695983, 1695984, 1695985 |
| Bug Blocks | 1695986 |
Description (Pedro Sampaio, 2019-04-04 01:23:54 UTC)
Created mingw-postgresql tracking bugs for this issue:
Affects: epel-7 [bug 1695984]
Affects: fedora-all [bug 1695985]

Created postgresql tracking bugs for this issue:
Affects: fedora-all [bug 1695983]

The position of the Postgres project is that this CVE was written by somebody who hasn't troubled to understand Postgres' security model. There is no bug, and we are thinking of filing a dispute of the CVE with Mitre.

There's an unofficial response from another core member here: https://blog.hagander.net/when-a-vulnerability-is-not-a-vulnerability-244/

Another public discussion is here: https://www.postgresql.org/message-id/flat/e6251b54-78f4-4ec0-8e22-8c4179f0e817%40manitou-mail.org

The official response, if any, is likely to consist of improving the documentation to make it clear that there's no security boundary between database superusers and the OS account running the server. You can more or less understand that from existing statements in the docs, but we haven't spelled it out in exactly those words.

As the reported behaviour is actually expected (and documented) functionality, and the CVE seems to be filed by error/misunderstanding, I'm closing this as not a bug.

Read official upstream response here: https://www.postgresql.org/about/news/1935/

Statement: The PostgreSQL Project does not consider this to be a vulnerability. By design, database super users have full rights to the context that PostgreSQL executes within, including reading & writing all files and code execution. See External References for more details.

Red Hat Product Security concurs with upstream's assessment that this is not a vulnerability. Customers are advised to follow best practice when configuring PostgreSQL, which includes allocating only the minimum privileges to users. Super user privileges in particular must be very carefully controlled.

External References:
https://www.postgresql.org/about/news/1935/
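The advice above (grant only minimum privileges, control superuser rights carefully) is easy to check against a running cluster. The following audit queries are an added example and are not part of the bug report or of any PostgreSQL or Red Hat material. They rely only on the standard catalog views `pg_roles` and `pg_auth_members`: superusers can always run `COPY ... PROGRAM`, and from PostgreSQL 11 onward so can members of the built-in roles `pg_execute_server_program`, `pg_read_server_files` and `pg_write_server_files` (on older servers the third query simply returns no rows). The role name `app_user` in the remediation statements is a placeholder.

```sql
-- Added audit example (not from the bug report). Lists every role that can
-- reach the OS account the server runs as, which is the trust boundary the
-- statement above describes.

-- 1. Superusers. Each of these is equivalent to the server's OS account.
SELECT rolname, rolcanlogin
FROM   pg_roles
WHERE  rolsuper
ORDER  BY rolname;

-- 2. Direct grants of the server-file roles (PostgreSQL 11+).
--    admin_option = true means the member may grant the role onward.
SELECT m.rolname AS member,
       r.rolname AS granted_role,
       am.admin_option
FROM   pg_auth_members am
JOIN   pg_roles r ON r.oid = am.roleid
JOIN   pg_roles m ON m.oid = am.member
WHERE  r.rolname IN ('pg_execute_server_program',
                     'pg_read_server_files',
                     'pg_write_server_files')
ORDER  BY granted_role, member;

-- 3. Indirect membership through role chains, for login-capable,
--    non-superuser roles. Joining pg_roles for the built-in role names
--    (instead of passing literals to pg_has_role) avoids an error on
--    servers where these roles do not exist.
SELECT m.rolname  AS login_role,
       sr.rolname AS effective_server_role
FROM   pg_roles m
CROSS JOIN pg_roles sr
WHERE  m.rolcanlogin
  AND  NOT m.rolsuper
  AND  sr.rolname IN ('pg_execute_server_program',
                      'pg_read_server_files',
                      'pg_write_server_files')
  AND  pg_has_role(m.oid, sr.rolname, 'MEMBER')
ORDER  BY login_role, effective_server_role;

-- 4. Remediation for an application role that should never have had this
--    reach. 'app_user' is a placeholder name.
ALTER ROLE app_user NOSUPERUSER;
REVOKE pg_execute_server_program FROM app_user;
REVOKE pg_read_server_files      FROM app_user;
REVOKE pg_write_server_files     FROM app_user;
```

A useful operating rule follows from the statement in the bug: treat every row returned by queries 1 to 3 as an OS-level account on the database host, and expect the list to contain only DBA roles, never the role an application connects with.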