Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 237681

Summary: CVE-2007-2138 PostgreSQL security-definer function privilege escalation
Product: [Retired] Red Hat Web Application Stack Reporter: Josh Bressers <bressers>
Component: postgresqlAssignee: Tom Lane <tgl>
Status: CLOSED ERRATA QA Contact: Gurhan Ozen <gozen>
Severity: medium Docs Contact:
Priority: medium    
Version: v1CC: hhorak, jburke
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20070423,reported=20070419,source=redhat
Fixed In Version: RHSA-2007-0337 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-05-03 12:35:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Josh Bressers 2007-04-24 18:42:40 UTC 
+++ This bug was initially created as a clone of Bug #237680 +++

Quoting the PostgreSQL release notes:
http://www.postgresql.org/docs/8.2/static/release-8-2-4.html

    Support explicit placement of the temporary-table schema within search_path, 
    and disable searching it for functions and operators (Tom)

    This is needed to allow a security-definer function to set a truly secure 
    value of search_path. Without it, an unprivileged SQL user can use temporary 
    objects to execute code with the privileges of the security-definer function 
    (CVE-2007-2138). See CREATE FUNCTION for more information.
Comment 6 Red Hat Bugzilla 2007-05-03 12:35:16 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0337.html