CVE-2019-9193: Not a Security Vulnerability

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: pgsql-announce(at)postgresql(dot)org
Subject: CVE-2019-9193: Not a Security Vulnerability
Date: 2019-04-04 15:25:35
Message-ID: 8145.1554391535@sss.pgh.pa.us
Lists: pgsql-announce

There is widespread mention in the media of a security vulnerability in
PostgreSQL, registered as CVE-2019-9193. The PostgreSQL Security Team
would like to emphasize that this is **not a security vulnerability**.
We believe the CVE entry was filed in error. We have contacted the
reporter to investigate the issue.

The COPY .. PROGRAM feature explicitly states that it can only be executed
by database users that have been granted superuser privileges or the
default role `pg_execute_server_program`. By design, this feature allows
one who is granted superuser or `pg_execute_server_program` to perform
actions as the operating system user the PostgreSQL server runs under
(normally "postgres"). The default roles `pg_read_server_files` and
`pg_write_server_files` that are mentioned in the CVE do not grant
permission for a database user to use COPY .. PROGRAM.

By design, there exists no security boundary between a database superuser
and the operating system user the server runs under. As such, by design
the PostgreSQL server is not allowed to run as an operating system
superuser (e.g. "root"). The features for COPY .. PROGRAM added in
PostgreSQL 9.3 did not change any of the above, but added a new command
within the same security boundaries that already existed.

We encourage all users of PostgreSQL to follow the best practice that is
to never grant superuser access to remote or otherwise untrusted users.
This is a standard security operating procedure that is followed in system
administration and extends to database administration as well.

If you have more questions about this, we invite you to reach out to
members of the community through one of our support resources:

https://www.postgresql.org/support/

Links
-----
* COPY Documentation: https://www.postgresql.org/docs/current/sql-copy.html
* CVE-2019-9193: https://nvd.nist.gov/vuln/detail/CVE-2019-9193
* Security Page: https://www.postgresql.org/support/security/
* Support: https://www.postgresql.org/support/
* Follow @postgresql on Twitter: https://twitter.com/postgresql

regards, tom lane
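
As an added example, not part of Tom Lane's message or of the PostgreSQL project's own code: a catalog query a DBA can run to verify the privilege model described above, listing every non-built-in role that can execute COPY ... PROGRAM (superusers and members of `pg_execute_server_program`) alongside holders of the two file-access roles the CVE text conflates with it. It assumes PostgreSQL 11 or later, where these default roles exist (`pg_has_role` raises an error for a role name that does not exist), and `some_app_role` in the REVOKE is a placeholder.

```sql
-- Audit: which login-capable or group roles can run COPY ... PROGRAM?
-- Superusers always can; otherwise membership in pg_execute_server_program is required.
-- pg_read_server_files / pg_write_server_files do NOT confer that ability.
SELECT r.rolname,
       r.rolsuper,
       r.rolcanlogin,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER') AS can_copy_program,
       pg_has_role(r.oid, 'pg_read_server_files',      'MEMBER') AS can_read_server_files,
       pg_has_role(r.oid, 'pg_write_server_files',     'MEMBER') AS can_write_server_files
FROM   pg_roles AS r
WHERE  r.rolname NOT LIKE 'pg\_%'            -- skip the built-in pg_* roles themselves
  AND (r.rolsuper
       OR pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER')
       OR pg_has_role(r.oid, 'pg_read_server_files',      'MEMBER')
       OR pg_has_role(r.oid, 'pg_write_server_files',     'MEMBER'))
ORDER  BY r.rolsuper DESC, r.rolname;

-- Remediation for a row that should not be there: drop the grant, or the
-- superuser flag, rather than trying to restrict COPY itself.
-- (some_app_role is a placeholder for a role found by the query above.)
REVOKE pg_execute_server_program FROM some_app_role;
ALTER ROLE some_app_role NOSUPERUSER;
```

Any row with `rolsuper = true` or `can_copy_program = true` that belongs to a remote or otherwise untrusted account is the condition the announcement warns against; the file-access columns are informational and do not by themselves allow command execution.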
