
Debian 8: DLA-1874-1 Critical: PostgreSQL Arbitrary SQL Execution

Debian LTS, August 9, 2019

PostgreSQL 9.4 on Debian 8 is affected by CVE-2019-10208. The fix is to upgrade the postgresql-9.4 package to the version given below.

* CVE-2019-10208: `TYPE` in `pg_temp` executes arbitrary SQL during `SECURITY DEFINER` execution
  Versions affected: 9.4 - 11

Summary

Given a suitable `SECURITY DEFINER` function, an attacker can execute
arbitrary SQL under the identity of the function owner. An attack
requires `EXECUTE` permission on the function, which must itself contain
a function call having inexact argument type match. For example,
`length('foo'::varchar)` and `length('foo')` are inexact, while
`length('foo'::text)` is exact. As part of exploiting this
vulnerability, the attacker uses `CREATE DOMAIN` to create a type in a
`pg_temp` schema. The attack pattern and fix are similar to that for
CVE-2007-2138.

Writing `SECURITY DEFINER` functions continues to require following the
considerations noted in the documentation:

https://www.postgresql.org/docs/devel/sql-createfunction.html#SQL-CREATEFUNCTION-SECURITY
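The package upgrade is the fix; the documentation's considerations still apply to every `SECURITY DEFINER` function you write. The following is an added example, not code from the advisory or the PostgreSQL project: a function written in the shape the summary describes as exploitable (inexact argument match, callable by PUBLIC, no pinned `search_path`), the same function restructured along the documented lines, and an audit query over `pg_proc` for functions that still lack those controls. The schema `app_audit`, the function `log_event` and the role `app_role` are hypothetical names.

```sql
-- Weak pattern: SECURITY DEFINER with no pinned search_path, executable
-- by PUBLIC, and an inexact call (msg is varchar, length() takes text),
-- which is the kind of call the advisory says the attack requires.
CREATE FUNCTION log_event(msg varchar) RETURNS void
LANGUAGE sql SECURITY DEFINER AS $$
  INSERT INTO app_audit.events(len) VALUES (length(msg));
$$;

-- Hardened pattern, following the CREATE FUNCTION documentation: pin
-- search_path with pg_temp explicitly last, take EXECUTE away from PUBLIC
-- and grant it to a named role, and make the argument types exact so no
-- implicit coercion has to be resolved at call time.
DROP FUNCTION log_event(varchar);
CREATE FUNCTION log_event(msg text) RETURNS void
LANGUAGE sql SECURITY DEFINER
SET search_path = app_audit, pg_temp AS $$
  INSERT INTO app_audit.events(len) VALUES (length(msg::text));
$$;
REVOKE EXECUTE ON FUNCTION log_event(text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION log_event(text) TO app_role;   -- hypothetical role

-- Audit query (constructed here): list SECURITY DEFINER functions outside
-- the system schemas that either have no search_path in proconfig or are
-- still executable by PUBLIC. A NULL proacl means default privileges,
-- which include EXECUTE for PUBLIC; an aclitem starting with '=' is a
-- grant to PUBLIC.
SELECT p.oid::regprocedure AS function,
       p.proconfig,
       (p.proacl IS NULL
        OR EXISTS (SELECT 1 FROM unnest(p.proacl) a
                   WHERE a::text LIKE '=X/%')) AS public_execute
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE p.prosecdef
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND (p.proconfig IS NULL
       OR NOT EXISTS (SELECT 1 FROM unnest(p.proconfig) c
                      WHERE c LIKE 'search_path=%')
       OR p.proacl IS NULL
       OR EXISTS (SELECT 1 FROM unnest(p.proacl) a
                  WHERE a::text LIKE '=X/%'));
```

Run the audit query as a superuser or a role that can read `pg_proc` for all schemas; any row it returns is a function that still needs the documented treatment regardless of the package version.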

The PostgreSQL project thanks Tom Lane for reporting this problem.

For Debian 8 "Jessie", this problem has been fixed in version
9.4.24-0+deb8u1.

We recommend that you upgrade your postgresql-9.4 packages.

Severity: critical

Package: postgresql-9.4
Version: 9.4.24-0+deb8u1
CVE ID: CVE-2019-10208
