Note: This is an archival copy of Security Sun Alert 200713 as previously published on
Latest version of this security advisory is available from as Sun Alert 1000565.1.
Article ID : 1000565.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-05-28
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in PostgreSQL SECURITY DEFINER Functions May Allow Escalation of Privileges


Release Phase

Solaris 10 Operating System

Bug Id

Date of Workaround Release

Date of Resolved Release


SECURITY DEFINER functions are special PostgreSQL functions which perform certain designated activities with special privileges. A security vulnerability in the PostgreSQL database server (see postgres(1)) may allow a local or remote PostgreSQL user who has authenticated with the PostgreSQL server to inject crafted objects (for example, functions, tables, or operators) and affect the execution of existing SECURITY DEFINER functions. This would allow that user to control the database and execute code with the elevated privileges of the owner of the SECURITY DEFINER function, or to shadow any table with their own modified version and inject it for processing by a SECURITY DEFINER function.

This issue is described in the following documents:

CVE-2007-2138 at

PostgreSQL Security Information at

Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 10 without patch 123590-05

x86 Platform

  • Solaris 10 without patch 123591-05


  1. Solaris 8 and 9 do not ship with PostgreSQL and are thus not impacted by this issue.
  2. This issue affects PostgreSQL versions 7.3.x prior to 7.3.19, 7.4.x prior to 7.4.17, 8.0.x prior to 8.0.13, 8.1.x prior to 8.1.9 and 8.2.x prior to 8.2.4.
  3. Any user exploiting this vulnerability must have an account on the SQLserver and must have permissions to run SECURITY DEFINER functions owned by another user.

The SECURITY DEFINER property of functions is similar to the setuid(2) feature in Unix Operating Systems. This property allows users to execute functions with the privileges of the owner of the functions rather than with the privileges of the user invoking the function.

To determine the list of SECURITY DEFINER functions on the database, the following SQL command can be run:

    SELECT pg_proc.proname, pg_namespace.nspname, pg_user.usename \
    FROM pg_proc JOIN pg_namespace ON pg_proc.pronamespace=pg_namespace.oid \
    JOIN pg_user ON pg_proc.proowner=pg_user.usesysid WHERE prosecdef='t';

To determine the version of PostgreSQL on the system, the following command can be run:

    $ /usr/bin/postgres --version
    postgres (PostgreSQL) 8.1.3


There are no predictable symptoms that would indicate the described issue has been exploited.


There is no workaround for this issue. Please see the Resolution section below.


This issue is resolved in the following releases:

SPARC Platform

  • Solaris 10 with patch 123590-05 or later

x86 Platform

  • Solaris 10 with patch 123591-05 or later

Modification History
Date: 29-MAY-2007
  • Updated Contributing Factors and Resolution sections
  • State: Resolved




This solution has no attachment