Note: This is an archival copy of Security Sun Alert 200713 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000565.1.
Solaris 10 Operating System
Date of Workaround Release
Date of Resolved Release
SECURITY DEFINER functions are special PostgreSQL functions which perform certain designated activities with special privileges. A security vulnerability in the PostgreSQL database server (see postgres(1)) may allow a local or remote PostgreSQL user who has authenticated with the PostgreSQL server to inject crafted objects (for example, functions, tables, or operators) and affect the execution of existing SECURITY DEFINER functions. This would allow that user to control the database and execute code with the elevated privileges of the owner of the SECURITY DEFINER function, or to shadow any table with their own modified version and inject it for processing by a SECURITY DEFINER function.
This issue is described in the following documents:
CVE-2007-2138 at http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2138
PostgreSQL Security Information at http://www.postgresql.org/about/news.791
This issue can occur in the following releases:
The SECURITY DEFINER property of functions is similar to the setuid(2) feature in Unix Operating Systems. This property allows users to execute functions with the privileges of the owner of the functions rather than with the privileges of the user invoking the function.
To determine the list of SECURITY DEFINER functions on the database, the following SQL command can be run:
SELECT pg_proc.proname, pg_namespace.nspname, pg_user.usename \ FROM pg_proc JOIN pg_namespace ON pg_proc.pronamespace=pg_namespace.oid \ JOIN pg_user ON pg_proc.proowner=pg_user.usesysid WHERE prosecdef='t';
To determine the version of PostgreSQL on the system, the following command can be run:
$ /usr/bin/postgres --version postgres (PostgreSQL) 8.1.3
There are no predictable symptoms that would indicate the described issue has been exploited.
There is no workaround for this issue. Please see the Resolution section below.
This issue is resolved in the following releases:
This solution has no attachment