Note: This is an archival copy of Security Sun Alert 200713 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000565.1.
Article ID : 1000565.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-05-28
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in PostgreSQL SECURITY DEFINER Functions May Allow Escalation of Privileges

Category
Security

Release Phase
Resolved

Product
Solaris 10 Operating System

Bug Id
6546373

Date of Workaround Release
26-APR-2007

Date of Resolved Release
29-MAY-2007

Impact

SECURITY DEFINER functions are special PostgreSQL functions which perform certain designated activities with special privileges. A security vulnerability in the PostgreSQL database server (see postgres(1)) may allow a local or remote PostgreSQL user who has authenticated with the PostgreSQL server to inject crafted objects (for example, functions, tables, or operators) and affect the execution of existing SECURITY DEFINER functions. This would allow that user to control the database and execute code with the elevated privileges of the owner of the SECURITY DEFINER function, or to shadow any table with their own modified version and inject it for processing by a SECURITY DEFINER function.

This issue is described in the following documents:

CVE-2007-2138 at http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2138

PostgreSQL Security Information at http://www.postgresql.org/about/news.791


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 10 without patch 123590-05

x86 Platform

  • Solaris 10 without patch 123591-05

Notes:

  1. Solaris 8 and 9 do not ship with PostgreSQL and are thus not impacted by this issue.
  2. This issue affects PostgreSQL versions 7.3.x prior to 7.3.19, 7.4.x prior to 7.4.17, 8.0.x prior to 8.0.13, 8.1.x prior to 8.1.9 and 8.2.x prior to 8.2.4.
  3. Any user exploiting this vulnerability must have an account on the SQLserver and must have permissions to run SECURITY DEFINER functions owned by another user.

The SECURITY DEFINER property of functions is similar to the setuid(2) feature in Unix Operating Systems. This property allows users to execute functions with the privileges of the owner of the functions rather than with the privileges of the user invoking the function.

To determine the list of SECURITY DEFINER functions on the database, the following SQL command can be run:

    SELECT pg_proc.proname, pg_namespace.nspname, pg_user.usename \
    FROM pg_proc JOIN pg_namespace ON pg_proc.pronamespace=pg_namespace.oid \
    JOIN pg_user ON pg_proc.proowner=pg_user.usesysid WHERE prosecdef='t';

To determine the version of PostgreSQL on the system, the following command can be run:

    $ /usr/bin/postgres --version
    postgres (PostgreSQL) 8.1.3

Symptoms

There are no predictable symptoms that would indicate the described issue has been exploited.


Workaround

There is no workaround for this issue. Please see the Resolution section below.


Resolution

This issue is resolved in the following releases:

SPARC Platform

  • Solaris 10 with patch 123590-05 or later

x86 Platform

  • Solaris 10 with patch 123591-05 or later


Modification History
Date: 29-MAY-2007
  • Updated Contributing Factors and Resolution sections
  • State: Resolved

 



References

123590-05
123591-05




Attachments
This solution has no attachment