CVE-2019-10208

Priority
Description
Given a suitable SECURITY DEFINER function, an attacker can execute
arbitrary SQL under the identity of the function owner. An attack
requires EXECUTE permission on the function, which must itself contain
a function call having inexact argument type match. For example,
length('foo'::varchar) and length('foo') are inexact, while
length('foo'::text) is exact. As part of exploiting this vulnerability,
the attacker uses CREATE DOMAIN to create a type in a pg_temp schema.
The attack pattern and fix are similar to that for CVE-2007-2138.
Ubuntu-Description
Tom Lane discovered that PostgreSQL did not properly restrict
functions declared as "SECURITY DEFINER". An attacker could use this
to execute arbitrary SQL with the permissions of the function owner.
Notes
 leosilva> since 9.3 is not supported anymore by upstream
 leosilva> and for now we don't have a way to patch it
 leosilva> I'm marking it as deferred.
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): released (10.10-0ubuntu0.18.04.1)
Ubuntu 19.04 (Disco Dingo): DNE
Ubuntu 19.10 (Eoan): DNE

Package
Upstream: released (11.5-1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 19.04 (Disco Dingo): released (11.5-0ubuntu0.19.04.1)
Ubuntu 19.10 (Eoan): released (11.5-1)

Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): ignored
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 19.04 (Disco Dingo): DNE
Ubuntu 19.10 (Eoan): DNE

Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): deferred (2019-08-23)
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 19.04 (Disco Dingo): DNE
Ubuntu 19.10 (Eoan): DNE

Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): released (9.5.19-0ubuntu0.16.04.1)
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 19.04 (Disco Dingo): DNE
Ubuntu 19.10 (Eoan): DNE
More Information

Updated: 2019-09-19 14:50:13 UTC (commit d32ebc32606b9517c6fa7d65a15441e2a57a6de5)