SECURITY DEFINER functions are special PostgreSQL functions which perform certain designated activities with special privileges. A security vulnerability in the PostgreSQL database server (see postgres(1)) may allow a local or remote PostgreSQL user who has authenticated with the PostgreSQL server to inject crafted objects (for example, functions, tables, or operators) and affect the execution of existing SECURITY DEFINER functions. This would allow that user to control the database and execute code with the elevated privileges of the owner of the SECURITY DEFINER function, or to shadow any table with their own modified version and inject it for processing by a SECURITY DEFINER function.

This issue is described in the following documents:

CVE-2007-2138 at http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2138

PostgreSQL Security Information at http://www.postgresql.org/about/news.791

This issue can occur in the following releases:

SPARC Platform

• Solaris 10 without patch 123590-05

x86 Platform

• Solaris 10 without patch 123591-05

Notes:

1. Solaris 8 and 9 do not ship with PostgreSQL and are thus not impacted by this issue.
2. This issue affects PostgreSQL versions 7.3.x prior to 7.3.19, 7.4.x prior to 7.4.17, 8.0.x prior to 8.0.13, 8.1.x prior to 8.1.9 and 8.2.x prior to 8.2.4.
3. Any user exploiting this vulnerability must have an account on the SQLserver and must have permissions to run SECURITY DEFINER functions owned by another user.

The SECURITY DEFINER property of functions is similar to the setuid(2) feature in Unix Operating Systems. This property allows users to execute functions with the privileges of the owner of the functions rather than with the privileges of the user invoking the function.

To determine the list of SECURITY DEFINER functions on the database, the following SQL command can be run:

    SELECT pg_proc.proname, pg_namespace.nspname, pg_user.usename \
      FROM pg_proc JOIN pg_namespace ON pg_proc.pronamespace=pg_namespace.oid \
      JOIN pg_user ON pg_proc.proowner=pg_user.usesysid WHERE prosecdef='t';

To determine the version of PostgreSQL on the system, the following command can be run:

    $ /usr/bin/postgres --version
    postgres (PostgreSQL) 8.1.3

There are no predictable symptoms that would indicate the described issue has been exploited.

There is no workaround for this issue. Please see the Resolution section below.

This issue is resolved in the following releases:

SPARC Platform

• Solaris 10 with patch 123590-05 or later

x86 Platform

• Solaris 10 with patch 123591-05 or later

• Updated Contributing Factors and Resolution sections
• State: Resolved

This solution has no attachment