It literally is working as documented. You can disagree with that design (IMO a bad argument, because the ability to extend postgres with additional functionality at runtime is a significant reason for its success). But that does NOT make it a security issue.
Claiming it as a remotely exploitable security issue is just disingenuous bullshit. You could just have blogged about a, in your view, poor design choice and that'd be entirely fair game.
Seriously, we allow superusers to do all kinds of things. Execute user defined functions in languages running without sandboxes (there are also sandboxed languages, which non-superusers can use). Create new base types, which rely on C functions in extension libraries. DROP all data.
What you're saying is that, despite all that being documented, it's a security issue that we allow it. That just doesn't make sense.
IOW: Don't give superuser permissions to users that don't need them, and don't run your applications as a superuser.
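The least-privilege advice above, worked through as an added PostgreSQL SQL example (this is not code from the thread or from the PostgreSQL project). The database appdb, schema app, table app.orders and the roles app_rw and legacy_app are assumed names; the catalog columns, role attributes and privilege statements are standard PostgreSQL.

```sql
-- Constructed example, not from the thread. Assumed names: database appdb,
-- schema app, table app.orders, roles app_rw and legacy_app.
-- Run as a superuser, except where SET ROLE switches to the application role.

-- 1. Audit: list every role holding superuser or other elevated attributes.
--    An application login showing up here is exactly what the thread warns about.
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb, rolcanlogin
FROM pg_roles
WHERE rolsuper OR rolcreaterole OR rolcreatedb;

-- 2. Strip elevated attributes from a login that does not need them.
ALTER ROLE legacy_app NOSUPERUSER NOCREATEROLE NOCREATEDB;

-- 3. Create a dedicated application role with no elevated attributes.
--    Set its password out of band (e.g. with \password in psql).
CREATE ROLE app_rw LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT;

-- 4. Grant only the access the application needs. The default-privileges
--    statement applies to tables later created by the role running it,
--    so run it as the role that owns the application's tables.
GRANT CONNECT ON DATABASE appdb TO app_rw;
GRANT USAGE ON SCHEMA app TO app_rw;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA app TO app_rw;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA app TO app_rw;
ALTER DEFAULT PRIVILEGES IN SCHEMA app
  GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO app_rw;

-- 5. Verify from the application's point of view. The CREATE FUNCTION and
--    DROP TABLE below must both be rejected: C is an untrusted language that
--    only a superuser may use, and app_rw does not own the table. If either
--    succeeds, the role is still over-privileged.
SET ROLE app_rw;
SHOW is_superuser;                               -- confirms the session is not a superuser
CREATE FUNCTION app.run_native() RETURNS int
  AS 'libc', 'getpid' LANGUAGE C;                -- rejected for a non-superuser
DROP TABLE app.orders;                           -- rejected: app_rw is not the owner
RESET ROLE;
```

Steps 1 and 5 are the useful recurring checks: the catalog query finds application logins that were granted superuser for convenience, and the two rejected statements confirm that the unsandboxed-language and DROP capabilities the thread describes really are out of the application's reach.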
[Tweet deleted by its author]
You got a CVE for it. Describing a design disagreement / feature wish as a security vulnerability.
It certainly sounds like a pretty bad abuse of the cve system, which is designed to help people track actual vulnerabilities. For clicks? Or something else? At least it is costing many hours of work from unpaid volunteers, there is that...
The actual vulnerability here is the security researcher DoS'ing a lot of database engineers and DBAs who could've done something productive today
[Tweet deleted by its author]
That's disingenuous. We can agree to disagree about it being a concern as such. What's at issue here is the CVE specifically, which imposes costs on the PostgreSQL project, without any benefits.
...and when something is a real vulnerability, or if more research is needed, the community gladly works with the reporter, outlines disclosures, and provides credit: postgresql.org/support/securi
This is not a CVE, this is an opinion on a documented feature. The CVE should be retracted.
I know of several projects that call CVEs "invoice numbers", because all they seem to be good for is charging some jerk a bunch of money.
Sadly true, it's too important a system to have trust eroded