FreeBSD: VID-9DE4C1C1-B9EE-11E9-82AA-6CC21735F730 (CVE-2019-10209): PostgresSQL -- TYPE in pg_temp execute arbitrary SQL during `SECURITY DEFINER` execution

Description

Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.

From VID-9DE4C1C1-B9EE-11E9-82AA-6CC21735F730:

The PostgreSQL project reports:

Versions Affected: 9.4 - 11

Given a suitable `SECURITY DEFINER` function, an attacker can execute arbitrary

SQL under the identity of the function owner. An attack requires `EXECUTE`

permission on the function, which must itself contain a function call having

inexact argument type match. For example, `length('foo'::varchar)` and

`length('foo')` are inexact, while `length('foo'::text)` is exact.

As part of exploiting this vulnerability, the attacker uses `CREATE DOMAIN`

to create a type in a `pg_temp` schema. The attack pattern and fix are similar

to that for CVE-2007-2138.

Writing `SECURITY DEFINER` functions continues to require following

the considerations noted in the documentation:

https://www.postgresql.org/docs/devel/sql-createfunction.html#SQL-CREATEFUNCTION-SECURITY

Versions Affected: 11

In a database containing hypothetical, user-defined hash equality operators,

an attacker could read arbitrary bytes of server memory. For an attack to

become possible, a superuser would need to create unusual operators.

It is possible for operators not purpose-crafted for attack to have

the properties that enable an attack, but we are not aware of specific examples.