CVE-2010-3433
The PL/perl and PL/Tcl implementations in PostgreSQL 7.4 before 7.4.30, 8.0 before 8.0.26, 8.1 before 8.1.22, 8.2 before 8.2.18, 8.3 before 8.3.12, 8.4 before 8.4.5, and 9.0 before 9.0.1 do not properly protect script execution by a different SQL user identity within the same session, which allows remote authenticated users to gain privileges via crafted script code in a SECURITY DEFINER function, as demonstrated by (1) redefining standard functions or (2) redefining operators, a different vulnerability than CVE-2010-1168, CVE-2010-1169, CVE-2010-1170, and CVE-2010-1447.
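The description above concerns script code that runs under a different SQL user identity than the caller, which is exactly what a SECURITY DEFINER function written in PL/perl or PL/Tcl does. The query below is an added exposure check, not part of the Launchpad page or the PostgreSQL project's advisory: it lists every SECURITY DEFINER function implemented in one of those languages together with its owner, so an administrator can see which functions are affected before the fixed release is installed. It assumes only the standard system catalogs (pg_proc, pg_language, pg_namespace, pg_roles) that exist in the 8.x and 9.0 releases named above.

```sql
-- Added example (not from the Launchpad page): inventory SECURITY DEFINER
-- functions whose bodies are PL/perl or PL/Tcl scripts. These run with the
-- owner's SQL identity, so they are the functions this CVE is about.
SELECT n.nspname   AS schema_name,
       p.proname   AS function_name,
       l.lanname   AS language,
       r.rolname   AS definer,
       r.rolsuper  AS definer_is_superuser
FROM pg_catalog.pg_proc      p
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
JOIN pg_catalog.pg_language  l ON l.oid = p.prolang
JOIN pg_catalog.pg_roles     r ON r.oid = p.proowner
WHERE p.prosecdef                                  -- SECURITY DEFINER only
  AND l.lanname IN ('plperl', 'plperlu', 'pltcl', 'pltclu')
ORDER BY r.rolsuper DESC, n.nspname, p.proname;

-- Compare the running server against the fixed releases in the description
-- (7.4.30, 8.0.26, 8.1.22, 8.2.18, 8.3.12, 8.4.5, 9.0.1).
SELECT version();
```

Functions owned by a superuser sort first, since those are the ones where a privilege gain would matter most; the second statement gives the version string to check against the fixed releases. Run both as a superuser in each database, because pg_proc is per database.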
Related bugs and status
CVE-2010-3433 (Candidate) is related to these bugs:
Bug #655293: New security/bug fix releases: 8.4.5, 8.3.12, 8.1.22
Bug | Summary | In | Importance | Status
---|---|---|---|---
655293 | New security/bug fix releases: 8.4.5, 8.3.12, 8.1.22 | postgresql-8.4 (Ubuntu) | High | Fix Released
655293 | New security/bug fix releases: 8.4.5, 8.3.12, 8.1.22 | postgresql-8.4 (Ubuntu Karmic) | Undecided | Fix Released
655293 | New security/bug fix releases: 8.4.5, 8.3.12, 8.1.22 | postgresql-8.4 (Ubuntu Lucid) | High | Fix Released
655293 | New security/bug fix releases: 8.4.5, 8.3.12, 8.1.22 | postgresql-8.4 (Ubuntu Maverick) | High | Fix Released
655293 | New security/bug fix releases: 8.4.5, 8.3.12, 8.1.22 | postgresql-8.4 (Ubuntu Dapper) | Undecided | Invalid
655293 | New security/bug fix releases: 8.4.5, 8.3.12, 8.1.22 | postgresql-8.4 (Ubuntu Hardy) | Undecided | Invalid
655293 | New security/bug fix releases: 8.4.5, 8.3.12, 8.1.22 | postgresql-8.4 (Ubuntu Jaunty) | Undecided | Invalid
655293 | New security/bug fix releases: 8.4.5, 8.3.12, 8.1.22 | postgresql-8.3 (Ubuntu) | Undecided | Invalid
655293 | New security/bug fix releases: 8.4.5, 8.3.12, 8.1.22 | postgresql-8.3 (Ubuntu Dapper) | Undecided | Invalid
655293 | New security/bug fix releases: 8.4.5, 8.3.12, 8.1.22 | postgresql-8.3 (Ubuntu Hardy) | High | Fix Released
655293 | New security/bug fix releases: 8.4.5, 8.3.12, 8.1.22 | postgresql-8.3 (Ubuntu Jaunty) | High | Fix Released
655293 | New security/bug fix releases: 8.4.5, 8.3.12, 8.1.22 | postgresql-8.3 (Ubuntu Karmic) | Undecided | Invalid
655293 | New security/bug fix releases: 8.4.5, 8.3.12, 8.1.22 | postgresql-8.3 (Ubuntu Lucid) | Undecided | Invalid
655293 | New security/bug fix releases: 8.4.5, 8.3.12, 8.1.22 | postgresql-8.3 (Ubuntu Maverick) | Undecided | Invalid
655293 | New security/bug fix releases: 8.4.5, 8.3.12, 8.1.22 | postgresql-8.1 (Ubuntu) | Undecided | Invalid
655293 | New security/bug fix releases: 8.4.5, 8.3.12, 8.1.22 | postgresql-8.1 (Ubuntu Dapper) | High | Fix Released
655293 | New security/bug fix releases: 8.4.5, 8.3.12, 8.1.22 | postgresql-8.1 (Ubuntu Hardy) | Undecided | Invalid
655293 | New security/bug fix releases: 8.4.5, 8.3.12, 8.1.22 | postgresql-8.1 (Ubuntu Jaunty) | Undecided | Invalid
655293 | New security/bug fix releases: 8.4.5, 8.3.12, 8.1.22 | postgresql-8.1 (Ubuntu Karmic) | Undecided | Invalid
655293 | New security/bug fix releases: 8.4.5, 8.3.12, 8.1.22 | postgresql-8.1 (Ubuntu Lucid) | Undecided | Invalid
655293 | New security/bug fix releases: 8.4.5, 8.3.12, 8.1.22 | postgresql-8.1 (Ubuntu Maverick) | Undecided | Invalid
See the CVE page on Mitre.org for more details.