The Postgresql team announced earlier today the release of patches for its popular open source database. The description of the vulnerability sounds quite scary. An attacker may cause corruption to the database, or if the attacker is able to log in, the attacker may then escalate privileges and in some cases execute arbitrary code.

The vulnerability is triggered by connecting to the database and specifying a database name that starts with a "-". This database does not have to exist for the vulnerability to be triggered. The database name starting with a "-" is then parsed as a command line argument and can be used to corrupt the database. 

There was some controversy about how the bug was handled by the postgresql team. But overall, they appear to have done a good job in patching this quickly. For the last few days, the postgresql source code repository was not viewable to prevent an early release of the vulnerability.

Of course, nobody should allow direct connections to the database from the Internet, but this bug may be exploitable after for example compromising a web server with a postgresql backend (a simple SQL injection is probably not enough, but other exploits that modify the database connect string could be used).

So in short: patch 

References:

http://seclists.org/bugtraq/2013/Apr/26
http://www.postgresql.org/support/security/faq/2013-04-04/

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter