git.ipfire.org Git - thirdparty/postgresql.git/commit
Replace last PushOverrideSearchPath() call with set_config_option().
author Noah Misch <noah@leadboat.com>
Mon, 8 May 2023 13:14:07 +0000 (06:14 -0700)
committer Noah Misch <noah@leadboat.com>
Mon, 8 May 2023 13:14:11 +0000 (06:14 -0700)
commit dbd5795e7539ec9e15c0d4ed2d05b1b18d2a3b09
tree a3e3c6e7fd55be595f0234b2546c468e6bb4242c
parent 8229bfe91def5878b498996ab24b62950edd9e40
Replace last PushOverrideSearchPath() call with set_config_option().

The two methods don't cooperate, so set_config_option("search_path",
...) has been ineffective under non-empty overrideStack.  This defect
enabled an attacker having database-level CREATE privilege to execute
arbitrary code as the bootstrap superuser.  While that particular attack
requires v13+ for the trusted extension attribute, other attacks are
feasible in all supported versions.

Standardize on the combination of NewGUCNestLevel() and
set_config_option("search_path", ...).  It is newer than
PushOverrideSearchPath(), more-prevalent, and has no known
disadvantages.  The "override" mechanism remains for now, for
compatibility with out-of-tree code.  Users should update such code,
which likely suffers from the same sort of vulnerability closed here.
Back-patch to v11 (all supported versions).

Alexander Lakhin.  Reported by Alexander Lakhin.

Security: CVE-2023-2454
contrib/seg/Makefile
contrib/seg/expected/security.out [new file with mode: 0644]
contrib/seg/sql/security.sql [new file with mode: 0644]
src/backend/catalog/namespace.c
src/backend/commands/schemacmds.c
src/test/regress/expected/namespace.out
src/test/regress/sql/namespace.sql
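
The precedence problem the commit message describes, shown as a simplified stand-alone C model. This is an added example, not PostgreSQL source or code from this commit; every function name and path string in it is hypothetical. It assumes, per the message, that a non-empty override stack takes precedence over the search_path GUC value.

```c
/* Simplified model of the two search_path mechanisms. Added example, NOT
 * PostgreSQL source: every identifier and path value here is hypothetical. */
#include <stdio.h>
#include <string.h>
#define MAX_DEPTH 8
static const char *guc_path = "public";       /* models the search_path GUC */
static const char *guc_saved[MAX_DEPTH];      /* values saved per GUC nest level */
static const char *override_stack[MAX_DEPTH]; /* models overrideStack */
static int guc_nest = 0, override_depth = 0;

static void push_override(const char *p) { override_stack[override_depth++] = p; }
static void pop_override(void) { override_depth--; }
static int new_nest_level(void) { guc_saved[guc_nest] = guc_path; return ++guc_nest; }
static void set_guc_path(const char *p) { guc_path = p; }
static void end_nest_level(int lvl) { guc_nest = lvl - 1; guc_path = guc_saved[guc_nest]; }

/* Assumption taken from the commit message: while the override stack is
 * non-empty, its top entry wins and the GUC value is not consulted. */
static const char *active_path(void) {
    return override_depth > 0 ? override_stack[override_depth - 1] : guc_path;
}

/* Inner code pins a safe path via the GUC; returns the path actually in effect. */
static const char *inner_pinned_lookup(void) {
    int lvl = new_nest_level();
    set_guc_path("pg_catalog, pg_temp");
    const char *seen = active_path();
    end_nest_level(lvl);               /* restore the caller's GUC value */
    return seen;
}

/* Before: the outer caller uses the override stack, so the inner pin is ignored. */
const char *outer_with_override(void) {
    push_override("new_schema, public");
    const char *seen = inner_pinned_lookup();
    pop_override();
    return seen;
}

/* After: the outer caller also uses a GUC nest level, so the inner pin applies. */
const char *outer_with_guc(void) {
    int lvl = new_nest_level();
    set_guc_path("new_schema, public");
    const char *seen = inner_pinned_lookup();
    end_nest_level(lvl);
    return seen;
}
int main(void) {
    printf("override outer: %s\nGUC outer: %s\n", outer_with_override(), outer_with_guc());
}
```

Out-of-tree code that still pushes an override has the shape of `outer_with_override` in this model, which is why the message asks users to update it.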