]> git.ipfire.org Git - thirdparty/postgresql.git/commit
projects / thirdparty / postgresql.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: d7d9dc1) | patch
In security-restricted operations, block enqueue of at-commit user code.
authorNoah Misch <noah@leadboat.com>
Mon, 9 Nov 2020 15:32:09 +0000 (07:32 -0800)
committerNoah Misch <noah@leadboat.com>
Mon, 9 Nov 2020 15:32:13 +0000 (07:32 -0800)
commitf97ecea1ed7b09c6f1398540a1d72a57eee70c9f
tree43eaaa756106d8e2c43b3720de80a3012eb4f511tree
parentd7d9dc144075c8d4b37c38397709d178db14d0c0commit | diff
In security-restricted operations, block enqueue of at-commit user code.

Specifically, this blocks DECLARE ... WITH HOLD and firing of deferred
triggers within index expressions and materialized view queries.  An
attacker having permission to create non-temp objects in at least one
schema could execute arbitrary SQL functions under the identity of the
bootstrap superuser.  One can work around the vulnerability by disabling
autovacuum and not manually running ANALYZE, CLUSTER, REINDEX, CREATE
INDEX, VACUUM FULL, or REFRESH MATERIALIZED VIEW.  (Don't restore from
pg_dump, since it runs some of those commands.)  Plain VACUUM (without
FULL) is safe, and all commands are fine when a trusted user owns the
target object.  Performance may degrade quickly under this workaround,
however.  Back-patch to 9.5 (all supported versions).

Reviewed by Robert Haas.  Reported by Etienne Stalmans.

Security: CVE-2020-25695
contrib/postgres_fdw/connection.c diff | blob | blame | history
src/backend/access/transam/xact.c diff | blob | blame | history
src/backend/commands/portalcmds.c diff | blob | blame | history
src/backend/commands/trigger.c diff | blob | blame | history
src/test/regress/expected/privileges.out diff | blob | blame | history
src/test/regress/sql/privileges.sql diff | blob | blame | history
Mirror of https://git.postgresql.org/git/postgresql.git