From: Alvaro Herrera Date: Mon, 10 Feb 2020 14:47:09 +0000 (-0300) Subject: Fix priv checks for ALTER DEPENDS ON EXTENSION X-Git-Tag: REL_13_BETA1~741 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b048f558dd7c26a0c630a2cff29d3d8981eaf6b9;p=thirdparty%2Fpostgresql.git Fix priv checks for ALTER DEPENDS ON EXTENSION Marking an object as dependant on an extension did not have any privilege check whatsoever; this allowed any user to mark objects as droppable by anyone able to DROP EXTENSION, which could be used to cause system-wide havoc. Disallow by checking that the calling user owns the mentioned object. (No constraints are placed on the extension.) Security: CVE-2020-1720 Reported-by: Tom Lane Discussion: 31605.1566429043@sss.pgh.pa.us --- diff --git a/src/backend/commands/alter.c b/src/backend/commands/alter.c index fca85ba2c17..1cb84182b05 100644 --- a/src/backend/commands/alter.c +++ b/src/backend/commands/alter.c @@ -438,6 +438,17 @@ ExecAlterObjectDependsStmt(AlterObjectDependsStmt *stmt, ObjectAddress *refAddre get_object_address_rv(stmt->objectType, stmt->relation, (List *) stmt->object, &rel, AccessExclusiveLock, false); + /* + * Verify that the user is entitled to run the command. + * + * We don't check any privileges on the extension, because that's not + * needed. The object owner is stipulating, by running this command, that + * the extension owner can drop the object whenever they feel like it, + * which is not considered a problem. + */ + check_object_ownership(GetUserId(), + stmt->objectType, address, stmt->object, rel); + /* * If a relation was involved, it would have been opened and locked. We * don't need the relation here, but we'll retain the lock until commit.