From 2864bfcceb1138bb9bc98ee27645be57c27d7491 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Mon, 26 Feb 2024 10:14:40 +0300 Subject: [PATCH] - Run REFRESH MATERIALIZED VIEW CONCURRENTLY in right security context --- SOURCES/CVE-2023-5869.patch | 87 +++++++++++++++++++++++++++++++++++++ SPECS/postgresql.spec | 10 ++++- 2 files changed, 96 insertions(+), 1 deletion(-) create mode 100644 SOURCES/CVE-2023-5869.patch diff --git a/SOURCES/CVE-2023-5869.patch b/SOURCES/CVE-2023-5869.patch new file mode 100644 index 0000000..d07ea5f --- /dev/null +++ b/SOURCES/CVE-2023-5869.patch @@ -0,0 +1,87 @@ +From 2699fc035a75d0774c1f013e9320882287f78adb Mon Sep 17 00:00:00 2001 +From: Heikki Linnakangas +Date: Mon, 5 Feb 2024 11:01:23 +0200 +Subject: [PATCH] Run REFRESH MATERIALIZED VIEW CONCURRENTLY in right security + context + +The internal commands in REFRESH MATERIALIZED VIEW CONCURRENTLY are +correctly executed in SECURITY_RESTRICTED_OPERATION mode, except for +creating the temporary "diff" table, because you cannot create +temporary tables in SRO mode. But creating the temporary "diff" table +is a pretty complex CTAS command that selects from another temporary +table created earlier in the command. If you can cajole that CTAS +command to execute code defined by the table owner, the table owner +can run code with the privileges of the user running the REFRESH +command. + +The proof-of-concept reported to the security team relied on CREATE +RULE to convert the internally-built temp table to a view. That's not +possible since commit b23cd185fd, and I was not able to find a +different way to turn the SELECT on the temp table into code +execution, so as far as I know this is only exploitable in v15 and +below. That's a fiddly assumption though, so apply this patch to +master and all stable versions. + +Thanks to Pedro Gallegos for the report. + +Security: CVE-2023-5869 +Reviewed-by: Noah Misch +--- + src/backend/commands/matview.c | 33 ++++++++++++++++++++++++++------- + 1 file changed, 26 insertions(+), 7 deletions(-) + +diff --git a/src/backend/commands/matview.c b/src/backend/commands/matview.c +index e485661fa1..e87bdac285 100644 +--- a/src/backend/commands/matview.c ++++ b/src/backend/commands/matview.c +@@ -646,14 +646,35 @@ + errdetail("Row: %s", + SPI_getvalue(SPI_tuptable->vals[0], SPI_tuptable->tupdesc, 1)))); + } +- ++ /* ++ * Create the temporary "diff" table. ++ * ++ * Temporarily switch out of the SECURITY_RESTRICTED_OPERATION context, ++ * because you cannot create temp tables in SRO context. For extra ++ * paranoia, add the composite type column only after switching back to ++ * SRO context. ++ */ + SetUserIdAndSecContext(relowner, + save_sec_context | SECURITY_LOCAL_USERID_CHANGE); ++ resetStringInfo(&querybuf); ++ appendStringInfo(&querybuf, ++ "CREATE TEMP TABLE %s (tid pg_catalog.tid)", ++ diffname); ++ if (SPI_exec(querybuf.data, 0) != SPI_OK_UTILITY) ++ elog(ERROR, "SPI_exec failed: %s", querybuf.data); ++ SetUserIdAndSecContext(relowner, ++ save_sec_context | SECURITY_RESTRICTED_OPERATION); ++ resetStringInfo(&querybuf); ++ appendStringInfo(&querybuf, ++ "ALTER TABLE %s ADD COLUMN newdata %s", ++ diffname, tempname); ++ if (SPI_exec(querybuf.data, 0) != SPI_OK_UTILITY) ++ elog(ERROR, "SPI_exec failed: %s", querybuf.data); + + /* Start building the query for creating the diff table. */ + resetStringInfo(&querybuf); + appendStringInfo(&querybuf, +- "CREATE TEMP TABLE %s AS " ++ "INSERT INTO %s " + "SELECT mv.ctid AS tid, newdata.*::%s AS newdata " + "FROM %s mv FULL JOIN %s newdata ON (", + diffname, tempname, matviewname, tempname); +@@ -783,11 +804,9 @@ + "ORDER BY tid"); + + /* Create the temporary "diff" table. */ +- if (SPI_exec(querybuf.data, 0) != SPI_OK_UTILITY) ++ if (SPI_exec(querybuf.data, 0) != SPI_OK_INSERT) + elog(ERROR, "SPI_exec failed: %s", querybuf.data); + +- SetUserIdAndSecContext(relowner, +- save_sec_context | SECURITY_RESTRICTED_OPERATION); + + /* + * We have no further use for data from the "full-data" temp table, but we diff --git a/SPECS/postgresql.spec b/SPECS/postgresql.spec index b8eb540..4dda928 100644 --- a/SPECS/postgresql.spec +++ b/SPECS/postgresql.spec @@ -59,7 +59,7 @@ Summary: PostgreSQL client programs Name: postgresql %global majorversion 10 Version: %{majorversion}.23 -Release: 3%{?dist} +Release: 4%{?dist}.alma.1 # The PostgreSQL license is very similar to other MIT licenses, but the OSI # recognizes it as an independent license, so we do as well. @@ -111,6 +111,9 @@ Patch10: postgresql-10.15-contrib-dblink-expected-out.patch Patch11: postgresql-10.23-CVE-2023-2454.patch Patch12: postgresql-10.23-CVE-2023-2455.patch Patch13: postgresql-10.23-CVE-2023-5869.patch +# Patches were taken from: +# https://git.postgresql.org/gitweb/?p=postgresql.git;a=patch;h=2699fc035a75d0774c1f013e9320882287f78adb +Patch14: CVE-2023-5869.patch BuildRequires: gcc BuildRequires: perl(ExtUtils::MakeMaker) glibc-devel bison flex gawk @@ -373,6 +376,7 @@ benchmarks. %patch11 -p1 %patch12 -p1 %patch13 -p1 +%patch14 -p1 # We used to run autoconf here, but there's no longer any real need to, # since Postgres ships with a reasonably modern configure script. @@ -1177,6 +1181,10 @@ make -C postgresql-setup-%{setup_version} check %changelog +* Mon Feb 26 2024 Eduard Abdullin - 10.23-4.alma.1 +- Run REFRESH MATERIALIZED VIEW CONCURRENTLY in right security + context + * Mon Dec 18 2023 Lubos Kloucek - 10.23-3 - Resolves: CVE-2023-5869