From 33b2c2cbf2eeb91acce749c7d9bcf2615719c219 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dominik=20Reh=C3=A1k?= Date: Wed, 19 Jul 2023 15:35:08 +0100 Subject: [PATCH] fixup! Backport fixes for CVE-2023-2454 and CVE-2023-2455 Remove security test for CVE-2023-2454 The test uses syntax for CREATE TABLE which is not yet allowed in PostgreSQL 10 and it would be hard to backport such syntax. There is still one regression test that verifies whether CVE-2023-2454 is fixed. --- postgresql-10.23-CVE-2023-2454.patch | 89 ---------------------------- 1 file changed, 89 deletions(-) diff --git a/postgresql-10.23-CVE-2023-2454.patch b/postgresql-10.23-CVE-2023-2454.patch index cdc46b4..736790a 100644 --- a/postgresql-10.23-CVE-2023-2454.patch +++ b/postgresql-10.23-CVE-2023-2454.patch @@ -35,95 +35,6 @@ Security: CVE-2023-2454 create mode 100644 contrib/seg/expected/security.out create mode 100644 contrib/seg/sql/security.sql -diff --git a/contrib/seg/Makefile b/contrib/seg/Makefile -index c6c134b8f1..a1e49bf051 100644 ---- a/contrib/seg/Makefile -+++ b/contrib/seg/Makefile -@@ -14,7 +14,7 @@ PGFILEDESC = "seg - line segment data type" - DATA = seg--1.1.sql seg--1.0--1.1.sql seg--unpackaged--1.0.sql - PGFILEDESC = "seg - line segment data type" - --REGRESS = seg -+REGRESS = security seg - - EXTRA_CLEAN = y.tab.c y.tab.h - -diff --git a/contrib/seg/expected/security.out b/contrib/seg/expected/security.out -new file mode 100644 -index 0000000000..b47598d039 ---- /dev/null -+++ b/contrib/seg/expected/security.out -@@ -0,0 +1,32 @@ -+-- -+-- Test extension script protection against search path overriding -+-- -+CREATE ROLE regress_seg_role; -+SELECT current_database() AS datname \gset -+GRANT CREATE ON DATABASE :"datname" TO regress_seg_role; -+SET ROLE regress_seg_role; -+CREATE SCHEMA regress_seg_schema; -+CREATE FUNCTION regress_seg_schema.exfun(i int) RETURNS int AS $$ -+BEGIN -+ CREATE EXTENSION seg VERSION '1.2'; -+ -+ CREATE FUNCTION regress_seg_schema.compare(oid, regclass) RETURNS boolean AS -+ 'BEGIN RAISE EXCEPTION ''overloaded compare() called by %'', current_user; END;' LANGUAGE plpgsql; -+ -+ CREATE OPERATOR = (LEFTARG = oid, RIGHTARG = regclass, PROCEDURE = regress_seg_schema.compare); -+ -+ ALTER EXTENSION seg UPDATE TO '1.3'; -+ -+ RETURN i; -+END; $$ LANGUAGE plpgsql; -+CREATE SCHEMA test_schema -+CREATE TABLE t(i int) PARTITION BY RANGE (i) -+CREATE TABLE p1 PARTITION OF t FOR VALUES FROM (1) TO (regress_seg_schema.exfun(2)); -+DROP SCHEMA test_schema CASCADE; -+NOTICE: drop cascades to 3 other objects -+DETAIL: drop cascades to table test_schema.t -+drop cascades to extension seg -+drop cascades to operator test_schema.=(oid,regclass) -+RESET ROLE; -+DROP OWNED BY regress_seg_role; -+DROP ROLE regress_seg_role; -diff --git a/contrib/seg/sql/security.sql b/contrib/seg/sql/security.sql -new file mode 100644 -index 0000000000..7dfbbaa304 ---- /dev/null -+++ b/contrib/seg/sql/security.sql -@@ -0,0 +1,32 @@ -+-- -+-- Test extension script protection against search path overriding -+-- -+ -+CREATE ROLE regress_seg_role; -+SELECT current_database() AS datname \gset -+GRANT CREATE ON DATABASE :"datname" TO regress_seg_role; -+SET ROLE regress_seg_role; -+CREATE SCHEMA regress_seg_schema; -+ -+CREATE FUNCTION regress_seg_schema.exfun(i int) RETURNS int AS $$ -+BEGIN -+ CREATE EXTENSION seg VERSION '1.2'; -+ -+ CREATE FUNCTION regress_seg_schema.compare(oid, regclass) RETURNS boolean AS -+ 'BEGIN RAISE EXCEPTION ''overloaded compare() called by %'', current_user; END;' LANGUAGE plpgsql; -+ -+ CREATE OPERATOR = (LEFTARG = oid, RIGHTARG = regclass, PROCEDURE = regress_seg_schema.compare); -+ -+ ALTER EXTENSION seg UPDATE TO '1.3'; -+ -+ RETURN i; -+END; $$ LANGUAGE plpgsql; -+ -+CREATE SCHEMA test_schema -+CREATE TABLE t(i int) PARTITION BY RANGE (i) -+CREATE TABLE p1 PARTITION OF t FOR VALUES FROM (1) TO (regress_seg_schema.exfun(2)); -+ -+DROP SCHEMA test_schema CASCADE; -+RESET ROLE; -+DROP OWNED BY regress_seg_role; -+DROP ROLE regress_seg_role; diff --git a/src/backend/catalog/namespace.c b/src/backend/catalog/namespace.c index 14e57adee2..73ddb67882 100644 --- a/src/backend/catalog/namespace.c