Backport fixes for CVE-2023-2454 and CVE-2023-2455
Also updates postgresql-setup to 8.7, which fixes a problem during modular builds where modules dependent on this package fail to build due to a no longer valid rpm statement. See: https://github.com/devexp-db/postgresql-setup/pull/35. Resolves: #2207931
This commit is contained in:
parent
7ecbd3a0a1
commit
a92c0591c8
|
@ -1,21 +1,6 @@
|
||||||
/postgresql-10.14.tar.bz2
|
|
||||||
/postgresql-10.14.tar.bz2.sha256
|
|
||||||
/postgresql-9.2.24.tar.bz2
|
|
||||||
/postgresql-9.2.24.tar.bz2.sha256
|
|
||||||
/postgresql-setup-8.2.tar.gz
|
|
||||||
/postgresql-10.14-US.pdf
|
|
||||||
/postgresql-10.15.tar.bz2
|
|
||||||
/postgresql-10.15.tar.bz2.sha256
|
|
||||||
/postgresql-10.15-US.pdf
|
|
||||||
/postgresql-10.17.tar.bz2
|
|
||||||
/postgresql-10.17.tar.bz2.sha256
|
|
||||||
/postgresql-10.17-US.pdf
|
|
||||||
/postgresql-10.19.tar.bz2
|
|
||||||
/postgresql-10.19.tar.bz2.sha256
|
|
||||||
/postgresql-10.19-US.pdf
|
|
||||||
/postgresql-10.21.tar.bz2
|
|
||||||
/postgresql-10.21.tar.bz2.sha256
|
|
||||||
/postgresql-10.21-US.pdf
|
|
||||||
/postgresql-10.23.tar.bz2
|
/postgresql-10.23.tar.bz2
|
||||||
/postgresql-10.23.tar.bz2.sha256
|
/postgresql-10.23.tar.bz2.sha256
|
||||||
|
/postgresql-9.2.24.tar.bz2
|
||||||
|
/postgresql-9.2.24.tar.bz2.sha256
|
||||||
|
/postgresql-setup-8.7.tar.gz
|
||||||
/postgresql-10.23-US.pdf
|
/postgresql-10.23-US.pdf
|
||||||
|
|
|
@ -0,0 +1,338 @@
|
||||||
|
From 681d9e4621aac0a9c71364b6f54f00f6d8c4337f Mon Sep 17 00:00:00 2001
|
||||||
|
From 8d525d7b9545884a3e0d79adcd61543f9ae2ae28 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Noah Misch <noah@leadboat.com>
|
||||||
|
Date: Mon, 8 May 2023 06:14:07 -0700
|
||||||
|
Subject: Replace last PushOverrideSearchPath() call with
|
||||||
|
set_config_option().
|
||||||
|
|
||||||
|
The two methods don't cooperate, so set_config_option("search_path",
|
||||||
|
...) has been ineffective under non-empty overrideStack. This defect
|
||||||
|
enabled an attacker having database-level CREATE privilege to execute
|
||||||
|
arbitrary code as the bootstrap superuser. While that particular attack
|
||||||
|
requires v13+ for the trusted extension attribute, other attacks are
|
||||||
|
feasible in all supported versions.
|
||||||
|
|
||||||
|
Standardize on the combination of NewGUCNestLevel() and
|
||||||
|
set_config_option("search_path", ...). It is newer than
|
||||||
|
PushOverrideSearchPath(), more-prevalent, and has no known
|
||||||
|
disadvantages. The "override" mechanism remains for now, for
|
||||||
|
compatibility with out-of-tree code. Users should update such code,
|
||||||
|
which likely suffers from the same sort of vulnerability closed here.
|
||||||
|
Back-patch to v11 (all supported versions).
|
||||||
|
|
||||||
|
Alexander Lakhin. Reported by Alexander Lakhin.
|
||||||
|
|
||||||
|
Security: CVE-2023-2454
|
||||||
|
---
|
||||||
|
contrib/seg/Makefile | 2 +-
|
||||||
|
contrib/seg/expected/security.out | 32 ++++++++++++++++++
|
||||||
|
contrib/seg/sql/security.sql | 32 ++++++++++++++++++
|
||||||
|
src/backend/catalog/namespace.c | 4 +++
|
||||||
|
src/backend/commands/schemacmds.c | 37 ++++++++++++++------
|
||||||
|
src/test/regress/expected/namespace.out | 45 +++++++++++++++++++++++++
|
||||||
|
src/test/regress/sql/namespace.sql | 24 +++++++++++++
|
||||||
|
7 files changed, 165 insertions(+), 11 deletions(-)
|
||||||
|
create mode 100644 contrib/seg/expected/security.out
|
||||||
|
create mode 100644 contrib/seg/sql/security.sql
|
||||||
|
|
||||||
|
diff --git a/contrib/seg/Makefile b/contrib/seg/Makefile
|
||||||
|
index c6c134b8f1..a1e49bf051 100644
|
||||||
|
--- a/contrib/seg/Makefile
|
||||||
|
+++ b/contrib/seg/Makefile
|
||||||
|
@@ -14,7 +14,7 @@ PGFILEDESC = "seg - line segment data type"
|
||||||
|
DATA = seg--1.1.sql seg--1.0--1.1.sql seg--unpackaged--1.0.sql
|
||||||
|
PGFILEDESC = "seg - line segment data type"
|
||||||
|
|
||||||
|
-REGRESS = seg
|
||||||
|
+REGRESS = security seg
|
||||||
|
|
||||||
|
EXTRA_CLEAN = y.tab.c y.tab.h
|
||||||
|
|
||||||
|
diff --git a/contrib/seg/expected/security.out b/contrib/seg/expected/security.out
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000000..b47598d039
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/contrib/seg/expected/security.out
|
||||||
|
@@ -0,0 +1,32 @@
|
||||||
|
+--
|
||||||
|
+-- Test extension script protection against search path overriding
|
||||||
|
+--
|
||||||
|
+CREATE ROLE regress_seg_role;
|
||||||
|
+SELECT current_database() AS datname \gset
|
||||||
|
+GRANT CREATE ON DATABASE :"datname" TO regress_seg_role;
|
||||||
|
+SET ROLE regress_seg_role;
|
||||||
|
+CREATE SCHEMA regress_seg_schema;
|
||||||
|
+CREATE FUNCTION regress_seg_schema.exfun(i int) RETURNS int AS $$
|
||||||
|
+BEGIN
|
||||||
|
+ CREATE EXTENSION seg VERSION '1.2';
|
||||||
|
+
|
||||||
|
+ CREATE FUNCTION regress_seg_schema.compare(oid, regclass) RETURNS boolean AS
|
||||||
|
+ 'BEGIN RAISE EXCEPTION ''overloaded compare() called by %'', current_user; END;' LANGUAGE plpgsql;
|
||||||
|
+
|
||||||
|
+ CREATE OPERATOR = (LEFTARG = oid, RIGHTARG = regclass, PROCEDURE = regress_seg_schema.compare);
|
||||||
|
+
|
||||||
|
+ ALTER EXTENSION seg UPDATE TO '1.3';
|
||||||
|
+
|
||||||
|
+ RETURN i;
|
||||||
|
+END; $$ LANGUAGE plpgsql;
|
||||||
|
+CREATE SCHEMA test_schema
|
||||||
|
+CREATE TABLE t(i int) PARTITION BY RANGE (i)
|
||||||
|
+CREATE TABLE p1 PARTITION OF t FOR VALUES FROM (1) TO (regress_seg_schema.exfun(2));
|
||||||
|
+DROP SCHEMA test_schema CASCADE;
|
||||||
|
+NOTICE: drop cascades to 3 other objects
|
||||||
|
+DETAIL: drop cascades to table test_schema.t
|
||||||
|
+drop cascades to extension seg
|
||||||
|
+drop cascades to operator test_schema.=(oid,regclass)
|
||||||
|
+RESET ROLE;
|
||||||
|
+DROP OWNED BY regress_seg_role;
|
||||||
|
+DROP ROLE regress_seg_role;
|
||||||
|
diff --git a/contrib/seg/sql/security.sql b/contrib/seg/sql/security.sql
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000000..7dfbbaa304
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/contrib/seg/sql/security.sql
|
||||||
|
@@ -0,0 +1,32 @@
|
||||||
|
+--
|
||||||
|
+-- Test extension script protection against search path overriding
|
||||||
|
+--
|
||||||
|
+
|
||||||
|
+CREATE ROLE regress_seg_role;
|
||||||
|
+SELECT current_database() AS datname \gset
|
||||||
|
+GRANT CREATE ON DATABASE :"datname" TO regress_seg_role;
|
||||||
|
+SET ROLE regress_seg_role;
|
||||||
|
+CREATE SCHEMA regress_seg_schema;
|
||||||
|
+
|
||||||
|
+CREATE FUNCTION regress_seg_schema.exfun(i int) RETURNS int AS $$
|
||||||
|
+BEGIN
|
||||||
|
+ CREATE EXTENSION seg VERSION '1.2';
|
||||||
|
+
|
||||||
|
+ CREATE FUNCTION regress_seg_schema.compare(oid, regclass) RETURNS boolean AS
|
||||||
|
+ 'BEGIN RAISE EXCEPTION ''overloaded compare() called by %'', current_user; END;' LANGUAGE plpgsql;
|
||||||
|
+
|
||||||
|
+ CREATE OPERATOR = (LEFTARG = oid, RIGHTARG = regclass, PROCEDURE = regress_seg_schema.compare);
|
||||||
|
+
|
||||||
|
+ ALTER EXTENSION seg UPDATE TO '1.3';
|
||||||
|
+
|
||||||
|
+ RETURN i;
|
||||||
|
+END; $$ LANGUAGE plpgsql;
|
||||||
|
+
|
||||||
|
+CREATE SCHEMA test_schema
|
||||||
|
+CREATE TABLE t(i int) PARTITION BY RANGE (i)
|
||||||
|
+CREATE TABLE p1 PARTITION OF t FOR VALUES FROM (1) TO (regress_seg_schema.exfun(2));
|
||||||
|
+
|
||||||
|
+DROP SCHEMA test_schema CASCADE;
|
||||||
|
+RESET ROLE;
|
||||||
|
+DROP OWNED BY regress_seg_role;
|
||||||
|
+DROP ROLE regress_seg_role;
|
||||||
|
diff --git a/src/backend/catalog/namespace.c b/src/backend/catalog/namespace.c
|
||||||
|
index 14e57adee2..73ddb67882 100644
|
||||||
|
--- a/src/backend/catalog/namespace.c
|
||||||
|
+++ b/src/backend/catalog/namespace.c
|
||||||
|
@@ -3515,6 +3515,10 @@ OverrideSearchPathMatchesCurrent(OverrideSearchPath *path)
|
||||||
|
/*
|
||||||
|
* PushOverrideSearchPath - temporarily override the search path
|
||||||
|
*
|
||||||
|
+ * Do not use this function; almost any usage introduces a security
|
||||||
|
+ * vulnerability. It exists for the benefit of legacy code running in
|
||||||
|
+ * non-security-sensitive environments.
|
||||||
|
+ *
|
||||||
|
* We allow nested overrides, hence the push/pop terminology. The GUC
|
||||||
|
* search_path variable is ignored while an override is active.
|
||||||
|
*
|
||||||
|
diff --git a/src/backend/commands/schemacmds.c b/src/backend/commands/schemacmds.c
|
||||||
|
index 48590247f8..b6a71154a8 100644
|
||||||
|
--- a/src/backend/commands/schemacmds.c
|
||||||
|
+++ b/src/backend/commands/schemacmds.c
|
||||||
|
@@ -30,6 +30,7 @@
|
||||||
|
#include "commands/schemacmds.h"
|
||||||
|
#include "miscadmin.h"
|
||||||
|
#include "parser/parse_utilcmd.h"
|
||||||
|
+#include "parser/scansup.h"
|
||||||
|
#include "tcop/utility.h"
|
||||||
|
#include "utils/acl.h"
|
||||||
|
#include "utils/builtins.h"
|
||||||
|
@@ -53,14 +54,16 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString,
|
||||||
|
{
|
||||||
|
const char *schemaName = stmt->schemaname;
|
||||||
|
Oid namespaceId;
|
||||||
|
- OverrideSearchPath *overridePath;
|
||||||
|
List *parsetree_list;
|
||||||
|
ListCell *parsetree_item;
|
||||||
|
Oid owner_uid;
|
||||||
|
Oid saved_uid;
|
||||||
|
int save_sec_context;
|
||||||
|
+ int save_nestlevel;
|
||||||
|
+ char *nsp = namespace_search_path;
|
||||||
|
AclResult aclresult;
|
||||||
|
ObjectAddress address;
|
||||||
|
+ StringInfoData pathbuf;
|
||||||
|
|
||||||
|
GetUserIdAndSecContext(&saved_uid, &save_sec_context);
|
||||||
|
|
||||||
|
@@ -153,14 +156,26 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString,
|
||||||
|
CommandCounterIncrement();
|
||||||
|
|
||||||
|
/*
|
||||||
|
- * Temporarily make the new namespace be the front of the search path, as
|
||||||
|
- * well as the default creation target namespace. This will be undone at
|
||||||
|
- * the end of this routine, or upon error.
|
||||||
|
+ * Prepend the new schema to the current search path.
|
||||||
|
+ *
|
||||||
|
+ * We use the equivalent of a function SET option to allow the setting to
|
||||||
|
+ * persist for exactly the duration of the schema creation. guc.c also
|
||||||
|
+ * takes care of undoing the setting on error.
|
||||||
|
*/
|
||||||
|
- overridePath = GetOverrideSearchPath(CurrentMemoryContext);
|
||||||
|
- overridePath->schemas = lcons_oid(namespaceId, overridePath->schemas);
|
||||||
|
- /* XXX should we clear overridePath->useTemp? */
|
||||||
|
- PushOverrideSearchPath(overridePath);
|
||||||
|
+ save_nestlevel = NewGUCNestLevel();
|
||||||
|
+
|
||||||
|
+ initStringInfo(&pathbuf);
|
||||||
|
+ appendStringInfoString(&pathbuf, quote_identifier(schemaName));
|
||||||
|
+
|
||||||
|
+ while (scanner_isspace(*nsp))
|
||||||
|
+ nsp++;
|
||||||
|
+
|
||||||
|
+ if (*nsp != '\0')
|
||||||
|
+ appendStringInfo(&pathbuf, ", %s", nsp);
|
||||||
|
+
|
||||||
|
+ (void) set_config_option("search_path", pathbuf.data,
|
||||||
|
+ PGC_USERSET, PGC_S_SESSION,
|
||||||
|
+ GUC_ACTION_SAVE, true, 0, false);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Report the new schema to possibly interested event triggers. Note we
|
||||||
|
@@ -215,8 +230,10 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString,
|
||||||
|
CommandCounterIncrement();
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* Reset search path to normal state */
|
||||||
|
- PopOverrideSearchPath();
|
||||||
|
+ /*
|
||||||
|
+ * Restore the GUC variable search_path we set above.
|
||||||
|
+ */
|
||||||
|
+ AtEOXact_GUC(true, save_nestlevel);
|
||||||
|
|
||||||
|
/* Reset current user and security context */
|
||||||
|
SetUserIdAndSecContext(saved_uid, save_sec_context);
|
||||||
|
diff --git a/src/test/regress/expected/namespace.out b/src/test/regress/expected/namespace.out
|
||||||
|
index 2564d1b080..a62fd8ded0 100644
|
||||||
|
--- a/src/test/regress/expected/namespace.out
|
||||||
|
+++ b/src/test/regress/expected/namespace.out
|
||||||
|
@@ -1,6 +1,14 @@
|
||||||
|
--
|
||||||
|
-- Regression tests for schemas (namespaces)
|
||||||
|
--
|
||||||
|
+-- set the whitespace-only search_path to test that the
|
||||||
|
+-- GUC list syntax is preserved during a schema creation
|
||||||
|
+SELECT pg_catalog.set_config('search_path', ' ', false);
|
||||||
|
+ set_config
|
||||||
|
+------------
|
||||||
|
+
|
||||||
|
+(1 row)
|
||||||
|
+
|
||||||
|
CREATE SCHEMA test_schema_1
|
||||||
|
CREATE UNIQUE INDEX abc_a_idx ON abc (a)
|
||||||
|
CREATE VIEW abc_view AS
|
||||||
|
@@ -9,6 +17,43 @@ CREATE SCHEMA test_schema_1
|
||||||
|
a serial,
|
||||||
|
b int UNIQUE
|
||||||
|
);
|
||||||
|
+-- verify that the correct search_path restored on abort
|
||||||
|
+SET search_path to public;
|
||||||
|
+BEGIN;
|
||||||
|
+SET search_path to public, test_schema_1;
|
||||||
|
+CREATE SCHEMA test_schema_2
|
||||||
|
+ CREATE VIEW abc_view AS SELECT c FROM abc;
|
||||||
|
+ERROR: column "c" does not exist
|
||||||
|
+LINE 2: CREATE VIEW abc_view AS SELECT c FROM abc;
|
||||||
|
+ ^
|
||||||
|
+COMMIT;
|
||||||
|
+SHOW search_path;
|
||||||
|
+ search_path
|
||||||
|
+-------------
|
||||||
|
+ public
|
||||||
|
+(1 row)
|
||||||
|
+
|
||||||
|
+-- verify that the correct search_path preserved
|
||||||
|
+-- after creating the schema and on commit
|
||||||
|
+BEGIN;
|
||||||
|
+SET search_path to public, test_schema_1;
|
||||||
|
+CREATE SCHEMA test_schema_2
|
||||||
|
+ CREATE VIEW abc_view AS SELECT a FROM abc;
|
||||||
|
+SHOW search_path;
|
||||||
|
+ search_path
|
||||||
|
+-----------------------
|
||||||
|
+ public, test_schema_1
|
||||||
|
+(1 row)
|
||||||
|
+
|
||||||
|
+COMMIT;
|
||||||
|
+SHOW search_path;
|
||||||
|
+ search_path
|
||||||
|
+-----------------------
|
||||||
|
+ public, test_schema_1
|
||||||
|
+(1 row)
|
||||||
|
+
|
||||||
|
+DROP SCHEMA test_schema_2 CASCADE;
|
||||||
|
+NOTICE: drop cascades to view test_schema_2.abc_view
|
||||||
|
-- verify that the objects were created
|
||||||
|
SELECT COUNT(*) FROM pg_class WHERE relnamespace =
|
||||||
|
(SELECT oid FROM pg_namespace WHERE nspname = 'test_schema_1');
|
||||||
|
diff --git a/src/test/regress/sql/namespace.sql b/src/test/regress/sql/namespace.sql
|
||||||
|
index 6b12c96193..3474f5ecf4 100644
|
||||||
|
--- a/src/test/regress/sql/namespace.sql
|
||||||
|
+++ b/src/test/regress/sql/namespace.sql
|
||||||
|
@@ -2,6 +2,10 @@
|
||||||
|
-- Regression tests for schemas (namespaces)
|
||||||
|
--
|
||||||
|
|
||||||
|
+-- set the whitespace-only search_path to test that the
|
||||||
|
+-- GUC list syntax is preserved during a schema creation
|
||||||
|
+SELECT pg_catalog.set_config('search_path', ' ', false);
|
||||||
|
+
|
||||||
|
CREATE SCHEMA test_schema_1
|
||||||
|
CREATE UNIQUE INDEX abc_a_idx ON abc (a)
|
||||||
|
|
||||||
|
@@ -13,6 +17,26 @@ CREATE SCHEMA test_schema_1
|
||||||
|
b int UNIQUE
|
||||||
|
);
|
||||||
|
|
||||||
|
+-- verify that the correct search_path restored on abort
|
||||||
|
+SET search_path to public;
|
||||||
|
+BEGIN;
|
||||||
|
+SET search_path to public, test_schema_1;
|
||||||
|
+CREATE SCHEMA test_schema_2
|
||||||
|
+ CREATE VIEW abc_view AS SELECT c FROM abc;
|
||||||
|
+COMMIT;
|
||||||
|
+SHOW search_path;
|
||||||
|
+
|
||||||
|
+-- verify that the correct search_path preserved
|
||||||
|
+-- after creating the schema and on commit
|
||||||
|
+BEGIN;
|
||||||
|
+SET search_path to public, test_schema_1;
|
||||||
|
+CREATE SCHEMA test_schema_2
|
||||||
|
+ CREATE VIEW abc_view AS SELECT a FROM abc;
|
||||||
|
+SHOW search_path;
|
||||||
|
+COMMIT;
|
||||||
|
+SHOW search_path;
|
||||||
|
+DROP SCHEMA test_schema_2 CASCADE;
|
||||||
|
+
|
||||||
|
-- verify that the objects were created
|
||||||
|
SELECT COUNT(*) FROM pg_class WHERE relnamespace =
|
||||||
|
(SELECT oid FROM pg_namespace WHERE nspname = 'test_schema_1');
|
||||||
|
diff --git a/contrib/sepgsql/expected/ddl.out b/contrib/sepgsql/expected/ddl.out
|
||||||
|
index e8da587564..15d2b9c5e7 100644
|
||||||
|
--- a/contrib/sepgsql/expected/ddl.out
|
||||||
|
+++ b/contrib/sepgsql/expected/ddl.out
|
||||||
|
@@ -24,7 +24,6 @@ LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_reg
|
||||||
|
CREATE USER regress_sepgsql_test_user;
|
||||||
|
CREATE SCHEMA regtest_schema;
|
||||||
|
LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema"
|
||||||
|
-LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="public"
|
||||||
|
GRANT ALL ON SCHEMA regtest_schema TO regress_sepgsql_test_user;
|
||||||
|
SET search_path = regtest_schema, public;
|
||||||
|
CREATE TABLE regtest_table (x serial primary key, y text);
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
|
@ -0,0 +1,114 @@
|
||||||
|
From ca73753b090c33bc69ce299b4d7fff891a77b8ad Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tom Lane <tgl@sss.pgh.pa.us>
|
||||||
|
Date: Mon, 8 May 2023 10:12:44 -0400
|
||||||
|
Subject: Handle RLS dependencies in inlined set-returning
|
||||||
|
functions properly.
|
||||||
|
|
||||||
|
If an SRF in the FROM clause references a table having row-level
|
||||||
|
security policies, and we inline that SRF into the calling query,
|
||||||
|
we neglected to mark the plan as potentially dependent on which
|
||||||
|
role is executing it. This could lead to later executions in the
|
||||||
|
same session returning or hiding rows that should have been hidden
|
||||||
|
or returned instead.
|
||||||
|
|
||||||
|
Our thanks to Wolfgang Walther for reporting this problem.
|
||||||
|
|
||||||
|
Stephen Frost and Tom Lane
|
||||||
|
|
||||||
|
Security: CVE-2023-2455
|
||||||
|
---
|
||||||
|
src/backend/optimizer/util/clauses.c | 7 ++++++
|
||||||
|
src/test/regress/expected/rowsecurity.out | 27 +++++++++++++++++++++++
|
||||||
|
src/test/regress/sql/rowsecurity.sql | 20 +++++++++++++++++
|
||||||
|
3 files changed, 54 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/backend/optimizer/util/clauses.c b/src/backend/optimizer/util/clauses.c
|
||||||
|
index a9c7bc342e..11269fee3e 100644
|
||||||
|
--- a/src/backend/optimizer/util/clauses.c
|
||||||
|
+++ b/src/backend/optimizer/util/clauses.c
|
||||||
|
@@ -5205,6 +5205,13 @@ inline_set_returning_function(PlannerInfo *root, RangeTblEntry *rte)
|
||||||
|
*/
|
||||||
|
record_plan_function_dependency(root, func_oid);
|
||||||
|
|
||||||
|
+ /*
|
||||||
|
+ * We must also notice if the inserted query adds a dependency on the
|
||||||
|
+ * calling role due to RLS quals.
|
||||||
|
+ */
|
||||||
|
+ if (querytree->hasRowSecurity)
|
||||||
|
+ root->glob->dependsOnRole = true;
|
||||||
|
+
|
||||||
|
return querytree;
|
||||||
|
|
||||||
|
/* Here if func is not inlinable: release temp memory and return NULL */
|
||||||
|
diff --git a/src/test/regress/expected/rowsecurity.out b/src/test/regress/expected/rowsecurity.out
|
||||||
|
index 38f53ed486..e278346420 100644
|
||||||
|
--- a/src/test/regress/expected/rowsecurity.out
|
||||||
|
+++ b/src/test/regress/expected/rowsecurity.out
|
||||||
|
@@ -4427,6 +4427,33 @@ SELECT * FROM rls_tbl;
|
||||||
|
|
||||||
|
DROP TABLE rls_tbl;
|
||||||
|
RESET SESSION AUTHORIZATION;
|
||||||
|
+-- CVE-2023-2455: inlining an SRF may introduce an RLS dependency
|
||||||
|
+create table rls_t (c text);
|
||||||
|
+insert into rls_t values ('invisible to bob');
|
||||||
|
+alter table rls_t enable row level security;
|
||||||
|
+grant select on rls_t to regress_rls_alice, regress_rls_bob;
|
||||||
|
+create policy p1 on rls_t for select to regress_rls_alice using (true);
|
||||||
|
+create policy p2 on rls_t for select to regress_rls_bob using (false);
|
||||||
|
+create function rls_f () returns setof rls_t
|
||||||
|
+ stable language sql
|
||||||
|
+ as $$ select * from rls_t $$;
|
||||||
|
+prepare q as select current_user, * from rls_f();
|
||||||
|
+set role regress_rls_alice;
|
||||||
|
+execute q;
|
||||||
|
+ current_user | c
|
||||||
|
+-------------------+------------------
|
||||||
|
+ regress_rls_alice | invisible to bob
|
||||||
|
+(1 row)
|
||||||
|
+
|
||||||
|
+set role regress_rls_bob;
|
||||||
|
+execute q;
|
||||||
|
+ current_user | c
|
||||||
|
+--------------+---
|
||||||
|
+(0 rows)
|
||||||
|
+
|
||||||
|
+RESET ROLE;
|
||||||
|
+DROP FUNCTION rls_f();
|
||||||
|
+DROP TABLE rls_t;
|
||||||
|
--
|
||||||
|
-- Clean up objects
|
||||||
|
--
|
||||||
|
diff --git a/src/test/regress/sql/rowsecurity.sql b/src/test/regress/sql/rowsecurity.sql
|
||||||
|
index 0fd0cded7d..3d664538a6 100644
|
||||||
|
--- a/src/test/regress/sql/rowsecurity.sql
|
||||||
|
+++ b/src/test/regress/sql/rowsecurity.sql
|
||||||
|
@@ -2127,6 +2127,26 @@ SELECT * FROM rls_tbl;
|
||||||
|
DROP TABLE rls_tbl;
|
||||||
|
RESET SESSION AUTHORIZATION;
|
||||||
|
|
||||||
|
+-- CVE-2023-2455: inlining an SRF may introduce an RLS dependency
|
||||||
|
+create table rls_t (c text);
|
||||||
|
+insert into rls_t values ('invisible to bob');
|
||||||
|
+alter table rls_t enable row level security;
|
||||||
|
+grant select on rls_t to regress_rls_alice, regress_rls_bob;
|
||||||
|
+create policy p1 on rls_t for select to regress_rls_alice using (true);
|
||||||
|
+create policy p2 on rls_t for select to regress_rls_bob using (false);
|
||||||
|
+create function rls_f () returns setof rls_t
|
||||||
|
+ stable language sql
|
||||||
|
+ as $$ select * from rls_t $$;
|
||||||
|
+prepare q as select current_user, * from rls_f();
|
||||||
|
+set role regress_rls_alice;
|
||||||
|
+execute q;
|
||||||
|
+set role regress_rls_bob;
|
||||||
|
+execute q;
|
||||||
|
+
|
||||||
|
+RESET ROLE;
|
||||||
|
+DROP FUNCTION rls_f();
|
||||||
|
+DROP TABLE rls_t;
|
||||||
|
+
|
||||||
|
--
|
||||||
|
-- Clean up objects
|
||||||
|
--
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
|
@ -59,7 +59,7 @@ Summary: PostgreSQL client programs
|
||||||
Name: postgresql
|
Name: postgresql
|
||||||
%global majorversion 10
|
%global majorversion 10
|
||||||
Version: %{majorversion}.23
|
Version: %{majorversion}.23
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
|
|
||||||
# The PostgreSQL license is very similar to other MIT licenses, but the OSI
|
# The PostgreSQL license is very similar to other MIT licenses, but the OSI
|
||||||
# recognizes it as an independent license, so we do as well.
|
# recognizes it as an independent license, so we do as well.
|
||||||
|
@ -76,7 +76,7 @@ Url: http://www.postgresql.org/
|
||||||
%global prev_prefix %{_libdir}/pgsql/postgresql-%{prevmajorversion}
|
%global prev_prefix %{_libdir}/pgsql/postgresql-%{prevmajorversion}
|
||||||
%global precise_version %{?epoch:%epoch:}%version-%release
|
%global precise_version %{?epoch:%epoch:}%version-%release
|
||||||
|
|
||||||
%global setup_version 8.6
|
%global setup_version 8.7
|
||||||
|
|
||||||
%global service_name postgresql.service
|
%global service_name postgresql.service
|
||||||
Source0: https://ftp.postgresql.org/pub/source/v%{version}/postgresql-%{version}.tar.bz2
|
Source0: https://ftp.postgresql.org/pub/source/v%{version}/postgresql-%{version}.tar.bz2
|
||||||
|
@ -108,6 +108,8 @@ Patch6: postgresql-man.patch
|
||||||
Patch8: postgresql-no-libs.patch
|
Patch8: postgresql-no-libs.patch
|
||||||
Patch9: postgresql-server-pg_config.patch
|
Patch9: postgresql-server-pg_config.patch
|
||||||
Patch10: postgresql-10.15-contrib-dblink-expected-out.patch
|
Patch10: postgresql-10.15-contrib-dblink-expected-out.patch
|
||||||
|
Patch11: postgresql-10.23-CVE-2023-2454.patch
|
||||||
|
Patch12: postgresql-10.23-CVE-2023-2455.patch
|
||||||
|
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: perl(ExtUtils::MakeMaker) glibc-devel bison flex gawk
|
BuildRequires: perl(ExtUtils::MakeMaker) glibc-devel bison flex gawk
|
||||||
|
@ -367,6 +369,8 @@ benchmarks.
|
||||||
%patch8 -p1
|
%patch8 -p1
|
||||||
%patch9 -p1
|
%patch9 -p1
|
||||||
%patch10 -p1
|
%patch10 -p1
|
||||||
|
%patch11 -p1
|
||||||
|
%patch12 -p1
|
||||||
|
|
||||||
# We used to run autoconf here, but there's no longer any real need to,
|
# We used to run autoconf here, but there's no longer any real need to,
|
||||||
# since Postgres ships with a reasonably modern configure script.
|
# since Postgres ships with a reasonably modern configure script.
|
||||||
|
@ -1171,6 +1175,11 @@ make -C postgresql-setup-%{setup_version} check
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jul 19 2023 Dominik Rehák <drehak@redhat.com> - 10.23-2
|
||||||
|
- Backport fixes for CVE-2023-2454 and CVE-2023-2455
|
||||||
|
- Update postgresql-setup to 8.7 (https://github.com/devexp-db/postgresql-setup/pull/35)
|
||||||
|
- Resolves: #2207931
|
||||||
|
|
||||||
* Wed Nov 16 2022 Filip Januš <fjanus@redhat.com> - 10.23-1
|
* Wed Nov 16 2022 Filip Januš <fjanus@redhat.com> - 10.23-1
|
||||||
- Resolves: CVE-2022-2625
|
- Resolves: CVE-2022-2625
|
||||||
- Rebase to 10.23
|
- Rebase to 10.23
|
||||||
|
|
|
@ -2,5 +2,5 @@ SHA512 (postgresql-10.23.tar.bz2) = 9fd031cad0c3caacae105215167abd5dc4fdd15dea77
|
||||||
SHA512 (postgresql-10.23.tar.bz2.sha256) = 1b8f25bb914b9c87679ff688625889a96f2e0e836a9fd0f19dcdf4e74798d96980cb09cb485cff7069b9fe6b9d5c03e162eac9d0ecb205e8e3f0d83358f641d2
|
SHA512 (postgresql-10.23.tar.bz2.sha256) = 1b8f25bb914b9c87679ff688625889a96f2e0e836a9fd0f19dcdf4e74798d96980cb09cb485cff7069b9fe6b9d5c03e162eac9d0ecb205e8e3f0d83358f641d2
|
||||||
SHA512 (postgresql-9.2.24.tar.bz2) = a6f043e5ef5e12e23c1c43b26a5ecafce62f3a86f38b5b85e7cb0cb7aa376d40e460a526baf67ae40de40525e4744fb5e48650ee5e007db4ce9742fcf548bd56
|
SHA512 (postgresql-9.2.24.tar.bz2) = a6f043e5ef5e12e23c1c43b26a5ecafce62f3a86f38b5b85e7cb0cb7aa376d40e460a526baf67ae40de40525e4744fb5e48650ee5e007db4ce9742fcf548bd56
|
||||||
SHA512 (postgresql-9.2.24.tar.bz2.sha256) = 04e5ce7b8a4f8ef281cd3f59e18f41974356e92775c459de61383ba6254d84cb21a7d3a3506ec5416fc3e5090535d5961d9cc7cbe04591217aa9b9e142418170
|
SHA512 (postgresql-9.2.24.tar.bz2.sha256) = 04e5ce7b8a4f8ef281cd3f59e18f41974356e92775c459de61383ba6254d84cb21a7d3a3506ec5416fc3e5090535d5961d9cc7cbe04591217aa9b9e142418170
|
||||||
SHA512 (postgresql-setup-8.6.tar.gz) = dc687670cd58070512833271d8f3e7e4308c47cba1ad4c93e3d5f61acf07f390ed048f4d7f1567d2826f19a253562e13e56407dcf81a42f42c61ac96d8fe3178
|
SHA512 (postgresql-setup-8.7.tar.gz) = 741f036be517e7d9725e4f146ca7dac8b8a16b6a93d045a64ef268487f48faad6b08317b58e07ad16a31002d2a10de0ac32513a4935c3f22f48ec768a742d1fc
|
||||||
SHA512 (postgresql-10.23-US.pdf) = 561a7a0ebe539e7f4d7dff890fa14ac0d61e3e5a1a96b99304208208460d9d4d037e2d74766ae071ecbf3ecb22cee24b06b73226c4eafb5c5bb51896cbf441eb
|
SHA512 (postgresql-10.23-US.pdf) = 561a7a0ebe539e7f4d7dff890fa14ac0d61e3e5a1a96b99304208208460d9d4d037e2d74766ae071ecbf3ecb22cee24b06b73226c4eafb5c5bb51896cbf441eb
|
||||||
|
|
Loading…
Reference in New Issue