Compare commits
No commits in common. "a8-stream-10" and "c8-stream-10" have entirely different histories.
a8-stream-
...
c8-stream-
@ -1,87 +0,0 @@
|
|||||||
From 2699fc035a75d0774c1f013e9320882287f78adb Mon Sep 17 00:00:00 2001
|
|
||||||
From: Heikki Linnakangas <heikki.linnakangas@iki.fi>
|
|
||||||
Date: Mon, 5 Feb 2024 11:01:23 +0200
|
|
||||||
Subject: [PATCH] Run REFRESH MATERIALIZED VIEW CONCURRENTLY in right security
|
|
||||||
context
|
|
||||||
|
|
||||||
The internal commands in REFRESH MATERIALIZED VIEW CONCURRENTLY are
|
|
||||||
correctly executed in SECURITY_RESTRICTED_OPERATION mode, except for
|
|
||||||
creating the temporary "diff" table, because you cannot create
|
|
||||||
temporary tables in SRO mode. But creating the temporary "diff" table
|
|
||||||
is a pretty complex CTAS command that selects from another temporary
|
|
||||||
table created earlier in the command. If you can cajole that CTAS
|
|
||||||
command to execute code defined by the table owner, the table owner
|
|
||||||
can run code with the privileges of the user running the REFRESH
|
|
||||||
command.
|
|
||||||
|
|
||||||
The proof-of-concept reported to the security team relied on CREATE
|
|
||||||
RULE to convert the internally-built temp table to a view. That's not
|
|
||||||
possible since commit b23cd185fd, and I was not able to find a
|
|
||||||
different way to turn the SELECT on the temp table into code
|
|
||||||
execution, so as far as I know this is only exploitable in v15 and
|
|
||||||
below. That's a fiddly assumption though, so apply this patch to
|
|
||||||
master and all stable versions.
|
|
||||||
|
|
||||||
Thanks to Pedro Gallegos for the report.
|
|
||||||
|
|
||||||
Security: CVE-2023-5869
|
|
||||||
Reviewed-by: Noah Misch
|
|
||||||
---
|
|
||||||
src/backend/commands/matview.c | 33 ++++++++++++++++++++++++++-------
|
|
||||||
1 file changed, 26 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/backend/commands/matview.c b/src/backend/commands/matview.c
|
|
||||||
index e485661fa1..e87bdac285 100644
|
|
||||||
--- a/src/backend/commands/matview.c
|
|
||||||
+++ b/src/backend/commands/matview.c
|
|
||||||
@@ -646,14 +646,35 @@
|
|
||||||
errdetail("Row: %s",
|
|
||||||
SPI_getvalue(SPI_tuptable->vals[0], SPI_tuptable->tupdesc, 1))));
|
|
||||||
}
|
|
||||||
-
|
|
||||||
+ /*
|
|
||||||
+ * Create the temporary "diff" table.
|
|
||||||
+ *
|
|
||||||
+ * Temporarily switch out of the SECURITY_RESTRICTED_OPERATION context,
|
|
||||||
+ * because you cannot create temp tables in SRO context. For extra
|
|
||||||
+ * paranoia, add the composite type column only after switching back to
|
|
||||||
+ * SRO context.
|
|
||||||
+ */
|
|
||||||
SetUserIdAndSecContext(relowner,
|
|
||||||
save_sec_context | SECURITY_LOCAL_USERID_CHANGE);
|
|
||||||
+ resetStringInfo(&querybuf);
|
|
||||||
+ appendStringInfo(&querybuf,
|
|
||||||
+ "CREATE TEMP TABLE %s (tid pg_catalog.tid)",
|
|
||||||
+ diffname);
|
|
||||||
+ if (SPI_exec(querybuf.data, 0) != SPI_OK_UTILITY)
|
|
||||||
+ elog(ERROR, "SPI_exec failed: %s", querybuf.data);
|
|
||||||
+ SetUserIdAndSecContext(relowner,
|
|
||||||
+ save_sec_context | SECURITY_RESTRICTED_OPERATION);
|
|
||||||
+ resetStringInfo(&querybuf);
|
|
||||||
+ appendStringInfo(&querybuf,
|
|
||||||
+ "ALTER TABLE %s ADD COLUMN newdata %s",
|
|
||||||
+ diffname, tempname);
|
|
||||||
+ if (SPI_exec(querybuf.data, 0) != SPI_OK_UTILITY)
|
|
||||||
+ elog(ERROR, "SPI_exec failed: %s", querybuf.data);
|
|
||||||
|
|
||||||
/* Start building the query for creating the diff table. */
|
|
||||||
resetStringInfo(&querybuf);
|
|
||||||
appendStringInfo(&querybuf,
|
|
||||||
- "CREATE TEMP TABLE %s AS "
|
|
||||||
+ "INSERT INTO %s "
|
|
||||||
"SELECT mv.ctid AS tid, newdata.*::%s AS newdata "
|
|
||||||
"FROM %s mv FULL JOIN %s newdata ON (",
|
|
||||||
diffname, tempname, matviewname, tempname);
|
|
||||||
@@ -783,11 +804,9 @@
|
|
||||||
"ORDER BY tid");
|
|
||||||
|
|
||||||
/* Create the temporary "diff" table. */
|
|
||||||
- if (SPI_exec(querybuf.data, 0) != SPI_OK_UTILITY)
|
|
||||||
+ if (SPI_exec(querybuf.data, 0) != SPI_OK_INSERT)
|
|
||||||
elog(ERROR, "SPI_exec failed: %s", querybuf.data);
|
|
||||||
|
|
||||||
- SetUserIdAndSecContext(relowner,
|
|
||||||
- save_sec_context | SECURITY_RESTRICTED_OPERATION);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* We have no further use for data from the "full-data" temp table, but we
|
|
@ -59,7 +59,7 @@ Summary: PostgreSQL client programs
|
|||||||
Name: postgresql
|
Name: postgresql
|
||||||
%global majorversion 10
|
%global majorversion 10
|
||||||
Version: %{majorversion}.23
|
Version: %{majorversion}.23
|
||||||
Release: 4%{?dist}.alma.1
|
Release: 3%{?dist}
|
||||||
|
|
||||||
# The PostgreSQL license is very similar to other MIT licenses, but the OSI
|
# The PostgreSQL license is very similar to other MIT licenses, but the OSI
|
||||||
# recognizes it as an independent license, so we do as well.
|
# recognizes it as an independent license, so we do as well.
|
||||||
@ -111,9 +111,6 @@ Patch10: postgresql-10.15-contrib-dblink-expected-out.patch
|
|||||||
Patch11: postgresql-10.23-CVE-2023-2454.patch
|
Patch11: postgresql-10.23-CVE-2023-2454.patch
|
||||||
Patch12: postgresql-10.23-CVE-2023-2455.patch
|
Patch12: postgresql-10.23-CVE-2023-2455.patch
|
||||||
Patch13: postgresql-10.23-CVE-2023-5869.patch
|
Patch13: postgresql-10.23-CVE-2023-5869.patch
|
||||||
# Patches were taken from:
|
|
||||||
# https://git.postgresql.org/gitweb/?p=postgresql.git;a=patch;h=2699fc035a75d0774c1f013e9320882287f78adb
|
|
||||||
Patch14: CVE-2023-5869.patch
|
|
||||||
|
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: perl(ExtUtils::MakeMaker) glibc-devel bison flex gawk
|
BuildRequires: perl(ExtUtils::MakeMaker) glibc-devel bison flex gawk
|
||||||
@ -376,7 +373,6 @@ benchmarks.
|
|||||||
%patch11 -p1
|
%patch11 -p1
|
||||||
%patch12 -p1
|
%patch12 -p1
|
||||||
%patch13 -p1
|
%patch13 -p1
|
||||||
%patch14 -p1
|
|
||||||
|
|
||||||
# We used to run autoconf here, but there's no longer any real need to,
|
# We used to run autoconf here, but there's no longer any real need to,
|
||||||
# since Postgres ships with a reasonably modern configure script.
|
# since Postgres ships with a reasonably modern configure script.
|
||||||
@ -1181,10 +1177,6 @@ make -C postgresql-setup-%{setup_version} check
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Mon Feb 26 2024 Eduard Abdullin <eabdullin@almalinux.org> - 10.23-4.alma.1
|
|
||||||
- Run REFRESH MATERIALIZED VIEW CONCURRENTLY in right security
|
|
||||||
context
|
|
||||||
|
|
||||||
* Mon Dec 18 2023 Lubos Kloucek <lubos.kloucek@oracle.com> - 10.23-3
|
* Mon Dec 18 2023 Lubos Kloucek <lubos.kloucek@oracle.com> - 10.23-3
|
||||||
- Resolves: CVE-2023-5869
|
- Resolves: CVE-2023-5869
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user