- Run REFRESH MATERIALIZED VIEW CONCURRENTLY in right security

context
2024-02-26 10:17:44 +03:00
2 changed files with 96 additions and 1 deletions
--- a/SOURCES/CVE-2023-5869.patch
+++ b/SOURCES/CVE-2023-5869.patch
@ -0,0 +1,87 @@
+From 2699fc035a75d0774c1f013e9320882287f78adb Mon Sep 17 00:00:00 2001
+From: Heikki Linnakangas <heikki.linnakangas@iki.fi>
+Date: Mon, 5 Feb 2024 11:01:23 +0200
+Subject: [PATCH] Run REFRESH MATERIALIZED VIEW CONCURRENTLY in right security
+ context
+
+The internal commands in REFRESH MATERIALIZED VIEW CONCURRENTLY are
+correctly executed in SECURITY_RESTRICTED_OPERATION mode, except for
+creating the temporary "diff" table, because you cannot create
+temporary tables in SRO mode. But creating the temporary "diff" table
+is a pretty complex CTAS command that selects from another temporary
+table created earlier in the command. If you can cajole that CTAS
+command to execute code defined by the table owner, the table owner
+can run code with the privileges of the user running the REFRESH
+command.
+
+The proof-of-concept reported to the security team relied on CREATE
+RULE to convert the internally-built temp table to a view. That's not
+possible since commit b23cd185fd, and I was not able to find a
+different way to turn the SELECT on the temp table into code
+execution, so as far as I know this is only exploitable in v15 and
+below. That's a fiddly assumption though, so apply this patch to
+master and all stable versions.
+
+Thanks to Pedro Gallegos for the report.
+
+Security: CVE-2023-5869
+Reviewed-by: Noah Misch
+---
+ src/backend/commands/matview.c | 33 ++++++++++++++++++++++++++-------
+ 1 file changed, 26 insertions(+), 7 deletions(-)
+
+diff --git a/src/backend/commands/matview.c b/src/backend/commands/matview.c
+index e485661fa1..e87bdac285 100644
+--- a/src/backend/commands/matview.c
+++ b/src/backend/commands/matview.c
+@@ -646,14 +646,35 @@
+ 				 errdetail("Row: %s",
+ 						   SPI_getvalue(SPI_tuptable->vals[0], SPI_tuptable->tupdesc, 1))));
+ 	}
+-
+	/*
+	 * Create the temporary "diff" table.
+	 *
+	 * Temporarily switch out of the SECURITY_RESTRICTED_OPERATION context,
+	 * because you cannot create temp tables in SRO context.  For extra
+	 * paranoia, add the composite type column only after switching back to
+	 * SRO context.
+	 */
+ 	SetUserIdAndSecContext(relowner,
+ 						   save_sec_context | SECURITY_LOCAL_USERID_CHANGE);
+	resetStringInfo(&querybuf);
+	appendStringInfo(&querybuf,
+					 "CREATE TEMP TABLE %s (tid pg_catalog.tid)",
+					 diffname);
+	if (SPI_exec(querybuf.data, 0) != SPI_OK_UTILITY)
+		elog(ERROR, "SPI_exec failed: %s", querybuf.data);
+	SetUserIdAndSecContext(relowner,
+						   save_sec_context | SECURITY_RESTRICTED_OPERATION);
+	resetStringInfo(&querybuf);
+	appendStringInfo(&querybuf,
+					 "ALTER TABLE %s ADD COLUMN newdata %s",
+					 diffname, tempname);
+	if (SPI_exec(querybuf.data, 0) != SPI_OK_UTILITY)
+		elog(ERROR, "SPI_exec failed: %s", querybuf.data);
+ 
+ 	/* Start building the query for creating the diff table. */
+ 	resetStringInfo(&querybuf);
+ 	appendStringInfo(&querybuf,
+-					 "CREATE TEMP TABLE %s AS "
+					 "INSERT INTO %s "
+ 					 "SELECT mv.ctid AS tid, newdata.*::%s AS newdata "
+ 					 "FROM %s mv FULL JOIN %s newdata ON (",
+ 					 diffname, tempname, matviewname, tempname);
+@@ -783,11 +804,9 @@
+ 						   "ORDER BY tid");
+ 
+ 	/* Create the temporary "diff" table. */
+-	if (SPI_exec(querybuf.data, 0) != SPI_OK_UTILITY)
+	if (SPI_exec(querybuf.data, 0) != SPI_OK_INSERT)
+ 		elog(ERROR, "SPI_exec failed: %s", querybuf.data);
+ 
+-	SetUserIdAndSecContext(relowner,
+-						   save_sec_context | SECURITY_RESTRICTED_OPERATION);
+ 
+ 	/*
+ 	 * We have no further use for data from the "full-data" temp table, but we
--- a/SPECS/postgresql.spec
+++ b/SPECS/postgresql.spec
@ -59,7 +59,7 @@ Summary: PostgreSQL client programs
 Name: postgresql
 %global majorversion 10
 Version: %{majorversion}.23
-Release: 3%{?dist}
+Release: 4%{?dist}.alma.1

 # The PostgreSQL license is very similar to other MIT licenses, but the OSI
 # recognizes it as an independent license, so we do as well.
@ -111,6 +111,9 @@ Patch10: postgresql-10.15-contrib-dblink-expected-out.patch
 Patch11: postgresql-10.23-CVE-2023-2454.patch
 Patch12: postgresql-10.23-CVE-2023-2455.patch
 Patch13: postgresql-10.23-CVE-2023-5869.patch
+# Patches were taken from:
+# https://git.postgresql.org/gitweb/?p=postgresql.git;a=patch;h=2699fc035a75d0774c1f013e9320882287f78adb
+Patch14: CVE-2023-5869.patch

 BuildRequires: gcc
 BuildRequires: perl(ExtUtils::MakeMaker) glibc-devel bison flex gawk
@ -373,6 +376,7 @@ benchmarks.
 %patch11 -p1
 %patch12 -p1
 %patch13 -p1
+%patch14 -p1

 # We used to run autoconf here, but there's no longer any real need to,
 # since Postgres ships with a reasonably modern configure script.
@ -1177,6 +1181,10 @@ make -C postgresql-setup-%{setup_version} check


 %changelog
+* Mon Feb 26 2024 Eduard Abdullin <eabdullin@almalinux.org> - 10.23-4.alma.1
+- Run REFRESH MATERIALIZED VIEW CONCURRENTLY in right security
+ context
+
 * Mon Dec 18 2023 Lubos Kloucek <lubos.kloucek@oracle.com> - 10.23-3
 - Resolves: CVE-2023-5869