Compare commits

...

1 Commits

Author SHA1 Message Date
2864bfcceb - Run REFRESH MATERIALIZED VIEW CONCURRENTLY in right security
context
2024-02-26 10:17:44 +03:00
2 changed files with 96 additions and 1 deletions

View File

@ -0,0 +1,87 @@
From 2699fc035a75d0774c1f013e9320882287f78adb Mon Sep 17 00:00:00 2001
From: Heikki Linnakangas <heikki.linnakangas@iki.fi>
Date: Mon, 5 Feb 2024 11:01:23 +0200
Subject: [PATCH] Run REFRESH MATERIALIZED VIEW CONCURRENTLY in right security
context
The internal commands in REFRESH MATERIALIZED VIEW CONCURRENTLY are
correctly executed in SECURITY_RESTRICTED_OPERATION mode, except for
creating the temporary "diff" table, because you cannot create
temporary tables in SRO mode. But creating the temporary "diff" table
is a pretty complex CTAS command that selects from another temporary
table created earlier in the command. If you can cajole that CTAS
command to execute code defined by the table owner, the table owner
can run code with the privileges of the user running the REFRESH
command.
The proof-of-concept reported to the security team relied on CREATE
RULE to convert the internally-built temp table to a view. That's not
possible since commit b23cd185fd, and I was not able to find a
different way to turn the SELECT on the temp table into code
execution, so as far as I know this is only exploitable in v15 and
below. That's a fiddly assumption though, so apply this patch to
master and all stable versions.
Thanks to Pedro Gallegos for the report.
Security: CVE-2023-5869
Reviewed-by: Noah Misch
---
src/backend/commands/matview.c | 33 ++++++++++++++++++++++++++-------
1 file changed, 26 insertions(+), 7 deletions(-)
diff --git a/src/backend/commands/matview.c b/src/backend/commands/matview.c
index e485661fa1..e87bdac285 100644
--- a/src/backend/commands/matview.c
+++ b/src/backend/commands/matview.c
@@ -646,14 +646,35 @@
errdetail("Row: %s",
SPI_getvalue(SPI_tuptable->vals[0], SPI_tuptable->tupdesc, 1))));
}
-
+ /*
+ * Create the temporary "diff" table.
+ *
+ * Temporarily switch out of the SECURITY_RESTRICTED_OPERATION context,
+ * because you cannot create temp tables in SRO context. For extra
+ * paranoia, add the composite type column only after switching back to
+ * SRO context.
+ */
SetUserIdAndSecContext(relowner,
save_sec_context | SECURITY_LOCAL_USERID_CHANGE);
+ resetStringInfo(&querybuf);
+ appendStringInfo(&querybuf,
+ "CREATE TEMP TABLE %s (tid pg_catalog.tid)",
+ diffname);
+ if (SPI_exec(querybuf.data, 0) != SPI_OK_UTILITY)
+ elog(ERROR, "SPI_exec failed: %s", querybuf.data);
+ SetUserIdAndSecContext(relowner,
+ save_sec_context | SECURITY_RESTRICTED_OPERATION);
+ resetStringInfo(&querybuf);
+ appendStringInfo(&querybuf,
+ "ALTER TABLE %s ADD COLUMN newdata %s",
+ diffname, tempname);
+ if (SPI_exec(querybuf.data, 0) != SPI_OK_UTILITY)
+ elog(ERROR, "SPI_exec failed: %s", querybuf.data);
/* Start building the query for creating the diff table. */
resetStringInfo(&querybuf);
appendStringInfo(&querybuf,
- "CREATE TEMP TABLE %s AS "
+ "INSERT INTO %s "
"SELECT mv.ctid AS tid, newdata.*::%s AS newdata "
"FROM %s mv FULL JOIN %s newdata ON (",
diffname, tempname, matviewname, tempname);
@@ -783,11 +804,9 @@
"ORDER BY tid");
/* Create the temporary "diff" table. */
- if (SPI_exec(querybuf.data, 0) != SPI_OK_UTILITY)
+ if (SPI_exec(querybuf.data, 0) != SPI_OK_INSERT)
elog(ERROR, "SPI_exec failed: %s", querybuf.data);
- SetUserIdAndSecContext(relowner,
- save_sec_context | SECURITY_RESTRICTED_OPERATION);
/*
* We have no further use for data from the "full-data" temp table, but we

View File

@ -59,7 +59,7 @@ Summary: PostgreSQL client programs
Name: postgresql Name: postgresql
%global majorversion 10 %global majorversion 10
Version: %{majorversion}.23 Version: %{majorversion}.23
Release: 3%{?dist} Release: 4%{?dist}.alma.1
# The PostgreSQL license is very similar to other MIT licenses, but the OSI # The PostgreSQL license is very similar to other MIT licenses, but the OSI
# recognizes it as an independent license, so we do as well. # recognizes it as an independent license, so we do as well.
@ -111,6 +111,9 @@ Patch10: postgresql-10.15-contrib-dblink-expected-out.patch
Patch11: postgresql-10.23-CVE-2023-2454.patch Patch11: postgresql-10.23-CVE-2023-2454.patch
Patch12: postgresql-10.23-CVE-2023-2455.patch Patch12: postgresql-10.23-CVE-2023-2455.patch
Patch13: postgresql-10.23-CVE-2023-5869.patch Patch13: postgresql-10.23-CVE-2023-5869.patch
# Patches were taken from:
# https://git.postgresql.org/gitweb/?p=postgresql.git;a=patch;h=2699fc035a75d0774c1f013e9320882287f78adb
Patch14: CVE-2023-5869.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: perl(ExtUtils::MakeMaker) glibc-devel bison flex gawk BuildRequires: perl(ExtUtils::MakeMaker) glibc-devel bison flex gawk
@ -373,6 +376,7 @@ benchmarks.
%patch11 -p1 %patch11 -p1
%patch12 -p1 %patch12 -p1
%patch13 -p1 %patch13 -p1
%patch14 -p1
# We used to run autoconf here, but there's no longer any real need to, # We used to run autoconf here, but there's no longer any real need to,
# since Postgres ships with a reasonably modern configure script. # since Postgres ships with a reasonably modern configure script.
@ -1177,6 +1181,10 @@ make -C postgresql-setup-%{setup_version} check
%changelog %changelog
* Mon Feb 26 2024 Eduard Abdullin <eabdullin@almalinux.org> - 10.23-4.alma.1
- Run REFRESH MATERIALIZED VIEW CONCURRENTLY in right security
context
* Mon Dec 18 2023 Lubos Kloucek <lubos.kloucek@oracle.com> - 10.23-3 * Mon Dec 18 2023 Lubos Kloucek <lubos.kloucek@oracle.com> - 10.23-3
- Resolves: CVE-2023-5869 - Resolves: CVE-2023-5869