Fix priv checks for ALTER <object> DEPENDS ON EXTENSION Marking an object as dependant on an extension did not have any privilege check whatsoever; this allowed any user to mark objects as droppable by anyone able to DROP EXTENSION, which could be used to cause system-wide havoc. Disallow by checking that the calling user owns the mentioned object.
(No constraints are placed on the extension.) Security: CVE-2020-1720 Reported-by: Tom Lane Discussion: 31605.1566429...@sss.pgh.pa.us Branch ------ REL_10_STABLE Details ------- https://git.postgresql.org/pg/commitdiff/ac1a998ed8c535a165e7f95179ee954df075f920 Modified Files -------------- src/backend/commands/alter.c | 11 +++++++++++ 1 file changed, 11 insertions(+)
