Replace last PushOverrideSearchPath() call with set_config_option().
The two methods don't cooperate, so set_config_option("search_path",
...) has been ineffective under non-empty overrideStack. This defect
enabled an attacker having database-level CREATE privilege to execute
arbitrary code as the bootstrap superuser. While that particular attack
requires v13+ for the trusted extension attribute, other attacks are
feasible in all supported versions.
Standardize on the combination of NewGUCNestLevel() and
set_config_option("search_path", ...). It is newer than
PushOverrideSearchPath(), more-prevalent, and has no known
disadvantages. The "override" mechanism remains for now, for
compatibility with out-of-tree code. Users should update such code,
which likely suffers from the same sort of vulnerability closed here.
Back-patch to v11 (all supported versions).
Alexander Lakhin. Reported by Alexander Lakhin.
Security: CVE-2023-2454
Branch
------
master
Details
-------
https://git.postgresql.org/pg/commitdiff/681d9e4621aac0a9c71364b6f54f00f6d8c4337f
Modified Files
--------------
contrib/seg/Makefile | 2 +-
contrib/seg/expected/security.out | 32 +++++++++++++++++++++++
contrib/seg/sql/security.sql | 32 +++++++++++++++++++++++
src/backend/catalog/namespace.c | 4 +++
src/backend/commands/schemacmds.c | 37 +++++++++++++++++++--------
src/test/regress/expected/namespace.out | 45 +++++++++++++++++++++++++++++++++
src/test/regress/sql/namespace.sql | 24 ++++++++++++++++++
7 files changed, 165 insertions(+), 11 deletions(-)
