Fix privilege checks in pg_stats_ext and pg_stats_ext_exprs.

The catalog view pg_stats_ext fails to consider privileges for expression statistics. The catalog view pg_stats_ext_exprs fails to consider privileges and row-level security policies. To fix, restrict the data in these views to table owners or roles that inherit privileges of the table owner. It may be possible to apply less restrictive privilege checks in some cases, but that is left as a future exercise. Furthermore, for pg_stats_ext_exprs, do not return data for tables with row-level security enabled, as is already done for pg_stats_ext.

On the back-branches, a fix-CVE-2024-4317.sql script is provided that will install into the "share" directory. This file can be used to apply the fix to existing clusters.

Bumps catversion on 'master' branch only.

Reported-by: Lukas Fittl
Reviewed-by: Noah Misch, Tomas Vondra, Tom Lane
Security: CVE-2024-4317
Backpatch-through: 14

Branch
------
REL_15_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/9cc2b62894de6a8b3d78d20bcd1a6647a7553a6c

Modified Files
--------------
doc/src/sgml/catalogs.sgml                |   3 +-
doc/src/sgml/system-views.sgml            |   4 +-
src/backend/catalog/Makefile              |   3 +-
src/backend/catalog/fix-CVE-2024-4317.sql | 117 ++++++++++++++++++++++++++++++
src/backend/catalog/system_views.sql      |  11 +--
src/test/regress/expected/rules.out       |   8 +-
src/test/regress/expected/stats_ext.out   |  43 +++++++++++
src/test/regress/sql/stats_ext.sql        |  27 +++++++
8 files changed, 199 insertions(+), 17 deletions(-)