Re: BUG #16448: Remote code execution vulnerability - Mailing list pgsql-bugs

From Heikki Linnakangas
Subject Re: BUG #16448: Remote code execution vulnerability
Date
Msg-id 8adfb8f8-91f0-1dd5-15c0-12cdba61b191@iki.fi
In response to BUG #16448: Remote code execution vulnerability  (PG Bug reporting form <noreply@postgresql.org>)
List pgsql-bugs
On 18/05/2020 12:14, PG Bug reporting form wrote:
> The following bug has been logged on the website:
> 
> Bug reference:      16448
> Logged by:          yi Ding
> Email address:      abcxiaod@126.com
> PostgreSQL version: 10.12
> Operating system:   linux
> Description:
> 
> A common user created a function in the public space and added some
> malicious code in the function. When other users with superuser rights call
> this function, the malicious code will be executed, so as to achieve the
> purpose of remote malicious code execution.
> 
>     First, non-superuser lh defines a function named upper, which contains
> the statement to modify user permissions.
> SQL:
> CREATE TABLE public.testlh AS SELECT 'lh'::varchar AS contents;
> CREATE FUNCTION public.upper(varchar) RETURNS TEXT AS $$
> ALTER ROLE lh SUPERUSER;
> SELECT pg_catalog.upper($1);
> $$ LANGUAGE SQL VOLATILE;
>   
> Second, superuser pg01 will execute the above statement after calling the
> upper function, which will change user lh to a superuser.

See 
https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058%3A_Protect_Your_Search_Path

- Heikki
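
Added example, not part of the original message or of the linked guide: a catalog audit for the pattern in the report (a function in a non-system schema, owned by a non-superuser, that reuses a pg_catalog function name such as upper), followed by two search_path hardening statements. The role name pg01 is taken from the report; the statements are assumed to be run as a superuser in each database.

```sql
-- Added example. Pin the session's own search_path first so the audit
-- query cannot itself resolve to a shadowing function or operator.
SET search_path = pg_catalog;

-- 1. Audit: functions outside the system schemas that share a name with
--    a pg_catalog function and are owned by a role without SUPERUSER.
--    public.upper(varchar) from the report would be listed here.
SELECT n.nspname                              AS schema_name,
       p.proname                              AS function_name,
       pg_get_function_identity_arguments(p.oid) AS arguments,
       r.rolname                              AS owner
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
JOIN pg_roles r     ON r.oid = p.proowner
WHERE n.nspname !~ '^pg_'                 -- skips pg_catalog, pg_toast, pg_temp_N
  AND n.nspname <> 'information_schema'
  AND NOT r.rolsuper
  AND EXISTS (SELECT 1
              FROM pg_proc c
              JOIN pg_namespace cn ON cn.oid = c.pronamespace
              WHERE cn.nspname = 'pg_catalog'
                AND c.proname = p.proname)
ORDER BY schema_name, function_name;

RESET search_path;

-- 2. Stop ordinary roles from creating objects in the public schema.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 3. Remove public from the superuser's default search_path, so an
--    unqualified upper(...) can only resolve to pg_catalog.upper or to
--    a function in the role's own schema. Takes effect at next login.
ALTER ROLE pg01 SET search_path = "$user";
```

Each row returned by the audit should be reviewed by reading the function body before any privileged role calls it; a match is not proof of malicious intent, since extensions and applications sometimes reuse catalog names legitimately.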


