Fix priv checks for ALTER <object> DEPENDS ON EXTENSION
Marking an object as dependant on an extension did not have any
privilege check whatsoever; this allowed any user to mark objects as
droppable by anyone able to DROP EXTENSION, which could be used to cause
system-wide havoc. Disallow by checking that the calling user owns the
mentioned object.
(No constraints are placed on the extension.)
Security: CVE-2020-1720
Reported-by: Tom Lane
Discussion: 31605.1566429043@sss.pgh.pa.us
Branch
------
REL9_6_STABLE
Details
-------
https://git.postgresql.org/pg/commitdiff/e8b8eb937642f56725d4bc025ea7fa57caf6992c
Modified Files
--------------
src/backend/commands/alter.c | 13 +++++++++++++
1 file changed, 13 insertions(+)