Replace last PushOverrideSearchPath() call with set_config_option().
The two methods don't cooperate, so set_config_option("search_path",
...) has been ineffective under non-empty overrideStack. This defect
enabled an attacker having database-level CREATE privilege to execute
arbitrary code as the bootstrap superuser. While that particular attack
requires v13+ for the trusted extension attribute, other attacks are
feasible in all supported versions.
Standardize on the combination of NewGUCNestLevel() and
set_config_option("search_path", ...). It is newer than
PushOverrideSearchPath(), more-prevalent, and has no known
disadvantages. The "override" mechanism remains for now, for
compatibility with out-of-tree code. Users should update such code,
which likely suffers from the same sort of vulnerability closed here.
Back-patch to v11 (all supported versions).
Alexander Lakhin. Reported by Alexander Lakhin.
Security: CVE-2023-2454
Branch
------
REL_14_STABLE
Details
-------
https://git.postgresql.org/pg/commitdiff/01e8182c73b24ec45849e369ad8b3ecd4ed1ba2b
Modified Files
--------------
contrib/seg/Makefile | 2 +-
contrib/seg/expected/security.out | 32 +++++++++++++++++++++++
contrib/seg/sql/security.sql | 32 +++++++++++++++++++++++
src/backend/catalog/namespace.c | 4 +++
src/backend/commands/schemacmds.c | 37 +++++++++++++++++++--------
src/test/regress/expected/namespace.out | 45 +++++++++++++++++++++++++++++++++
src/test/regress/sql/namespace.sql | 24 ++++++++++++++++++
7 files changed, 165 insertions(+), 11 deletions(-)