diff options
author | Noah Misch <noah@leadboat.com> | 2023-05-08 06:14:07 -0700 |
---|---|---|
committer | Noah Misch <noah@leadboat.com> | 2023-05-08 06:14:07 -0700 |
commit | 681d9e4621aac0a9c71364b6f54f00f6d8c4337f (patch) | |
tree | 058735d8b659a1a69e6e296be14d59d45ff70b21 /contrib/auto_explain | |
parent | b8c3f6df85e78e09c9709fc895aced719aebd7f9 (diff) | |
download | postgresql-681d9e4621aac0a9c71364b6f54f00f6d8c4337f.tar.gz |
Replace last PushOverrideSearchPath() call with set_config_option().
The two methods don't cooperate, so set_config_option("search_path",
...) has been ineffective under non-empty overrideStack. This defect
enabled an attacker having database-level CREATE privilege to execute
arbitrary code as the bootstrap superuser. While that particular attack
requires v13+ for the trusted extension attribute, other attacks are
feasible in all supported versions.
Standardize on the combination of NewGUCNestLevel() and
set_config_option("search_path", ...). It is newer than
PushOverrideSearchPath(), more-prevalent, and has no known
disadvantages. The "override" mechanism remains for now, for
compatibility with out-of-tree code. Users should update such code,
which likely suffers from the same sort of vulnerability closed here.
Back-patch to v11 (all supported versions).
Alexander Lakhin. Reported by Alexander Lakhin.
Security: CVE-2023-2454
Diffstat (limited to 'contrib/auto_explain')
0 files changed, 0 insertions, 0 deletions