New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[YSQL] Import commit 'Replace last PushOverrideSearchPath() call with set_config_option().' from PG #17318
Closed
1 task done
Labels
2.14 Backport Required
2.16 Backport Required
2.18 Backport Required
area/ysql
Yugabyte SQL (YSQL)
kind/bug
This issue is a bug
priority/high
High Priority
Comments
dr0pdb
added
area/ysql
Yugabyte SQL (YSQL)
status/awaiting-triage
Issue awaiting triage
labels
May 12, 2023
yugabyte-ci
added
kind/bug
This issue is a bug
priority/medium
Medium priority issue
and removed
status/awaiting-triage
Issue awaiting triage
labels
May 12, 2023
dr0pdb
added a commit
that referenced
this issue
May 31, 2023
…h set_config_option().' from PG Summary: Original commit: `23cb8eaeb` Commit message was: ``` The two methods don't cooperate, so set_config_option("search_path", ...) has been ineffective under non-empty overrideStack. This defect enabled an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser. While that particular attack requires v13+ for the trusted extension attribute, other attacks are feasible in all supported versions. Standardize on the combination of NewGUCNestLevel() and set_config_option("search_path", ...). It is newer than PushOverrideSearchPath(), more-prevalent, and has no known disadvantages. The "override" mechanism remains for now, for compatibility with out-of-tree code. Users should update such code, which likely suffers from the same sort of vulnerability closed here. Back-patch to v11 (all supported versions). Alexander Lakhin. Reported by Alexander Lakhin. ``` Jira: DB-6538 Test Plan: `./yb_build.sh --java-test 'org.yb.pgsql.TestPgRegressPgMiscIndependent'` Note that I had to modify the expected output in the case of YB since 1. We do not support schema creation with elements 2. `Create Schema` in not transactional Reviewers: dmitry, skumar Reviewed By: dmitry Differential Revision: https://phorge.dev.yugabyte.com/D25820
yugabyte-ci
added
priority/high
High Priority
and removed
priority/medium
Medium priority issue
labels
May 31, 2023
dr0pdb
added a commit
that referenced
this issue
Jun 5, 2023
…Path() call with set_config_option().' from PG Summary: Original commit: dac89aa / D25820 Commit message was: ``` The two methods don't cooperate, so set_config_option("search_path", ...) has been ineffective under non-empty overrideStack. This defect enabled an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser. While that particular attack requires v13+ for the trusted extension attribute, other attacks are feasible in all supported versions. Standardize on the combination of NewGUCNestLevel() and set_config_option("search_path", ...). It is newer than PushOverrideSearchPath(), more-prevalent, and has no known disadvantages. The "override" mechanism remains for now, for compatibility with out-of-tree code. Users should update such code, which likely suffers from the same sort of vulnerability closed here. Back-patch to v11 (all supported versions). Alexander Lakhin. Reported by Alexander Lakhin. ``` Jira: DB-6538 Test Plan: `./yb_build.sh --java-test 'org.yb.pgsql.TestPgRegressPgMiscIndependent'` Note that I had to modify the expected output in the case of YB since 1. We do not support schema creation with elements 2. `Create Schema` in not transactional Reviewers: dmitry, skumar Reviewed By: dmitry Differential Revision: https://phorge.dev.yugabyte.com/D25900
dr0pdb
added a commit
that referenced
this issue
Jun 5, 2023
…Path() call with set_config_option().' from PG Summary: Original commit: dac89aa / D25820 Commit message was: ``` The two methods don't cooperate, so set_config_option("search_path", ...) has been ineffective under non-empty overrideStack. This defect enabled an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser. While that particular attack requires v13+ for the trusted extension attribute, other attacks are feasible in all supported versions. Standardize on the combination of NewGUCNestLevel() and set_config_option("search_path", ...). It is newer than PushOverrideSearchPath(), more-prevalent, and has no known disadvantages. The "override" mechanism remains for now, for compatibility with out-of-tree code. Users should update such code, which likely suffers from the same sort of vulnerability closed here. Back-patch to v11 (all supported versions). Alexander Lakhin. Reported by Alexander Lakhin. ``` Jira: DB-6538 Test Plan: `./yb_build.sh --java-test 'org.yb.pgsql.TestPgRegressPgMiscIndependent'` Note that I had to modify the expected output in the case of YB since 1. We do not support schema creation with elements 2. `Create Schema` in not transactional Reviewers: dmitry, skumar Reviewed By: dmitry Differential Revision: https://phorge.dev.yugabyte.com/D25899
dr0pdb
added a commit
that referenced
this issue
Jun 5, 2023
…Path() call with set_config_option().' from PG Summary: Original commit: dac89aa / D25820 Commit message was: ``` The two methods don't cooperate, so set_config_option("search_path", ...) has been ineffective under non-empty overrideStack. This defect enabled an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser. While that particular attack requires v13+ for the trusted extension attribute, other attacks are feasible in all supported versions. Standardize on the combination of NewGUCNestLevel() and set_config_option("search_path", ...). It is newer than PushOverrideSearchPath(), more-prevalent, and has no known disadvantages. The "override" mechanism remains for now, for compatibility with out-of-tree code. Users should update such code, which likely suffers from the same sort of vulnerability closed here. Back-patch to v11 (all supported versions). Alexander Lakhin. Reported by Alexander Lakhin. ``` Jira: DB-6538 Test Plan: `./yb_build.sh --java-test 'org.yb.pgsql.TestPgRegressPgMiscIndependent'` Note that I had to modify the expected output in the case of YB since 1. We do not support schema creation with elements 2. `Create Schema` in not transactional Reviewers: dmitry, skumar Reviewed By: dmitry Differential Revision: https://phorge.dev.yugabyte.com/D25898
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
2.14 Backport Required
2.16 Backport Required
2.18 Backport Required
area/ysql
Yugabyte SQL (YSQL)
kind/bug
This issue is a bug
priority/high
High Priority
Jira Link: DB-6538
Description
Import commit
Replace last PushOverrideSearchPath() call with set_config_option().
from PG.Upstream commit link: postgres/postgres@23cb8eaeb
This commit replaces the usage of a legacy function
PushOverrideSearchPath
withset_config_option
. This legacy function enabled an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser on V13+. This fix was backpatched to PG 11 so that other similar attacks can be avoided in the future.As a result, it makes sense for us to also import it to be on the safer side.
Warning: Please confirm that this issue does not contain any sensitive information
The text was updated successfully, but these errors were encountered: