[YSQL] Import commit 'Replace last PushOverrideSearchPath() call with set_config_option().' from PG #17318

Closed
1 task done
dr0pdb opened this issue May 12, 2023 · 0 comments
dr0pdb commented May 12, 2023

Jira Link: DB-6538

Description

Import commit 'Replace last PushOverrideSearchPath() call with set_config_option().' from PG.

Upstream commit link: postgres/postgres@23cb8eaeb

This commit replaces the usage of a legacy function PushOverrideSearchPath with set_config_option. This legacy function enabled an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser on V13+. This fix was backpatched to PG 11 so that other similar attacks can be avoided in the future.

As a result, it makes sense for us to also import it to be on the safer side.

@dr0pdb dr0pdb added area/ysql Yugabyte SQL (YSQL) status/awaiting-triage Issue awaiting triage labels May 12, 2023
@dr0pdb dr0pdb self-assigned this May 12, 2023
@yugabyte-ci yugabyte-ci added kind/bug This issue is a bug priority/medium Medium priority issue and removed status/awaiting-triage Issue awaiting triage labels May 12, 2023
dr0pdb added a commit that referenced this issue May 31, 2023
…h set_config_option().' from PG

Summary:
Original commit: `23cb8eaeb`

Commit message was:

```
The two methods don't cooperate, so set_config_option("search_path",
...) has been ineffective under non-empty overrideStack.  This defect
enabled an attacker having database-level CREATE privilege to execute
arbitrary code as the bootstrap superuser.  While that particular attack
requires v13+ for the trusted extension attribute, other attacks are
feasible in all supported versions.

Standardize on the combination of NewGUCNestLevel() and
set_config_option("search_path", ...).  It is newer than
PushOverrideSearchPath(), more-prevalent, and has no known
disadvantages.  The "override" mechanism remains for now, for
compatibility with out-of-tree code.  Users should update such code,
which likely suffers from the same sort of vulnerability closed here.
Back-patch to v11 (all supported versions).

Alexander Lakhin.  Reported by Alexander Lakhin.
```
Jira: DB-6538

Test Plan:
`./yb_build.sh --java-test 'org.yb.pgsql.TestPgRegressPgMiscIndependent'`

Note that I had to modify the expected output in the case of YB since
1. We do not support schema creation with elements
2. `Create Schema` is not transactional

Reviewers: dmitry, skumar

Reviewed By: dmitry

Differential Revision: https://phorge.dev.yugabyte.com/D25820
@yugabyte-ci yugabyte-ci added priority/high High Priority and removed priority/medium Medium priority issue labels May 31, 2023
dr0pdb added a commit that referenced this issue Jun 5, 2023
…Path() call with set_config_option().' from PG

Summary:
Original commit: dac89aa / D25820

Commit message was:

```
The two methods don't cooperate, so set_config_option("search_path",
...) has been ineffective under non-empty overrideStack.  This defect
enabled an attacker having database-level CREATE privilege to execute
arbitrary code as the bootstrap superuser.  While that particular attack
requires v13+ for the trusted extension attribute, other attacks are
feasible in all supported versions.

Standardize on the combination of NewGUCNestLevel() and
set_config_option("search_path", ...).  It is newer than
PushOverrideSearchPath(), more-prevalent, and has no known
disadvantages.  The "override" mechanism remains for now, for
compatibility with out-of-tree code.  Users should update such code,
which likely suffers from the same sort of vulnerability closed here.
Back-patch to v11 (all supported versions).

Alexander Lakhin.  Reported by Alexander Lakhin.
```
Jira: DB-6538

Test Plan:
`./yb_build.sh --java-test 'org.yb.pgsql.TestPgRegressPgMiscIndependent'`

Note that I had to modify the expected output in the case of YB since
1. We do not support schema creation with elements
2. `Create Schema` is not transactional

Reviewers: dmitry, skumar

Reviewed By: dmitry

Differential Revision: https://phorge.dev.yugabyte.com/D25900
dr0pdb added a commit that referenced this issue Jun 5, 2023
…Path() call with set_config_option().' from PG

Summary:
Original commit: dac89aa / D25820

Commit message was:

```
The two methods don't cooperate, so set_config_option("search_path",
...) has been ineffective under non-empty overrideStack.  This defect
enabled an attacker having database-level CREATE privilege to execute
arbitrary code as the bootstrap superuser.  While that particular attack
requires v13+ for the trusted extension attribute, other attacks are
feasible in all supported versions.

Standardize on the combination of NewGUCNestLevel() and
set_config_option("search_path", ...).  It is newer than
PushOverrideSearchPath(), more-prevalent, and has no known
disadvantages.  The "override" mechanism remains for now, for
compatibility with out-of-tree code.  Users should update such code,
which likely suffers from the same sort of vulnerability closed here.
Back-patch to v11 (all supported versions).

Alexander Lakhin.  Reported by Alexander Lakhin.
```
Jira: DB-6538

Test Plan:
`./yb_build.sh --java-test 'org.yb.pgsql.TestPgRegressPgMiscIndependent'`

Note that I had to modify the expected output in the case of YB since
1. We do not support schema creation with elements
2. `Create Schema` is not transactional

Reviewers: dmitry, skumar

Reviewed By: dmitry

Differential Revision: https://phorge.dev.yugabyte.com/D25899
dr0pdb added a commit that referenced this issue Jun 5, 2023
…Path() call with set_config_option().' from PG

Summary:
Original commit: dac89aa / D25820

Commit message was:

```
The two methods don't cooperate, so set_config_option("search_path",
...) has been ineffective under non-empty overrideStack.  This defect
enabled an attacker having database-level CREATE privilege to execute
arbitrary code as the bootstrap superuser.  While that particular attack
requires v13+ for the trusted extension attribute, other attacks are
feasible in all supported versions.

Standardize on the combination of NewGUCNestLevel() and
set_config_option("search_path", ...).  It is newer than
PushOverrideSearchPath(), more-prevalent, and has no known
disadvantages.  The "override" mechanism remains for now, for
compatibility with out-of-tree code.  Users should update such code,
which likely suffers from the same sort of vulnerability closed here.
Back-patch to v11 (all supported versions).

Alexander Lakhin.  Reported by Alexander Lakhin.
```
Jira: DB-6538

Test Plan:
`./yb_build.sh --java-test 'org.yb.pgsql.TestPgRegressPgMiscIndependent'`

Note that I had to modify the expected output in the case of YB since
1. We do not support schema creation with elements
2. `Create Schema` is not transactional

Reviewers: dmitry, skumar

Reviewed By: dmitry

Differential Revision: https://phorge.dev.yugabyte.com/D25898
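
The interaction described in the imported commit message, as an added example that is not code from PostgreSQL or YugabyteDB: a simplified C model in which name lookups consult an override stack before the `search_path` setting, so a path set by inner code is ignored while an override is active. The lower-case helper functions, the `outer_schema` value and the lookup rule are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAX_DEPTH 8

/* Simplified model (assumption): these are stand-ins, not PostgreSQL source. */
static const char *guc_value = "\"$user\", public"; /* the search_path setting */
static const char *guc_saved[MAX_DEPTH];            /* value saved per nest level */
static int guc_level = 0;
static const char *override_stack[MAX_DEPTH];       /* legacy "override" mechanism */
static int override_depth = 0;

/* Lookups use the top override entry if there is one, else the setting. */
static const char *effective_search_path(void) {
    return override_depth > 0 ? override_stack[override_depth - 1] : guc_value;
}

static void push_override(const char *path) { override_stack[override_depth++] = path; }
static void pop_override(void) { override_depth--; }
/* Stand-ins for NewGUCNestLevel(), set_config_option("search_path", ...)
 * and the rollback of a nest level at the end of the calling code. */
static int new_guc_nest_level(void) { guc_saved[guc_level] = guc_value; return ++guc_level; }
static void set_search_path(const char *path) { guc_value = path; }
static void end_guc_nest_level(int level) { guc_level = level - 1; guc_value = guc_saved[guc_level]; }

/* Legacy shape: outer code pushes an override, inner code sets the setting. */
static const char *inner_path_legacy(void) {
    push_override("outer_schema");              /* constructed schema name */
    int lvl = new_guc_nest_level();
    set_search_path("pg_catalog");              /* inner code pins its path */
    const char *seen = effective_search_path(); /* what lookups really use */
    end_guc_nest_level(lvl);
    pop_override();
    return seen;
}

/* Standardized shape: both layers use a nest level plus the setting. */
static const char *inner_path_fixed(void) {
    int outer = new_guc_nest_level();
    set_search_path("outer_schema");
    int inner = new_guc_nest_level();
    set_search_path("pg_catalog");
    const char *seen = effective_search_path();
    end_guc_nest_level(inner);
    end_guc_nest_level(outer);
    return seen;
}

int main(void) {
    printf("legacy: %s\nfixed:  %s\n", inner_path_legacy(), inner_path_fixed());
    return 0;
}
```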
@dr0pdb dr0pdb closed this as completed Jun 5, 2023