rdelaage
/
postgresql
mirror of https://git.postgresql.org/git/postgresql.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
postgresql/contrib/seg
History
Noah Misch 01e8182c73 Replace last PushOverrideSearchPath() call with set_config_option(). 
The two methods don't cooperate, so set_config_option("search_path",
...) has been ineffective under non-empty overrideStack.  This defect
enabled an attacker having database-level CREATE privilege to execute
arbitrary code as the bootstrap superuser.  While that particular attack
requires v13+ for the trusted extension attribute, other attacks are
feasible in all supported versions.

Standardize on the combination of NewGUCNestLevel() and
set_config_option("search_path", ...).  It is newer than
PushOverrideSearchPath(), more-prevalent, and has no known
disadvantages.  The "override" mechanism remains for now, for
compatibility with out-of-tree code.  Users should update such code,
which likely suffers from the same sort of vulnerability closed here.
Back-patch to v11 (all supported versions).

Alexander Lakhin.  Reported by Alexander Lakhin.

Security: CVE-2023-2454
 		2023-05-08 06:14:11 -07:00
..
data Modify the float4 datatype to be pass-by-val. Along the way, remove the last 2008-04-18 18:43:09 +00:00
expected Replace last PushOverrideSearchPath() call with set_config_option(). 2023-05-08 06:14:11 -07:00
sql Replace last PushOverrideSearchPath() call with set_config_option(). 2023-05-08 06:14:11 -07:00
.gitignore Support "make check" in contrib 2011-04-25 22:27:11 +03:00
Makefile Replace last PushOverrideSearchPath() call with set_config_option(). 2023-05-08 06:14:11 -07:00
seg--1.0--1.1.sql Make contrib modules' installation scripts more secure. 2020-08-10 10:44:42 -04:00
seg--1.1--1.2.sql Update contrib/seg for new scalarlesel/scalargesel selectivity functions. 2017-09-13 11:54:55 -04:00
seg--1.1.sql Update extensions with GIN/GIST support for parallel query. 2016-06-14 13:34:37 -04:00
seg--1.2--1.3.sql Make contrib modules' installation scripts more secure. 2020-08-10 10:44:42 -04:00
seg--1.3--1.4.sql Remove deprecated containment operators for contrib types. 2021-03-05 10:45:41 -05:00
seg-validate.pl Remove extraneous newlines added by perl copyright patch 2021-05-07 11:37:37 -04:00
seg.c Fix contrib/seg to be more wary of long input numbers. 2022-12-21 17:51:50 -05:00
seg.control Remove deprecated containment operators for contrib types. 2021-03-05 10:45:41 -05:00
segdata.h Add some const decorations to prototypes 2017-11-10 13:38:57 -05:00
segparse.y Fix contrib/seg to be more wary of long input numbers. 2022-12-21 17:51:50 -05:00
segscan.l Exclude flex-generated code from coverage testing 2017-10-16 16:28:11 -04:00
sort-segments.pl Remove extraneous newlines added by perl copyright patch 2021-05-07 11:37:37 -04:00