rdelaage/postgresql
1
0
Fork 0
mirror of https://git.postgresql.org/git/postgresql.git synced 2024-08-30 13:37:18 +02:00
Code Issues Packages Projects Releases Wiki Activity
35edcc0cee
postgresql/src
History
Noah Misch 35edcc0cee Make relation-enumerating operations be security-restricted operations. 
When a feature enumerates relations and runs functions associated with
all found relations, the feature's user shall not need to trust every
user having permission to create objects.  BRIN-specific functionality
in autovacuum neglected to account for this, as did pg_amcheck and
CLUSTER.  An attacker having permission to create non-temp objects in at
least one schema could execute arbitrary SQL functions under the
identity of the bootstrap superuser.  CREATE INDEX (not a
relation-enumerating operation) and REINDEX protected themselves too
late.  This change extends to the non-enumerating amcheck interface.
Back-patch to v10 (all supported versions).

Sergey Shinderuk, reviewed (in earlier versions) by Alexander Lakhin.
Reported by Alexander Lakhin.

Security: CVE-2022-1552
2022-05-09 08:35:12 -07:00
..
backend Make relation-enumerating operations be security-restricted operations. 2022-05-09 08:35:12 -07:00
bin Translation updates 2022-05-09 12:27:22 +02:00
common Inhibit mingw CRT's auto-globbing of command line arguments 2022-04-25 15:50:01 -04:00
fe_utils Clean up assorted failures under clang's -fsanitize=undefined checks. 2022-03-03 18:13:24 -05:00
include Remove inadequate assertion check in CTE inlining. 2022-04-21 17:58:52 -04:00
interfaces Translation updates 2022-05-09 12:27:22 +02:00
makefiles Remove libpq.rc, use win32ver.rc for libpq 2020-01-15 15:06:12 +01:00
pl Translation updates 2022-05-09 12:27:22 +02:00
port AIX: Fix missing libpq symbols by respecting SHLIB_EXPORTS. 2021-09-06 11:28:02 -07:00
template Further tweaking of PG_SYSROOT heuristics for macOS. 2021-01-20 12:07:31 -05:00
test Make relation-enumerating operations be security-restricted operations. 2022-05-09 08:35:12 -07:00
timezone Update time zone data files to tzdata release 2022a. 2022-05-05 14:55:10 -04:00
tools Revert "Fix replay of create database records on standby" 2022-03-29 15:36:21 +02:00
tutorial tutorial: land height is "elevation", not "altitude" 2021-03-10 20:25:18 -05:00
.gitignore
DEVELOPERS
Makefile Fix partial-build problems introduced by having more generated headers. 2018-04-09 16:42:10 -04:00
Makefile.global.in Fix prove_installcheck to use correct paths when used with PGXS 2021-07-01 08:46:38 -04:00
Makefile.shlib AIX: Fix missing libpq symbols by respecting SHLIB_EXPORTS. 2021-09-06 11:28:02 -07:00
nls-global.mk NLS: Fix backend gettext triggers 2019-09-23 09:04:20 +02:00