From: | Heikki Linnakangas <heikki(dot)linnakangas(at)iki(dot)fi> |
---|---|
To: | pgsql-committers(at)lists(dot)postgresql(dot)org |
Subject: | pgsql: Run REFRESH MATERIALIZED VIEW CONCURRENTLY in right security con |
Date: | 2024-02-05 09:28:32 |
Message-ID: | E1rWvHE-004kuo-3T@gemulon.postgresql.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-committers |
Run REFRESH MATERIALIZED VIEW CONCURRENTLY in right security context
The internal commands in REFRESH MATERIALIZED VIEW CONCURRENTLY are
correctly executed in SECURITY_RESTRICTED_OPERATION mode, except for
creating the temporary "diff" table, because you cannot create
temporary tables in SRO mode. But creating the temporary "diff" table
is a pretty complex CTAS command that selects from another temporary
table created earlier in the command. If you can cajole that CTAS
command to execute code defined by the table owner, the table owner
can run code with the privileges of the user running the REFRESH
command.
The proof-of-concept reported to the security team relied on CREATE
RULE to convert the internally-built temp table to a view. That's not
possible since commit b23cd185fd, and I was not able to find a
different way to turn the SELECT on the temp table into code
execution, so as far as I know this is only exploitable in v15 and
below. That's a fiddly assumption though, so apply this patch to
master and all stable versions.
Thanks to Pedro Gallegos for the report.
Security: CVE-2023-5869
Reviewed-by: Noah Misch
Branch
------
REL_14_STABLE
Details
-------
https://git.postgresql.org/pg/commitdiff/f4f2883521fc3f81765ab82eab2ffa31574f0a07
Modified Files
--------------
src/backend/commands/matview.c | 33 ++++++++++++++++++++++++++-------
1 file changed, 26 insertions(+), 7 deletions(-)
From | Date | Subject | |
---|---|---|---|
Next Message | Aleksander Alekseev | 2024-02-05 12:48:41 | Re: pgsql: Generate syscache info from catalog files |
Previous Message | Amit Kapila | 2024-02-05 05:28:01 | pgsql: Enhance libpqrcv APIs to support slot synchronization. |