pgsql: Prevent indirect security attacks via changing session-local

Поиск
Список
Период
Сортировка
От tgl@postgresql.org (Tom Lane)
Тема pgsql: Prevent indirect security attacks via changing session-local
Дата
Msg-id 20091209215856.2210E753FB7@cvs.postgresql.org
обсуждение исходный текст
Список pgsql-committers
Дерево обсуждения 
Log Message:
-----------
Prevent indirect security attacks via changing session-local state within
an allegedly immutable index function.  It was previously recognized that
we had to prevent such a function from executing SET/RESET ROLE/SESSION
AUTHORIZATION, or it could trivially obtain the privileges of the session
user.  However, since there is in general no privilege checking for changes
of session-local state, it is also possible for such a function to change
settings in a way that might subvert later operations in the same session.
Examples include changing search_path to cause an unexpected function to
be called, or replacing an existing prepared statement with another one
that will execute a function of the attacker's choosing.

The present patch secures VACUUM, ANALYZE, and CREATE INDEX/REINDEX against
these threats, which are the same places previously deemed to need protection
against the SET ROLE issue.  GUC changes are still allowed, since there are
many useful cases for that, but we prevent security problems by forcing a
rollback of any GUC change after completing the operation.  Other cases are
handled by throwing an error if any change is attempted; these include temp
table creation, closing a cursor, and creating or deleting a prepared
statement.  (In 7.4, the infrastructure to roll back GUC changes doesn't
exist, so we settle for rejecting changes of "search_path" in these contexts.)

Original report and patch by Gurjeet Singh, additional analysis by
Tom Lane.

Security: CVE-2009-4136

Tags:
----
REL8_0_STABLE

Modified Files:
--------------
    pgsql/src/backend/access/transam:
        xact.c (r1.195.4.4 -> r1.195.4.5)
        (http://anoncvs.postgresql.org/cvsweb.cgi/pgsql/src/backend/access/transam/xact.c?r1=1.195.4.4&r2=1.195.4.5)
    pgsql/src/backend/catalog:
        index.c (r1.244.4.4 -> r1.244.4.5)
        (http://anoncvs.postgresql.org/cvsweb.cgi/pgsql/src/backend/catalog/index.c?r1=1.244.4.4&r2=1.244.4.5)
    pgsql/src/backend/commands:
        analyze.c (r1.80.4.1 -> r1.80.4.2)
        (http://anoncvs.postgresql.org/cvsweb.cgi/pgsql/src/backend/commands/analyze.c?r1=1.80.4.1&r2=1.80.4.2)
        schemacmds.c (r1.27.4.1 -> r1.27.4.2)
        (http://anoncvs.postgresql.org/cvsweb.cgi/pgsql/src/backend/commands/schemacmds.c?r1=1.27.4.1&r2=1.27.4.2)
        tablecmds.c (r1.142.4.10 -> r1.142.4.11)
        (http://anoncvs.postgresql.org/cvsweb.cgi/pgsql/src/backend/commands/tablecmds.c?r1=1.142.4.10&r2=1.142.4.11)
        vacuum.c (r1.299.4.5 -> r1.299.4.6)
        (http://anoncvs.postgresql.org/cvsweb.cgi/pgsql/src/backend/commands/vacuum.c?r1=1.299.4.5&r2=1.299.4.6)
    pgsql/src/backend/executor:
        execMain.c (r1.241.4.4 -> r1.241.4.5)
        (http://anoncvs.postgresql.org/cvsweb.cgi/pgsql/src/backend/executor/execMain.c?r1=1.241.4.4&r2=1.241.4.5)
    pgsql/src/backend/tcop:
        utility.c (r1.231.4.1 -> r1.231.4.2)
        (http://anoncvs.postgresql.org/cvsweb.cgi/pgsql/src/backend/tcop/utility.c?r1=1.231.4.1&r2=1.231.4.2)
    pgsql/src/backend/utils/adt:
        ri_triggers.c (r1.76.4.3 -> r1.76.4.4)
        (http://anoncvs.postgresql.org/cvsweb.cgi/pgsql/src/backend/utils/adt/ri_triggers.c?r1=1.76.4.3&r2=1.76.4.4)
    pgsql/src/backend/utils/fmgr:
        fmgr.c (r1.88.4.3 -> r1.88.4.4)
        (http://anoncvs.postgresql.org/cvsweb.cgi/pgsql/src/backend/utils/fmgr/fmgr.c?r1=1.88.4.3&r2=1.88.4.4)
    pgsql/src/backend/utils/init:
        miscinit.c (r1.137.4.2 -> r1.137.4.3)
        (http://anoncvs.postgresql.org/cvsweb.cgi/pgsql/src/backend/utils/init/miscinit.c?r1=1.137.4.2&r2=1.137.4.3)
    pgsql/src/backend/utils/misc:
        guc.c (r1.252.4.6 -> r1.252.4.7)
        (http://anoncvs.postgresql.org/cvsweb.cgi/pgsql/src/backend/utils/misc/guc.c?r1=1.252.4.6&r2=1.252.4.7)
    pgsql/src/include:
        miscadmin.h (r1.174.4.1 -> r1.174.4.2)
        (http://anoncvs.postgresql.org/cvsweb.cgi/pgsql/src/include/miscadmin.h?r1=1.174.4.1&r2=1.174.4.2)
    pgsql/src/include/utils:
        guc.h (r1.58.4.1 -> r1.58.4.2)
        (http://anoncvs.postgresql.org/cvsweb.cgi/pgsql/src/include/utils/guc.h?r1=1.58.4.1&r2=1.58.4.2)
        guc_tables.h (r1.19.4.2 -> r1.19.4.3)
        (http://anoncvs.postgresql.org/cvsweb.cgi/pgsql/src/include/utils/guc_tables.h?r1=1.19.4.2&r2=1.19.4.3)

В списке pgsql-committers по дате отправления:

Предыдущее
От: tgl@postgresql.org (Tom Lane)
Дата:
Сообщение: pgsql: Prevent indirect security attacks via changing session-local
Следующее
От: tgl@postgresql.org (Tom Lane)
Дата:
Сообщение: pgsql: Prevent indirect security attacks via changing session-local