Replace last PushOverrideSearchPath() call with set_config_option().
The two methods don't cooperate, so set_config_option("search_path",
...) has been ineffective under non-empty overrideStack. This defect
enabled an attacker having database-level CREATE privilege to execute
arbitrary code as the bootstrap superuser. While that particular attack
requires v13+ for the trusted extension attribute, other attacks are
feasible in all supported versions.
Standardize on the combination of NewGUCNestLevel() and
set_config_option("search_path", ...). It is newer than
PushOverrideSearchPath(), more-prevalent, and has no known
disadvantages. The "override" mechanism remains for now, for
compatibility with out-of-tree code. Users should update such code,
which likely suffers from the same sort of vulnerability closed here.
Back-patch to v11 (all supported versions).
Alexander Lakhin. Reported by Alexander Lakhin.
Security: CVE-2023-2454
Branch
------
REL_11_STABLE
Details
-------
https://git.postgresql.org/pg/commitdiff/23cb8eaeb97df350273cb8902e55842a955339c8
Modified Files
--------------
src/backend/catalog/namespace.c | 4 +++
src/backend/commands/schemacmds.c | 37 +++++++++++++++++++--------
src/test/regress/expected/namespace.out | 45 +++++++++++++++++++++++++++++++++
src/test/regress/sql/namespace.sql | 24 ++++++++++++++++++
4 files changed, 100 insertions(+), 10 deletions(-)