diff options
| author | Noah Misch <noah@leadboat.com> | 2022-05-09 08:35:08 -0700 |
|---|---|---|
| committer | Noah Misch <noah@leadboat.com> | 2022-05-09 08:35:12 -0700 |
| commit | ab49ce7c3414ac19e4afb386d7843ce2d2fb8bda (patch) | |
| tree | 87f4681e87f0061a44b3db6f3bd6b7b80ecfc85f /src/backend/utils/adt/timestamp.c | |
| parent | e5b5a21356233739a552063fa70d4f5b245edb9a (diff) | |
| download | postgresql-ab49ce7c3414ac19e4afb386d7843ce2d2fb8bda.tar.gz postgresql-ab49ce7c3414ac19e4afb386d7843ce2d2fb8bda.zip | |
Make relation-enumerating operations be security-restricted operations.
When a feature enumerates relations and runs functions associated with
all found relations, the feature's user shall not need to trust every
user having permission to create objects. BRIN-specific functionality
in autovacuum neglected to account for this, as did pg_amcheck and
CLUSTER. An attacker having permission to create non-temp objects in at
least one schema could execute arbitrary SQL functions under the
identity of the bootstrap superuser. CREATE INDEX (not a
relation-enumerating operation) and REINDEX protected themselves too
late. This change extends to the non-enumerating amcheck interface.
Back-patch to v10 (all supported versions).
Sergey Shinderuk, reviewed (in earlier versions) by Alexander Lakhin.
Reported by Alexander Lakhin.
Security: CVE-2022-1552
Diffstat (limited to 'src/backend/utils/adt/timestamp.c')
0 files changed, 0 insertions, 0 deletions