!26 fix CVE-2020-14349 CVE-2020-14350

From: @markeryang Reviewed-by: @miao_kaibo Signed-off-by: @miao_kaibo
2020-09-11 10:47:47 +08:00 · 2020-09-11 10:47:47 +08:00 · 103843950c
commit 103843950c
parent 2211816c39 ac34a3d60b
12 changed files with 1376 additions and 19 deletions
--- a/0001-postgresql-var-run-socket.patch
+++ b/0001-postgresql-var-run-socket.patch
--- a/0002-rpm-pgsql.patch
+++ b/0002-rpm-pgsql.patch
--- a/0003-CVE-2019-10164-1.patch
+++ b/0003-CVE-2019-10164-1.patch
--- a/0004-CVE-2019-10164-2.patch
+++ b/0004-CVE-2019-10164-2.patch
--- a/0005-CVE-2019-10208.patch
+++ b/0005-CVE-2019-10208.patch
--- a/0006-CVE-2018-16850.patch
+++ b/0006-CVE-2018-16850.patch
--- a/0007-CVE-2019-10130.patch
+++ b/0007-CVE-2019-10130.patch
--- a/0008-CVE-2020-1720.patch
+++ b/0008-CVE-2020-1720.patch
--- a/0009-CVE-2020-14349-1.patch
+++ b/0009-CVE-2020-14349-1.patch
@ -0,0 +1,96 @@
+From 11da97024abbe76b8c81e3f2375b2a62e9717c67 Mon Sep 17 00:00:00 2001
+From: Noah Misch <noah@leadboat.com>
+Date: Mon, 10 Aug 2020 09:22:54 -0700
+Subject: [PATCH] Empty search_path in logical replication apply worker and
+ walsender.
+
+This is like CVE-2018-1058 commit
+582edc369cdbd348d68441fc50fa26a84afd0c1a.  Today, a malicious user of a
+publisher or subscriber database can invoke arbitrary SQL functions
+under an identity running replication, often a superuser.  This fix may
+cause "does not exist" or "no schema has been selected to create in"
+errors in a replication process.  After upgrading, consider watching
+server logs for these errors.  Objects accruing schema qualification in
+the wake of the earlier commit are unlikely to need further correction.
+Back-patch to v10, which introduced logical replication.
+
+Security: CVE-2020-14349
+reason: fix CVE-2020-14349
+https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=11da97024abbe76b8c81e3f2375b2a62e9717c67
+
+Signed-off-by: Noah Misch <noah@leadboat.com>
+---
+ .../libpqwalreceiver/libpqwalreceiver.c         | 17 +++++++++++++++++
+ src/backend/replication/logical/worker.c        |  6 ++++++
+ src/test/subscription/t/001_rep_changes.pl      |  4 ++++
+ 3 files changed, 27 insertions(+)
+
+diff --git a/src/backend/replication/libpqwalreceiver/libpqwalreceiver.c b/src/backend/replication/libpqwalreceiver/libpqwalreceiver.c
+index 37b481c..564e6d3 100644
+--- a/src/backend/replication/libpqwalreceiver/libpqwalreceiver.c
+++ b/src/backend/replication/libpqwalreceiver/libpqwalreceiver.c
+@@ -23,6 +23,7 @@
+ #include "pqexpbuffer.h"
+ #include "access/xlog.h"
+ #include "catalog/pg_type.h"
+#include "fe_utils/connect.h"
+ #include "funcapi.h"
+ #include "mb/pg_wchar.h"
+ #include "miscadmin.h"
+@@ -210,6 +211,22 @@ libpqrcv_connect(const char *conninfo, bool logical, const char *appname,
+ 		return NULL;
+ 	}
+ 
+	if (logical)
+	{
+		PGresult   *res;
+
+		res = libpqrcv_PQexec(conn->streamConn,
+							  ALWAYS_SECURE_SEARCH_PATH_SQL);
+		if (PQresultStatus(res) != PGRES_TUPLES_OK)
+		{
+			PQclear(res);
+			ereport(ERROR,
+					(errmsg("could not clear search path: %s",
+							pchomp(PQerrorMessage(conn->streamConn)))));
+		}
+		PQclear(res);
+	}
+
+ 	conn->logical = logical;
+ 
+ 	return conn;
+diff --git a/src/backend/replication/logical/worker.c b/src/backend/replication/logical/worker.c
+index bd60094..07b765a 100644
+--- a/src/backend/replication/logical/worker.c
+++ b/src/backend/replication/logical/worker.c
+@@ -1548,6 +1548,12 @@ ApplyWorkerMain(Datum main_arg)
+ 	BackgroundWorkerInitializeConnectionByOid(MyLogicalRepWorker->dbid,
+ 											  MyLogicalRepWorker->userid);
+ 
+	/*
+ 	 * Set always-secure search path, so malicious users can't redirect user
+ 	 * code (e.g. pg_index.indexprs).
+ 	 */
+	SetConfigOption("search_path", "", PGC_SUSET, PGC_S_OVERRIDE);
+
+ 	/* Load the subscription into persistent memory context. */
+ 	ApplyContext = AllocSetContextCreate(TopMemoryContext,
+ 										 "ApplyContext",
+diff --git a/src/test/subscription/t/001_rep_changes.pl b/src/test/subscription/t/001_rep_changes.pl
+index 0136c79..cda275b 100644
+--- a/src/test/subscription/t/001_rep_changes.pl
+++ b/src/test/subscription/t/001_rep_changes.pl
+@@ -16,6 +16,10 @@ $node_subscriber->init(allows_streaming => 'logical');
+ $node_subscriber->start;
+ 
+ # Create some preexisting content on publisher
+$node_publisher->safe_psql(
+	'postgres',
+	"CREATE FUNCTION public.pg_get_replica_identity_index(int)
+	 RETURNS regclass LANGUAGE sql AS 'SELECT 1/0'");    # shall not call
+ $node_publisher->safe_psql('postgres',
+ 	"CREATE TABLE tab_notrep AS SELECT generate_series(1,10) AS a");
+ $node_publisher->safe_psql('postgres',
+-- 
+2.23.0
--- a/0010-CVE-2020-14349-2.patch
+++ b/0010-CVE-2020-14349-2.patch
@ -0,0 +1,54 @@
+From cec57b1a0fbcd3833086ba686897c5883e0a2afc Mon Sep 17 00:00:00 2001
+From: Noah Misch <noah@leadboat.com>
+Date: Mon, 10 Aug 2020 09:22:54 -0700
+Subject: [PATCH] Document clashes between logical replication and untrusted
+users.
+
+Back-patch to v10, which introduced logical replication.
+
+Security: CVE-2020-14349
+reason: fix CVE-2020-14349
+https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=cec57b1a0fbcd3833086ba686897c5883e0a2afc
+
+Signed-off-by: Noah Misch <noah@leadboat.com>
+---
+ doc/src/sgml/logical-replication.sgml | 22 +++++++++++++++++++---
+ 1 file changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/doc/src/sgml/logical-replication.sgml b/doc/src/sgml/logical-replication.sgml
+index 41770a4..f5086b2 100644
+--- a/doc/src/sgml/logical-replication.sgml
+++ b/doc/src/sgml/logical-replication.sgml
+@@ -490,11 +490,27 @@
+  <sect1 id="logical-replication-security">
+   <title>Security</title>
+ 
+  <para>
+   A user able to modify the schema of subscriber-side tables can execute
+   arbitrary code as a superuser.  Limit ownership
+   and <literal>TRIGGER</literal> privilege on such tables to roles that
+   superusers trust.  Moreover, if untrusted users can create tables, use only
+   publications that list tables explicitly.  That is to say, create a
+   subscription <literal>FOR ALL TABLES</literal> only when superusers trust
+   every user permitted to create a non-temp table on the publisher or the
+   subscriber.
+  </para>
+
+   <para>
+    The role used for the replication connection must have
+-   the <literal>REPLICATION</literal> attribute (or be a superuser).  Access for the role must be
+-   configured in <filename>pg_hba.conf</filename> and it must have the
+-   <literal>LOGIN</literal> attribute.
+   the <literal>REPLICATION</literal> attribute (or be a superuser).  If the
+   role lacks <literal>SUPERUSER</literal> and <literal>BYPASSRLS</literal>,
+   publisher row security policies can execute.  If the role does not trust
+   all table owners, include <literal>options=-crow_security=off</literal> in
+   the connection string; if a table owner then adds a row security policy,
+   that setting will cause replication to halt rather than execute the policy.
+   Access for the role must be configured in <filename>pg_hba.conf</filename>
+   and it must have the <literal>LOGIN</literal> attribute.
+   </para>
+ 
+   <para>
+-- 
+2.23.0
--- a/0011-CVE-2020-14350.patch
+++ b/0011-CVE-2020-14350.patch
--- a/postgresql.spec
+++ b/postgresql.spec
@ -4,7 +4,7 @@

 Name:          postgresql
 Version:       10.5
-Release:       16
+Release:       17
 Summary:       PostgreSQL client programs
 License:       PostgreSQL
 URL:           http://www.postgresql.org/
@ -23,19 +23,21 @@ Source11:      macros.postgresql
 Source12:      macros.postgresql-test
 Source13:      postgresql_pkg_tests.sh

-Patch0000:     0000-postgresql-var-run-socket.patch
-Patch0001:     0000-rpm-pgsql.patch
-
-Patch6000:     6000-CVE-2019-10164-1.patch
-Patch6001:     6001-CVE-2019-10164-2.patch
-Patch6002:     CVE-2019-10208.patch
-Patch6003:     CVE-2018-16850.patch
-Patch6004:     CVE-2019-10130.patch
-Patch6005:     CVE-2020-1720.patch
+Patch1:     0001-postgresql-var-run-socket.patch
+Patch2:     0002-rpm-pgsql.patch
+Patch3:     0003-CVE-2019-10164-1.patch
+Patch4:     0004-CVE-2019-10164-2.patch
+Patch5:     0005-CVE-2019-10208.patch
+Patch6:     0006-CVE-2018-16850.patch
+Patch7:     0007-CVE-2019-10130.patch
+Patch8:     0008-CVE-2020-1720.patch
+Patch9:     0009-CVE-2020-14349-1.patch
+Patch10:    0010-CVE-2020-14349-2.patch
+Patch11:    0011-CVE-2020-14350.patch

 BuildRequires: gcc perl(ExtUtils::MakeMaker) glibc-devel bison flex gawk perl(ExtUtils::Embed)
 BuildRequires: perl-devel perl-generators readline-devel zlib-devel systemd systemd-devel
-BuildRequires: util-linux m4 elinks docbook-utils help2man
+BuildRequires: util-linux m4 elinks docbook-utils help2man docbook-style-xsl
 BuildRequires: python3 python3-devel tcl-devel openssl-devel krb5-devel openldap-devel gettext >= 0.10.35
 BuildRequires: uuid-devel libxml2-devel libxslt-devel pam-devel systemtap-sdt-devel libselinux-devel
 Requires:      %{name}-libs = %{version}-%{release}
@ -158,14 +160,17 @@ that want to run build-time testsuite against running PostgreSQL server.
  sha256sum -c %{SOURCE3}
 )
 %setup -q
-%patch0000 -p1
-%patch0001 -p1
-%patch6000 -p1
-%patch6001 -p1
-%patch6002 -p1
-%patch6003 -p1
-%patch6004 -p1
-%patch6005 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1

 %build
 if [ x"`id -u`" = x0 ]; then
@ -430,6 +435,9 @@ find_lang_bins pltcl.lst pltcl
 %attr(-,postgres,postgres) %{_libdir}/pgsql/test

 %changelog
+* Web Sep 9 2020 yanglongkang<yanglongkang@huawei.com> - 10.5-17
+- Fix CVE-2020-14349 CVE-2020-14350
+
 * Fri Jun 19 2020 cuibaobao <cuibaobao1@huawei.com> - 10.5-16
 - Type: enhancement
 - DESC: delete all about residual parse_upgrade_setup in postgresql-setup