!45 Fix CVE-2021-20229

From: @wang_yue111
Reviewed-by: @wangxiao65,@miao_kaibo
Signed-off-by: @miao_kaibo
openeuler-ci-bot 2021-03-01 17:31:43 +08:00 committed by Gitee
commit 1b9765d8a5
4 changed files with 196 additions and 46 deletions


@ -1,4 +1,4 @@
From 0c3185e963d9f9dd0608214f7d732b84aa0888fe Mon Sep 17 00:00:00 2001 From f97ecea1ed7b09c6f1398540a1d72a57eee70c9f Mon Sep 17 00:00:00 2001
From: Noah Misch <noah@leadboat.com> From: Noah Misch <noah@leadboat.com>
Date: Mon, 9 Nov 2020 07:32:09 -0800 Date: Mon, 9 Nov 2020 07:32:09 -0800
Subject: [PATCH] In security-restricted operations, block enqueue of at-commit Subject: [PATCH] In security-restricted operations, block enqueue of at-commit
@ -29,7 +29,7 @@ Security: CVE-2020-25695
6 files changed, 104 insertions(+), 6 deletions(-) 6 files changed, 104 insertions(+), 6 deletions(-)
diff --git a/contrib/postgres_fdw/connection.c b/contrib/postgres_fdw/connection.c diff --git a/contrib/postgres_fdw/connection.c b/contrib/postgres_fdw/connection.c
index be4ec07cf9..09ffb21d48 100644 index 885bd075798c..5dcff3d07624 100644
--- a/contrib/postgres_fdw/connection.c --- a/contrib/postgres_fdw/connection.c
+++ b/contrib/postgres_fdw/connection.c +++ b/contrib/postgres_fdw/connection.c
@@ -645,6 +645,10 @@ pgfdw_report_error(int elevel, PGresult *res, PGconn *conn, @@ -645,6 +645,10 @@ pgfdw_report_error(int elevel, PGresult *res, PGconn *conn,
@ -44,10 +44,10 @@ index be4ec07cf9..09ffb21d48 100644
static void static void
pgfdw_xact_callback(XactEvent event, void *arg) pgfdw_xact_callback(XactEvent event, void *arg)
diff --git a/src/backend/access/transam/xact.c b/src/backend/access/transam/xact.c diff --git a/src/backend/access/transam/xact.c b/src/backend/access/transam/xact.c
index 9004e38e6d..e2ca8a5d2e 100644 index 37f31a2c31ea..00cec50e8402 100644
--- a/src/backend/access/transam/xact.c --- a/src/backend/access/transam/xact.c
+++ b/src/backend/access/transam/xact.c +++ b/src/backend/access/transam/xact.c
@@ -1961,9 +1961,10 @@ CommitTransaction(void) @@ -1994,9 +1994,10 @@ CommitTransaction(void)
/* /*
* Do pre-commit processing that involves calling user-defined code, such * Do pre-commit processing that involves calling user-defined code, such
@ -61,7 +61,7 @@ index 9004e38e6d..e2ca8a5d2e 100644
*/ */
for (;;) for (;;)
{ {
@@ -1981,9 +1982,6 @@ CommitTransaction(void) @@ -2014,9 +2015,6 @@ CommitTransaction(void)
break; break;
} }
@ -71,7 +71,7 @@ index 9004e38e6d..e2ca8a5d2e 100644
/* /*
* The remaining actions cannot call any user-defined code, so it's safe * The remaining actions cannot call any user-defined code, so it's safe
* to start shutting down within-transaction services. But note that most * to start shutting down within-transaction services. But note that most
@@ -1991,6 +1989,9 @@ CommitTransaction(void) @@ -2024,6 +2022,9 @@ CommitTransaction(void)
* the transaction-abort path. * the transaction-abort path.
*/ */
@ -82,7 +82,7 @@ index 9004e38e6d..e2ca8a5d2e 100644
if (IsInParallelMode()) if (IsInParallelMode())
AtEOXact_Parallel(true); AtEOXact_Parallel(true);
diff --git a/src/backend/commands/portalcmds.c b/src/backend/commands/portalcmds.c diff --git a/src/backend/commands/portalcmds.c b/src/backend/commands/portalcmds.c
index 46369cf3db..3d01a782da 100644 index 46369cf3dbee..3d01a782da06 100644
--- a/src/backend/commands/portalcmds.c --- a/src/backend/commands/portalcmds.c
+++ b/src/backend/commands/portalcmds.c +++ b/src/backend/commands/portalcmds.c
@@ -27,6 +27,7 @@ @@ -27,6 +27,7 @@
@ -105,10 +105,10 @@ index 46369cf3db..3d01a782da 100644
/* /*
* Parse analysis was done already, but we still have to run the rule * Parse analysis was done already, but we still have to run the rule
diff --git a/src/backend/commands/trigger.c b/src/backend/commands/trigger.c diff --git a/src/backend/commands/trigger.c b/src/backend/commands/trigger.c
index 2886aebef4..896cb20051 100644 index f83840625348..9c04eee48422 100644
--- a/src/backend/commands/trigger.c --- a/src/backend/commands/trigger.c
+++ b/src/backend/commands/trigger.c +++ b/src/backend/commands/trigger.c
@@ -4142,6 +4142,7 @@ afterTriggerMarkEvents(AfterTriggerEventList *events, @@ -4144,6 +4144,7 @@ afterTriggerMarkEvents(AfterTriggerEventList *events,
bool immediate_only) bool immediate_only)
{ {
bool found = false; bool found = false;
@ -116,7 +116,7 @@ index 2886aebef4..896cb20051 100644
AfterTriggerEvent event; AfterTriggerEvent event;
AfterTriggerEventChunk *chunk; AfterTriggerEventChunk *chunk;
@@ -4177,6 +4178,7 @@ afterTriggerMarkEvents(AfterTriggerEventList *events, @@ -4179,6 +4180,7 @@ afterTriggerMarkEvents(AfterTriggerEventList *events,
*/ */
if (defer_it && move_list != NULL) if (defer_it && move_list != NULL)
{ {
@ -124,7 +124,7 @@ index 2886aebef4..896cb20051 100644
/* add it to move_list */ /* add it to move_list */
afterTriggerAddEvent(move_list, event, evtshared); afterTriggerAddEvent(move_list, event, evtshared);
/* mark original copy "done" so we don't do it again */ /* mark original copy "done" so we don't do it again */
@@ -4184,6 +4186,16 @@ afterTriggerMarkEvents(AfterTriggerEventList *events, @@ -4186,6 +4188,16 @@ afterTriggerMarkEvents(AfterTriggerEventList *events,
} }
} }
@ -142,10 +142,10 @@ index 2886aebef4..896cb20051 100644
} }
diff --git a/src/test/regress/expected/privileges.out b/src/test/regress/expected/privileges.out diff --git a/src/test/regress/expected/privileges.out b/src/test/regress/expected/privileges.out
index 65d950f15b..f7f9252a05 100644 index dacc98450514..26ee16a0c370 100644
--- a/src/test/regress/expected/privileges.out --- a/src/test/regress/expected/privileges.out
+++ b/src/test/regress/expected/privileges.out +++ b/src/test/regress/expected/privileges.out
@@ -1138,6 +1138,48 @@ SELECT has_table_privilege('regress_user1', 'atest4', 'SELECT WITH GRANT OPTION' @@ -1253,6 +1253,48 @@ SELECT has_table_privilege('regress_user1', 'atest4', 'SELECT WITH GRANT OPTION'
t t
(1 row) (1 row)
@ -154,7 +154,7 @@ index 65d950f15b..f7f9252a05 100644
+CREATE ROLE regress_sro_user; +CREATE ROLE regress_sro_user;
+SET SESSION AUTHORIZATION regress_sro_user; +SET SESSION AUTHORIZATION regress_sro_user;
+CREATE FUNCTION unwanted_grant() RETURNS void LANGUAGE sql AS +CREATE FUNCTION unwanted_grant() RETURNS void LANGUAGE sql AS
+ 'GRANT regress_priv_group2 TO regress_sro_user'; + 'GRANT regress_group2 TO regress_sro_user';
+CREATE FUNCTION mv_action() RETURNS bool LANGUAGE sql AS +CREATE FUNCTION mv_action() RETURNS bool LANGUAGE sql AS
+ 'DECLARE c CURSOR WITH HOLD FOR SELECT unwanted_grant(); SELECT true'; + 'DECLARE c CURSOR WITH HOLD FOR SELECT unwanted_grant(); SELECT true';
+-- REFRESH of this MV will queue a GRANT at end of transaction +-- REFRESH of this MV will queue a GRANT at end of transaction
@ -184,7 +184,7 @@ index 65d950f15b..f7f9252a05 100644
+ERROR: cannot fire deferred trigger within security-restricted operation +ERROR: cannot fire deferred trigger within security-restricted operation
+CONTEXT: SQL function "mv_action" statement 1 +CONTEXT: SQL function "mv_action" statement 1
+BEGIN; SET CONSTRAINTS ALL IMMEDIATE; REFRESH MATERIALIZED VIEW sro_mv; COMMIT; +BEGIN; SET CONSTRAINTS ALL IMMEDIATE; REFRESH MATERIALIZED VIEW sro_mv; COMMIT;
+ERROR: must have admin option on role "regress_priv_group2" +ERROR: must have admin option on role "regress_group2"
+CONTEXT: SQL function "unwanted_grant" statement 1 +CONTEXT: SQL function "unwanted_grant" statement 1
+SQL statement "SELECT unwanted_grant()" +SQL statement "SELECT unwanted_grant()"
+PL/pgSQL function sro_trojan() line 1 at PERFORM +PL/pgSQL function sro_trojan() line 1 at PERFORM
@ -195,10 +195,10 @@ index 65d950f15b..f7f9252a05 100644
SET SESSION AUTHORIZATION regress_user4; SET SESSION AUTHORIZATION regress_user4;
CREATE FUNCTION dogrant_ok() RETURNS void LANGUAGE sql SECURITY DEFINER AS CREATE FUNCTION dogrant_ok() RETURNS void LANGUAGE sql SECURITY DEFINER AS
diff --git a/src/test/regress/sql/privileges.sql b/src/test/regress/sql/privileges.sql diff --git a/src/test/regress/sql/privileges.sql b/src/test/regress/sql/privileges.sql
index 902f64c747..baa521bcaf 100644 index 4263315a2d87..f979cccea03f 100644
--- a/src/test/regress/sql/privileges.sql --- a/src/test/regress/sql/privileges.sql
+++ b/src/test/regress/sql/privileges.sql +++ b/src/test/regress/sql/privileges.sql
@@ -726,6 +726,40 @@ SELECT has_table_privilege('regress_user3', 'atest4', 'SELECT'); -- false @@ -761,6 +761,40 @@ SELECT has_table_privilege('regress_user3', 'atest4', 'SELECT'); -- false
SELECT has_table_privilege('regress_user1', 'atest4', 'SELECT WITH GRANT OPTION'); -- true SELECT has_table_privilege('regress_user1', 'atest4', 'SELECT WITH GRANT OPTION'); -- true
@ -208,7 +208,7 @@ index 902f64c747..baa521bcaf 100644
+ +
+SET SESSION AUTHORIZATION regress_sro_user; +SET SESSION AUTHORIZATION regress_sro_user;
+CREATE FUNCTION unwanted_grant() RETURNS void LANGUAGE sql AS +CREATE FUNCTION unwanted_grant() RETURNS void LANGUAGE sql AS
+ 'GRANT regress_priv_group2 TO regress_sro_user'; + 'GRANT regress_group2 TO regress_sro_user';
+CREATE FUNCTION mv_action() RETURNS bool LANGUAGE sql AS +CREATE FUNCTION mv_action() RETURNS bool LANGUAGE sql AS
+ 'DECLARE c CURSOR WITH HOLD FOR SELECT unwanted_grant(); SELECT true'; + 'DECLARE c CURSOR WITH HOLD FOR SELECT unwanted_grant(); SELECT true';
+-- REFRESH of this MV will queue a GRANT at end of transaction +-- REFRESH of this MV will queue a GRANT at end of transaction
@ -239,6 +239,3 @@ index 902f64c747..baa521bcaf 100644
-- Admin options -- Admin options
SET SESSION AUTHORIZATION regress_user4; SET SESSION AUTHORIZATION regress_user4;
--
2.23.0


@ -1,4 +1,4 @@
From 098fb00799ffb026ff12c64bd21635f963cfc609 Mon Sep 17 00:00:00 2001 From a498db87be103f93856dd515a574b2d67d3c1237 Mon Sep 17 00:00:00 2001
From: Noah Misch <noah@leadboat.com> From: Noah Misch <noah@leadboat.com>
Date: Mon, 9 Nov 2020 07:32:09 -0800 Date: Mon, 9 Nov 2020 07:32:09 -0800
Subject: [PATCH] Ignore attempts to \gset into specially treated variables. Subject: [PATCH] Ignore attempts to \gset into specially treated variables.
@ -24,17 +24,17 @@ Security: CVE-2020-25696
5 files changed, 41 insertions(+) 5 files changed, 41 insertions(+)
diff --git a/src/bin/psql/common.c b/src/bin/psql/common.c diff --git a/src/bin/psql/common.c b/src/bin/psql/common.c
index a41932ff27..f3d966d7cf 100644 index d04a7943d6a9..4e342c180a6c 100644
--- a/src/bin/psql/common.c --- a/src/bin/psql/common.c
+++ b/src/bin/psql/common.c +++ b/src/bin/psql/common.c
@@ -878,6 +878,13 @@ StoreQueryTuple(const PGresult *result) @@ -894,6 +894,13 @@ StoreQueryTuple(const PGresult *result)
/* concatenate prefix and column name */ /* concatenate prefix and column name */
varname = psprintf("%s%s", pset.gset_prefix, colname); varname = psprintf("%s%s", pset.gset_prefix, colname);
+ if (VariableHasHook(pset.vars, varname)) + if (VariableHasHook(pset.vars, varname))
+ { + {
+ pg_log_warning("attempt to \\gset into specially treated variable \"%s\" ignored", + psql_error("attempt to \\gset into specially treated variable \"%s\" ignored\n",
+ varname); + varname);
+ continue; + continue;
+ } + }
+ +
@ -42,7 +42,7 @@ index a41932ff27..f3d966d7cf 100644
value = PQgetvalue(result, 0, i); value = PQgetvalue(result, 0, i);
else else
diff --git a/src/bin/psql/variables.c b/src/bin/psql/variables.c diff --git a/src/bin/psql/variables.c b/src/bin/psql/variables.c
index 120b25c696..0d28ba9c92 100644 index 120b25c69661..0d28ba9c92bb 100644
--- a/src/bin/psql/variables.c --- a/src/bin/psql/variables.c
+++ b/src/bin/psql/variables.c +++ b/src/bin/psql/variables.c
@@ -360,6 +360,32 @@ SetVariableHooks(VariableSpace space, const char *name, @@ -360,6 +360,32 @@ SetVariableHooks(VariableSpace space, const char *name,
@ -79,7 +79,7 @@ index 120b25c696..0d28ba9c92 100644
* Convenience function to set a variable's value to "on". * Convenience function to set a variable's value to "on".
*/ */
diff --git a/src/bin/psql/variables.h b/src/bin/psql/variables.h diff --git a/src/bin/psql/variables.h b/src/bin/psql/variables.h
index 02d85b1bc2..8dc5c20ee8 100644 index 02d85b1bc2e4..8dc5c20ee8fc 100644
--- a/src/bin/psql/variables.h --- a/src/bin/psql/variables.h
+++ b/src/bin/psql/variables.h +++ b/src/bin/psql/variables.h
@@ -90,6 +90,7 @@ bool DeleteVariable(VariableSpace space, const char *name); @@ -90,6 +90,7 @@ bool DeleteVariable(VariableSpace space, const char *name);
@ -91,7 +91,7 @@ index 02d85b1bc2..8dc5c20ee8 100644
void PsqlVarEnumError(const char *name, const char *value, const char *suggestions); void PsqlVarEnumError(const char *name, const char *value, const char *suggestions);
diff --git a/src/test/regress/expected/psql.out b/src/test/regress/expected/psql.out diff --git a/src/test/regress/expected/psql.out b/src/test/regress/expected/psql.out
index 0c94144575..1ae81912c7 100644 index 0c94144575af..1ae81912c734 100644
--- a/src/test/regress/expected/psql.out --- a/src/test/regress/expected/psql.out
+++ b/src/test/regress/expected/psql.out +++ b/src/test/regress/expected/psql.out
@@ -84,6 +84,10 @@ select 10 as test01, 20 as test02, 'Hello' as test03 \gset pref01_ @@ -84,6 +84,10 @@ select 10 as test01, 20 as test02, 'Hello' as test03 \gset pref01_
@ -106,7 +106,7 @@ index 0c94144575..1ae81912c7 100644
select 1 as x, 2 as y \gset pref01_ \\ \echo :pref01_x select 1 as x, 2 as y \gset pref01_ \\ \echo :pref01_x
1 1
diff --git a/src/test/regress/sql/psql.sql b/src/test/regress/sql/psql.sql diff --git a/src/test/regress/sql/psql.sql b/src/test/regress/sql/psql.sql
index 4a676c3119..7f8ab2e5c2 100644 index 4a676c311955..7f8ab2e5c218 100644
--- a/src/test/regress/sql/psql.sql --- a/src/test/regress/sql/psql.sql
+++ b/src/test/regress/sql/psql.sql +++ b/src/test/regress/sql/psql.sql
@@ -48,6 +48,9 @@ select 10 as test01, 20 as test02, 'Hello' as test03 \gset pref01_ @@ -48,6 +48,9 @@ select 10 as test01, 20 as test02, 'Hello' as test03 \gset pref01_
@ -119,6 +119,3 @@ index 4a676c3119..7f8ab2e5c2 100644
-- multiple backslash commands in one line -- multiple backslash commands in one line
select 1 as x, 2 as y \gset pref01_ \\ \echo :pref01_x select 1 as x, 2 as y \gset pref01_ \\ \echo :pref01_x
select 3 as x, 4 as y \gset pref01_ \echo :pref01_x \echo :pref01_y select 3 as x, 4 as y \gset pref01_ \echo :pref01_x \echo :pref01_y
--
2.23.0

163
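--- a/CVE-2021-20229.patch
+++ b/CVE-2021-20229.patch
@@ -0,0 +1,163 @@
+From eeede2470a8ec902c80de449d2c4822330c689ca Mon Sep 17 00:00:00 2001
+From: wang_yue111 <648774160@qq.com>
+Date: Fri, 26 Feb 2021 12:57:48 +0800
+Subject: [PATCH] Fix mishandling of column-level SELECT privileges for join
+aliases.
+scanNSItemForColumn, expandNSItemAttrs, and ExpandSingleTable would
+pass the wrong RTE to markVarForSelectPriv when dealing with a join
+ParseNamespaceItem: they'd pass the join RTE, when what we need to
+mark is the base table that the join column came from. The end
+result was to not fill the base table's selectedCols bitmap correctly,
+resulting in an understatement of the set of columns that are read
+by the query. The executor would still insist on there being at
+least one selectable column; but with a correctly crafted query,
+a user having SELECT privilege on just one column of a table would
+nonetheless be allowed to read all its columns.
+To fix, make markRTEForSelectPriv fetch the correct RTE for itself,
+ignoring the possibly-mismatched RTE passed by the caller. Later,
+we'll get rid of some now-unused RTE arguments, but that risks
+API breaks so we won't do it in released branches.
+This problem was introduced by commit 9ce77d75c, so back-patch
+to v13 where that came in. Thanks to Sven Klemm for reporting
+the problem.
+Security: CVE-2021-20229
+---
+src/backend/parser/parse_relation.c | 40 ++++++++++-----------
+src/backend/parser/parse_target.c | 8 +++--
+4 files changed, 91 insertions(+), 22 deletions(-)
+diff --git a/src/backend/parser/parse_relation.c b/src/backend/parser/parse_relation.c
+index bbbb0b6..7ab4ba7 100644
+--- a/src/backend/parser/parse_relation.c
++++ b/src/backend/parser/parse_relation.c
+@@ -43,7 +43,8 @@ static RangeTblEntry *scanNameSpaceForRelid(ParseState *pstate, Oid relid,
+int location);
+static void check_lateral_ref_ok(ParseState *pstate, ParseNamespaceItem *nsitem,
+int location);
+-static void markRTEForSelectPriv(ParseState *pstate, RangeTblEntry *rte,
++static void markRTEForSelectPriv(ParseState *pstate,
++
+int rtindex, AttrNumber col);
+static void expandRelation(Oid relid, Alias *eref,
+int rtindex, int sublevels_up,
+@@ -897,20 +898,15 @@ searchRangeTableForCol(ParseState *pstate, const char *alias, char *colname,
+/*
+* markRTEForSelectPriv
+- * Mark the specified column of an RTE as requiring SELECT privilege
++ * Mark the specified column of the RTE with index rtindex
++ * as requiring SELECT privilege
+*
+* col == InvalidAttrNumber means a "whole row" reference
+- *
+- * The caller should pass the actual RTE if it has it handy; otherwise pass
+- * NULL, and we'll look it up here. (This uglification of the API is
+- * worthwhile because nearly all external callers have the RTE at hand.)
+*/
+static void
+-markRTEForSelectPriv(ParseState *pstate, RangeTblEntry *rte,
+- int rtindex, AttrNumber col)
++markRTEForSelectPriv(ParseState *pstate, int rtindex, AttrNumber col)
+{
+- if (rte == NULL)
+- rte = rt_fetch(rtindex, pstate->p_rtable);
++ RangeTblEntry *rte = rt_fetch(rtindex, pstate->p_rtable);
+if (rte->rtekind == RTE_RELATION)
+{
+@@ -942,13 +938,13 @@ markRTEForSelectPriv(ParseState *pstate, RangeTblEntry *rte,
+{
+int varno = ((RangeTblRef *) j->larg)->rtindex;
+- markRTEForSelectPriv(pstate, NULL, varno, InvalidAttrNumber);
++ markRTEForSelectPriv(pstate, varno, InvalidAttrNumber);
+}
+else if (IsA(j->larg, JoinExpr))
+{
+int varno = ((JoinExpr *) j->larg)->rtindex;
+- markRTEForSelectPriv(pstate, NULL, varno, InvalidAttrNumber);
++ markRTEForSelectPriv(pstate, varno, InvalidAttrNumber);
+}
+else
+elog(ERROR, "unrecognized node type: %d",
+@@ -957,13 +953,13 @@ markRTEForSelectPriv(ParseState *pstate, RangeTblEntry *rte,
+{
+int varno = ((RangeTblRef *) j->rarg)->rtindex;
+- markRTEForSelectPriv(pstate, NULL, varno, InvalidAttrNumber);
++ markRTEForSelectPriv(pstate, varno, InvalidAttrNumber);
+}
+else if (IsA(j->rarg, JoinExpr))
+{
+int varno = ((JoinExpr *) j->rarg)->rtindex;
+- markRTEForSelectPriv(pstate, NULL, varno, InvalidAttrNumber);
++ markRTEForSelectPriv(pstate, varno, InvalidAttrNumber);
+}
+else
+elog(ERROR, "unrecognized node type: %d",
+@@ -994,10 +990,10 @@ markRTEForSelectPriv(ParseState *pstate, RangeTblEntry *rte,
+/*
+* markVarForSelectPriv
+- * Mark the RTE referenced by a Var as requiring SELECT privilege
++ * Mark the RTE referenced by the Var as requiring SELECT privilege
++ * for the Var's column (the Var could be a whole-row Var, too)
+*
+- * The caller should pass the Var's referenced RTE if it has it handy
+- * (nearly all do); otherwise pass NULL.
++ * The rte argument is unused and will be removed later.
+*/
+void
+markVarForSelectPriv(ParseState *pstate, Var *var, RangeTblEntry *rte)
+@@ -1008,7 +1004,7 @@ markVarForSelectPriv(ParseState *pstate, Var *var, RangeTblEntry *rte)
+/* Find the appropriate pstate if it's an uplevel Var */
+for (lv = 0; lv < var->varlevelsup; lv++)
+pstate = pstate->parentParseState;
+- markRTEForSelectPriv(pstate, rte, var->varno, var->varattno);
++ markRTEForSelectPriv(pstate, var->varno, var->varattno);
+}
+/*
+@@ -2629,9 +2625,13 @@ expandRelAttrs(ParseState *pstate, RangeTblEntry *rte,
+/*
+* Require read access to the table. This is normally redundant with the
+* markVarForSelectPriv calls below, but not if the table has zero
+- * columns.
++ * columns. We need not do anything if the nsitem is for a join: its
++ * component tables will have been marked ACL_SELECT when they were added
++ * to the rangetable. (This step changes things only for the target
++ * relation of UPDATE/DELETE, which cannot be under a join.)
+*/
+- rte->requiredPerms |= ACL_SELECT;
++ if (rte->rtekind == RTE_RELATION)
++ rte->requiredPerms |= ACL_SELECT;
+forboth(name, names, var, vars)
+{
+diff --git a/src/backend/parser/parse_target.c b/src/backend/parser/parse_target.c
+index 64a1b75..c7165cb 100644
+--- a/src/backend/parser/parse_target.c
++++ b/src/backend/parser/parse_target.c
+@@ -1328,9 +1328,13 @@ ExpandSingleTable(ParseState *pstate, RangeTblEntry *rte,
+/*
+* Require read access to the table. This is normally redundant with
+* the markVarForSelectPriv calls below, but not if the table has zero
+- * columns.
++ * columns. We need not do anything if the nsitem is for a join: its
++ * component tables will have been marked ACL_SELECT when they were
++ * added to the rangetable. (This step changes things only for the
++ * target relation of UPDATE/DELETE, which cannot be under a join.)
+*/
+- rte->requiredPerms |= ACL_SELECT;
++ if (rte->rtekind == RTE_RELATION)
++ rte->requiredPerms |= ACL_SELECT;
+/* Require read access to each column */
+foreach(l, vars)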
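Review bot: The patch header does not match the code it patches: the message says the bug was introduced by commit 9ce77d75c and is back-patched to v13, and it names scanNSItemForColumn, expandNSItemAttrs and ParseNamespaceItem, while the hunks touch expandRelAttrs and ExpandSingleTable taking a RangeTblEntry and the spec builds 10.5. Please state in the header whether 10.5 is affected at all and what was adapted, e.g. `Backport note: adapted for 10.5; upstream fix targets v13 only`, because the new `if (rte->rtekind == RTE_RELATION)` guard in front of `rte->requiredPerms |= ACL_SELECT;` changes permission marking in both functions regardless. The diffstat still reads `4 files changed, 91 insertions(+), 22 deletions(-)` although only two files are present, so the regression tests appear to have been dropped and nothing in the package exercises the column-privilege check. The stray empty `+` line that splits the markRTEForSelectPriv prototype can be removed as well.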


@ -4,7 +4,7 @@
Name: postgresql Name: postgresql
Version: 10.5 Version: 10.5
Release: 18 Release: 19
Summary: PostgreSQL client programs Summary: PostgreSQL client programs
License: PostgreSQL License: PostgreSQL
URL: http://www.postgresql.org/ URL: http://www.postgresql.org/
@ -42,6 +42,7 @@ Patch16: CVE-2020-25694-2.patch
Patch17: CVE-2020-25694-3.patch Patch17: CVE-2020-25694-3.patch
Patch18: CVE-2020-25695.patch Patch18: CVE-2020-25695.patch
Patch19: CVE-2020-25696.patch Patch19: CVE-2020-25696.patch
Patch20: CVE-2021-20229.patch
BuildRequires: gcc perl(ExtUtils::MakeMaker) glibc-devel bison flex gawk perl(ExtUtils::Embed) BuildRequires: gcc perl(ExtUtils::MakeMaker) glibc-devel bison flex gawk perl(ExtUtils::Embed)
BuildRequires: perl-devel perl-generators readline-devel zlib-devel systemd systemd-devel BuildRequires: perl-devel perl-generators readline-devel zlib-devel systemd systemd-devel
@ -167,18 +168,7 @@ that want to run build-time testsuite against running PostgreSQL server.
cd "$(dirname "%{SOURCE0}")" cd "$(dirname "%{SOURCE0}")"
sha256sum -c %{SOURCE3} sha256sum -c %{SOURCE3}
) )
%setup -q %autosetup -n %{name}-%{version} -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%build %build
if [ x"`id -u`" = x0 ]; then if [ x"`id -u`" = x0 ]; then
@ -443,6 +433,9 @@ find_lang_bins pltcl.lst pltcl
%attr(-,postgres,postgres) %{_libdir}/pgsql/test %attr(-,postgres,postgres) %{_libdir}/pgsql/test
%changelog %changelog
* Fri Feb 26 2021 wangyue <wangyue92@huawei.com> - 10.5-19
- Fix CVE-2021-20229
* Tue Dec 8 2020 wangxiao <wangxiao65@huawei.com> - 10.5-18 * Tue Dec 8 2020 wangxiao <wangxiao65@huawei.com> - 10.5-18
- Fix CVE-2020-25694 CVE-2020-25695 CVE-2020-25696 - Fix CVE-2020-25694 CVE-2020-25695 CVE-2020-25696
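Review bot: Switching %prep from `%setup -q` plus `%patch1` … `%patch11` to `%autosetup -n %{name}-%{version} -p1` changes more than the new Patch20, and the changelog does not say so. As far as the removed lines show, only patches 1–11 were applied before, so Patch16–Patch19 (the CVE-2020-25694/25695/25696 fixes) appear to be applied for the first time in release 19, which would also explain why CVE-2020-25695.patch and CVE-2020-25696.patch are rebased in this commit. If a 10.5-18 build log confirms that, the entry should record it, e.g. `- Apply all declared patches via %autosetup; CVE-2020-25694/25695/25696 fixes were not applied in 10.5-18`, so that users of release 18 know they still need this update. It is also worth checking that every patch between 11 and 16, which lies outside the visible lines, applies cleanly with `-p1`.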