l
This commit is contained in:
s17723959267
parent
2211816c39
commit
35c3fe921c
96
0009-CVE-2020-14349-1.patch
Normal file
96
0009-CVE-2020-14349-1.patch
Normal file
@ -0,0 +1,96 @@
|
|||||||
|
From 11da97024abbe76b8c81e3f2375b2a62e9717c67 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Noah Misch <noah@leadboat.com>
|
||||||
|
Date: Mon, 10 Aug 2020 09:22:54 -0700
|
||||||
|
Subject: [PATCH] Empty search_path in logical replication apply worker and
|
||||||
|
walsender.
|
||||||
|
|
||||||
|
This is like CVE-2018-1058 commit
|
||||||
|
582edc369cdbd348d68441fc50fa26a84afd0c1a. Today, a malicious user of a
|
||||||
|
publisher or subscriber database can invoke arbitrary SQL functions
|
||||||
|
under an identity running replication, often a superuser. This fix may
|
||||||
|
cause "does not exist" or "no schema has been selected to create in"
|
||||||
|
errors in a replication process. After upgrading, consider watching
|
||||||
|
server logs for these errors. Objects accruing schema qualification in
|
||||||
|
the wake of the earlier commit are unlikely to need further correction.
|
||||||
|
Back-patch to v10, which introduced logical replication.
|
||||||
|
|
||||||
|
Security: CVE-2020-14349
|
||||||
|
reason: fix CVE-2020-14349
|
||||||
|
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=11da97024abbe76b8c81e3f2375b2a62e9717c67
|
||||||
|
|
||||||
|
Signed-off-by: Noah Misch <noah@leadboat.com>
|
||||||
|
---
|
||||||
|
.../libpqwalreceiver/libpqwalreceiver.c | 17 +++++++++++++++++
|
||||||
|
src/backend/replication/logical/worker.c | 6 ++++++
|
||||||
|
src/test/subscription/t/001_rep_changes.pl | 4 ++++
|
||||||
|
3 files changed, 27 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/backend/replication/libpqwalreceiver/libpqwalreceiver.c b/src/backend/replication/libpqwalreceiver/libpqwalreceiver.c
|
||||||
|
index 37b481c..564e6d3 100644
|
||||||
|
--- a/src/backend/replication/libpqwalreceiver/libpqwalreceiver.c
|
||||||
|
+++ b/src/backend/replication/libpqwalreceiver/libpqwalreceiver.c
|
||||||
|
@@ -23,6 +23,7 @@
|
||||||
|
#include "pqexpbuffer.h"
|
||||||
|
#include "access/xlog.h"
|
||||||
|
#include "catalog/pg_type.h"
|
||||||
|
+#include "fe_utils/connect.h"
|
||||||
|
#include "funcapi.h"
|
||||||
|
#include "mb/pg_wchar.h"
|
||||||
|
#include "miscadmin.h"
|
||||||
|
@@ -210,6 +211,22 @@ libpqrcv_connect(const char *conninfo, bool logical, const char *appname,
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (logical)
|
||||||
|
+ {
|
||||||
|
+ PGresult *res;
|
||||||
|
+
|
||||||
|
+ res = libpqrcv_PQexec(conn->streamConn,
|
||||||
|
+ ALWAYS_SECURE_SEARCH_PATH_SQL);
|
||||||
|
+ if (PQresultStatus(res) != PGRES_TUPLES_OK)
|
||||||
|
+ {
|
||||||
|
+ PQclear(res);
|
||||||
|
+ ereport(ERROR,
|
||||||
|
+ (errmsg("could not clear search path: %s",
|
||||||
|
+ pchomp(PQerrorMessage(conn->streamConn)))));
|
||||||
|
+ }
|
||||||
|
+ PQclear(res);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
conn->logical = logical;
|
||||||
|
|
||||||
|
return conn;
|
||||||
|
diff --git a/src/backend/replication/logical/worker.c b/src/backend/replication/logical/worker.c
|
||||||
|
index bd60094..07b765a 100644
|
||||||
|
--- a/src/backend/replication/logical/worker.c
|
||||||
|
+++ b/src/backend/replication/logical/worker.c
|
||||||
|
@@ -1548,6 +1548,12 @@ ApplyWorkerMain(Datum main_arg)
|
||||||
|
BackgroundWorkerInitializeConnectionByOid(MyLogicalRepWorker->dbid,
|
||||||
|
MyLogicalRepWorker->userid);
|
||||||
|
|
||||||
|
+ /*
|
||||||
|
+ * Set always-secure search path, so malicious users can't redirect user
|
||||||
|
+ * code (e.g. pg_index.indexprs).
|
||||||
|
+ */
|
||||||
|
+ SetConfigOption("search_path", "", PGC_SUSET, PGC_S_OVERRIDE);
|
||||||
|
+
|
||||||
|
/* Load the subscription into persistent memory context. */
|
||||||
|
ApplyContext = AllocSetContextCreate(TopMemoryContext,
|
||||||
|
"ApplyContext",
|
||||||
|
diff --git a/src/test/subscription/t/001_rep_changes.pl b/src/test/subscription/t/001_rep_changes.pl
|
||||||
|
index 0136c79..cda275b 100644
|
||||||
|
--- a/src/test/subscription/t/001_rep_changes.pl
|
||||||
|
+++ b/src/test/subscription/t/001_rep_changes.pl
|
||||||
|
@@ -16,6 +16,10 @@ $node_subscriber->init(allows_streaming => 'logical');
|
||||||
|
$node_subscriber->start;
|
||||||
|
|
||||||
|
# Create some preexisting content on publisher
|
||||||
|
+$node_publisher->safe_psql(
|
||||||
|
+ 'postgres',
|
||||||
|
+ "CREATE FUNCTION public.pg_get_replica_identity_index(int)
|
||||||
|
+ RETURNS regclass LANGUAGE sql AS 'SELECT 1/0'"); # shall not call
|
||||||
|
$node_publisher->safe_psql('postgres',
|
||||||
|
"CREATE TABLE tab_notrep AS SELECT generate_series(1,10) AS a");
|
||||||
|
$node_publisher->safe_psql('postgres',
|
||||||
|
--
|
||||||
|
2.23.0
|
||||||
54
0010-CVE-2020-14349-2.patch
Normal file
54
0010-CVE-2020-14349-2.patch
Normal file
@ -0,0 +1,54 @@
|
|||||||
|
From cec57b1a0fbcd3833086ba686897c5883e0a2afc Mon Sep 17 00:00:00 2001
|
||||||
|
From: Noah Misch <noah@leadboat.com>
|
||||||
|
Date: Mon, 10 Aug 2020 09:22:54 -0700
|
||||||
|
Subject: [PATCH] Document clashes between logical replication and untrusted
|
||||||
|
users.
|
||||||
|
|
||||||
|
Back-patch to v10, which introduced logical replication.
|
||||||
|
|
||||||
|
Security: CVE-2020-14349
|
||||||
|
reason: fix CVE-2020-14349
|
||||||
|
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=cec57b1a0fbcd3833086ba686897c5883e0a2afc
|
||||||
|
|
||||||
|
Signed-off-by: Noah Misch <noah@leadboat.com>
|
||||||
|
---
|
||||||
|
doc/src/sgml/logical-replication.sgml | 22 +++++++++++++++++++---
|
||||||
|
1 file changed, 19 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/doc/src/sgml/logical-replication.sgml b/doc/src/sgml/logical-replication.sgml
|
||||||
|
index 41770a4..f5086b2 100644
|
||||||
|
--- a/doc/src/sgml/logical-replication.sgml
|
||||||
|
+++ b/doc/src/sgml/logical-replication.sgml
|
||||||
|
@@ -490,11 +490,27 @@
|
||||||
|
<sect1 id="logical-replication-security">
|
||||||
|
<title>Security</title>
|
||||||
|
|
||||||
|
+ <para>
|
||||||
|
+ A user able to modify the schema of subscriber-side tables can execute
|
||||||
|
+ arbitrary code as a superuser. Limit ownership
|
||||||
|
+ and <literal>TRIGGER</literal> privilege on such tables to roles that
|
||||||
|
+ superusers trust. Moreover, if untrusted users can create tables, use only
|
||||||
|
+ publications that list tables explicitly. That is to say, create a
|
||||||
|
+ subscription <literal>FOR ALL TABLES</literal> only when superusers trust
|
||||||
|
+ every user permitted to create a non-temp table on the publisher or the
|
||||||
|
+ subscriber.
|
||||||
|
+ </para>
|
||||||
|
+
|
||||||
|
<para>
|
||||||
|
The role used for the replication connection must have
|
||||||
|
- the <literal>REPLICATION</literal> attribute (or be a superuser). Access for the role must be
|
||||||
|
- configured in <filename>pg_hba.conf</filename> and it must have the
|
||||||
|
- <literal>LOGIN</literal> attribute.
|
||||||
|
+ the <literal>REPLICATION</literal> attribute (or be a superuser). If the
|
||||||
|
+ role lacks <literal>SUPERUSER</literal> and <literal>BYPASSRLS</literal>,
|
||||||
|
+ publisher row security policies can execute. If the role does not trust
|
||||||
|
+ all table owners, include <literal>options=-crow_security=off</literal> in
|
||||||
|
+ the connection string; if a table owner then adds a row security policy,
|
||||||
|
+ that setting will cause replication to halt rather than execute the policy.
|
||||||
|
+ Access for the role must be configured in <filename>pg_hba.conf</filename>
|
||||||
|
+ and it must have the <literal>LOGIN</literal> attribute.
|
||||||
|
</para>
|
||||||
|
|
||||||
|
<para>
|
||||||
|
--
|
||||||
|
2.23.0
|
||||||
1199
0011-CVE-2020-14350.patch
Normal file
1199
0011-CVE-2020-14350.patch
Normal file
File diff suppressed because it is too large
Load Diff
Loading…
x
Reference in New Issue
Block a user