diff options
| author | Noah Misch | 2023-05-08 13:14:07 +0000 |
|---|---|---|
| committer | Noah Misch | 2023-05-08 13:14:12 +0000 |
| commit | 23cb8eaeb97df350273cb8902e55842a955339c8 (patch) | |
| tree | a65eac5de3e0d5ba57fe3e87acd776468a3ffceb /doc/src | |
| parent | 625acd098b98fb955473bf87c78f49afd20eb7c9 (diff) | |
Replace last PushOverrideSearchPath() call with set_config_option().
The two methods don't cooperate, so set_config_option("search_path",
...) has been ineffective under non-empty overrideStack. This defect
enabled an attacker having database-level CREATE privilege to execute
arbitrary code as the bootstrap superuser. While that particular attack
requires v13+ for the trusted extension attribute, other attacks are
feasible in all supported versions.
Standardize on the combination of NewGUCNestLevel() and
set_config_option("search_path", ...). It is newer than
PushOverrideSearchPath(), more-prevalent, and has no known
disadvantages. The "override" mechanism remains for now, for
compatibility with out-of-tree code. Users should update such code,
which likely suffers from the same sort of vulnerability closed here.
Back-patch to v11 (all supported versions).
Alexander Lakhin. Reported by Alexander Lakhin.
Security: CVE-2023-2454
Diffstat (limited to 'doc/src')
0 files changed, 0 insertions, 0 deletions