pgsql: Ignore SECURITY DEFINER and SET attributes for a PL's callhandl

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: pgsql-committers(at)postgresql(dot)org
Subject: pgsql: Ignore SECURITY DEFINER and SET attributes for a PL's callhandl
Date: 2012-05-31 03:29:06
Message-ID: E1SZw4Q-0003m7-J8@gemulon.postgresql.org
Lists: pgsql-committers

Ignore SECURITY DEFINER and SET attributes for a PL's call handler.

It's not very sensible to set such attributes on a handler function;
but if one were to do so, fmgr.c went into infinite recursion because
it would call fmgr_security_definer instead of the handler function proper.
There is no way for fmgr_security_definer to know that it ought to call the
handler and not the original function referenced by the FmgrInfo's fn_oid,
so it tries to do the latter, causing the whole process to start over
again.

Ordinarily such misconfiguration of a procedural language's handler could
be written off as superuser error.  However, because we allow non-superuser
database owners to create procedural languages and the handler for such a
language becomes owned by the database owner, it is possible for a database
owner to crash the backend, which ideally shouldn't be possible without
superuser privileges.  In 9.2 and up we will adjust things so that the
handler functions are always owned by superusers, but in existing branches
this is a minor security fix.

Problem noted by Noah Misch (after several of us had failed to detect
it :-().  This is CVE-2012-2655.

Branch
------
REL9_1_STABLE

Details
-------
http://git.postgresql.org/pg/commitdiff/d72a3bd75813615898db27d4bbd2dca5cac9615a

Modified Files
--------------
src/backend/utils/fmgr/fmgr.c |   15 +++++++++++----
1 files changed, 11 insertions(+), 4 deletions(-)
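
A catalog audit for the condition this commit describes, added here as an example and not part of the commit or the PostgreSQL source: it lists procedural-language call handlers that carry SECURITY DEFINER or SET attributes, or that are owned by a non-superuser role. The output column aliases are chosen for this example, and the remediation statements in the trailing comment use a placeholder handler name.

```sql
-- Added example: find PL call handlers configured the way the commit
-- message warns about. Run in each database; pg_language is per-database.
SELECT l.lanname                 AS language,
       p.oid::regprocedure       AS call_handler,
       r.rolname                 AS handler_owner,
       r.rolsuper                AS owner_is_superuser,
       p.prosecdef               AS security_definer,   -- SECURITY DEFINER set
       p.proconfig               AS set_options         -- per-function SET list
FROM   pg_language l
JOIN   pg_proc     p ON p.oid = l.lanplcallfoid         -- 0 for internal/c/sql
JOIN   pg_roles    r ON r.oid = p.proowner
WHERE  p.prosecdef                                      -- handler marked SECURITY DEFINER
   OR  p.proconfig IS NOT NULL                          -- handler has SET attributes
   OR  NOT r.rolsuper                                   -- handler owned by a non-superuser
ORDER  BY l.lanname;

-- Remediation for a row returned above, run as a superuser.
-- <handler_function> is a placeholder for the call_handler value:
--   ALTER FUNCTION <handler_function> SECURITY INVOKER;
--   ALTER FUNCTION <handler_function> RESET ALL;
```

An empty result means no call handler in the current database has these attributes or a non-superuser owner.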
