Re: Request for assistance to backport CVE-2022-1552 fixes to 9.6 and 9.4

From: Roberto C(dot) Sánchez <roberto(at)debian(dot)org>
To: pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: Request for assistance to backport CVE-2022-1552 fixes to 9.6 and 9.4
Date: 2022-07-04 22:06:51
Message-ID: YsNke3aGSKJV+b5c@connexer.com
Lists: pgsql-hackers

On Wed, Jun 08, 2022 at 05:31:22PM -0400, Roberto C. Sánchez wrote:
> On Wed, Jun 08, 2022 at 04:15:47PM -0400, Tom Lane wrote:
> > Roberto C. Sánchez <roberto(at)debian(dot)org> writes:
> > > I am investigating backporting the fixes for CVE-2022-1552 to 9.6 and
> > > 9.4 as part of Debian LTS and Extended LTS. I am aware that these
> > > releases are no longer supported upstream, but I have made an attempt at
> > > adapting commits ef792f7856dea2576dcd9cab92b2b05fe955696b and
> > > f26d5702857a9c027f84850af48b0eea0f3aa15c from the REL_10_STABLE branch.
> > > I would appreciate a review of the attached patches and any comments on
> > > things that may have been missed and/or adapted improperly.
> >
> > FWIW, I would not recommend being in a huge hurry to back-port those
> > changes, pending the outcome of this discussion:
> >
> > https://www.postgresql.org/message-id/flat/f8a4105f076544c180a87ef0c4822352%40stmuk.bayern.de
> >
> Thanks for the pointer.
>
> > We're going to have to tweak that code somehow, and it's not yet
> > entirely clear how.
> >
> I will monitor the discussion to see what comes of it.
>
Based on the discussion in the other thread, I have made an attempt to
backport commit 88b39e61486a8925a3861d50c306a51eaa1af8d6 to 9.6 and 9.4.
The only significant change that I had to make was to add the full
function signatures for the REVOKE/GRANT in the citext test.

One question that I had about the change as committed is whether a
REVOKE is needed on s.citext_ne, like so:

REVOKE ALL ON FUNCTION s.citext_ne FROM PUBLIC;

Or (for pre-10):

REVOKE ALL ON FUNCTION s.citext_ne(s.citext, s.citext) FROM PUBLIC;

I ask because the comment immediately preceding the sequence of REVOKEs
includes the comment "Revoke all conceivably-relevant ACLs within the
extension." I am not especially knowledgeable about deep internals, but
that function seems like it would belong in the same group with the
others.

In any event, would someone be willing to review the attached patches
for correctness? I would like to shortly publish updates to 9.6 and 9.4
in Debian and a review would be most appreciated.

Regards,

-Roberto

--
Roberto C. Sánchez

Attachment Content-Type Size
CVE-2022-1552_ef792f7856_adapted_for_9.6.patch text/x-diff 18.7 KB
CVE-2022-1552_f26d570285_adapted_for_9.6.patch text/x-diff 4.2 KB
CVE-2022-1552_88b39e6148_adapted_for_9.6.patch text/x-diff 16.9 KB
CVE-2022-1552_ef792f7856_adapted_for_9.4.patch text/x-diff 15.6 KB
CVE-2022-1552_f26d570285_adapted_for_9.4.patch text/x-diff 4.2 KB
CVE-2022-1552_88b39e6148_adapted_for_9.4.patch text/x-diff 16.9 KB
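One way to answer the question raised above, as an added example (not part of the email and not PostgreSQL's own test code): a catalog query that lists every function in a schema that PUBLIC can still execute, and prints the full-signature REVOKE that pre-10 releases require. The schema name `s` is assumed from the citext test mentioned in the message.

```sql
-- Added example, not from the email or from the PostgreSQL sources.
-- Lists functions in schema 's' (assumed, per the citext test) that PUBLIC can
-- still EXECUTE, so a function missed by the "revoke all conceivably-relevant
-- ACLs" sequence (such as s.citext_ne, as asked) shows up.
--
-- A NULL proacl means built-in default privileges are in force, and for
-- functions those grant EXECUTE to PUBLIC; an explicit ACL is checked with
-- aclexplode(), where PUBLIC is reported as grantee 0.
-- The generated statement uses the full argument list, which is the form
-- that 9.4 and 9.6 need (the bare-name form only works on 10 and later).
SELECT n.nspname,
       p.proname,
       pg_get_function_identity_arguments(p.oid) AS args,
       CASE WHEN p.proacl IS NULL
            THEN 'default privileges (EXECUTE to PUBLIC)'
            ELSE 'explicit EXECUTE grant to PUBLIC'
       END AS why_public_can_execute,
       format('REVOKE ALL ON FUNCTION %I.%I(%s) FROM PUBLIC;',
              n.nspname, p.proname,
              pg_get_function_identity_arguments(p.oid)) AS revoke_stmt
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  n.nspname = 's'
  AND (p.proacl IS NULL
       OR EXISTS (SELECT 1
                  FROM   aclexplode(p.proacl) AS a
                  WHERE  a.grantee = 0
                  AND    a.privilege_type = 'EXECUTE'))
ORDER BY p.proname, args;
```

An empty result after the test's REVOKE sequence has run means every function in the schema is covered; any row that remains names a function the sequence did not reach.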
