postgresql: fix CVE-2023-2454 & CVE-2023-2455

fixed Below security CVE: 1)CVE-2023-2454 postgresql: schema_element defeats protective search_path changes. 2)CVE-2023-2455 postgresql: row security policies disregard user ID changes after inlining. Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: vkumbhar <vkumbhar@mvista.com> 2023-06-27 16:18:58 +0530
committer: Armin Kuster <akuster808@gmail.com> 2023-07-14 07:08:54 -0400
commit: 5f94e674795421b21fefc12f13c8152e7f6cf3d8 (patch)
tree: f138715208aff658c93c046a90b001e0e9a36e7c
parent: e5808a69cd3e952d7815b34ad3d66046e3cd9d50 (diff)
download: meta-openembedded-5f94e674795421b21fefc12f13c8152e7f6cf3d8.tar.gz
3 files changed, 355 insertions, 0 deletions
diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2023-2454.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2023-2454.patch
new file mode 100644
index 0000000000..eb0aff80d7
--- /dev/null
+++ b/meta-oe/recipes-dbs/postgresql/files/CVE-2023-2454.patch
@@ -0,0 +1,235 @@
+From 23cb8eaeb97df350273cb8902e55842a955339c8 Mon Sep 17 00:00:00 2001
+From: Noah Misch <noah@leadboat.com>
+Date: Mon, 8 May 2023 06:14:07 -0700
+Subject: [PATCH] Replace last PushOverrideSearchPath() call with
+ set_config_option().
+The two methods don't cooperate, so set_config_option("search_path",
+...) has been ineffective under non-empty overrideStack.  This defect
+enabled an attacker having database-level CREATE privilege to execute
+arbitrary code as the bootstrap superuser.  While that particular attack
+requires v13+ for the trusted extension attribute, other attacks are
+feasible in all supported versions.
+Standardize on the combination of NewGUCNestLevel() and
+set_config_option("search_path", ...).  It is newer than
+PushOverrideSearchPath(), more-prevalent, and has no known
+disadvantages.  The "override" mechanism remains for now, for
+compatibility with out-of-tree code.  Users should update such code,
+which likely suffers from the same sort of vulnerability closed here.
+Back-patch to v11 (all supported versions).
+Alexander Lakhin.  Reported by Alexander Lakhin.
+Security: CVE-2023-2454
+Upstream-Status: Backport [https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=23cb8eaeb97df350273cb8902e55842a955339c8]
+CVE: CVE-2023-2454
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/backend/catalog/namespace.c         |  4 +++
+ src/backend/commands/schemacmds.c       | 37 ++++++++++++++------
+ src/test/regress/expected/namespace.out | 45 +++++++++++++++++++++++++
+ src/test/regress/sql/namespace.sql      | 24 +++++++++++++
+ 4 files changed, 100 insertions(+), 10 deletions(-)
+diff --git a/src/backend/catalog/namespace.c b/src/backend/catalog/namespace.c
+index 48a7058..74a0536 100644
+--- a/src/backend/catalog/namespace.c
+++ b/src/backend/catalog/namespace.c
+@@ -3456,6 +3456,10 @@ OverrideSearchPathMatchesCurrent(OverrideSearchPath *path)
+ /*
+  * PushOverrideSearchPath - temporarily override the search path
+  *
+ * Do not use this function; almost any usage introduces a security
+ * vulnerability.  It exists for the benefit of legacy code running in
+ * non-security-sensitive environments.
+ *
+  * We allow nested overrides, hence the push/pop terminology.  The GUC
+  * search_path variable is ignored while an override is active.
+  *
+diff --git a/src/backend/commands/schemacmds.c b/src/backend/commands/schemacmds.c
+index 6bc4edc..27b1241 100644
+--- a/src/backend/commands/schemacmds.c
+++ b/src/backend/commands/schemacmds.c
+@@ -29,6 +29,7 @@
+ #include "commands/schemacmds.h"
+ #include "miscadmin.h"
+ #include "parser/parse_utilcmd.h"
+#include "parser/scansup.h"
+ #include "tcop/utility.h"
+ #include "utils/acl.h"
+ #include "utils/builtins.h"
+@@ -53,14 +54,16 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString,
+ {
+        const char *schemaName = stmt->schemaname;
+        Oid                     namespaceId;
+-       OverrideSearchPath *overridePath;
+        List       *parsetree_list;
+        ListCell   *parsetree_item;
+        Oid                     owner_uid;
+        Oid                     saved_uid;
+        int                     save_sec_context;
+       int                     save_nestlevel;
+       char       *nsp = namespace_search_path;
+        AclResult       aclresult;
+        ObjectAddress address;
+       StringInfoData pathbuf;
+ 
+        GetUserIdAndSecContext(&saved_uid, &save_sec_context);
+ 
+@@ -153,14 +156,26 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString,
+        CommandCounterIncrement();
+ 
+        /*
+-        * Temporarily make the new namespace be the front of the search path, as
+-        * well as the default creation target namespace.  This will be undone at
+-        * the end of this routine, or upon error.
+        * Prepend the new schema to the current search path.
+        *
+        * We use the equivalent of a function SET option to allow the setting to
+        * persist for exactly the duration of the schema creation.  guc.c also
+        * takes care of undoing the setting on error.
+         */
+-       overridePath = GetOverrideSearchPath(CurrentMemoryContext);
+-       overridePath->schemas = lcons_oid(namespaceId, overridePath->schemas);
+-       /* XXX should we clear overridePath->useTemp? */
+-       PushOverrideSearchPath(overridePath);
+       save_nestlevel = NewGUCNestLevel();
+
+       initStringInfo(&pathbuf);
+       appendStringInfoString(&pathbuf, quote_identifier(schemaName));
+
+       while (scanner_isspace(*nsp))
+               nsp++;
+
+       if (*nsp != '\0')
+               appendStringInfo(&pathbuf, ", %s", nsp);
+
+       (void) set_config_option("search_path", pathbuf.data,
+                                                        PGC_USERSET, PGC_S_SESSION,
+                                                        GUC_ACTION_SAVE, true, 0, false);
+ 
+        /*
+         * Report the new schema to possibly interested event triggers.  Note we
+@@ -213,8 +228,10 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString,
+                CommandCounterIncrement();
+        }
+ 
+-       /* Reset search path to normal state */
+-       PopOverrideSearchPath();
+       /*
+        * Restore the GUC variable search_path we set above.
+        */
+       AtEOXact_GUC(true, save_nestlevel);
+ 
+        /* Reset current user and security context */
+        SetUserIdAndSecContext(saved_uid, save_sec_context);
+diff --git a/src/test/regress/expected/namespace.out b/src/test/regress/expected/namespace.out
+index 2564d1b..a62fd8d 100644
+--- a/src/test/regress/expected/namespace.out
+++ b/src/test/regress/expected/namespace.out
+@@ -1,6 +1,14 @@
+ --
+ -- Regression tests for schemas (namespaces)
+ --
+-- set the whitespace-only search_path to test that the
+-- GUC list syntax is preserved during a schema creation
+SELECT pg_catalog.set_config('search_path', ' ', false);
+ set_config 
+------------
+  
+(1 row)
+
+ CREATE SCHEMA test_ns_schema_1
+        CREATE UNIQUE INDEX abc_a_idx ON abc (a)
+        CREATE VIEW abc_view AS
+@@ -9,6 +17,43 @@ CREATE SCHEMA test_ns_schema_1
+               a serial,
+               b int UNIQUE
+        );
+-- verify that the correct search_path restored on abort
+SET search_path to public;
+BEGIN;
+SET search_path to public, test_ns_schema_1;
+CREATE SCHEMA test_ns_schema_2
+       CREATE VIEW abc_view AS SELECT c FROM abc;
+ERROR:  column "c" does not exist
+LINE 2:        CREATE VIEW abc_view AS SELECT c FROM abc;
+                                              ^
+COMMIT;
+SHOW search_path;
+ search_path 
+-------------
+ public
+(1 row)
+
+-- verify that the correct search_path preserved
+-- after creating the schema and on commit
+BEGIN;
+SET search_path to public, test_ns_schema_1;
+CREATE SCHEMA test_ns_schema_2
+       CREATE VIEW abc_view AS SELECT a FROM abc;
+SHOW search_path;
+       search_path        
+--------------------------
+ public, test_ns_schema_1
+(1 row)
+
+COMMIT;
+SHOW search_path;
+       search_path        
+--------------------------
+ public, test_ns_schema_1
+(1 row)
+
+DROP SCHEMA test_ns_schema_2 CASCADE;
+NOTICE:  drop cascades to view test_ns_schema_2.abc_view
+ -- verify that the objects were created
+ SELECT COUNT(*) FROM pg_class WHERE relnamespace =
+     (SELECT oid FROM pg_namespace WHERE nspname = 'test_ns_schema_1');
+diff --git a/src/test/regress/sql/namespace.sql b/src/test/regress/sql/namespace.sql
+index 6b12c96..3474f5e 100644
+--- a/src/test/regress/sql/namespace.sql
+++ b/src/test/regress/sql/namespace.sql
+@@ -2,6 +2,10 @@
+ -- Regression tests for schemas (namespaces)
+ --
+ 
+-- set the whitespace-only search_path to test that the
+-- GUC list syntax is preserved during a schema creation
+SELECT pg_catalog.set_config('search_path', ' ', false);
+
+ CREATE SCHEMA test_ns_schema_1
+        CREATE UNIQUE INDEX abc_a_idx ON abc (a)
+ 
+@@ -13,6 +17,26 @@ CREATE SCHEMA test_ns_schema_1
+               b int UNIQUE
+        );
+ 
+-- verify that the correct search_path restored on abort
+SET search_path to public;
+BEGIN;
+SET search_path to public, test_ns_schema_1;
+CREATE SCHEMA test_ns_schema_2
+       CREATE VIEW abc_view AS SELECT c FROM abc;
+COMMIT;
+SHOW search_path;
+
+-- verify that the correct search_path preserved
+-- after creating the schema and on commit
+BEGIN;
+SET search_path to public, test_ns_schema_1;
+CREATE SCHEMA test_ns_schema_2
+       CREATE VIEW abc_view AS SELECT a FROM abc;
+SHOW search_path;
+COMMIT;
+SHOW search_path;
+DROP SCHEMA test_ns_schema_2 CASCADE;
+
+ -- verify that the objects were created
+ SELECT COUNT(*) FROM pg_class WHERE relnamespace =
+     (SELECT oid FROM pg_namespace WHERE nspname = 'test_ns_schema_1');
+-- 
+2.25.1
diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2023-2455.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2023-2455.patch
new file mode 100644
index 0000000000..b0bf2dbf29
--- /dev/null
+++ b/meta-oe/recipes-dbs/postgresql/files/CVE-2023-2455.patch
@@ -0,0 +1,118 @@
+From 473626cf00babd829eb15c36b51dfb358d32bc95 Mon Sep 17 00:00:00 2001
+From: Tom Lane <tgl@sss.pgh.pa.us>
+Date: Mon, 8 May 2023 10:12:45 -0400
+Subject: [PATCH] Handle RLS dependencies in inlined set-returning functions
+ properly.
+If an SRF in the FROM clause references a table having row-level
+security policies, and we inline that SRF into the calling query,
+we neglected to mark the plan as potentially dependent on which
+role is executing it.  This could lead to later executions in the
+same session returning or hiding rows that should have been hidden
+or returned instead.
+Our thanks to Wolfgang Walther for reporting this problem.
+Stephen Frost and Tom Lane
+Security: CVE-2023-2455
+Upstream-Status: Backport [https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=473626cf00babd829eb15c36b51dfb358d32bc95]
+CVE: CVE-2023-2455
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/backend/optimizer/util/clauses.c      |  7 ++++++
+ src/test/regress/expected/rowsecurity.out | 27 +++++++++++++++++++++++
+ src/test/regress/sql/rowsecurity.sql      | 20 +++++++++++++++++
+ 3 files changed, 54 insertions(+)
+diff --git a/src/backend/optimizer/util/clauses.c b/src/backend/optimizer/util/clauses.c
+index 946e232..b8e469f 100644
+--- a/src/backend/optimizer/util/clauses.c
+++ b/src/backend/optimizer/util/clauses.c
+@@ -5142,6 +5142,13 @@ inline_set_returning_function(PlannerInfo *root, RangeTblEntry *rte)
+         */
+        record_plan_function_dependency(root, func_oid);
+ 
+       /*
+        * We must also notice if the inserted query adds a dependency on the
+        * calling role due to RLS quals.
+        */
+       if (querytree->hasRowSecurity)
+               root->glob->dependsOnRole = true;
+
+        return querytree;
+ 
+        /* Here if func is not inlinable: release temp memory and return NULL */
+diff --git a/src/test/regress/expected/rowsecurity.out b/src/test/regress/expected/rowsecurity.out
+index 5116e23..26eecd0 100644
+--- a/src/test/regress/expected/rowsecurity.out
+++ b/src/test/regress/expected/rowsecurity.out
+@@ -4001,6 +4001,33 @@ SELECT * FROM rls_tbl;
+ 
+ DROP TABLE rls_tbl;
+ RESET SESSION AUTHORIZATION;
+-- CVE-2023-2455: inlining an SRF may introduce an RLS dependency
+create table rls_t (c text);
+insert into rls_t values ('invisible to bob');
+alter table rls_t enable row level security;
+grant select on rls_t to regress_rls_alice, regress_rls_bob;
+create policy p1 on rls_t for select to regress_rls_alice using (true);
+create policy p2 on rls_t for select to regress_rls_bob using (false);
+create function rls_f () returns setof rls_t
+  stable language sql
+  as $$ select * from rls_t $$;
+prepare q as select current_user, * from rls_f();
+set role regress_rls_alice;
+execute q;
+   current_user    |        c         
+-------------------+------------------
+ regress_rls_alice | invisible to bob
+(1 row)
+
+set role regress_rls_bob;
+execute q;
+ current_user | c 
+--------------+---
+(0 rows)
+
+RESET ROLE;
+DROP FUNCTION rls_f();
+DROP TABLE rls_t;
+ --
+ -- Clean up objects
+ --
+diff --git a/src/test/regress/sql/rowsecurity.sql b/src/test/regress/sql/rowsecurity.sql
+index 178eeb0..83d99e3 100644
+--- a/src/test/regress/sql/rowsecurity.sql
+++ b/src/test/regress/sql/rowsecurity.sql
+@@ -1839,6 +1839,26 @@ SELECT * FROM rls_tbl;
+ DROP TABLE rls_tbl;
+ RESET SESSION AUTHORIZATION;
+ 
+-- CVE-2023-2455: inlining an SRF may introduce an RLS dependency
+create table rls_t (c text);
+insert into rls_t values ('invisible to bob');
+alter table rls_t enable row level security;
+grant select on rls_t to regress_rls_alice, regress_rls_bob;
+create policy p1 on rls_t for select to regress_rls_alice using (true);
+create policy p2 on rls_t for select to regress_rls_bob using (false);
+create function rls_f () returns setof rls_t
+  stable language sql
+  as $$ select * from rls_t $$;
+prepare q as select current_user, * from rls_f();
+set role regress_rls_alice;
+execute q;
+set role regress_rls_bob;
+execute q;
+
+RESET ROLE;
+DROP FUNCTION rls_f();
+DROP TABLE rls_t;
+
+ --
+ -- Clean up objects
+ --
+-- 
+2.25.1
diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb b/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb
index 808c5d6e77..a32701cd83 100644
--- a/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb
+++ b/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb
@@ -10,6 +10,8 @@ SRC_URI += "\
   file://CVE-2022-1552.patch \
   file://CVE-2022-2625.patch \
   file://CVE-2022-41862.patch \
+   file://CVE-2023-2454.patch \
+   file://CVE-2023-2455.patch \
 "
 SRC_URI[sha256sum] = "89fda2de33ed04a98548e43f3ee5f15b882be17505d631fe0dd1a540a2b56dce"
author	vkumbhar <vkumbhar@mvista.com>	2023-06-27 16:18:58 +0530
committer	Armin Kuster <akuster808@gmail.com>	2023-07-14 07:08:54 -0400
commit	5f94e674795421b21fefc12f13c8152e7f6cf3d8 (patch)
tree	f138715208aff658c93c046a90b001e0e9a36e7c
parent	e5808a69cd3e952d7815b34ad3d66046e3cd9d50 (diff)
download	meta-openembedded-5f94e674795421b21fefc12f13c8152e7f6cf3d8.tar.gz

diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2023-2454.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2023-2454.patch new file mode 100644 index 0000000000..eb0aff80d7 --- /dev/null +++ b/meta-oe/recipes-dbs/postgresql/files/CVE-2023-2454.patch
@@ -0,0 +1,235 @@
		1	From 23cb8eaeb97df350273cb8902e55842a955339c8 Mon Sep 17 00:00:00 2001
		2	From: Noah Misch <noah@leadboat.com>
		3	Date: Mon, 8 May 2023 06:14:07 -0700
		4	Subject: [PATCH] Replace last PushOverrideSearchPath() call with
		5	set_config_option().
		6
		7	The two methods don't cooperate, so set_config_option("search_path",
		8	...) has been ineffective under non-empty overrideStack. This defect
		9	enabled an attacker having database-level CREATE privilege to execute
		10	arbitrary code as the bootstrap superuser. While that particular attack
		11	requires v13+ for the trusted extension attribute, other attacks are
		12	feasible in all supported versions.
		13
		14	Standardize on the combination of NewGUCNestLevel() and
		15	set_config_option("search_path", ...). It is newer than
		16	PushOverrideSearchPath(), more-prevalent, and has no known
		17	disadvantages. The "override" mechanism remains for now, for
		18	compatibility with out-of-tree code. Users should update such code,
		19	which likely suffers from the same sort of vulnerability closed here.
		20	Back-patch to v11 (all supported versions).
		21
		22	Alexander Lakhin. Reported by Alexander Lakhin.
		23
		24	Security: CVE-2023-2454
		25
		26	Upstream-Status: Backport [https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=23cb8eaeb97df350273cb8902e55842a955339c8]
		27	CVE: CVE-2023-2454
		28	Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
		29	---
		30	src/backend/catalog/namespace.c \| 4 +++
		31	src/backend/commands/schemacmds.c \| 37 ++++++++++++++------
		32	src/test/regress/expected/namespace.out \| 45 +++++++++++++++++++++++++
		33	src/test/regress/sql/namespace.sql \| 24 +++++++++++++
		34	4 files changed, 100 insertions(+), 10 deletions(-)
		35
		36	diff --git a/src/backend/catalog/namespace.c b/src/backend/catalog/namespace.c
		37	index 48a7058..74a0536 100644
		38	--- a/src/backend/catalog/namespace.c
		39	+++ b/src/backend/catalog/namespace.c
		40	@@ -3456,6 +3456,10 @@ OverrideSearchPathMatchesCurrent(OverrideSearchPath *path)
		41	/*
		42	* PushOverrideSearchPath - temporarily override the search path
		43	*
		44	+ * Do not use this function; almost any usage introduces a security
		45	+ * vulnerability. It exists for the benefit of legacy code running in
		46	+ * non-security-sensitive environments.
		47	+ *
		48	* We allow nested overrides, hence the push/pop terminology. The GUC
		49	* search_path variable is ignored while an override is active.
		50	*
		51	diff --git a/src/backend/commands/schemacmds.c b/src/backend/commands/schemacmds.c
		52	index 6bc4edc..27b1241 100644
		53	--- a/src/backend/commands/schemacmds.c
		54	+++ b/src/backend/commands/schemacmds.c
		55	@@ -29,6 +29,7 @@
		56	#include "commands/schemacmds.h"
		57	#include "miscadmin.h"
		58	#include "parser/parse_utilcmd.h"
		59	+#include "parser/scansup.h"
		60	#include "tcop/utility.h"
		61	#include "utils/acl.h"
		62	#include "utils/builtins.h"
		63	@@ -53,14 +54,16 @@ CreateSchemaCommand(CreateSchemaStmt stmt, const char queryString,
		64	{
		65	const char *schemaName = stmt->schemaname;
		66	Oid namespaceId;
		67	- OverrideSearchPath *overridePath;
		68	List *parsetree_list;
		69	ListCell *parsetree_item;
		70	Oid owner_uid;
		71	Oid saved_uid;
		72	int save_sec_context;
		73	+ int save_nestlevel;
		74	+ char *nsp = namespace_search_path;
		75	AclResult aclresult;
		76	ObjectAddress address;
		77	+ StringInfoData pathbuf;
		78
		79	GetUserIdAndSecContext(&saved_uid, &save_sec_context);
		80
		81	@@ -153,14 +156,26 @@ CreateSchemaCommand(CreateSchemaStmt stmt, const char queryString,
		82	CommandCounterIncrement();
		83
		84	/*
		85	- * Temporarily make the new namespace be the front of the search path, as
		86	- * well as the default creation target namespace. This will be undone at
		87	- * the end of this routine, or upon error.
		88	+ * Prepend the new schema to the current search path.
		89	+ *
		90	+ * We use the equivalent of a function SET option to allow the setting to
		91	+ * persist for exactly the duration of the schema creation. guc.c also
		92	+ * takes care of undoing the setting on error.
		93	*/
		94	- overridePath = GetOverrideSearchPath(CurrentMemoryContext);
		95	- overridePath->schemas = lcons_oid(namespaceId, overridePath->schemas);
		96	- /* XXX should we clear overridePath->useTemp? */
		97	- PushOverrideSearchPath(overridePath);
		98	+ save_nestlevel = NewGUCNestLevel();
		99	+
		100	+ initStringInfo(&pathbuf);
		101	+ appendStringInfoString(&pathbuf, quote_identifier(schemaName));
		102	+
		103	+ while (scanner_isspace(*nsp))
		104	+ nsp++;
		105	+
		106	+ if (*nsp != '\0')
		107	+ appendStringInfo(&pathbuf, ", %s", nsp);
		108	+
		109	+ (void) set_config_option("search_path", pathbuf.data,
		110	+ PGC_USERSET, PGC_S_SESSION,
		111	+ GUC_ACTION_SAVE, true, 0, false);
		112
		113	/*
		114	* Report the new schema to possibly interested event triggers. Note we
		115	@@ -213,8 +228,10 @@ CreateSchemaCommand(CreateSchemaStmt stmt, const char queryString,
		116	CommandCounterIncrement();
		117	}
		118
		119	- /* Reset search path to normal state */
		120	- PopOverrideSearchPath();
		121	+ /*
		122	+ * Restore the GUC variable search_path we set above.
		123	+ */
		124	+ AtEOXact_GUC(true, save_nestlevel);
		125
		126	/* Reset current user and security context */
		127	SetUserIdAndSecContext(saved_uid, save_sec_context);
		128	diff --git a/src/test/regress/expected/namespace.out b/src/test/regress/expected/namespace.out
		129	index 2564d1b..a62fd8d 100644
		130	--- a/src/test/regress/expected/namespace.out
		131	+++ b/src/test/regress/expected/namespace.out
		132	@@ -1,6 +1,14 @@
		133	--
		134	-- Regression tests for schemas (namespaces)
		135	--
		136	+-- set the whitespace-only search_path to test that the
		137	+-- GUC list syntax is preserved during a schema creation
		138	+SELECT pg_catalog.set_config('search_path', ' ', false);
		139	+ set_config
		140	+------------
		141	+
		142	+(1 row)
		143	+
		144	CREATE SCHEMA test_ns_schema_1
		145	CREATE UNIQUE INDEX abc_a_idx ON abc (a)
		146	CREATE VIEW abc_view AS
		147	@@ -9,6 +17,43 @@ CREATE SCHEMA test_ns_schema_1
		148	a serial,
		149	b int UNIQUE
		150	);
		151	+-- verify that the correct search_path restored on abort
		152	+SET search_path to public;
		153	+BEGIN;
		154	+SET search_path to public, test_ns_schema_1;
		155	+CREATE SCHEMA test_ns_schema_2
		156	+ CREATE VIEW abc_view AS SELECT c FROM abc;
		157	+ERROR: column "c" does not exist
		158	+LINE 2: CREATE VIEW abc_view AS SELECT c FROM abc;
		159	+ ^
		160	+COMMIT;
		161	+SHOW search_path;
		162	+ search_path
		163	+-------------
		164	+ public
		165	+(1 row)
		166	+
		167	+-- verify that the correct search_path preserved
		168	+-- after creating the schema and on commit
		169	+BEGIN;
		170	+SET search_path to public, test_ns_schema_1;
		171	+CREATE SCHEMA test_ns_schema_2
		172	+ CREATE VIEW abc_view AS SELECT a FROM abc;
		173	+SHOW search_path;
		174	+ search_path
		175	+--------------------------
		176	+ public, test_ns_schema_1
		177	+(1 row)
		178	+
		179	+COMMIT;
		180	+SHOW search_path;
		181	+ search_path
		182	+--------------------------
		183	+ public, test_ns_schema_1
		184	+(1 row)
		185	+
		186	+DROP SCHEMA test_ns_schema_2 CASCADE;
		187	+NOTICE: drop cascades to view test_ns_schema_2.abc_view
		188	-- verify that the objects were created
		189	SELECT COUNT(*) FROM pg_class WHERE relnamespace =
		190	(SELECT oid FROM pg_namespace WHERE nspname = 'test_ns_schema_1');
		191	diff --git a/src/test/regress/sql/namespace.sql b/src/test/regress/sql/namespace.sql
		192	index 6b12c96..3474f5e 100644
		193	--- a/src/test/regress/sql/namespace.sql
		194	+++ b/src/test/regress/sql/namespace.sql
		195	@@ -2,6 +2,10 @@
		196	-- Regression tests for schemas (namespaces)
		197	--
		198
		199	+-- set the whitespace-only search_path to test that the
		200	+-- GUC list syntax is preserved during a schema creation
		201	+SELECT pg_catalog.set_config('search_path', ' ', false);
		202	+
		203	CREATE SCHEMA test_ns_schema_1
		204	CREATE UNIQUE INDEX abc_a_idx ON abc (a)
		205
		206	@@ -13,6 +17,26 @@ CREATE SCHEMA test_ns_schema_1
		207	b int UNIQUE
		208	);
		209
		210	+-- verify that the correct search_path restored on abort
		211	+SET search_path to public;
		212	+BEGIN;
		213	+SET search_path to public, test_ns_schema_1;
		214	+CREATE SCHEMA test_ns_schema_2
		215	+ CREATE VIEW abc_view AS SELECT c FROM abc;
		216	+COMMIT;
		217	+SHOW search_path;
		218	+
		219	+-- verify that the correct search_path preserved
		220	+-- after creating the schema and on commit
		221	+BEGIN;
		222	+SET search_path to public, test_ns_schema_1;
		223	+CREATE SCHEMA test_ns_schema_2
		224	+ CREATE VIEW abc_view AS SELECT a FROM abc;
		225	+SHOW search_path;
		226	+COMMIT;
		227	+SHOW search_path;
		228	+DROP SCHEMA test_ns_schema_2 CASCADE;
		229	+
		230	-- verify that the objects were created
		231	SELECT COUNT(*) FROM pg_class WHERE relnamespace =
		232	(SELECT oid FROM pg_namespace WHERE nspname = 'test_ns_schema_1');
		233	--
		234	2.25.1
		235


diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2023-2455.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2023-2455.patch new file mode 100644 index 0000000000..b0bf2dbf29 --- /dev/null +++ b/meta-oe/recipes-dbs/postgresql/files/CVE-2023-2455.patch
@@ -0,0 +1,118 @@
		1	From 473626cf00babd829eb15c36b51dfb358d32bc95 Mon Sep 17 00:00:00 2001
		2	From: Tom Lane <tgl@sss.pgh.pa.us>
		3	Date: Mon, 8 May 2023 10:12:45 -0400
		4	Subject: [PATCH] Handle RLS dependencies in inlined set-returning functions
		5	properly.
		6
		7	If an SRF in the FROM clause references a table having row-level
		8	security policies, and we inline that SRF into the calling query,
		9	we neglected to mark the plan as potentially dependent on which
		10	role is executing it. This could lead to later executions in the
		11	same session returning or hiding rows that should have been hidden
		12	or returned instead.
		13
		14	Our thanks to Wolfgang Walther for reporting this problem.
		15
		16	Stephen Frost and Tom Lane
		17
		18	Security: CVE-2023-2455
		19
		20	Upstream-Status: Backport [https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=473626cf00babd829eb15c36b51dfb358d32bc95]
		21	CVE: CVE-2023-2455
		22	Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
		23	---
		24	src/backend/optimizer/util/clauses.c \| 7 ++++++
		25	src/test/regress/expected/rowsecurity.out \| 27 +++++++++++++++++++++++
		26	src/test/regress/sql/rowsecurity.sql \| 20 +++++++++++++++++
		27	3 files changed, 54 insertions(+)
		28
		29	diff --git a/src/backend/optimizer/util/clauses.c b/src/backend/optimizer/util/clauses.c
		30	index 946e232..b8e469f 100644
		31	--- a/src/backend/optimizer/util/clauses.c
		32	+++ b/src/backend/optimizer/util/clauses.c
		33	@@ -5142,6 +5142,13 @@ inline_set_returning_function(PlannerInfo root, RangeTblEntry rte)
		34	*/
		35	record_plan_function_dependency(root, func_oid);
		36
		37	+ /*
		38	+ * We must also notice if the inserted query adds a dependency on the
		39	+ * calling role due to RLS quals.
		40	+ */
		41	+ if (querytree->hasRowSecurity)
		42	+ root->glob->dependsOnRole = true;
		43	+
		44	return querytree;
		45
		46	/* Here if func is not inlinable: release temp memory and return NULL */
		47	diff --git a/src/test/regress/expected/rowsecurity.out b/src/test/regress/expected/rowsecurity.out
		48	index 5116e23..26eecd0 100644
		49	--- a/src/test/regress/expected/rowsecurity.out
		50	+++ b/src/test/regress/expected/rowsecurity.out
		51	@@ -4001,6 +4001,33 @@ SELECT * FROM rls_tbl;
		52
		53	DROP TABLE rls_tbl;
		54	RESET SESSION AUTHORIZATION;
		55	+-- CVE-2023-2455: inlining an SRF may introduce an RLS dependency
		56	+create table rls_t (c text);
		57	+insert into rls_t values ('invisible to bob');
		58	+alter table rls_t enable row level security;
		59	+grant select on rls_t to regress_rls_alice, regress_rls_bob;
		60	+create policy p1 on rls_t for select to regress_rls_alice using (true);
		61	+create policy p2 on rls_t for select to regress_rls_bob using (false);
		62	+create function rls_f () returns setof rls_t
		63	+ stable language sql
		64	+ as $$ select * from rls_t $$;
		65	+prepare q as select current_user, * from rls_f();
		66	+set role regress_rls_alice;
		67	+execute q;
		68	+ current_user \| c
		69	+-------------------+------------------
		70	+ regress_rls_alice \| invisible to bob
		71	+(1 row)
		72	+
		73	+set role regress_rls_bob;
		74	+execute q;
		75	+ current_user \| c
		76	+--------------+---
		77	+(0 rows)
		78	+
		79	+RESET ROLE;
		80	+DROP FUNCTION rls_f();
		81	+DROP TABLE rls_t;
		82	--
		83	-- Clean up objects
		84	--
		85	diff --git a/src/test/regress/sql/rowsecurity.sql b/src/test/regress/sql/rowsecurity.sql
		86	index 178eeb0..83d99e3 100644
		87	--- a/src/test/regress/sql/rowsecurity.sql
		88	+++ b/src/test/regress/sql/rowsecurity.sql
		89	@@ -1839,6 +1839,26 @@ SELECT * FROM rls_tbl;
		90	DROP TABLE rls_tbl;
		91	RESET SESSION AUTHORIZATION;
		92
		93	+-- CVE-2023-2455: inlining an SRF may introduce an RLS dependency
		94	+create table rls_t (c text);
		95	+insert into rls_t values ('invisible to bob');
		96	+alter table rls_t enable row level security;
		97	+grant select on rls_t to regress_rls_alice, regress_rls_bob;
		98	+create policy p1 on rls_t for select to regress_rls_alice using (true);
		99	+create policy p2 on rls_t for select to regress_rls_bob using (false);
		100	+create function rls_f () returns setof rls_t
		101	+ stable language sql
		102	+ as $$ select * from rls_t $$;
		103	+prepare q as select current_user, * from rls_f();
		104	+set role regress_rls_alice;
		105	+execute q;
		106	+set role regress_rls_bob;
		107	+execute q;
		108	+
		109	+RESET ROLE;
		110	+DROP FUNCTION rls_f();
		111	+DROP TABLE rls_t;
		112	+
		113	--
		114	-- Clean up objects
		115	--
		116	--
		117	2.25.1
		118


diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb b/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb index 808c5d6e77..a32701cd83 100644 --- a/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb +++ b/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb
@@ -10,6 +10,8 @@ SRC_URI += "\
10	file://CVE-2022-1552.patch \	10	file://CVE-2022-1552.patch \
11	file://CVE-2022-2625.patch \	11	file://CVE-2022-2625.patch \
12	file://CVE-2022-41862.patch \	12	file://CVE-2022-41862.patch \
		13	file://CVE-2023-2454.patch \
		14	file://CVE-2023-2455.patch \
13	"	15	"
14		16
15	SRC_URI[sha256sum] = "89fda2de33ed04a98548e43f3ee5f15b882be17505d631fe0dd1a540a2b56dce"	17	SRC_URI[sha256sum] = "89fda2de33ed04a98548e43f3ee5f15b882be17505d631fe0dd1a540a2b56dce"