diff --git a/CVE-2020-1720.patch b/CVE-2020-1720.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cf04b4e709821c30b1807eb0b0b20734bc4e504e
--- /dev/null
+++ b/CVE-2020-1720.patch
@@ -0,0 +1,42 @@
+From b048f558dd7c26a0c630a2cff29d3d8981eaf6b9 Mon Sep 17 00:00:00 2001
+From: Alvaro Herrera
+Date: Mon, 10 Feb 2020 11:47:09 -0300
+Subject: [PATCH] Fix priv checks for ALTER DEPENDS ON EXTENSION
+
+Marking an object as dependant on an extension did not have any
+privilege check whatsoever; this allowed any user to mark objects as
+droppable by anyone able to DROP EXTENSION, which could be used to cause
+system-wide havoc. Disallow by checking that the calling user owns the
+mentioned object.
+
+(No constraints are placed on the extension.)
+
+Security: CVE-2020-1720
+Reported-by: Tom Lane
+Discussion: 31605.1566429043@sss.pgh.pa.us
+---
+ src/backend/commands/alter.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/backend/commands/alter.c b/src/backend/commands/alter.c
+index fca85ba2c17f..1cb84182b05f 100644
+--- a/src/backend/commands/alter.c
++++ b/src/backend/commands/alter.c
+@@ -430,6 +430,17 @@ ExecAlterObjectDependsStmt(AlterObjectDependsStmt *stmt, ObjectAddress *refAddre
+ get_object_address_rv(stmt->objectType, stmt->relation, (List *) stmt->object,
+ &rel, AccessExclusiveLock, false);
+
++ /*
++ * Verify that the user is entitled to run the command.
++ *
++ * We don't check any privileges on the extension, because that's not
++ * needed. The object owner is stipulating, by running this command, that
++ * the extension owner can drop the object whenever they feel like it,
++ * which is not considered a problem.
++ */
++ check_object_ownership(GetUserId(),
++ stmt->objectType, address, stmt->object, rel);
++
+ /*
+ * If a relation was involved, it would have been opened and locked. We
+ * don't need the relation here, but we'll retain the lock until commit.
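Review bot: The new check_object_ownership() call sits after get_object_address_rv() has already been asked for AccessExclusiveLock, so from the visible lines a caller who is about to be rejected still acquires (or queues for) that lock on an object they do not own until the error aborts the transaction. If reordering is not practical in a backport, I would at least record it next to the call, e.g. `/* NB: ownership is verified only after the lock above is taken. */`, and consider the check-before-lock callback pattern of RangeVarGetRelidExtended() for relation targets. The embedded diffstat also shows only alter.c changing, so nothing pins the new denial; a regression test that runs ALTER ... DEPENDS ON EXTENSION as a non-owner and expects a permission error would keep the backport from silently regressing. ExecAlterObjectDependsStmt starts and ends outside the hunk.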
diff --git a/postgresql.spec b/postgresql.spec index 06793d36dd215f8b4856b332ff5e15912a99d7ab..3bfe57f347312018e059b82be524fd0b371dd59a 100644 --- a/postgresql.spec +++ b/postgresql.spec @@ -4,7 +4,7 @@ Name: postgresql Version: 10.5 -Release: 14 +Release: 15 Summary: PostgreSQL client programs License: PostgreSQL URL: http://www.postgresql.org/ @@ -31,6 +31,7 @@ Patch6001: 6001-CVE-2019-10164-2.patch Patch6002: CVE-2019-10208.patch Patch6003: CVE-2018-16850.patch Patch6004: CVE-2019-10130.patch +Patch6005: CVE-2020-1720.patch BuildRequires: gcc perl(ExtUtils::MakeMaker) glibc-devel bison flex gawk perl(ExtUtils::Embed) BuildRequires: perl-devel perl-generators readline-devel zlib-devel systemd systemd-devel @@ -164,6 +165,7 @@ that want to run build-time testsuite against running PostgreSQL server. %patch6002 -p1 %patch6003 -p1 %patch6004 -p1 +%patch6005 -p1 %build if [ x"`id -u`" = x0 ]; then @@ -428,6 +430,12 @@ find_lang_bins pltcl.lst pltcl %attr(-,postgres,postgres) %{_libdir}/pgsql/test %changelog +* Wed May 6 2020 cuibaobao - 10.5-15 +- Type:cve +- ID:CVE-2020-1720 +- SUG: NA +- DESC: fix CVE-2020-1720 + * Tue Apr 08 2020 daiqianwen - 10.5-14 - Type: enhancement - DESC: add postgresql-test-rpm-macros