[postgis-tickets] [PostGIS] #5165: CREATE EXTENSION scripts should use CREATE instead of CREATE OR REPLACE
PostGIS
trac at osgeo.org
Tue Aug 9 07:10:09 PDT 2022
#5165: CREATE EXTENSION scripts should use CREATE instead of CREATE OR REPLACE
------------------------------------+-----------------------------
Reporter: robe | Owner: strk
Type: defect | Status: new
Priority: medium | Milestone: PostGIS Fund Me
Component: build/upgrade/install | Version: master
Resolution: | Keywords:
------------------------------------+-----------------------------
Comment (by tbussmann):
> The danger for ALTER EXTENSION here is if a regular untrusted user knows
> a function exists in postgis in a newer version not yet installed. They go
> create a function with that signature with the future expectation that
> postgis will be upgraded. Then when ALTER EXTENSION UPDATE is done, our
> function would now make a function they own be part of postgis, and they
> could then change that function putting malicious things in there. If a
> super user then runs this coopted function, they could accidentally
> elevate the privileges of said user (cause it would be running under super
> user rights).
That describes what is my understanding of CVE-2022-2625. The upcoming
PostgreSQL releases of this week (10.22, 11.17, 12.12, 13.8, 14.5) will
therefore forbid the use of `CREATE OR REPLACE` on a function that is not
owned by the extension (see postgresql commit
b9b21acc766db54d8c337d508d0fe2f5bf2daab0). This breaks the PostGIS
regression tests and likely the possibility to upgrade from unpackaged to
extension and thus the 2.x -> 3.x upgrades where `postgis_raster` was
repackaged. But these deserve their own tickets after being confirmed.
--
Ticket URL: <https://trac.osgeo.org/postgis/ticket/5165#comment:9>
PostGIS <http://trac.osgeo.org/postgis/>
The PostGIS Trac is used for bug, enhancement & task tracking, a user and developer wiki, and a view into the subversion code repository of PostGIS project.
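An audit for the condition described in this thread, as an added example that is not part of the original message or of PostGIS: the first query lists extension member functions whose owner differs from the extension owner, the second lists functions in the extensions' schemas that belong to no extension and are owned by a non-superuser. It assumes the extensions are named `postgis%` and uses only the standard PostgreSQL system catalogs.

```sql
-- Added audit example (not PostGIS project code).
-- Assumption: the extensions of interest match the name pattern 'postgis%'.
-- Run as a superuser before ALTER EXTENSION ... UPDATE.

-- 1. Functions that are members of a postgis extension but are owned by a
--    role other than the extension owner. That owner can still redefine
--    the function body after it has become part of the extension.
SELECT e.extname,
       p.oid::regprocedure AS function_signature,
       fo.rolname          AS function_owner,
       eo.rolname          AS extension_owner
FROM pg_extension e
JOIN pg_depend d
  ON d.refclassid = 'pg_extension'::regclass
 AND d.refobjid   = e.oid
 AND d.classid    = 'pg_proc'::regclass
 AND d.deptype    = 'e'              -- 'e' = extension membership
JOIN pg_proc  p  ON p.oid  = d.objid
JOIN pg_roles fo ON fo.oid = p.proowner
JOIN pg_roles eo ON eo.oid = e.extowner
WHERE e.extname LIKE 'postgis%'
  AND p.proowner <> e.extowner
ORDER BY e.extname, function_signature;

-- 2. Functions in the extensions' schemas that belong to no extension and
--    are owned by a non-superuser. An update script that uses
--    CREATE OR REPLACE on a matching signature would adopt such a
--    function instead of creating a fresh one.
SELECT n.nspname           AS schema_name,
       p.oid::regprocedure AS function_signature,
       r.rolname           AS function_owner
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
JOIN pg_roles     r ON r.oid = p.proowner
WHERE NOT r.rolsuper
  AND n.oid IN (SELECT extnamespace
                FROM pg_extension
                WHERE extname LIKE 'postgis%')
  AND NOT EXISTS (SELECT 1
                  FROM pg_depend d
                  WHERE d.classid = 'pg_proc'::regclass
                    AND d.objid   = p.oid
                    AND d.deptype = 'e')
ORDER BY schema_name, function_signature;
```

Both queries returning no rows means no function in those schemas is in the state the quoted comment describes; any row is worth reviewing before the update is run.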