[SCM] PostGIS branch stable-3.5 updated. 3.5.5-2-gd1b44c115

git at osgeo.org
Fri Mar 6 13:13:18 PST 2026


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "PostGIS".

The branch, stable-3.5 has been updated
       via  d1b44c115e202fbec8fb6238f821f38b7efc6ef0 (commit)
      from  9e5f4cbde747366e62bcd93a9ac30601e310fa6f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit d1b44c115e202fbec8fb6238f821f38b7efc6ef0
Author: Paul Ramsey <pramsey at cleverelephant.ca>
Date:   Fri Mar 6 13:13:06 2026 -0800

    Remove rare extension priv escalation case, where account
    with extension create privs can escalate to superuser
    by piggybacking on an extension creation event.
    From Sven Klemm (Tiger Data) and Allistair Ishmael Hakim (allistair.sh)
    References #6055

diff --git a/NEWS b/NEWS
index 3dead9499..a66c75e0d 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,10 @@ PostgreSQL 12-18 required. GEOS 3.8+ required. Proj 6.1+ required.
 
 * Bug fixes *
 
+  - #6055, Remove rare extension priv escalation case.
+           Reported by Sven Klemm (Tiger Data) and Allistair Ishmael Hakim (allistair.sh)
+
+
 PostGIS 3.5.5
 2026/02/09
 
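Review bot: the two added blank lines at the end of this hunk leave a double gap before the "PostGIS 3.5.5" heading, where one would match the spacing used elsewhere in NEWS. The entry also says only that the case was "removed"; a short clause naming the actual change (catalog references in AddToSearchPath.sql.inc are now schema-qualified and the function's search_path lists `pg_temp` explicitly after `pg_catalog`) would let administrators see what was hardened without reading the diff.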
diff --git a/libpgcommon/sql/AddToSearchPath.sql.inc b/libpgcommon/sql/AddToSearchPath.sql.inc
index a5e02279e..ff313406c 100644
--- a/libpgcommon/sql/AddToSearchPath.sql.inc
+++ b/libpgcommon/sql/AddToSearchPath.sql.inc
@@ -16,10 +16,10 @@ DECLARE
 BEGIN
 	WITH settings AS (
 		SELECT unnest(setconfig) config
-		FROM pg_db_role_setting
+		FROM pg_catalog.pg_db_role_setting
 		WHERE setdatabase = (
 			SELECT oid
-			FROM pg_database
+			FROM pg_catalog.pg_database
 			WHERE datname = current_database()
 		) and setrole = 0
 	)
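Review bot: `unnest(setconfig)` and `current_database()` in this CTE remain unqualified while the two relations are now `pg_catalog.`-prefixed; they resolve to pg_catalog only because of the function-level `SET search_path`, so `pg_catalog.unnest(setconfig)` and `pg_catalog.current_database()` would make the block self-protecting regardless of how the function is later redefined. The qualification of `pg_db_role_setting` and `pg_database` is the right fix: when `pg_temp` is not listed in search_path, PostgreSQL searches the session's temporary schema before pg_catalog for relation names, so a bare catalog name can be shadowed by a same-named temporary table.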
@@ -30,10 +30,10 @@ BEGIN
 	RAISE NOTICE 'cur_search_path from pg_db_role_setting is %', var_cur_search_path;
 
 	-- only run this test if person creating the extension is a super user
-	IF var_cur_search_path IS NULL AND (SELECT rolsuper FROM pg_roles where rolname = CURRENT_USER) THEN
+	IF var_cur_search_path IS NULL AND (SELECT rolsuper FROM pg_catalog.pg_roles where rolname = CURRENT_USER) THEN
 		SELECT setting
 		INTO var_cur_search_path
-		FROM pg_file_settings
+		FROM pg_catalog.pg_file_settings
 		WHERE name = 'search_path' AND applied;
 
 		RAISE NOTICE 'cur_search_path from pg_file_settings is %', var_cur_search_path;
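Review bot: the `rolsuper` subquery gates the privileged branch that follows, so qualifying `pg_roles` is the change that matters most in this hunk; once the name can only resolve to the real catalog, a temporary relation cannot answer the superuser check in its place. Style: `where rolname = CURRENT_USER` is the only lowercase `where` in the file, and since the line is already being touched it could be made uppercase to match the surrounding clauses.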
@@ -42,7 +42,7 @@ BEGIN
 	IF var_cur_search_path IS NULL THEN
 		SELECT boot_val
 		INTO var_cur_search_path
-		FROM pg_settings
+		FROM pg_catalog.pg_settings
 		WHERE name = 'search_path';
 
 		RAISE NOTICE 'cur_search_path from pg_settings is %', var_cur_search_path;
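Review bot: the notice text says "cur_search_path from pg_settings" but the query reads `boot_val`, the compiled-in default, rather than the active `setting`; that is presumably intended as the last-resort fallback, so the NOTICE (or a comment above the SELECT) should say "boot_val" to avoid suggesting the live value was read. The `pg_catalog.pg_settings` qualification itself is consistent with the other hunks.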
@@ -63,7 +63,8 @@ BEGIN
   RETURN var_result;
 END
 $BODY$
-SET search_path = pg_catalog -- make safe
+-- explicitly move pg_temp after pg_catalog in search path
+SET search_path = pg_catalog, pg_temp
 LANGUAGE 'plpgsql' VOLATILE STRICT
 ;
 
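Review bot: this is the line that closes the gap for any relation or type reference the earlier hunks did not qualify. With `SET search_path = pg_catalog` alone, the unlisted temporary schema is still searched first for relation and type names (function and operator lookup is not affected), so the old "make safe" comment overstated what that setting achieved; listing `pg_temp` explicitly after `pg_catalog` is the documented way to pin it last, and the replacement comment now states the reason. One nit: `LANGUAGE 'plpgsql'` with quotes is the legacy spelling; `LANGUAGE plpgsql` is the current form, though it is harmless here.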

-----------------------------------------------------------------------

Summary of changes:
 NEWS                                    |  4 ++++
 libpgcommon/sql/AddToSearchPath.sql.inc | 13 +++++++------
 2 files changed, 11 insertions(+), 6 deletions(-)


hooks/post-receive
-- 
PostGIS