[SCM] PostGIS branch stable-3.4 updated. 3.4.5-6-gcf26d1a4e

git at osgeo.org git at osgeo.org
Thu Mar 12 12:06:12 PDT 2026


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "PostGIS".

The branch, stable-3.4 has been updated
       via  cf26d1a4efc3c886de779335c6662bf682e43daa (commit)
       via  d33ee69b158bcde54ad407b5939c11442f8e2d7c (commit)
      from  86e45c71c55b00b62c64a51d081ffff0a896222c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit cf26d1a4efc3c886de779335c6662bf682e43daa
Author: Paul Ramsey <pramsey at cleverelephant.ca>
Date:   Thu Mar 12 12:02:44 2026 -0700

    Remove priv escalation scenario.
    Reported by Daniel Bakker
    References #6054

diff --git a/NEWS b/NEWS
index 53c688b01..385b3bd13 100644
--- a/NEWS
+++ b/NEWS
@@ -7,7 +7,8 @@ Proj 6.1+ required.
 * Bug Fixes *
 
   - #6055, Remove rare extension priv escalation case.
-           Reported by Sven Klemm (Tiger Data) and Allistair Ishmael Hakim (allistair.sh)
+           Reported by Sven Klemm (Tiger Data), Allistair Ishmael Hakim (allistair.sh)
+           and Daniel Bakker
 
 
 PostGIS 3.4.5
diff --git a/utils/create_unpackaged.pl b/utils/create_unpackaged.pl
index a50725158..d505ed747 100755
--- a/utils/create_unpackaged.pl
+++ b/utils/create_unpackaged.pl
@@ -186,10 +186,10 @@ AS \$\$
 DECLARE
 	sql text;
 	proc regproc;
-	obj text := format('%s %s', type, sig);
+	obj text := pg_catalog.format('%s %s', type, sig);
 BEGIN
 
-	sql := format('ALTER EXTENSION ${extname} ADD %s', obj);
+	sql := pg_catalog.format('ALTER EXTENSION ${extname} ADD %s', obj);
 	EXECUTE sql;
 	RAISE NOTICE 'newly registered %', obj;
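Review bot: The two changed lines now call `pg_catalog.format`, but nothing in the generated function says why the qualification matters, so a later tidy-up could shorten it back to bare `format` without noticing the security intent. I would add a comment above the DECLARE block, e.g. `-- schema-qualify builtins: this runs during CREATE EXTENSION, when search_path may reach schemas the extension owner does not control`. The generated function starts before the hunk (its `AS $$` is only visible in the hunk header) and any trailing `SET search_path` clause is outside view, so whether the body additionally relies on a function-level search_path setting cannot be confirmed here.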
 

commit d33ee69b158bcde54ad407b5939c11442f8e2d7c
Author: Paul Ramsey <pramsey at cleverelephant.ca>
Date:   Fri Mar 6 13:12:28 2026 -0800

    Remove rare extension priv escalation case, where account
    with extension create privs can escalate to superuser
    by piggybacking on an extension creation event.
    From Sven Klemm (Tiger Data) and Allistair Ishmael Hakim (allistair.sh)
    References #6055

diff --git a/NEWS b/NEWS
index 00e232b57..53c688b01 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,8 @@ Proj 6.1+ required.
 
 * Bug Fixes *
 
+  - #6055, Remove rare extension priv escalation case.
+           Reported by Sven Klemm (Tiger Data) and Allistair Ishmael Hakim (allistair.sh)
 
 
 PostGIS 3.4.5
diff --git a/libpgcommon/sql/AddToSearchPath.sql.inc b/libpgcommon/sql/AddToSearchPath.sql.inc
index a5e02279e..ff313406c 100644
--- a/libpgcommon/sql/AddToSearchPath.sql.inc
+++ b/libpgcommon/sql/AddToSearchPath.sql.inc
@@ -16,10 +16,10 @@ DECLARE
 BEGIN
 	WITH settings AS (
 		SELECT unnest(setconfig) config
-		FROM pg_db_role_setting
+		FROM pg_catalog.pg_db_role_setting
 		WHERE setdatabase = (
 			SELECT oid
-			FROM pg_database
+			FROM pg_catalog.pg_database
 			WHERE datname = current_database()
 		) and setrole = 0
 	)
@@ -30,10 +30,10 @@ BEGIN
 	RAISE NOTICE 'cur_search_path from pg_db_role_setting is %', var_cur_search_path;
 
 	-- only run this test if person creating the extension is a super user
-	IF var_cur_search_path IS NULL AND (SELECT rolsuper FROM pg_roles where rolname = CURRENT_USER) THEN
+	IF var_cur_search_path IS NULL AND (SELECT rolsuper FROM pg_catalog.pg_roles where rolname = CURRENT_USER) THEN
 		SELECT setting
 		INTO var_cur_search_path
-		FROM pg_file_settings
+		FROM pg_catalog.pg_file_settings
 		WHERE name = 'search_path' AND applied;
 
 		RAISE NOTICE 'cur_search_path from pg_file_settings is %', var_cur_search_path;
@@ -42,7 +42,7 @@ BEGIN
 	IF var_cur_search_path IS NULL THEN
 		SELECT boot_val
 		INTO var_cur_search_path
-		FROM pg_settings
+		FROM pg_catalog.pg_settings
 		WHERE name = 'search_path';
 
 		RAISE NOTICE 'cur_search_path from pg_settings is %', var_cur_search_path;
@@ -63,7 +63,8 @@ BEGIN
   RETURN var_result;
 END
 $BODY$
-SET search_path = pg_catalog -- make safe
+-- explicitly move pg_temp after pg_catalog in search path
+SET search_path = pg_catalog, pg_temp
 LANGUAGE 'plpgsql' VOLATILE STRICT
 ;
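Review bot: The comment added above the SET clause says what is done but not why: PostgreSQL searches pg_temp before every listed schema unless it is named explicitly, so the old `SET search_path = pg_catalog` still let a temp-schema object shadow a catalog name inside this function. Suggest `-- pg_temp is searched before pg_catalog unless listed explicitly; naming it last keeps temp objects from shadowing catalog names`. The function body above the hunk header is outside view, so the interplay with the per-table qualifications in the earlier hunks can only be inferred.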
 

-----------------------------------------------------------------------

Summary of changes:
 NEWS                                    |  3 +++
 libpgcommon/sql/AddToSearchPath.sql.inc | 13 +++++++------
 utils/create_unpackaged.pl              |  4 ++--
 3 files changed, 12 insertions(+), 8 deletions(-)


hooks/post-receive
-- 
PostGIS

