From 1a40db6e0ac0df8f3194f0dd9a34777b0f4a48a0 Mon Sep 17 00:00:00 2001
From: gu-gu-gu
Date: Mon, 3 Feb 2020 20:28:08 +0800
Subject: [PATCH] CVE-2019-10130
---
 CVE-2019-10130.patch | 75 ++++++++++++++++++++++++++++++++++++++++++++
 postgresql.spec | 10 +++++-
 2 files changed, 84 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2019-10130.patch
diff --git a/CVE-2019-10130.patch b/CVE-2019-10130.patch
new file mode 100644
index 0000000..b773c40
--- /dev/null
+++ b/CVE-2019-10130.patch
@@ -0,0 +1,75 @@
+From 1aebfbea83c4a3e1a0aba4b0910135dc5a45666c Mon Sep 17 00:00:00 2001
+From: Dean Rasheed
+Date: Mon, 6 May 2019 11:38:43 +0100
+Subject: [PATCH] Fix security checks for selectivity estimation functions with
+ RLS.
+
+In commit e2d4ef8de8, security checks were added to prevent
+user-supplied operators from running over data from pg_statistic
+unless the user has table or column privileges on the table, or the
+operator is leakproof. For a table with RLS, however, checking for
+table or column privileges is insufficient, since that does not
+guarantee that the user has permission to view all of the column's
+data.
+
+Fix this by also checking for securityQuals on the RTE, and insisting
+that the operator be leakproof if there are any. Thus the
+leakproofness check will only be skipped if there are no securityQuals
+and the user has table or column privileges on the table -- i.e., only
+if we know that the user has access to all the data in the column.
+
+Back-patch to 9.5 where RLS was added.
+
+Dean Rasheed, reviewed by Jonathan Katz and Stephen Frost.
+
+Security: CVE-2019-10130
+---
+ src/backend/utils/adt/selfuncs.c | 21 +++++++++++++++------
+ src/test/regress/expected/rowsecurity.out | 21 +++++++++++++++++++++
+ src/test/regress/sql/rowsecurity.sql | 20 ++++++++++++++++++++
+ 3 files changed, 56 insertions(+), 6 deletions(-)
+
+diff --git a/src/backend/utils/adt/selfuncs.c b/src/backend/utils/adt/selfuncs.c
+index b41991315520..514612857ad6 100644
+--- a/src/backend/utils/adt/selfuncs.c
++++ b/src/backend/utils/adt/selfuncs.c
+@@ -4597,9 +4597,13 @@ examine_variable(PlannerInfo *root, Node *node, int varRelid,
+ * For simplicity, we insist on the whole
+ * table being selectable, rather than trying
+ * to identify which column(s) the index
+- * depends on.
++ * depends on. Also require all rows to be
++ * selectable --- there must be no
++ * securityQuals from security barrier views
++ * or RLS policies.
+ */
+ vardata->acl_ok =
++ rte->securityQuals == NIL &&
+ (pg_class_aclcheck(rte->relid, GetUserId(),
+ ACL_SELECT) == ACLCHECK_OK);
+ }
+@@ -4663,12 +4667,17 @@ examine_simple_variable(PlannerInfo *root, Var *var,
+
+ if (HeapTupleIsValid(vardata->statsTuple))
+ {
+- /* check if user has permission to read this column */
++ /*
++ * Check if user has permission to read this column. We require
++ * all rows to be accessible, so there must be no securityQuals
++ * from security barrier views or RLS policies.
++ */
+ vardata->acl_ok =
+- (pg_class_aclcheck(rte->relid, GetUserId(),
+- ACL_SELECT) == ACLCHECK_OK) ||
+- (pg_attribute_aclcheck(rte->relid, var->varattno, GetUserId(),
+- ACL_SELECT) == ACLCHECK_OK);
++ rte->securityQuals == NIL &&
++ ((pg_class_aclcheck(rte->relid, GetUserId(),
++ ACL_SELECT) == ACLCHECK_OK) ||
++ (pg_attribute_aclcheck(rte->relid, var->varattno, GetUserId(),
++ ACL_SELECT) == ACLCHECK_OK));
+ }
+ else
+ {
+--
+2.11.0
diff --git a/postgresql.spec b/postgresql.spec
index 4dd1347..52f1c3c 100644
--- a/postgresql.spec
+++ b/postgresql.spec
@@ -4,7 +4,7 @@ Name: postgresql
 Version: 10.5
-Release: 9
+Release: 10
 Summary: PostgreSQL client programs
 License: PostgreSQL
 URL: http://www.postgresql.org/
@@ -20,6 +20,7 @@ Patch6000: 6000-CVE-2019-10164-1.patch
 Patch6001: 6001-CVE-2019-10164-2.patch
 Patch6002: CVE-2019-10208.patch
 Patch6003: CVE-2018-16850.patch
+Patch6004: CVE-2019-10130.patch
 BuildRequires: gcc perl(ExtUtils::MakeMaker) glibc-devel bison flex gawk perl(ExtUtils::Embed)
 BuildRequires: perl-devel perl-generators readline-devel zlib-devel systemd systemd-devel
@@ -180,6 +181,7 @@ PostgreSQL database management system, including regression tests and benchmarks
 %patch6001 -p1
 %patch6002 -p1
 %patch6003 -p1
+%patch6004 -p1
 tar xfj %{SOURCE1}
 find . -type f -name .gitignore | xargs rm
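Review bot: The embedded patch is internally inconsistent: its header at `+ 3 files changed, 56 insertions(+), 6 deletions(-)` still lists `src/test/regress/expected/rowsecurity.out` and `src/test/regress/sql/rowsecurity.sql`, but the body carries only the two `selfuncs.c` hunks, so the regression coverage upstream added for the RLS case was dropped while the diffstat still claims it. Either carry the two regression-test hunks too, so the build's `make check` exercises the new `rte->securityQuals == NIL &&` condition in both `examine_variable` and `examine_simple_variable`, or trim the diffstat to the one file actually patched. The commit hash and the `index b41991315520..514612857ad6` blob ids look like the master-branch commit rather than the REL_10 back-patch that the message ("Back-patch to 9.5") implies exists, so it is worth confirming that `%patch6004 -p1` applies to the 10.5 tree without offset or fuzz; both modified functions begin and end outside the quoted hunks.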
@@ -534,6 +536,12 @@ make -C postgresql-setup-8.2 check %attr(-,postgres,postgres) %{_libdir}/postgresql/test %changelog +* Mon Feb 3 2020 chenli 10.5-10 +- Type:cve +- ID:CVE-2019-10130 +- SUG: NA +- DESC: fix CVE-2019-10130 + * Tue Jan 14 2020 openEuler Buildteam - 10.5-9 - Type:enhancement - ID:NA -- Gitee