postgresql: Backport fix for CVE-2024-7348

Upstream-Status: Backport []https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=79c7a7e29695a32fef2e65682be224b8d61ec972

Signed-off-by: Ashish Sharma <asharma@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2 files changed, 584 insertions, 0 deletions

diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2024-7348.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2024-7348.patch
new file mode 100644
index 0000000000..10c2fa3efe
--- /dev/null
+++ b/meta-oe/recipes-dbs/postgresql/files/CVE-2024-7348.patch
@@ -0,0 +1,583 @@
+From 6aba85a4b0a0e60126cc7c598b3e010e272516ec Mon Sep 17 00:00:00 2001
+From: Masahiko Sawada <msawada@postgresql.org>
+Date: Mon, 5 Aug 2024 06:05:28 -0700
+Subject: [PATCH] Restrict accesses to non-system views and foreign tables
+ during pg_dump.
+
+When pg_dump retrieves the list of database objects and performs the
+data dump, there was possibility that objects are replaced with others
+of the same name, such as views, and access them. This vulnerability
+could result in code execution with superuser privileges during the
+pg_dump process.
+
+This issue can arise when dumping data of sequences, foreign
+tables (only 13 or later), or tables registered with a WHERE clause in
+the extension configuration table.
+
+To address this, pg_dump now utilizes the newly introduced
+restrict_nonsystem_relation_kind GUC parameter to restrict the
+accesses to non-system views and foreign tables during the dump
+process. This new GUC parameter is added to back branches too, but
+these changes do not require cluster recreation.
+
+Back-patch to all supported branches.
+
+Reviewed-by: Noah Misch
+Security: CVE-2024-7348
+Backpatch-through: 12
+
+Upstream-Status: Backport from [https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=79c7a7e29695a32fef2e65682be224b8d61ec972]
+CVE: CVE-2024-7348
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ .../postgres_fdw/expected/postgres_fdw.out    | 11 ++++
+ contrib/postgres_fdw/sql/postgres_fdw.sql     |  8 +++
+ doc/src/sgml/config.sgml                      | 17 +++++
+ doc/src/sgml/ref/pg_dump.sgml                 |  8 +++
+ src/backend/foreign/foreign.c                 | 10 +++
+ src/backend/optimizer/plan/createplan.c       | 13 ++++
+ src/backend/optimizer/util/plancat.c          | 12 ++++
+ src/backend/rewrite/rewriteHandler.c          | 17 +++++
+ src/backend/tcop/postgres.c                   | 64 +++++++++++++++++++
+ src/backend/utils/misc/guc_tables.c           | 12 ++++
+ src/bin/pg_dump/pg_dump.c                     | 47 ++++++++++++++
+ src/include/tcop/tcopprot.h                   |  6 ++
+ src/include/utils/guc_hooks.h                 |  3 +
+ src/test/regress/expected/create_view.out     | 19 +++++-
+ src/test/regress/sql/create_view.sql          |  9 +++
+ 15 files changed, 255 insertions(+), 1 deletion(-)
+
+diff --git a/contrib/postgres_fdw/expected/postgres_fdw.out b/contrib/postgres_fdw/expected/postgres_fdw.out
+index a6fd3f6ff0..9b7a7eed05 100644
+--- a/contrib/postgres_fdw/expected/postgres_fdw.out
++++ b/contrib/postgres_fdw/expected/postgres_fdw.out
+@@ -637,6 +637,17 @@ EXPLAIN (VERBOSE, COSTS OFF) SELECT * FROM ft_empty ORDER BY c1;
+    Remote SQL: SELECT c1, c2 FROM public.loct_empty ORDER BY c1 ASC NULLS LAST
+ (3 rows)
+ 
++-- test restriction on non-system foreign tables.
++SET restrict_nonsystem_relation_kind TO 'foreign-table';
++SELECT * from ft1 where c1 < 1; -- ERROR
++ERROR:  access to non-system foreign table is restricted
++INSERT INTO ft1 (c1) VALUES (1); -- ERROR
++ERROR:  access to non-system foreign table is restricted
++DELETE FROM ft1 WHERE c1 = 1; -- ERROR
++ERROR:  access to non-system foreign table is restricted
++TRUNCATE ft1; -- ERROR
++ERROR:  access to non-system foreign table is restricted
++RESET restrict_nonsystem_relation_kind;
+ -- ===================================================================
+ -- WHERE with remotely-executable conditions
+ -- ===================================================================
+diff --git a/contrib/postgres_fdw/sql/postgres_fdw.sql b/contrib/postgres_fdw/sql/postgres_fdw.sql
+index 1c1dedd991..80cc3f9d8e 100644
+--- a/contrib/postgres_fdw/sql/postgres_fdw.sql
++++ b/contrib/postgres_fdw/sql/postgres_fdw.sql
+@@ -327,6 +327,14 @@ DELETE FROM loct_empty;
+ ANALYZE ft_empty;
+ EXPLAIN (VERBOSE, COSTS OFF) SELECT * FROM ft_empty ORDER BY c1;
+ 
++-- test restriction on non-system foreign tables.
++SET restrict_nonsystem_relation_kind TO 'foreign-table';
++SELECT * from ft1 where c1 < 1; -- ERROR
++INSERT INTO ft1 (c1) VALUES (1); -- ERROR
++DELETE FROM ft1 WHERE c1 = 1; -- ERROR
++TRUNCATE ft1; -- ERROR
++RESET restrict_nonsystem_relation_kind;
++
+ -- ===================================================================
+ -- WHERE with remotely-executable conditions
+ -- ===================================================================
+diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
+index e8c5d2a3b7..69c4bc614f 100644
+--- a/doc/src/sgml/config.sgml
++++ b/doc/src/sgml/config.sgml
+@@ -9564,6 +9564,23 @@ SET XML OPTION { DOCUMENT | CONTENT };
+       </listitem>
+      </varlistentry>
+ 
++     <varlistentry id="guc-restrict-nonsystem-relation-kind" xreflabel="restrict_nonsystem_relation_kind">
++      <term><varname>restrict_nonsystem_relation_kind</varname> (<type>string</type>)
++      <indexterm>
++       <primary><varname>restrict_nonsystem_relation_kind</varname></primary>
++       <secondary>configuration parameter</secondary>
++     </indexterm>
++     </term>
++     <listitem>
++      <para>
++       This variable specifies relation kind to which access is restricted.
++       It contains a comma-separated list of relation kind.  Currently, the
++       supported relation kinds are <literal>view</literal> and
++       <literal>foreign-table</literal>.
++      </para>
++     </listitem>
++     </varlistentry>
++
+      </variablelist>
+     </sect2>
+      <sect2 id="runtime-config-client-format">
+diff --git a/doc/src/sgml/ref/pg_dump.sgml b/doc/src/sgml/ref/pg_dump.sgml
+index 7ff5d04c73..b879c30c18 100644
+--- a/doc/src/sgml/ref/pg_dump.sgml
++++ b/doc/src/sgml/ref/pg_dump.sgml
+@@ -868,6 +868,14 @@ PostgreSQL documentation
+         The only exception is that an empty pattern is disallowed.
+        </para>
+ 
++       <note>
++        <para>
++         Using wildcards in <option>--include-foreign-data</option> may result
++         in access to unexpected foreign servers. Also, to use this option securely,
++         make sure that the named server must have a trusted owner.
++        </para>
++       </note>
++
+        <note>
+         <para>
+          When <option>--include-foreign-data</option> is specified,
+diff --git a/src/backend/foreign/foreign.c b/src/backend/foreign/foreign.c
+index ca3ad55b62..7335838af3 100644
+--- a/src/backend/foreign/foreign.c
++++ b/src/backend/foreign/foreign.c
+@@ -23,6 +23,7 @@
+ #include "funcapi.h"
+ #include "lib/stringinfo.h"
+ #include "miscadmin.h"
++#include "tcop/tcopprot.h"
+ #include "utils/builtins.h"
+ #include "utils/memutils.h"
+ #include "utils/rel.h"
+@@ -323,6 +324,15 @@ GetFdwRoutine(Oid fdwhandler)
+        Datum           datum;
+        FdwRoutine *routine;
+ 
++       /* Check if the access to foreign tables is restricted */
++       if (unlikely((restrict_nonsystem_relation_kind & RESTRICT_RELKIND_FOREIGN_TABLE) != 0))
++       {
++               /* there must not be built-in FDW handler  */
++               ereport(ERROR,
++                               (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
++                                errmsg("access to non-system foreign table is restricted")));
++       }
++
+        datum = OidFunctionCall0(fdwhandler);
+        routine = (FdwRoutine *) DatumGetPointer(datum);
+ 
+diff --git a/src/backend/optimizer/plan/createplan.c b/src/backend/optimizer/plan/createplan.c
+index 4bb38160b3..974c50b29f 100644
+--- a/src/backend/optimizer/plan/createplan.c
++++ b/src/backend/optimizer/plan/createplan.c
+@@ -40,6 +40,7 @@
+ #include "parser/parse_clause.h"
+ #include "parser/parsetree.h"
+ #include "partitioning/partprune.h"
++#include "tcop/tcopprot.h"
+ #include "utils/lsyscache.h"
+ 
+ 
+@@ -7090,7 +7091,19 @@ make_modifytable(PlannerInfo *root, Plan *subplan,
+ 
+                        if (rte->rtekind == RTE_RELATION &&
+                                rte->relkind == RELKIND_FOREIGN_TABLE)
++                       {
++                               /* Check if the access to foreign tables is restricted */
++                               if (unlikely((restrict_nonsystem_relation_kind & RESTRICT_RELKIND_FOREIGN_TABLE) != 0))
++                               {
++                                       /* there must not be built-in foreign tables */
++                                       Assert(rte->relid >= FirstNormalObjectId);
++                                       ereport(ERROR,
++                                                       (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
++                                                        errmsg("access to non-system foreign table is restricted")));
++                               }
++
+                                fdwroutine = GetFdwRoutineByRelId(rte->relid);
++                       }
+                        else
+                                fdwroutine = NULL;
+                }
+diff --git a/src/backend/optimizer/util/plancat.c b/src/backend/optimizer/util/plancat.c
+index 07c4ba384a..1a3045479f 100644
+--- a/src/backend/optimizer/util/plancat.c
++++ b/src/backend/optimizer/util/plancat.c
+@@ -47,6 +47,7 @@
+ #include "rewrite/rewriteManip.h"
+ #include "statistics/statistics.h"
+ #include "storage/bufmgr.h"
++#include "tcop/tcopprot.h"
+ #include "utils/builtins.h"
+ #include "utils/lsyscache.h"
+ #include "utils/partcache.h"
+@@ -500,6 +501,17 @@ get_relation_info(PlannerInfo *root, Oid relationObjectId, bool inhparent,
+        /* Grab foreign-table info using the relcache, while we have it */
+        if (relation->rd_rel->relkind == RELKIND_FOREIGN_TABLE)
+        {
++               /* Check if the access to foreign tables is restricted */
++               if (unlikely((restrict_nonsystem_relation_kind & RESTRICT_RELKIND_FOREIGN_TABLE) != 0))
++               {
++                       /* there must not be built-in foreign tables */
++                       Assert(RelationGetRelid(relation) >= FirstNormalObjectId);
++
++                       ereport(ERROR,
++                                       (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
++                                        errmsg("access to non-system foreign table is restricted")));
++               }
++
+                rel->serverid = GetForeignServerIdByRelId(RelationGetRelid(relation));
+                rel->fdwroutine = GetFdwRoutineForRelation(relation, true);
+        }
+diff --git a/src/backend/rewrite/rewriteHandler.c b/src/backend/rewrite/rewriteHandler.c
+index 6cef936f82..9cd96fd17e 100644
+--- a/src/backend/rewrite/rewriteHandler.c
++++ b/src/backend/rewrite/rewriteHandler.c
+@@ -41,6 +41,7 @@
+ #include "rewrite/rewriteManip.h"
+ #include "rewrite/rewriteSearchCycle.h"
+ #include "rewrite/rowsecurity.h"
++#include "tcop/tcopprot.h"
+ #include "utils/builtins.h"
+ #include "utils/lsyscache.h"
+ #include "utils/rel.h"
+@@ -1740,6 +1741,14 @@ ApplyRetrieveRule(Query *parsetree,
+        if (rule->qual != NULL)
+                elog(ERROR, "cannot handle qualified ON SELECT rule");
+ 
++       /* Check if the expansion of non-system views are restricted */
++       if (unlikely((restrict_nonsystem_relation_kind & RESTRICT_RELKIND_VIEW) != 0 &&
++                                RelationGetRelid(relation) >= FirstNormalObjectId))
++               ereport(ERROR,
++                               (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
++                                errmsg("access to non-system view \"%s\" is restricted",
++                                               RelationGetRelationName(relation))));
++
+        if (rt_index == parsetree->resultRelation)
+        {
+                /*
+@@ -3104,6 +3113,14 @@
+                }
+        }
+ 
++       /* Check if the expansion of non-system views are restricted */
++       if (unlikely((restrict_nonsystem_relation_kind & RESTRICT_RELKIND_VIEW) != 0 &&
++                                RelationGetRelid(view) >= FirstNormalObjectId))
++               ereport(ERROR,
++                               (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
++                                errmsg("access to non-system view \"%s\" is restricted",
++                                               RelationGetRelationName(view))));
++       
+        /*
+         * For INSERT/UPDATE the modified columns must all be updatable. Note that
+         * we get the modified columns from the query's targetlist, not from the
+diff --git a/src/backend/tcop/postgres.c b/src/backend/tcop/postgres.c
+index 36cc99ec9c..e7d486ca2f 100644
+--- a/src/backend/tcop/postgres.c
++++ b/src/backend/tcop/postgres.c
+@@ -77,6 +77,7 @@
+ #include "utils/snapmgr.h"
+ #include "utils/timeout.h"
+ #include "utils/timestamp.h"
++#include "utils/varlena.h"
+ 
+ /* ----------------
+  *             global variables
+@@ -101,6 +102,9 @@ int                 PostAuthDelay = 0;
+ /* Time between checks that the client is still connected. */
+ int                    client_connection_check_interval = 0;
+ 
++/* flags for non-system relation kinds to restrict use */
++int                    restrict_nonsystem_relation_kind;
++
+ /* ----------------
+  *             private typedefs etc
+  * ----------------
+@@ -3628,6 +3632,66 @@ check_log_stats(bool *newval, void **extra, GucSource source)
+        return true;
+ }
+ 
++/*
++ * GUC check_hook for restrict_nonsystem_relation_kind
++ */
++bool
++check_restrict_nonsystem_relation_kind(char **newval, void **extra, GucSource source)
++{
++       char       *rawstring;
++       List       *elemlist;
++       ListCell   *l;
++       int                     flags = 0;
++
++       /* Need a modifiable copy of string */
++       rawstring = pstrdup(*newval);
++
++       if (!SplitIdentifierString(rawstring, ',', &elemlist))
++       {
++               /* syntax error in list */
++               GUC_check_errdetail("List syntax is invalid.");
++               pfree(rawstring);
++               list_free(elemlist);
++               return false;
++       }
++
++       foreach(l, elemlist)
++       {
++               char       *tok = (char *) lfirst(l);
++
++               if (pg_strcasecmp(tok, "view") == 0)
++                       flags |= RESTRICT_RELKIND_VIEW;
++               else if (pg_strcasecmp(tok, "foreign-table") == 0)
++                       flags |= RESTRICT_RELKIND_FOREIGN_TABLE;
++               else
++               {
++                       GUC_check_errdetail("Unrecognized key word: \"%s\".", tok);
++                       pfree(rawstring);
++                       list_free(elemlist);
++                       return false;
++               }
++       }
++
++       pfree(rawstring);
++       list_free(elemlist);
++
++       /* Save the flags in *extra, for use by the assign function */
++       *extra = guc_malloc(ERROR, sizeof(int));
++       *((int *) *extra) = flags;
++
++       return true;
++}
++
++/*
++ * GUC assign_hook for restrict_nonsystem_relation_kind
++ */
++void
++assign_restrict_nonsystem_relation_kind(const char *newval, void *extra)
++{
++       int                *flags = (int *) extra;
++
++       restrict_nonsystem_relation_kind = *flags;
++}
+ 
+ /*
+  * set_debug_options --- apply "-d N" command line option
+diff --git a/src/backend/utils/misc/guc_tables.c b/src/backend/utils/misc/guc_tables.c
+index b078b934a7..a515ecde97 100644
+--- a/src/backend/utils/misc/guc_tables.c
++++ b/src/backend/utils/misc/guc_tables.c
+@@ -564,6 +564,7 @@ static char *server_encoding_string;
+ static char *server_version_string;
+ static int     server_version_num;
+ static char *debug_io_direct_string;
++static char *restrict_nonsystem_relation_kind_string;
+ 
+ #ifdef HAVE_SYSLOG
+ #define        DEFAULT_SYSLOG_FACILITY LOG_LOCAL0
+@@ -4549,6 +4550,17 @@ struct config_string ConfigureNamesString[] =
+                check_debug_io_direct, assign_debug_io_direct, NULL
+        },
+ 
++       {
++               {"restrict_nonsystem_relation_kind", PGC_USERSET, CLIENT_CONN_STATEMENT,
++                       gettext_noop("Sets relation kinds of non-system relation to restrict use"),
++                       NULL,
++                       GUC_LIST_INPUT | GUC_NOT_IN_SAMPLE
++               },
++               &restrict_nonsystem_relation_kind_string,
++               "",
++               check_restrict_nonsystem_relation_kind, assign_restrict_nonsystem_relation_kind, NULL
++       },
++
+        /* End-of-list marker */
+        {
+                {NULL, 0, 0, NULL, NULL}, NULL, NULL, NULL, NULL, NULL
+diff --git a/src/bin/pg_dump/pg_dump.c b/src/bin/pg_dump/pg_dump.c
+index 300fe071fc..1694ff55f8 100644
+--- a/src/bin/pg_dump/pg_dump.c
++++ b/src/bin/pg_dump/pg_dump.c
+@@ -324,6 +324,7 @@ static bool nonemptyReloptions(const char *reloptions);
+ static void appendReloptionsArrayAH(PQExpBuffer buffer, const char *reloptions,
+                                                                        const char *prefix, Archive *fout);
+ static char *get_synchronized_snapshot(Archive *fout);
++static void set_restrict_relation_kind(Archive *AH, const char *value);
+ static void setupDumpWorker(Archive *AH);
+ static TableInfo *getRootTableInfo(const TableInfo *tbinfo);
+ static bool forcePartitionRootLoad(const TableInfo *tbinfo);
+@@ -1252,6 +1253,13 @@ setup_connection(Archive *AH, const char *dumpencoding,
+                        ExecuteSqlStatement(AH, "SET row_security = off");
+        }
+ 
++       /*
++        * For security reasons, we restrict the expansion of non-system views and
++        * access to foreign tables during the pg_dump process. This restriction
++        * is adjusted when dumping foreign table data.
++        */
++       set_restrict_relation_kind(AH, "view, foreign-table");
++
+        /*
+         * Initialize prepared-query state to "nothing prepared".  We do this here
+         * so that a parallel dump worker will have its own state.
+@@ -2114,6 +2122,10 @@ dumpTableData_copy(Archive *fout, const void *dcontext)
+         */
+        if (tdinfo->filtercond || tbinfo->relkind == RELKIND_FOREIGN_TABLE)
+        {
++               /* Temporary allows to access to foreign tables to dump data */
++               if (tbinfo->relkind == RELKIND_FOREIGN_TABLE)
++                       set_restrict_relation_kind(fout, "view");
++
+                appendPQExpBufferStr(q, "COPY (SELECT ");
+                /* klugery to get rid of parens in column list */
+                if (strlen(column_list) > 2)
+@@ -2225,6 +2237,11 @@ dumpTableData_copy(Archive *fout, const void *dcontext)
+                                           classname);
+ 
+        destroyPQExpBuffer(q);
++
++       /* Revert back the setting */
++       if (tbinfo->relkind == RELKIND_FOREIGN_TABLE)
++               set_restrict_relation_kind(fout, "view, foreign-table");
++
+        return 1;
+ }
+ 
+@@ -2251,6 +2268,10 @@ dumpTableData_insert(Archive *fout, const void *dcontext)
+        int                     rows_per_statement = dopt->dump_inserts;
+        int                     rows_this_statement = 0;
+ 
++       /* Temporary allows to access to foreign tables to dump data */
++       if (tbinfo->relkind == RELKIND_FOREIGN_TABLE)
++               set_restrict_relation_kind(fout, "view");
++
+        /*
+         * If we're going to emit INSERTs with column names, the most efficient
+         * way to deal with generated columns is to exclude them entirely.  For
+@@ -2490,6 +2511,10 @@ dumpTableData_insert(Archive *fout, const void *dcontext)
+                destroyPQExpBuffer(insertStmt);
+        free(attgenerated);
+ 
++       /* Revert back the setting */
++       if (tbinfo->relkind == RELKIND_FOREIGN_TABLE)
++               set_restrict_relation_kind(fout, "view, foreign-table");
++
+        return 1;
+ }
+ 
+@@ -4590,6 +4615,28 @@ is_superuser(Archive *fout)
+        return false;
+ }
+ 
++/*
++ * Set the given value to restrict_nonsystem_relation_kind value. Since
++ * restrict_nonsystem_relation_kind is introduced in minor version releases,
++ * the setting query is effective only where available.
++ */
++static void
++set_restrict_relation_kind(Archive *AH, const char *value)
++{
++       PQExpBuffer query = createPQExpBuffer();
++       PGresult   *res;
++
++       appendPQExpBuffer(query,
++                                         "SELECT set_config(name, '%s', false) "
++                                         "FROM pg_settings "
++                                         "WHERE name = 'restrict_nonsystem_relation_kind'",
++                                         value);
++       res = ExecuteSqlQuery(AH, query->data, PGRES_TUPLES_OK);
++
++       PQclear(res);
++       destroyPQExpBuffer(query);
++}
++
+ /*
+  * getSubscriptions
+  *       get information about subscriptions
+diff --git a/src/include/tcop/tcopprot.h b/src/include/tcop/tcopprot.h
+index abd7b4fff3..e529e9f06c 100644
+--- a/src/include/tcop/tcopprot.h
++++ b/src/include/tcop/tcopprot.h
+@@ -43,6 +43,12 @@ typedef enum
+ 
+ extern PGDLLIMPORT int log_statement;
+ 
++/* Flags for restrict_nonsystem_relation_kind value */
++#define RESTRICT_RELKIND_VIEW                  0x01
++#define RESTRICT_RELKIND_FOREIGN_TABLE 0x02
++
++extern PGDLLIMPORT int restrict_nonsystem_relation_kind;
++
+ extern List *pg_parse_query(const char *query_string);
+ extern List *pg_rewrite_query(Query *query);
+ extern List *pg_analyze_and_rewrite_fixedparams(RawStmt *parsetree,
+diff --git a/src/include/utils/guc_hooks.h b/src/include/utils/guc_hooks.h
+index 952293a1c3..0ea33fede9 100644
+--- a/src/include/utils/guc_hooks.h
++++ b/src/include/utils/guc_hooks.h
+@@ -118,6 +118,9 @@ extern void assign_recovery_target_xid(const char *newval, void *extra);
+ extern bool check_role(char **newval, void **extra, GucSource source);
+ extern void assign_role(const char *newval, void *extra);
+ extern const char *show_role(void);
++extern bool check_restrict_nonsystem_relation_kind(char **newval, void **extra,
++                                                                                                  GucSource source);
++extern void assign_restrict_nonsystem_relation_kind(const char *newval, void *extra);
+ extern bool check_search_path(char **newval, void **extra, GucSource source);
+ extern void assign_search_path(const char *newval, void *extra);
+ extern bool check_session_authorization(char **newval, void **extra, GucSource source);
+diff --git a/src/test/regress/expected/create_view.out b/src/test/regress/expected/create_view.out
+index 61825ef7d4..f3f8c7b5a2 100644
+--- a/src/test/regress/expected/create_view.out
++++ b/src/test/regress/expected/create_view.out
+@@ -2202,6 +2202,21 @@ select pg_get_viewdef('tt26v', true);
+     FROM ( VALUES (1,2,3)) v(x, y, z);
+ (1 row)
+ 
++-- test restriction on non-system view expansion.
++create table tt27v_tbl (a int);
++create view tt27v as select a from tt27v_tbl;
++set restrict_nonsystem_relation_kind to 'view';
++select a from tt27v where a > 0; -- Error
++ERROR:  access to non-system view "tt27v" is restricted
++insert into tt27v values (1); -- Error
++ERROR:  access to non-system view "tt27v" is restricted
++select viewname from pg_views where viewname = 'tt27v'; -- Ok to access a system view.
++ viewname 
++----------
++ tt27v
++(1 row)
++
++reset restrict_nonsystem_relation_kind;
+ -- clean up all the random objects we made above
+ DROP SCHEMA temp_view_test CASCADE;
+ NOTICE:  drop cascades to 27 other objects
+@@ -2233,7 +2248,7 @@ drop cascades to view aliased_view_2
+ drop cascades to view aliased_view_3
+ drop cascades to view aliased_view_4
+ DROP SCHEMA testviewschm2 CASCADE;
+-NOTICE:  drop cascades to 77 other objects
++NOTICE:  drop cascades to 79 other objects
+ DETAIL:  drop cascades to table t1
+ drop cascades to view temporal1
+ drop cascades to view temporal2
+@@ -2311,3 +2326,5 @@ drop cascades to view tt23v
+ drop cascades to view tt24v
+ drop cascades to view tt25v
+ drop cascades to view tt26v
++drop cascades to table tt27v_tbl
++drop cascades to view tt27v
+diff --git a/src/test/regress/sql/create_view.sql b/src/test/regress/sql/create_view.sql
+index 8838a40f7a..3a78be1b0c 100644
+--- a/src/test/regress/sql/create_view.sql
++++ b/src/test/regress/sql/create_view.sql
+@@ -813,6 +813,15 @@ select x + y + z as c1,
+ from (values(1,2,3)) v(x,y,z);
+ select pg_get_viewdef('tt26v', true);
+ 
++-- test restriction on non-system view expansion.
++create table tt27v_tbl (a int);
++create view tt27v as select a from tt27v_tbl;
++set restrict_nonsystem_relation_kind to 'view';
++select a from tt27v where a > 0; -- Error
++insert into tt27v values (1); -- Error
++select viewname from pg_views where viewname = 'tt27v'; -- Ok to access a system view.
++reset restrict_nonsystem_relation_kind;
++
+ -- clean up all the random objects we made above
+ DROP SCHEMA temp_view_test CASCADE;
+ DROP SCHEMA testviewschm2 CASCADE;
+-- 
+2.30.2
+
diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_16.3.bb b/meta-oe/recipes-dbs/postgresql/postgresql_16.3.bb
index 6df719cd98..31f427503b 100644
--- a/meta-oe/recipes-dbs/postgresql/postgresql_16.3.bb
+++ b/meta-oe/recipes-dbs/postgresql/postgresql_16.3.bb
@@ -9,6 +9,7 @@ SRC_URI += "\
    file://0003-configure.ac-bypass-autoconf-2.69-version-check.patch \
    file://0004-config_info.c-not-expose-build-info.patch \
    file://0005-postgresql-fix-ptest-failure-of-sysviews.patch \
+   file://CVE-2024-7348.patch \
 "
 
 SRC_URI[sha256sum] = "331963d5d3dc4caf4216a049fa40b66d6bcb8c730615859411b9518764e60585"