Backport of CVE-2025-12817 fix: Check for CREATE privilege on the schema in CREATE STATISTICS.

[reshke]

This omission allowed table owners to create statistics in any schema, potentially leading to unexpected naming conflicts. For ALTER TABLE commands that require re-creating statistics objects, skip this check in case the user has since lost CREATE on the schema. The addition of a second parameter to CreateStatistics() breaks ABI compatibility, but we are unaware of any impacted third-party code.

Reported-by: Jelte Fennema-Nio postgres@jeltef.nl
Author: Jelte Fennema-Nio postgres@jeltef.nl
Co-authored-by: Nathan Bossart nathandbossart@gmail.com
Reviewed-by: Noah Misch noah@leadboat.com
Reviewed-by: Álvaro Herrera alvherre@kurilemu.de
Security: CVE-2025-12817
Backpatch-through: 13

========
In CBDB backported from https://git.postgresql.org/cgit/postgresql.git/commit/?h=95cce566968
Backport-by: reshke reshke@double.cloud

[my-ship-it]

LGTM

[leborchuk]

stats_ext test with gporca enabled failed with

diff -I HINT: -I CONTEXT: -I GP_IGNORE: -U3 /__w/cloudberry/cloudberry/src/test/regress/expected/stats_ext_optimizer.out /__w/cloudberry/cloudberry/src/test/regress/results/stats_ext.out
--- /__w/cloudberry/cloudberry/src/test/regress/expected/stats_ext_optimizer.out        2026-03-24 12:26:47.306277668 +0000
+++ /__w/cloudberry/cloudberry/src/test/regress/results/stats_ext.out   2026-03-24 12:26:47.387277789 +0000
@@ -3276,6 +3276,23 @@
  s_expr          | {secret}
 (2 rows)

+-- CREATE STATISTICS checks for CREATE on the schema
+RESET SESSION AUTHORIZATION;
+CREATE SCHEMA sts_sch1 CREATE TABLE sts_sch1.tbl (a INT, b INT);
+GRANT USAGE ON SCHEMA sts_sch1 TO regress_stats_user1;
+ALTER TABLE sts_sch1.tbl OWNER TO regress_stats_user1;
+SET SESSION AUTHORIZATION regress_stats_user1;
+CREATE STATISTICS sts_sch1.fail ON a, b FROM sts_sch1.tbl;
+ERROR:  permission denied for schema sts_sch1
+RESET SESSION AUTHORIZATION;
+GRANT CREATE ON SCHEMA sts_sch1 TO regress_stats_user1;
+SET SESSION AUTHORIZATION regress_stats_user1;
+CREATE STATISTICS sts_sch1.pass ON a, b FROM sts_sch1.tbl;
+-- re-creating statistics via ALTER TABLE bypasses checks for CREATE on schema
+RESET SESSION AUTHORIZATION;
+REVOKE CREATE ON SCHEMA sts_sch1 FROM regress_stats_user1;
+SET SESSION AUTHORIZATION regress_stats_user1;
+ALTER TABLE sts_sch1.tbl ALTER COLUMN a TYPE SMALLINT;
 -- Tidy up
 DROP OPERATOR <<< (int, int);
 DROP FUNCTION op_leak(int, int);
@@ -3285,6 +3302,8 @@
 DETAIL:  drop cascades to table tststats.priv_test_tbl
 NOTICE:  drop cascades to 2 other objects
 drop cascades to view tststats.priv_test_view
+DROP SCHEMA sts_sch1 CASCADE;
+NOTICE:  drop cascades to table sts_sch1.tbl
 DROP USER regress_stats_user1;
 -- test analyze with extended statistics
 CREATE TABLE tbl_issue1293 (col1 int, col2 int);