Compare revisions

  • pkg/postgresql-13
Commits on Source (9)
Showing
with 813 additions and 177 deletions
......@@ -25,9 +25,12 @@ src/interfaces/libpq/test/expected.out whitespace=-blank-at-eof
# These files are maintained or generated elsewhere. We take them as is.
configure -whitespace
ppport.h -whitespace
src/backend/jit/llvm/SectionMemoryManager.cpp -whitespace
src/backend/jit/llvm/SectionMemoryManager.LICENSE -whitespace
src/backend/regex/COPYRIGHT -whitespace
src/backend/regex/re_syntax.n -whitespace
src/backend/snowball/libstemmer/*.c -whitespace
src/backend/utils/mb/Unicode/*-std.txt -whitespace
src/include/jit/SectionMemoryManager.h -whitespace
src/include/snowball/libstemmer/* -whitespace
src/timezone/data/* -whitespace
0dc08bbfcc93ac4f04d2a3f4b9d1231a80e2cc0c
bf5710d3b6656516d828ebe9f6e2ffd49e54d084
PostgreSQL Database Management System
(formerly known as Postgres, then as Postgres95)
Portions Copyright (c) 1996-2024, PostgreSQL Global Development Group
Portions Copyright (c) 1996-2025, PostgreSQL Global Development Group
Portions Copyright (c) 1994, The Regents of the University of California
......
This diff is collapsed.
......@@ -17,7 +17,7 @@ dnl Read the Autoconf manual for details.
dnl
m4_pattern_forbid(^PGAC_)dnl to catch undefined macros
AC_INIT([PostgreSQL], [13.16], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/])
AC_INIT([PostgreSQL], [13.19], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/])
m4_if(m4_defn([m4_PACKAGE_VERSION]), [2.69], [], [m4_fatal([Autoconf version 2.69 is required.
Untested combinations of 'autoconf' and PostgreSQL versions are not
......@@ -456,6 +456,26 @@ else
BITCODE_CXXFLAGS="-O2 $BITCODE_CXXFLAGS"
fi
# We use C constructs that became invalid in C23. Check if the compiler
# reports a standard higher than C17, with the flags selected above (so the
# user can control the language level explicitly to avoid the gcc/clang-only
# fallback logic below if preferred).
AC_MSG_CHECKING([whether $CC reports a C standard higher than ISO C17])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([], [@%:@if __STDC_VERSION__ > 201710L
choke me
@%:@endif])], [POSTC17=no], [POSTC17=yes])
AC_MSG_RESULT(${POSTC17})
# If a too recent standard was detected with the user's CFLAGS, try asking for
# C17 with GNU extensions explicitly.
if test "$POSTC17" = yes; then
old_CFLAGS="$CFLAGS"
PGAC_PROG_CC_CFLAGS_OPT([-std=gnu17])
if test "$CFLAGS" = "$old_CFLAGS"; then
AC_MSG_ERROR([cannot proceed])
fi
fi
# C[XX]FLAGS we determined above will be added back at the end
user_CFLAGS=$CFLAGS
CFLAGS=""
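Review bot: AC_MSG_ERROR([cannot proceed]) in the -std=gnu17 fallback gives the person running configure nothing to act on. The message should say what failed: $CC reports a standard newer than ISO C17 and did not accept -std=gnu17. It should also say that the language level can be selected through CFLAGS, which the comment above the check already describes.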
......@@ -498,6 +518,8 @@ if test "$GCC" = yes -a "$ICC" = no; then
PGAC_PROG_CXX_CFLAGS_OPT([-Wmissing-format-attribute])
PGAC_PROG_CC_CFLAGS_OPT([-Wimplicit-fallthrough=3])
PGAC_PROG_CXX_CFLAGS_OPT([-Wimplicit-fallthrough=3])
PGAC_PROG_CC_CFLAGS_OPT([-Wcast-function-type])
PGAC_PROG_CXX_CFLAGS_OPT([-Wcast-function-type])
# This was included in -Wall/-Wformat in older GCC versions
PGAC_PROG_CC_CFLAGS_OPT([-Wformat-security])
PGAC_PROG_CXX_CFLAGS_OPT([-Wformat-security])
......@@ -551,6 +573,12 @@ if test "$GCC" = yes -a "$ICC" = no; then
if test -n "$NOT_THE_CFLAGS"; then
CFLAGS="$CFLAGS -Wno-stringop-truncation"
fi
# Suppress clang 16's strict warnings about function casts
NOT_THE_CFLAGS=""
PGAC_PROG_CC_VAR_OPT(NOT_THE_CFLAGS, [-Wcast-function-type-strict])
if test -n "$NOT_THE_CFLAGS"; then
CFLAGS="$CFLAGS -Wno-cast-function-type-strict"
fi
elif test "$ICC" = yes; then
# Intel's compiler has a bug/misoptimization in checking for
# division by NAN (NaN == 0), -mp1 fixes it, so add it to the CFLAGS.
......@@ -593,6 +621,13 @@ if test "$with_llvm" = yes ; then
PGAC_PROG_VARCC_VARFLAGS_OPT(CLANG, BITCODE_CFLAGS, [-Xclang -no-opaque-pointers])
PGAC_PROG_VARCXX_VARFLAGS_OPT(CLANGXX, BITCODE_CXXFLAGS, [-Xclang -no-opaque-pointers])
# Ideally bitcode should perhaps match $CC's use, or not, of outline atomic
# functions, but for now we err on the side of suppressing them in bitcode,
# because we can't assume they're available at runtime. This affects aarch64
# builds using the basic armv8-a ISA without LSE support.
PGAC_PROG_VARCXX_VARFLAGS_OPT(CLANG, BITCODE_CFLAGS, [-mno-outline-atomics])
PGAC_PROG_VARCXX_VARFLAGS_OPT(CLANG, BITCODE_CXXFLAGS, [-mno-outline-atomics])
NOT_THE_CFLAGS=""
PGAC_PROG_VARCC_VARFLAGS_OPT(CLANG, NOT_THE_CFLAGS, [-Wunused-command-line-argument])
if test -n "$NOT_THE_CFLAGS"; then
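Review bot: both -mno-outline-atomics probes call PGAC_PROG_VARCXX_VARFLAGS_OPT with CLANG, while the -no-opaque-pointers pair directly above uses PGAC_PROG_VARCC_VARFLAGS_OPT(CLANG, BITCODE_CFLAGS, ...) for the C flags and PGAC_PROG_VARCXX_VARFLAGS_OPT(CLANGXX, BITCODE_CXXFLAGS, ...) for the C++ flags. If testing both flag sets through the C++ macro with the C compiler variable is intentional, a comment should say so. Otherwise follow the existing pairing so that BITCODE_CFLAGS is probed with the VARCC macro and BITCODE_CXXFLAGS with CLANGXX.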
......@@ -1368,8 +1403,6 @@ AC_SUBST(UUID_LIBS)
## Header files
##
AC_HEADER_STDBOOL
AC_CHECK_HEADERS(m4_normalize([
atomic.h
copyfile.h
......@@ -1678,14 +1711,11 @@ if test "$ac_cv_sizeof_off_t" -lt 8 -a "$segsize" != "1"; then
AC_MSG_ERROR([Large file support is not enabled. Segment size cannot be larger than 1GB.])
fi
AC_CHECK_SIZEOF([bool], [],
[#ifdef HAVE_STDBOOL_H
#include <stdbool.h>
#endif])
AC_CHECK_SIZEOF([bool], [], [#include <stdbool.h>])
dnl We use <stdbool.h> if we have it and it declares type bool as having
dnl size 1. Otherwise, c.h will fall back to declaring bool as unsigned char.
if test "$ac_cv_header_stdbool_h" = yes -a "$ac_cv_sizeof_bool" = 1; then
dnl We use <stdbool.h> if bool has size 1 after including it. Otherwise, c.h
dnl will fall back to declaring bool as unsigned char.
if test "$ac_cv_sizeof_bool" = 1; then
AC_DEFINE([PG_USE_STDBOOL], 1,
[Define to 1 to use <stdbool.h> to define type bool.])
fi
......@@ -1871,8 +1901,10 @@ if test "$PORTNAME" = "win32"; then
AC_LIBOBJ(system)
AC_LIBOBJ(win32env)
AC_LIBOBJ(win32error)
AC_LIBOBJ(win32ntdll)
AC_LIBOBJ(win32security)
AC_LIBOBJ(win32setlocale)
AC_LIBOBJ(win32stat)
AC_DEFINE([HAVE_SYMLINK], 1,
[Define to 1 if you have the `symlink' function.])
AC_CHECK_TYPES(MINIDUMP_TYPE, [pgac_minidump_type=yes], [pgac_minidump_type=no], [
......@@ -2092,11 +2124,15 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([], [
# Check for ARMv8 CRC Extension intrinsics to do CRC calculations.
#
# First check if __crc32c* intrinsics can be used with the default compiler
# flags. If not, check if adding -march=armv8-a+crc flag helps.
# flags. If not, check if adding "-march=armv8-a+crc+simd" flag helps.
# On systems using soft-float ABI, "-march=armv8-a+crc" is required instead.
# CFLAGS_ARMV8_CRC32C is set if the extra flag is required.
PGAC_ARMV8_CRC32C_INTRINSICS([])
if test x"$pgac_armv8_crc32c_intrinsics" != x"yes"; then
PGAC_ARMV8_CRC32C_INTRINSICS([-march=armv8-a+crc])
PGAC_ARMV8_CRC32C_INTRINSICS([-march=armv8-a+crc+simd])
if test x"$pgac_armv8_crc32c_intrinsics" != x"yes"; then
PGAC_ARMV8_CRC32C_INTRINSICS([-march=armv8-a+crc])
fi
fi
AC_SUBST(CFLAGS_ARMV8_CRC32C)
......
......@@ -121,6 +121,7 @@ blgetbitmap(IndexScanDesc scan, TIDBitmap *tbm)
*/
bas = GetAccessStrategy(BAS_BULKREAD);
npages = RelationGetNumberOfBlocks(scan->indexRelation);
pgstat_count_index_scan(scan->indexRelation);
for (blkno = BLOOM_HEAD_BLKNO; blkno < npages; blkno++)
{
......
......@@ -47,4 +47,73 @@ SELECT lo_get(43214);
DELETE FROM image;
SELECT lo_get(43214);
ERROR: large object 43214 does not exist
-- Now let's try it with an AFTER trigger
DROP TRIGGER t_raster ON image;
CREATE CONSTRAINT TRIGGER t_raster AFTER UPDATE OR DELETE ON image
DEFERRABLE INITIALLY DEFERRED
FOR EACH ROW EXECUTE PROCEDURE lo_manage(raster);
SELECT lo_create(43223);
lo_create
-----------
43223
(1 row)
SELECT lo_create(43224);
lo_create
-----------
43224
(1 row)
SELECT lo_create(43225);
lo_create
-----------
43225
(1 row)
INSERT INTO image (title, raster) VALUES ('beautiful image', 43223);
SELECT lo_get(43223);
lo_get
--------
\x
(1 row)
UPDATE image SET raster = 43224 WHERE title = 'beautiful image';
SELECT lo_get(43223); -- gone
ERROR: large object 43223 does not exist
SELECT lo_get(43224);
lo_get
--------
\x
(1 row)
-- test updating of unrelated column
UPDATE image SET title = 'beautiful picture' WHERE title = 'beautiful image';
SELECT lo_get(43224);
lo_get
--------
\x
(1 row)
-- this case used to be buggy
BEGIN;
UPDATE image SET title = 'beautiful image' WHERE title = 'beautiful picture';
UPDATE image SET raster = 43225 WHERE title = 'beautiful image';
SELECT lo_get(43224);
lo_get
--------
\x
(1 row)
COMMIT;
SELECT lo_get(43224); -- gone
ERROR: large object 43224 does not exist
SELECT lo_get(43225);
lo_get
--------
\x
(1 row)
DELETE FROM image;
SELECT lo_get(43225); -- gone
ERROR: large object 43225 does not exist
DROP TABLE image;
......@@ -27,4 +27,44 @@ DELETE FROM image;
SELECT lo_get(43214);
-- Now let's try it with an AFTER trigger
DROP TRIGGER t_raster ON image;
CREATE CONSTRAINT TRIGGER t_raster AFTER UPDATE OR DELETE ON image
DEFERRABLE INITIALLY DEFERRED
FOR EACH ROW EXECUTE PROCEDURE lo_manage(raster);
SELECT lo_create(43223);
SELECT lo_create(43224);
SELECT lo_create(43225);
INSERT INTO image (title, raster) VALUES ('beautiful image', 43223);
SELECT lo_get(43223);
UPDATE image SET raster = 43224 WHERE title = 'beautiful image';
SELECT lo_get(43223); -- gone
SELECT lo_get(43224);
-- test updating of unrelated column
UPDATE image SET title = 'beautiful picture' WHERE title = 'beautiful image';
SELECT lo_get(43224);
-- this case used to be buggy
BEGIN;
UPDATE image SET title = 'beautiful image' WHERE title = 'beautiful picture';
UPDATE image SET raster = 43225 WHERE title = 'beautiful image';
SELECT lo_get(43224);
COMMIT;
SELECT lo_get(43224); -- gone
SELECT lo_get(43225);
DELETE FROM image;
SELECT lo_get(43225); -- gone
DROP TABLE image;
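Review bot: the comment "-- this case used to be buggy" ahead of the BEGIN block does not say what the bug was, so the test will be hard to interpret once the fix is forgotten. State the scenario the block covers, which from the statements is an update of an unrelated column followed by an update of raster in the same transaction under the deferred AFTER trigger, and what is expected: 43224 is still readable before COMMIT and gone afterwards.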
......@@ -232,3 +232,13 @@ SELECT page_checksum(decode(repeat('00', :block_size), 'hex'), 1);
(1 row)
-- tests for sequences
create sequence test_sequence start 72057594037927937;
select tuple_data_split('test_sequence'::regclass, t_data, t_infomask, t_infomask2, t_bits)
from heap_page_items(get_raw_page('test_sequence', 0));
tuple_data_split
-------------------------------------------------------
{"\\x0100000000000001","\\x0000000000000000","\\x00"}
(1 row)
drop sequence test_sequence;
......@@ -318,7 +318,11 @@ tuple_data_split_internal(Oid relid, char *tupdata,
raw_attrs = initArrayResult(BYTEAOID, CurrentMemoryContext, false);
nattrs = tupdesc->natts;
if (rel->rd_rel->relam != HEAP_TABLE_AM_OID)
/*
* Sequences always use heap AM, but they don't show that in the catalogs.
*/
if (rel->rd_rel->relkind != RELKIND_SEQUENCE &&
rel->rd_rel->relam != HEAP_TABLE_AM_OID)
ereport(ERROR, (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
errmsg("only heap AM is supported")));
......
......@@ -95,3 +95,9 @@ SHOW block_size \gset
SELECT fsm_page_contents(decode(repeat('00', :block_size), 'hex'));
SELECT page_header(decode(repeat('00', :block_size), 'hex'));
SELECT page_checksum(decode(repeat('00', :block_size), 'hex'), 1);
-- tests for sequences
create sequence test_sequence start 72057594037927937;
select tuple_data_split('test_sequence'::regclass, t_data, t_infomask, t_infomask2, t_bits)
from heap_page_items(get_raw_page('test_sequence', 0));
drop sequence test_sequence;
......@@ -2372,6 +2372,9 @@ ERROR: value 2025 out of bounds for option "siglen"
DETAIL: Valid values are between "1" and "2024".
create index trgm_idx on test_trgm using gist (t gist_trgm_ops(siglen=2024));
set enable_seqscan=off;
-- check index compatibility handling when opclass option is specified
alter table test_trgm alter column t type varchar(768);
alter table test_trgm alter column t type text;
select t,similarity(t,'qwertyu0988') as sml from test_trgm where t % 'qwertyu0988' order by sml desc, t;
t | sml
-------------+----------
......
......@@ -52,6 +52,10 @@ create index trgm_idx on test_trgm using gist (t gist_trgm_ops(siglen=2025));
create index trgm_idx on test_trgm using gist (t gist_trgm_ops(siglen=2024));
set enable_seqscan=off;
-- check index compatibility handling when opclass option is specified
alter table test_trgm alter column t type varchar(768);
alter table test_trgm alter column t type text;
select t,similarity(t,'qwertyu0988') as sml from test_trgm where t % 'qwertyu0988' order by sml desc, t;
select t,similarity(t,'gwertyu0988') as sml from test_trgm where t % 'gwertyu0988' order by sml desc, t;
select t,similarity(t,'gwertyu1988') as sml from test_trgm where t % 'gwertyu1988' order by sml desc, t;
......
......@@ -18,6 +18,7 @@
#include "funcapi.h"
#include "miscadmin.h"
#include "storage/bufmgr.h"
#include "storage/proc.h"
#include "storage/procarray.h"
#include "storage/smgr.h"
#include "utils/rel.h"
......@@ -385,6 +386,7 @@ pg_truncate_visibility_map(PG_FUNCTION_ARGS)
Relation rel;
ForkNumber fork;
BlockNumber block;
BlockNumber old_block;
rel = relation_open(relid, AccessExclusiveLock);
......@@ -394,15 +396,24 @@ pg_truncate_visibility_map(PG_FUNCTION_ARGS)
/* Forcibly reset cached file size */
RelationGetSmgr(rel)->smgr_vm_nblocks = InvalidBlockNumber;
/* Compute new and old size before entering critical section. */
fork = VISIBILITYMAP_FORKNUM;
block = visibilitymap_prepare_truncate(rel, 0);
if (BlockNumberIsValid(block))
{
fork = VISIBILITYMAP_FORKNUM;
smgrtruncate(RelationGetSmgr(rel), &fork, 1, &block);
}
old_block = BlockNumberIsValid(block) ? smgrnblocks(RelationGetSmgr(rel), fork) : 0;
/*
* WAL-logging, buffer dropping, file truncation must be atomic and all on
* one side of a checkpoint. See RelationTruncate() for discussion.
*/
Assert(!MyProc->delayChkpt);
MyProc->delayChkpt = true;
Assert(!MyProc->delayChkptEnd);
MyProc->delayChkptEnd = true;
START_CRIT_SECTION();
if (RelationNeedsWAL(rel))
{
XLogRecPtr lsn;
xl_smgr_truncate xlrec;
xlrec.blkno = 0;
......@@ -412,9 +423,18 @@ pg_truncate_visibility_map(PG_FUNCTION_ARGS)
XLogBeginInsert();
XLogRegisterData((char *) &xlrec, sizeof(xlrec));
XLogInsert(RM_SMGR_ID, XLOG_SMGR_TRUNCATE | XLR_SPECIAL_REL_UPDATE);
lsn = XLogInsert(RM_SMGR_ID,
XLOG_SMGR_TRUNCATE | XLR_SPECIAL_REL_UPDATE);
XLogFlush(lsn);
}
if (BlockNumberIsValid(block))
smgrtruncate2(RelationGetSmgr(rel), &fork, 1, &old_block, &block);
END_CRIT_SECTION();
MyProc->delayChkpt = false;
MyProc->delayChkptEnd = false;
/*
* Release the lock right away, not at commit time.
*
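Review bot: XLogFlush(lsn) is added inside the critical section without a comment on why the record has to be flushed before smgrtruncate2() shortens the file; the only explanation is the pointer to RelationTruncate() in the comment of the previous hunk. A one-line comment at the flush would make the ordering requirement visible here. It would also help to note next to the two assignments after END_CRIT_SECTION() that delayChkpt and delayChkptEnd must be cleared in the same function that set them, since nothing else resets them on this path.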
......
......@@ -244,6 +244,30 @@ select pgstathashindex('test_partition_hash_idx');
(4,8,0,1,0,0,0,100)
(1 row)
-- these should work for sequences
create sequence test_sequence;
select count(*) from pgstattuple('test_sequence');
count
-------
1
(1 row)
select pg_relpages('test_sequence');
pg_relpages
-------------
1
(1 row)
-- these should fail for sequences
select pgstatindex('test_sequence');
ERROR: relation "test_sequence" is not a btree index
select pgstatginindex('test_sequence');
ERROR: relation "test_sequence" is not a GIN index
select pgstathashindex('test_sequence');
ERROR: relation "test_sequence" is not a hash index
select pgstattuple_approx('test_sequence');
ERROR: "test_sequence" is not a table or materialized view
drop sequence test_sequence;
drop table test_partitioned;
drop view test_view;
drop foreign table test_foreign_table;
......
......@@ -335,7 +335,11 @@ pgstat_heap(Relation rel, FunctionCallInfo fcinfo)
pgstattuple_type stat = {0};
SnapshotData SnapshotDirty;
if (rel->rd_rel->relam != HEAP_TABLE_AM_OID)
/*
* Sequences always use heap AM, but they don't show that in the catalogs.
*/
if (rel->rd_rel->relkind != RELKIND_SEQUENCE &&
rel->rd_rel->relam != HEAP_TABLE_AM_OID)
ereport(ERROR,
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
errmsg("only heap AM is supported")));
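Review bot: the relkind != RELKIND_SEQUENCE && relam != HEAP_TABLE_AM_OID test and its comment are now duplicated verbatim here in pgstat_heap() and in tuple_data_split_internal() in pageinspect. Two copies of the same catalog special case will drift; consider a shared macro or helper for "relation is stored with heap AM". Also, the errmsg "only heap AM is supported" is unchanged, so the comment is the only place that documents sequences as accepted.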
......
......@@ -114,6 +114,18 @@ create index test_partition_hash_idx on test_partition using hash (a);
select pgstatindex('test_partition_idx');
select pgstathashindex('test_partition_hash_idx');
-- these should work for sequences
create sequence test_sequence;
select count(*) from pgstattuple('test_sequence');
select pg_relpages('test_sequence');
-- these should fail for sequences
select pgstatindex('test_sequence');
select pgstatginindex('test_sequence');
select pgstathashindex('test_sequence');
select pgstattuple_approx('test_sequence');
drop sequence test_sequence;
drop table test_partitioned;
drop view test_view;
drop foreign table test_foreign_table;
......
......@@ -432,7 +432,7 @@ pgxml_xpath(text *document, xmlChar *xpath, xpath_workspace *workspace)
workspace->ctxt->node = xmlDocGetRootElement(workspace->doctree);
/* compile the path */
comppath = xmlXPathCompile(xpath);
comppath = xmlXPathCtxtCompile(workspace->ctxt, xpath);
if (comppath == NULL)
xml_ereport(xmlerrcxt, ERROR, ERRCODE_EXTERNAL_ROUTINE_EXCEPTION,
"XPath Syntax Error");
......@@ -746,7 +746,7 @@ xpath_table(PG_FUNCTION_ARGS)
ctxt->node = xmlDocGetRootElement(doctree);
/* compile the path */
comppath = xmlXPathCompile(xpaths[j]);
comppath = xmlXPathCtxtCompile(ctxt, xpaths[j]);
if (comppath == NULL)
xml_ereport(xmlerrcxt, ERROR,
ERRCODE_EXTERNAL_ROUTINE_EXCEPTION,
......
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Files: COPYRIGHT
Copyright: 1996-2024, PostgreSQL Global Development Group
Copyright: 1996-2025, PostgreSQL Global Development Group
1994, The Regents of the University of California
License: PostgreSQL
......@@ -122,7 +122,7 @@ Copyright: no-info-found
License: JSON
Files: doc/src/sgml/html/legalnotice.html
Copyright: 1996-2024, the PostgreSQL Global Development Group.
Copyright: 1996-2025, the PostgreSQL Global Development Group.
1994, –5
License: PostgreSQL
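Review bot: the continuation line "1994, –5" under doc/src/sgml/html/legalnotice.html looks like a mangled year range; the parallel entry for doc/src/sgml/legal.sgml reads "1994, 1995". Since this stanza is being touched for the 2025 bump anyway, correct the continuation line so the Copyright field is well-formed for tools that parse the copyright-format 1.0 file.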
......@@ -135,7 +135,7 @@ Copyright: no-info-found
License: JSON
Files: doc/src/sgml/legal.sgml
Copyright: 1996-2024, the PostgreSQL Global Development Group.
Copyright: 1996-2025, the PostgreSQL Global Development Group.
1994, 1995
License: PostgreSQL
......
postgresql-13 (13.19-0+deb11u1+apertis0) apertis; urgency=medium
* Sync from debian/bullseye-security.
-- Apertis CI <devel@lists.apertis.org> Fri, 14 Feb 2025 07:42:59 +0000
postgresql-13 (13.19-0+deb11u1) bullseye-security; urgency=medium
* New upstream version 13.19.
+ Harden PQescapeString and allied functions against invalidly-encoded
input strings (Andres Freund, Noah Misch)
Data-quoting functions supplied by libpq now fully check the encoding
validity of their input. If invalid characters are detected, they
report an error if possible. For the ones that lack an error return
convention, the output string is adjusted to ensure that the server will
report invalid encoding and no intervening processing will be fooled by
bytes that might happen to match single quote, backslash, etc.
The purpose of this change is to guard against SQL-injection attacks
that are possible if one of these functions is used to quote crafted
input. There is no hazard when the resulting string is sent directly to
a PostgreSQL server (which would check its encoding anyway), but there
is a risk when it is passed through psql or other client-side code.
Historically such code has not carefully vetted encoding, and in many
cases it's not clear what it should do if it did detect such a problem.
This fix is effective only if the data-quoting function, the server, and
any intermediate processing agree on the character encoding that's being
used. Applications that insert untrusted input into SQL commands should
take special care to ensure that that's true.
Applications and drivers that quote untrusted input without using these
libpq functions may be at risk of similar problems. They should first
confirm the data is valid in the encoding expected by the server.
The PostgreSQL Project thanks Stephen Fewer for reporting this problem.
(CVE-2025-1094)
-- Christoph Berg <myon@debian.org> Tue, 11 Feb 2025 11:27:41 +0100
postgresql-13 (13.18-0+deb11u1+apertis0) apertis; urgency=medium
* Sync from debian/bullseye-security.
-- Apertis CI <devel@lists.apertis.org> Fri, 22 Nov 2024 08:33:15 +0000
postgresql-13 (13.18-0+deb11u1) bullseye-security; urgency=medium
* New upstream version 13.18.
+ Restore functionality of ALTER {ROLE|DATABASE} SET role
The fix for CVE-2024-10978 accidentally caused settings for role to not
be applied if they come from non-interactive sources, including previous
ALTER {ROLE|DATABASE} commands and the PGOPTIONS environment variable.
-- Christoph Berg <myon@debian.org> Tue, 19 Nov 2024 15:36:12 +0100
postgresql-13 (13.17-0+deb11u1) bullseye-security; urgency=medium
* New upstream version 13.17.
+ Ensure cached plans are marked as dependent on the calling role when RLS
applies to a non-top-level table reference (Nathan Bossart)
If a CTE, subquery, sublink, security invoker view, or coercion
projection in a query references a table with row-level security
policies, we neglected to mark the resulting plan as potentially
dependent on which role is executing it. This could lead to later query
executions in the same session using the wrong plan, and then returning
or hiding rows that should have been hidden or returned instead.
The PostgreSQL Project thanks Wolfgang Walther for reporting this
problem. (CVE-2024-10976)
+ Make libpq discard error messages received during SSL or GSS protocol
negotiation (Jacob Champion)
An error message received before encryption negotiation is completed
might have been injected by a man-in-the-middle, rather than being real
server output. Reporting it opens the door to various security hazards;
for example, the message might spoof a query result that a careless user
could mistake for correct output. The best answer seems to be to
discard such data and rely only on libpq's own report of the connection
failure.
The PostgreSQL Project thanks Jacob Champion for reporting this problem.
(CVE-2024-10977)
+ Fix unintended interactions between SET SESSION AUTHORIZATION and SET
ROLE (Tom Lane)
The SQL standard mandates that SET SESSION AUTHORIZATION have a
side-effect of doing SET ROLE NONE. Our implementation of that was
flawed, creating more interaction between the two settings than
intended. Notably, rolling back a transaction that had done SET SESSION
AUTHORIZATION would revert ROLE to NONE even if that had not been the
previous state, so that the effective user ID might now be different
from what it had been before the transaction. Transiently setting
session_authorization in a function SET clause had a similar effect. A
related bug was that if a parallel worker inspected
current_setting('role'), it saw none even when it should see something
else.
The PostgreSQL Project thanks Tom Lane for reporting this problem.
(CVE-2024-10978)
+ Prevent trusted PL/Perl code from changing environment variables
(Andrew Dunstan, Noah Misch)
The ability to manipulate process environment variables such as PATH
gives an attacker opportunities to execute arbitrary code. Therefore,
trusted PLs must not offer the ability to do that. To fix plperl,
replace %ENV with a tied hash that rejects any modification attempt with
a warning. Untrusted plperlu retains the ability to change the
environment.
The PostgreSQL Project thanks Coby Abrams for reporting this problem.
(CVE-2024-10979)
-- Christoph Berg <myon@debian.org> Tue, 12 Nov 2024 15:12:10 +0100
postgresql-13 (13.16-0+deb11u1+apertis0) apertis; urgency=medium
* Sync from debian/bullseye-security.
......