Restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options (Michael Paquier, Feike Steenbergen)
The previous coding allowed the owner of a foreign server object, or anyone he has granted server USAGE permission to, to see the options for all user mappings associated with that server. This might well include passwords for other users. Adjust the view definition to match the behavior of information_schema.user_mapping_options, namely that these options are visible to the user being mapped, or if the mapping is for PUBLIC and the current user is the server owner, or if the current user is a superuser. (CVE-2017-7486)
By itself, this patch will only fix the behavior in newly initdb'd databases. If you wish to apply this change in an existing database, you will need to do the following:
Restart the postmaster after adding allow_system_table_mods = true to postgresql.conf. (In versions supporting ALTER SYSTEM, you can use that to make the configuration change, but you'll still need a restart.)
In each database of the cluster, run the following commands as superuser:
SET search_path = pg_catalog;
CREATE OR REPLACE VIEW pg_user_mappings AS
U.oid AS umid,
S.oid AS srvid,
S.srvname AS srvname,
U.umuser AS umuser,
CASE WHEN U.umuser = 0 THEN
END AS usename,
CASE WHEN (U.umuser <> 0 AND A.rolname = current_user)
OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE'))
OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user)
ELSE NULL END AS umoptions
FROM pg_user_mapping U
LEFT JOIN pg_authid A ON (A.oid = U.umuser) JOIN
pg_foreign_server S ON (U.umserver = S.oid);
Do not forget to include the template0 and template1 databases, or the vulnerability will still exist in databases you create later. To fix template0, you'll need to temporarily make it accept connections. In PostgreSQL 9.5 and later, you can use
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;
and then after fixing template0, undo that with
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;
In prior versions, instead use
UPDATE pg_database SET datallowconn = true WHERE datname = 'template0';
UPDATE pg_database SET datallowconn = false WHERE datname = 'template0';
Finally, remove the allow_system_table_mods configuration setting, and again restart the postmaster.
Prevent exposure of statistical information via leaky operators (Peter Eisentraut)
Some selectivity estimation functions in the planner will apply user-defined operators to values obtained from pg_statistic, such as most common values and histogram entries. This occurs before table permissions are checked, so a nefarious user could exploit the behavior to obtain these values for table columns he does not have permission to read. To fix, fall back to a default estimate if the operator's implementation function is not certified leak-proof and the calling user does not have permission to read the table column whose statistics are needed. At least one of these criteria is satisfied in most cases in practice. (CVE-2017-7484)
Restore libpq's recognition of the PGREQUIRESSL environment variable (Daniel Gustafsson)
Processing of this environment variable was unintentionally dropped in PostgreSQL 9.3, but its documentation remained. This creates a security hazard, since users might be relying on the environment variable to force SSL-encrypted connections, but that would no longer be guaranteed. Restore handling of the variable, but give it lower priority than PGSSLMODE, to avoid breaking configurations that work correctly with post-9.3 code. (CVE-2017-7485)
Fix possibly-invalid initial snapshot during logical decoding (Petr Jelinek, Andres Freund)
The initial snapshot created for a logical decoding replication slot was potentially incorrect. This could cause third-party tools that use logical decoding to copy incomplete/inconsistent initial data. This was more likely to happen if the source server was busy at the time of slot creation, or if another logical slot already existed.
If you are using a replication tool that depends on logical decoding, and it should have copied a nonempty data set at the start of replication, it is advisable to recreate the replica after installing this update, or to verify its contents against the source server.
Fix possible corruption of "init forks" of unlogged indexes (Robert Haas, Michael Paquier)
This could result in an unlogged index being set to an invalid state after a crash and restart. Such a problem would persist until the index was dropped and rebuilt.
Fix incorrect reconstruction of pg_subtrans entries when a standby server replays a prepared but uncommitted two-phase transaction (Tom Lane)
In most cases this turned out to have no visible ill effects, but in corner cases it could result in circular references in pg_subtrans, potentially causing infinite loops in queries that examine rows modified by the two-phase transaction.
Avoid possible crash in walsender due to failure to initialize a string buffer (Stas Kelvich, Fujii Masao)
Fix possible crash when rescanning a nearest-neighbor index-only scan on a GiST index (Tom Lane)
Prevent delays in postmaster's launching of multiple parallel worker processes (Tom Lane)
There could be a significant delay (up to tens of seconds) before satisfying a query's request for more than one worker process, or when multiple queries requested workers simultaneously. On most platforms this required unlucky timing, but on some it was the typical case.
Fix postmaster's handling of
fork() failure for a background worker process (Tom Lane)
Previously, the postmaster updated portions of its state as though the process had been launched successfully, resulting in subsequent confusion.
Fix possible "no relation entry for relid 0" error when planning nested set operations (Tom Lane)
Fix assorted minor issues in planning of parallel queries (Robert Haas)
Avoid applying "physical targetlist" optimization to custom scans (Dmitry Ivanov, Tom Lane)
This optimization supposed that retrieving all columns of a tuple is inexpensive, which is true for ordinary Postgres tuples; but it might not be the case for a custom scan provider.
Use the correct sub-expression when applying a FOR ALL row-level-security policy (Stephen Frost)
In some cases the WITH CHECK restriction would be applied when the USING restriction is more appropriate.
Ensure parsing of queries in extension scripts sees the results of immediately-preceding DDL (Julien Rouhaud, Tom Lane)
Due to lack of a cache flush step between commands in an extension script file, non-utility queries might not see the effects of an immediately preceding catalog change, such as ALTER TABLE ... RENAME.
Skip tablespace privilege checks when ALTER TABLE ... ALTER COLUMN TYPE rebuilds an existing index (Noah Misch)
The command failed if the calling user did not currently have CREATE privilege for the tablespace containing the index. That behavior seems unhelpful, so skip the check, allowing the index to be rebuilt where it is.
Fix ALTER TABLE ... VALIDATE CONSTRAINT to not recurse to child tables when the constraint is marked NO INHERIT (Amit Langote)
This fix prevents unwanted "constraint does not exist" failures when no matching constraint is present in the child tables.
Avoid dangling pointer in COPY ... TO when row-level security is active for the source table (Tom Lane)
Usually this had no ill effects, but sometimes it would cause unexpected errors or crashes.
Avoid accessing an already-closed relcache entry in CLUSTER and VACUUM FULL (Tom Lane)
With some bad luck, this could lead to indexes on the target relation getting rebuilt with the wrong persistence setting.
Fix VACUUM to account properly for pages that could not be scanned due to conflicting page pins (Andrew Gierth)
This tended to lead to underestimation of the number of tuples in the table. In the worst case of a small heavily-contended table, VACUUM could incorrectly report that the table contained no tuples, leading to very bad planning choices.
Ensure that bulk-tuple-transfer loops within a hash join are interruptible by query cancel requests (Tom Lane, Thomas Munro)
Fix incorrect support for certain box operators in SP-GiST (Nikita Glukhov)
SP-GiST index scans using the operators &< &> &<| and |&> would yield incorrect answers.
Fix integer-overflow problems in interval comparison (Kyotaro Horiguchi, Tom Lane)
The comparison operators for type interval could yield wrong answers for intervals larger than about 296000 years. Indexes on columns containing such large values should be reindexed, since they may be corrupt.
cursor_to_xml() to produce valid output with tableforest = false (Thomas Munro, Peter Eisentraut)
Previously it failed to produce a wrapping <table> element.
Fix roundoff problems in
make_interval() (Tom Lane)
These functions truncated, rather than rounded, when converting a floating-point value to integer microseconds; that could cause unexpectedly off-by-one results.
pg_get_object_address() to handle members of operator families correctly (Álvaro Herrera)
Fix cancelling of
pg_stop_backup() when attempting to stop a non-exclusive backup (Michael Paquier, David Steele)
pg_stop_backup() was cancelled while waiting for a non-exclusive backup to end, related state was left inconsistent; a new exclusive backup could not be started, and there were other minor problems.
Improve performance of pg_timezone_names view (Tom Lane, David Rowley)
Reduce memory management overhead for contexts containing many large blocks (Tom Lane)
Fix sloppy handling of corner-case errors from
close() (Tom Lane)
Neither of these system calls are likely to fail in typical situations, but if they did, fd.c could get quite confused.
Fix incorrect check for whether postmaster is running as a Windows service (Michael Paquier)
This could result in attempting to write to the event log when that isn't accessible, so that no logging happens at all.
Fix ecpg to support COMMIT PREPARED and ROLLBACK PREPARED (Masahiko Sawada)
Fix a double-free error when processing dollar-quoted string literals in ecpg (Michael Meskes)
Fix pgbench to handle the combination of --connect and --rate options correctly (Fabien Coelho)
Fix pgbench to honor the long-form option spelling --builtin, as per its documentation (Tom Lane)
Fix pg_dump/pg_restore to correctly handle privileges for the public schema when using --clean option (Stephen Frost)
Other schemas start out with no privileges granted, but public does not; this requires special-case treatment when it is dropped and restored due to the --clean option.
In pg_dump, fix incorrect schema and owner marking for comments and security labels of some types of database objects (Giuseppe Broccolo, Tom Lane)
In simple cases this caused no ill effects; but for example, a schema-selective restore might omit comments it should include, because they were not marked as belonging to the schema of their associated object.
Fix typo in pg_dump's query for initial privileges of a procedural language (Peter Eisentraut)
This resulted in pg_dump always believing that the language had no initial privileges. Since that's true for most procedural languages, ill effects from this bug are probably rare.
Avoid emitting an invalid list file in pg_restore -l when SQL object names contain newlines (Tom Lane)
Replace newlines by spaces, which is sufficient to make the output valid for pg_restore -L's purposes.
Fix pg_upgrade to transfer comments and security labels attached to "large objects" (blobs) (Stephen Frost)
Previously, blobs were correctly transferred to the new database, but any comments or security labels attached to them were lost.
Improve error handling in contrib/adminpack's
pg_file_write() function (Noah Misch)
Notably, it failed to detect errors reported by
In contrib/dblink, avoid leaking the previous unnamed connection when establishing a new unnamed connection (Joe Conway)
Fix contrib/pg_trgm's extraction of trigrams from regular expressions (Tom Lane)
In some cases it would produce a broken data structure that could never match anything, leading to GIN or GiST indexscans that use a trigram index not finding any matches to the regular expression.
In contrib/postgres_fdw, allow join conditions that contain shippable extension-provided functions to be pushed to the remote server (David Rowley, Ashutosh Bapat)
Support Tcl 8.6 in MSVC builds (Álvaro Herrera)
Sync our copy of the timezone library with IANA release tzcode2017b (Tom Lane)
This fixes a bug affecting some DST transitions in January 2038.
Update time zone data files to tzdata release 2017b for DST law changes in Chile, Haiti, and Mongolia, plus historical corrections for Ecuador, Kazakhstan, Liberia, and Spain. Switch to numeric abbreviations for numerous time zones in South America, the Pacific and Indian oceans, and some Asian and Middle Eastern countries.
The IANA time zone database previously provided textual abbreviations for all time zones, sometimes making up abbreviations that have little or no currency among the local population. They are in process of reversing that policy in favor of using numeric UTC offsets in zones where there is no evidence of real-world use of an English abbreviation. At least for the time being, PostgreSQL will continue to accept such removed abbreviations for timestamp input. But they will not be shown in the pg_timezone_names view nor used for output.
Use correct daylight-savings rules for POSIX-style time zone names in MSVC builds (David Rowley)
The Microsoft MSVC build scripts neglected to install the posixrules file in the timezone directory tree. This resulted in the timezone code falling back to its built-in rule about what DST behavior to assume for a POSIX-style time zone name. For historical reasons that still corresponds to the DST rules the USA was using before 2007 (i.e., change on first Sunday in April and last Sunday in October). With this fix, a POSIX-style zone name will use the current and historical DST transition dates of the US/Eastern zone. If you don't want that, remove the posixrules file, or replace it with a copy of some other zone file (see Section 8.5.3). Note that due to caching, you may need to restart the server to get such changes to take effect.