#13925: postgresql-12.4
-------------------------+-----------------------
 Reporter:  bdubbs       |       Owner:  renodr
     Type:  enhancement  |      Status:  assigned
 Priority:  high         |   Milestone:  10.0
Component:  BOOK         |     Version:  SVN
 Severity:  normal       |  Resolution:
 Keywords:               |
-------------------------+-----------------------
Changes (by renodr):

 * priority:  normal => high


Comment:

 {{{

     Set a secure search_path in logical replication walsenders and apply
 workers (Noah Misch)

     A malicious user of either the publisher or subscriber database could
 potentially cause execution of arbitrary SQL code by the role running
 replication, which is often a superuser. Some of the risks here are
 equivalent to those described in CVE-2018-1058, and are mitigated in this
 patch by ensuring that the replication sender and receiver execute with
 empty search_path settings. (As with CVE-2018-1058, that change might
 cause problems for under-qualified names used in replicated tables' DDL.)
 Other risks are inherent in replicating objects that belong to untrusted
 roles; the most we can do is document that there is a hazard to consider.
 (CVE-2020-14349)

     Make contrib modules' installation scripts more secure (Tom Lane)

     Attacks similar to those described in CVE-2018-1058 could be carried
 out against an extension installation script, if the attacker can create
 objects in either the extension's target schema or the schema of some
 prerequisite extension. Since extensions often require superuser privilege
 to install, this can open a path to obtaining superuser privilege. To
 mitigate this risk, be more careful about the search_path used to run an
 installation script; disable check_function_bodies within the script; and
 fix catalog-adjustment queries used in some contrib modules to ensure they
 are secure. Also provide documentation to help third-party extension
 authors make their installation scripts secure. This is not a complete
 solution; extensions that depend on other extensions can still be at risk
 if installed carelessly. (CVE-2020-14350)

     Fix edge cases in partition pruning (Etsuro Fujita, Dmitry Dolgov)

     When there are multiple partition key columns, generation of pruning
 tests could misbehave if some columns had no constraining WHERE clauses or
 multiple constraining clauses. This could lead to server crashes,
 incorrect query results, or assertion failures.

     Fix construction of parameterized BitmapAnd and BitmapOr index scans
 on the inside of partition-wise nestloop joins (Tom Lane)

     A plan in which such a scan needed to use a value from the outside of
 the join would usually crash at execution.

     Fix incorrect plan execution when a partitioned table is subject to
 both static and run-time partition pruning in the same query, and a new
 partition is added concurrently with the query (Amit Langote, Tom Lane)

     In logical replication walsender, fix failure to send feedback
 messages after sending a keepalive message (Álvaro Herrera)

     This is a relatively minor problem when using built-in logical
 replication, because the built-in walreceiver will send a feedback reply
 (which clears the incorrect state) fairly frequently anyway. But with some
 other replication systems, such as pglogical, it causes significant
 performance issues.

     Fix firing of column-specific UPDATE triggers in logical replication
 subscribers (Tom Lane)

     The code neglected to account for the possibility of column numbers
 being different between the publisher and subscriber tables, so that if
 those were indeed different, wrong decisions might be made about which
 triggers to fire.

     Update oldest xmin and LSN values during pg_replication_slot_advance()
 (Michael Paquier)

     This function previously failed to do that, possibly preventing
 resource cleanup (such as removal of no-longer-needed WAL segments) after
 manual advancement of a replication slot.

     Fix slow execution of ts_headline() (Tom Lane)

     The phrase-search fix added in our previous set of minor releases
 could cause ts_headline() to take unreasonable amounts of time for long
 documents; to make matters worse, the query was not cancellable within the
 troublesome loop.

     Ensure the repeat() function can be interrupted by query cancel (Joe
 Conway)

     Fix pg_current_logfile() to not include a carriage return (\r) in its
 result on Windows (Tom Lane)

     Ensure that pg_read_file() and related functions read until EOF is
 reached (Joe Conway)

     Previously, if not given a specific data length to read, these
 functions would stop at whatever file length was reported by stat().
 That's unhelpful for pipes and other sorts of virtual files.

     Forbid numeric NaN values in jsonpath computations (Alexander
 Korotkov)

     Neither SQL nor JSON have the concept of NaN (not-a-number), but the
 jsonpath code attempted to allow such values anyway. This necessarily
 leads to nonstandard behavior, so it seems better to reject such values at
 the outset.

     Handle single Inf or NaN inputs correctly in floating-point aggregates
 (Tom Lane)

     The affected aggregates are corr(), covar_pop(), regr_intercept(),
 regr_r2(), regr_slope(), regr_sxx(), regr_sxy(), regr_syy(), stddev_pop(),
 and var_pop(). The correct answer in such cases is NaN, but an algorithmic
 change introduced in PostgreSQL v12 had caused these aggregates to produce
 zero instead.

     Fix mis-handling of NaN inputs during parallel aggregation on numeric-
 type columns (Tom Lane)

     If some partial aggregation workers found only NaNs while others found
 only non-NaNs, the results were combined incorrectly, possibly leading to
 the wrong overall result (i.e., not NaN when it should be).

     Reject time-of-day values greater than 24 hours (Tom Lane)

     The intention of the datetime input code is to allow “24:00:00” or
 equivalently “23:59:60”, but no larger value. However, the range check was
 miscoded so that it would accept “23:59:60.nnn” with nonzero fractional-
 second nnn. In timestamp values this would result in wrapping into the
 first second of the next day. In time and timetz values, the stored value
 would actually be more than 24 hours, causing dump/reload failures and
 possibly other misbehavior.

     Undo double-quoting of index names in EXPLAIN's non-text output
 formats (Tom Lane, Euler Taveira)

     Fix EXPLAIN's accounting for resource usage, particularly buffer
 accesses, in parallel workers in a plan using Gather Merge nodes (Jehan-
 Guillaume de Rorthais)

     Fix timing of constraint revalidation in ALTER TABLE (David Rowley)

     If ALTER TABLE needs to fully rewrite the table's contents (for
 example, due to change of a column's data type) and also needs to scan the
 table to re-validate foreign keys or CHECK constraints, it sometimes did
 things in the wrong order, leading to odd errors such as “could not read
 block 0 in file "base/nnnnn/nnnnn": read only 0 of 8192 bytes”.

     Fix REINDEX CONCURRENTLY to preserve the index's replication identity
 flag (Michael Paquier)

     Previously, reindexing a table's replica identity index caused the
 setting to be lost, preventing old tuple values from being included in
 future logical-decoding output.

     Work around incorrect not-null markings for
 pg_subscription.subslotname and pg_subscription_rel.srsublsn (Tom Lane)

     The bootstrap catalog data incorrectly marks these two catalog columns
 as always non-null. There's no easy way to correct that mistake in
 existing installations (though v13 and later will have the correct
 markings). The main place that depends on that marking being correct is
 JIT-enabled tuple deconstruction, so teach it to explicitly ignore the
 marking for these two columns. Also adjust some C code that accessed
 srsublsn without checking to see if it's null; a crash from that is
 improbable but perhaps not impossible.

     Cope with LATERAL references in restriction clauses attached to an un-
 flattened sub-SELECT in the FROM clause (Tom Lane)

     This oversight could result in assertion failures or crashes at query
 execution.

     Use the query-specified collation for operators invoked during
 selectivity estimation (Tom Lane)

     Previously, the collation of the underlying database column was used.
 But using the query's collation is arguably more correct. More
 importantly, now that we have nondeterministic collations, there are cases
 where an operator will fail outright if given a nondeterministic
 collation. We don't want planning to fail in cases where the query itself
 would work, so this means that we must use the query's collation when
 invoking operators for estimation purposes.

     Avoid believing that a never-analyzed foreign table has zero tuples
 (Tom Lane)

     This primarily affected the planner's estimate of the number of groups
 that would be obtained by GROUP BY.

     Remove bogus warning about “leftover placeholder tuple” in BRIN index
 de-summarization (Álvaro Herrera)

     The case can occur legitimately after a cancelled vacuum, so warning
 about it is overly noisy.

     Fix selection of tablespaces for “shared fileset” temporary files
 (Magnus Hagander, Tom Lane)

     If temp_tablespaces is empty or explicitly names the database's
 primary tablespace, such files got placed into the pg_default tablespace
 rather than the database's primary tablespace as expected.

     Fix corner-case error in masking of SP-GiST index pages during WAL
 consistency checking (Alexander Korotkov)

     This could cause false failure reports when wal_consistency_checking
 is enabled.

     Improve error handling in the server's buffile module (Thomas Munro)

     Fix some cases where I/O errors were indistinguishable from reaching
 EOF, or were not reported at all. Also add details such as block numbers
 and byte counts where appropriate.

     Fix conflict-checking anomalies in SERIALIZABLE isolation mode (Peter
 Geoghegan)

     If a concurrently-inserted tuple was updated by a different concurrent
 transaction, and neither tuple version was visible to the current
 transaction's snapshot, serialization conflict checking could draw the
 wrong conclusions about whether the tuple was relevant to the results of
 the current transaction. This could allow a serializable transaction to
 commit when it should have failed with a serialization error.

     Avoid repeated marking of dead btree index entries as dead (Masahiko
 Sawada)

     While functionally harmless, this led to useless WAL traffic when
 checksums are enabled or wal_log_hints is on.

     Fix checkpointer process to discard file sync requests when fsync is
 off (Heikki Linnakangas)

     Such requests are treated as no-ops if fsync is off, but we forgot to
 remove them from the checkpointer's table of pending actions. This would
 lead to bloat of that table, as well as possible assertion failures if
 fsync is later re-enabled.

     Avoid trouble during cleanup of a non-exclusive backup when JIT
 compilation has been activated during the backup (Robert Haas)

     Fix failure of some code paths to acquire the correct lock before
 modifying pg_control (Nathan Bossart, Fujii Masao)

     This oversight could allow pg_control to be written out with an
 inconsistent checksum, possibly causing trouble later, including inability
 to restart the database if it crashed before the next pg_control update.

     Fix errors in currtid() and currtid2() (Michael Paquier)

     These functions (which are undocumented and used only by ancient
 versions of the ODBC driver) contained coding errors that could result in
 crashes, or in confusing error messages such as “could not open file” when
 applied to a relation having no storage.

     Avoid calling elog() or palloc() while holding a spinlock (Michael
 Paquier, Tom Lane)

     Logic associated with replication slots had several violations of this
 coding rule. While the odds of trouble are quite low, an error in the
 called function would lead to a stuck spinlock.

     Fix assertion in logical replication subscriber to allow use of
 REPLICA IDENTITY FULL (Euler Taveira)

     This was just an incorrect assertion, so it has no impact on standard
 production builds.

     Ensure that libpq continues to try to read from the database
 connection socket after a write failure (Tom Lane)

     This is important not only to ensure that we collect any final error
 message from a dying server process, but because we do not consider the
 connection lost until we see a read failure. This oversight allowed libpq
 to continue trying to send COPY data indefinitely after a mid-transfer
 loss of connection, rather than reporting failure to the application.

     Fix bugs in libpq's management of GSS encryption state (Tom Lane)

     A connection using GSS encryption could freeze up when attempting to
 reset it after a server restart, or when moving on to the next one of a
 list of candidate servers.

     Fix ecpg crash with bytea and cursor variables (Jehan-Guillaume de
 Rorthais)

     Report out-of-disk-space errors properly in pg_dump and pg_basebackup
 (Justin Pryzby, Tom Lane, Álvaro Herrera)

     Some code paths could produce silly reports like “could not write
 file: Success”.

     Make pg_restore cope with data-offset-less custom-format archive files
 when it needs to restore data items out of order (David Gilman, Tom Lane)

     pg_dump will produce such files if it cannot seek its output (for
 example, if the output is piped to something). This fix primarily improves
 the ability to do a parallel restore from such a file.

     Fix parallel restore of tables having both table-level privileges and
 per-column privileges (Tom Lane)

     The table-level privilege grants have to be applied first, but a
 parallel restore did not reliably order them that way; this could lead to
 “tuple concurrently updated” errors, or to disappearance of some per-
 column privilege grants. The fix for this is to include dependency links
 between such entries in the archive file, meaning that a new dump has to
 be taken with a corrected pg_dump to ensure that the problem will not
 recur.

     Ensure that pg_upgrade runs with vacuum_defer_cleanup_age set to zero
 in the target cluster (Bruce Momjian)

     If the target cluster's configuration has been modified to set
 vacuum_defer_cleanup_age to a nonzero value, that prevented freezing of
 the system catalogs from working properly, which caused the upgrade to
 fail in confusing ways. Ensure that any such setting is overridden for the
 duration of the upgrade.

     Fix pg_recvlogical to drain pending messages before exiting (Noah
 Misch)

     Without this, the replication sender might detect a send failure and
 exit without making the expected final update to the replication slot's
 LSN position. That led to re-transmitting data after the next connection.
 It was also possible to miss error messages sent after the last data that
 pg_recvlogical wants to consume.

     Fix pg_rewind's handling of just-deleted files in the source data
 directory (Justin Pryzby, Michael Paquier)

     When working with an on-line source database, concurrent file
 deletions are possible, but pg_rewind would get confused if deletion
 happened between seeing a file's directory entry and examining it with
 stat().

     Make pg_test_fsync use binary I/O mode on Windows (Michael Paquier)

     Previously it wrote the test file in text mode, which is not an
 accurate reflection of PostgreSQL's actual usage.

     Fix contrib/amcheck to not complain about deleted index pages that are
 empty (Alexander Korotkov)

     This state of affairs is normal during WAL replay.

     Fix failure to initialize local state correctly in contrib/dblink (Joe
 Conway)

     With the right combination of circumstances, this could lead to
 dblink_close() issuing an unexpected remote COMMIT.

     Fix contrib/pgcrypto's misuse of deflate() (Tom Lane)

     The pgp_sym_encrypt functions could produce incorrect compressed data
 due to mishandling of zlib's API requirements. We have no reports of this
 error manifesting with stock zlib, but it can be seen when using IBM's
 zlibNX implementation.

     Fix corner case in decompression logic in contrib/pgcrypto's
 pgp_sym_decrypt functions (Kyotaro Horiguchi, Michael Paquier)

     A compressed stream can validly end with an empty packet, but the
 decompressor failed to handle this and would complain about corrupt data.

     Support building our NLS code with Microsoft Visual Studio 2015 or
 later (Juan José Santamaría Flecha, Davinder Singh, Amit Kapila)

     Avoid possible failure of our MSVC install script when there is a file
 named configure several levels above the source code tree (Arnold Müller)

     This could confuse some logic that looked for configure to identify
 the top level of the source tree.
 }}}

 Includes security fixes for CVE-2020-14349 and CVE-2020-14350

--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/13925#comment:2>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
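A worked example, added here and not part of the ticket or of PostgreSQL's release notes, of the search_path hazard class that the quoted CVE-2020-14349 and CVE-2020-14350 entries mitigate, together with the audit queries and hardening a DBA would apply after updating. The role names attacker and replicator, the superuser being called postgres, and the function normalize_name are assumptions for the illustration; the catalogs, functions and syntax used are standard PostgreSQL.

```sql
-- Added example, not from the ticket or the PostgreSQL 12.4 release notes.
-- Role names (attacker, replicator), the superuser name postgres and the
-- function normalize_name are assumptions for this illustration.
-- Run as a superuser in a scratch database.

-- 1. The hazard class behind CVE-2018-1058 and the two 12.4 CVEs: a role that
--    can CREATE in a schema on the search path plants a function whose argument
--    types match a caller's arguments better than the pg_catalog original.
--    pg_catalog is searched first, but overload resolution prefers the exact
--    varchar match over the implicit varchar -> text cast, so an unqualified
--    call lands on the planted copy.
CREATE ROLE attacker LOGIN;
GRANT CREATE ON SCHEMA public TO attacker;   -- explicit; PUBLIC has this by default before v15

SET ROLE attacker;
CREATE FUNCTION public.lower(varchar) RETURNS text
LANGUAGE plpgsql AS $$
BEGIN
    -- Stand-in for a payload: runs with the privileges of whoever called it.
    RAISE NOTICE 'public.lower(varchar) called by %', current_user;
    RETURN pg_catalog.lower($1::text);
END $$;
RESET ROLE;

-- With the default search_path ("$user", public) this resolves to attacker's
-- function, and the NOTICE reports the superuser as the caller.
SELECT lower('Abc'::varchar);

-- Schema-qualified, or with an empty search_path (what 12.4 now forces on
-- logical-replication walsenders and apply workers), the plant is never a candidate.
SELECT pg_catalog.lower('Abc'::varchar);
SET search_path = '';
SELECT pg_catalog.lower('Abc'::varchar);
RESET search_path;

-- 2. Audit: which roles may CREATE in user-visible schemas? (grantee 0 is PUBLIC;
--    a NULL nspacl means owner-only defaults and yields no rows here.)
SELECT n.nspname,
       CASE WHEN a.grantee = 0 THEN 'PUBLIC'
            ELSE pg_catalog.pg_get_userbyid(a.grantee) END AS grantee
FROM pg_catalog.pg_namespace n,
     pg_catalog.aclexplode(n.nspacl) a
WHERE a.privilege_type = 'CREATE'
  AND n.nspname NOT LIKE 'pg\_%'
  AND n.nspname <> 'information_schema';

-- Functions and operators in public owned by non-superusers: candidates for
-- the overload trick above.
SELECT 'function' AS kind, p.proname AS name,
       pg_catalog.pg_get_function_identity_arguments(p.oid) AS args,
       pg_catalog.pg_get_userbyid(p.proowner) AS owner
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
JOIN pg_catalog.pg_roles r ON r.oid = p.proowner
WHERE n.nspname = 'public' AND NOT r.rolsuper
UNION ALL
SELECT 'operator', o.oprname,
       pg_catalog.format_type(o.oprleft, NULL) || ', ' || pg_catalog.format_type(o.oprright, NULL),
       pg_catalog.pg_get_userbyid(o.oprowner)
FROM pg_catalog.pg_operator o
JOIN pg_catalog.pg_namespace n ON n.oid = o.oprnamespace
JOIN pg_catalog.pg_roles r ON r.oid = o.oprowner
WHERE n.nspname = 'public' AND NOT r.rolsuper;

-- 3. Hardening: close the schema and remove the plant.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE CREATE ON SCHEMA public FROM attacker;
DROP FUNCTION public.lower(varchar);

-- Pin the search_path of roles whose sessions run trusted SQL. 12.4 does this
-- internally for replication workers; setting it on the role also covers
-- ad-hoc sessions (psql, pg_recvlogical) opened with it.
CREATE ROLE replicator REPLICATION LOGIN;
ALTER ROLE replicator SET search_path = '';

-- 4. The shape an extension or application script should take, following the
--    guidance the 12.4 notes refer to: schema-qualify every object and operator,
--    and give functions a search_path with no user-writable schema in it.
CREATE FUNCTION public.normalize_name(varchar) RETURNS text
LANGUAGE sql IMMUTABLE
SET search_path = pg_catalog, pg_temp
AS $$ SELECT pg_catalog.lower(pg_catalog.btrim($1::pg_catalog.text)) $$;

SELECT 1 WHERE public.normalize_name(' A ') OPERATOR(pg_catalog.=) 'a';
```

Run it in a throwaway database with psql as a superuser; the two audit queries are the ones worth keeping, since they show in seconds whether any schema on a typical search_path is writable by PUBLIC and whether non-superusers already own overloads in public. Note that the empty search_path on the replication role is what the release notes describe as the fix for CVE-2020-14349 at the walsender and apply-worker level, and, as the notes warn, it also breaks replicated DDL that relies on unqualified names.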
