Obstruct shell, SQL, and conninfo injection via database and role names. Due to simplistic quoting and confusion of database names with conninfo strings, roles with the CREATEDB or CREATEROLE option could escalate to superuser privileges when a superuser next ran certain maintenance commands. The new coding rule for PQconnectdbParams() calls, documented at conninfo_array_parse(), is to pass expand_dbname=true and wrap literal database names in a trivial connection string. Escape zero-length values in appendConnStrVal(). Back-patch to 9.1 (all supported versions).
Nathan Bossart, Michael Paquier, and Noah Misch. Reviewed by Peter Eisentraut. Reported by Nathan Bossart. Security: CVE-2016-5424 Branch ------ REL9_1_STABLE Details ------- http://git.postgresql.org/pg/commitdiff/a2385cac135bb8498a12b1af2cde18244c7be2b1 Modified Files -------------- contrib/pg_upgrade/check.c | 5 +- contrib/pg_upgrade/dump.c | 5 +- contrib/pg_upgrade/option.c | 6 ++ contrib/pg_upgrade/pg_upgrade.c | 18 ++-- contrib/pg_upgrade/pg_upgrade.h | 5 + contrib/pg_upgrade/server.c | 17 ++- contrib/pg_upgrade/util.c | 204 +++++++++++++++++++++++++++++++++++ contrib/pg_upgrade/version.c | 10 +- contrib/pg_upgrade/version_old_8_3.c | 34 ++++-- src/bin/pg_dump/dumputils.c | 204 +++++++++++++++++++++++++++++++++++ src/bin/pg_dump/dumputils.h | 3 + src/bin/pg_dump/pg_backup.h | 2 +- src/bin/pg_dump/pg_backup_archiver.c | 24 +++-- src/bin/pg_dump/pg_backup_db.c | 9 +- src/bin/pg_dump/pg_dumpall.c | 155 ++------------------------ src/bin/psql/command.c | 15 ++- src/bin/scripts/Makefile | 2 +- src/bin/scripts/clusterdb.c | 9 +- src/bin/scripts/reindexdb.c | 14 ++- src/bin/scripts/vacuumdb.c | 11 +- src/interfaces/libpq/fe-connect.c | 13 ++- 21 files changed, 572 insertions(+), 193 deletions(-) -- Sent via pgsql-committers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-committers
