Require update permission for the large object written by lo_put().

lo_put() surely should require UPDATE permission, the same as lowrite(), but it failed to check for that, as reported by Chapman Flack. Oversight in commit c50b7c09d; backpatch to 9.4 where that was introduced.

Tom Lane and Michael Paquier

Security: CVE-2017-7548

Branch
------
REL9_6_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/52a414387e192a89f5fec19d9876159d03cf112b

Modified Files
--------------
src/backend/libpq/be-fsstubs.c           | 12 ++++++++++++
src/test/regress/expected/privileges.out | 10 ++++++++++
src/test/regress/sql/privileges.sql      |  4 ++++
3 files changed, 26 insertions(+)