Require update permission for the large object written by lo_put().

lo_put() surely should require UPDATE permission, the same as lowrite(),
but it failed to check for that, as reported by Chapman Flack.  Oversight
in commit c50b7c09d; backpatch to 9.4 where that was introduced.

Tom Lane and Michael Paquier

Security: CVE-2017-7548



Modified Files
src/backend/libpq/be-fsstubs.c           | 12 ++++++++++++
src/test/regress/expected/privileges.out | 10 ++++++++++
src/test/regress/sql/privileges.sql      |  4 ++++
3 files changed, 26 insertions(+)

Sent via pgsql-committers mailing list (
To make changes to your subscription:

Reply via email to