Skip to main content

Browse the archive

https://github.com/postgres/postgres
07 April 2024, 13:56:23 UTC
sort by:
Revision Author Date Message Commit Date
fd7fdbc Marc G. Fournier 01 October 2010, 13:40:30 UTC Tag 7.4.30 01 October 2010, 13:40:30 UTC
b68319c Tom Lane 30 September 2010, 21:23:01 UTC Use a separate interpreter for each calling SQL userid in plperl and pltcl. There are numerous methods by which a Perl or Tcl function can subvert the behavior of another such function executed later; for example, by redefining standard functions or operators called by the target function. If the target function is SECURITY DEFINER, or is called by such a function, this means that any ordinary SQL user with Perl or Tcl language usage rights can do essentially anything with the privileges of the target function's owner. To close this security hole, create a separate Perl or Tcl interpreter for each SQL userid under which plperl or pltcl functions are executed within a session. However, all plperlu or pltclu functions run within a session still share a single interpreter, since they all execute at the trust level of a database superuser anyway. Note: this change results in a functionality loss when libperl has been built without the "multiplicity" option: it's no longer possible to call plperl functions under different userids in one session, since such a libperl can't support multiple interpreters in one process. However, such a libperl already failed to support concurrent use of plperl and plperlu, so it's likely that few people use such versions with Postgres. Security: CVE-2010-3433 30 September 2010, 21:23:01 UTC
8ecec04 Peter Eisentraut 30 September 2010, 19:10:51 UTC Translation updates for 7.4.30 30 September 2010, 19:10:51 UTC
1bab343 Tom Lane 30 September 2010, 18:28:05 UTC Update release notes for releases 9.0.1, 8.4.5, 8.3.12, 8.2.18, 8.1.22, 8.0.26, and 7.4.30. 30 September 2010, 18:28:05 UTC
42c3871 Tom Lane 25 September 2010, 19:57:05 UTC Further fixes to the pg_get_expr() security fix in back branches. It now emerges that the JDBC driver expects to be able to use pg_get_expr() on an output of a sub-SELECT. So extend the check logic to be able to recurse into a sub-SELECT to see if the argument is ultimately coming from an appropriate column. Per report from Thomas Kellerer. 25 September 2010, 21:01:39 UTC
dbf859c Tom Lane 24 September 2010, 17:48:47 UTC Still more .gitignore cleanup. Fix overly-enthusiastic ignores, as identified by git ls-files -i --exclude-standard 24 September 2010, 17:48:47 UTC
1e4a7c4 Tom Lane 23 September 2010, 20:53:53 UTC Prevent show_session_authorization from crashing when session_authorization hasn't been set. The only known case where this can happen is when show_session_authorization is invoked in an autovacuum process, which is possible if an index function calls it, as for example in bug #5669 from Andrew Geery. We could perhaps try to return a sensible value, such as the name of the cluster-owning superuser; but that seems like much more trouble than the case is worth, and in any case it could create new possible failure modes. Simply returning an empty string seems like the most appropriate fix. Back-patch to all supported versions, even those before autovacuum, just in case there's another way to provoke this crash. 23 September 2010, 20:53:53 UTC
767ae95 Tom Lane 23 September 2010, 19:09:10 UTC Another missing .gitignore entry ... 23 September 2010, 19:09:10 UTC
54bf75a Tom Lane 23 September 2010, 02:33:14 UTC More fixes for libpq's .gitignore file. The previous patches failed to cover a lot of symlinks that are only added in platform-specific cases. Make the lists match what's in the Makefile for each branch. 23 September 2010, 02:33:14 UTC
ebcb677 Tom Lane 23 September 2010, 00:23:09 UTC Do some copy-editing on the Git usage docs. 23 September 2010, 00:23:09 UTC
64f3b78 Tom Lane 22 September 2010, 22:26:39 UTC Fix documentation gitignore for pre-9.0 doc build methods. 22 September 2010, 22:26:39 UTC
ec85761 Tom Lane 22 September 2010, 21:22:31 UTC Some more gitignore cleanups: cover contrib and PL regression test outputs. Also do some further work in the back branches, where quite a bit wasn't covered by Magnus' original back-patch. 22 September 2010, 21:22:31 UTC
da907fd Magnus Hagander 22 September 2010, 18:48:53 UTC Remove anonymous cvs instructions, and replace them with instructions for git. Change other references from cvs to git as well. 22 September 2010, 18:48:53 UTC
6b4453f Magnus Hagander 22 September 2010, 10:57:22 UTC Convert cvsignore to gitignore, and add .gitignore for build targets. 22 September 2010, 10:57:22 UTC
0364fb9 Tom Lane 21 September 2010, 18:43:33 UTC Back-patch replacement of README.CVS with README.git. In older branches, also git-ify the "make distdir" rule. 21 September 2010, 18:43:33 UTC
a0baa96 Peter Eisentraut 17 August 2010, 04:49:31 UTC Backpatch some blatant spelling mistakes 17 August 2010, 04:49:31 UTC
28d27cf Tom Lane 16 August 2010, 17:33:30 UTC Arrange to fsync the contents of lockfiles (both postmaster.pid and the socket lockfile) when writing them. The lack of an fsync here may well explain two different reports we've seen of corrupted lockfile contents, which doesn't particularly bother the running server but can prevent a new server from starting if the old one crashes. Per suggestion from Alvaro. Back-patch to all supported versions. 16 August 2010, 17:33:30 UTC
9217dee Tom Lane 16 August 2010, 00:07:00 UTC Fix psql's copy of utf2ucs() to match the backend's copy exactly; in particular, propagate a fix in the test to see whether a UTF8 character has length 4 bytes. This is likely of little real-world consequence because 5-or-more-byte UTF8 sequences are not supported by Postgres nor seen anywhere in the wild, but still we may as well get it right. Problem found by Joseph Adams. Bug is aboriginal, so back-patch all the way. 16 August 2010, 00:07:00 UTC
1207827 Robert Haas 11 August 2010, 19:04:16 UTC Fix one more incorrect errno definition in the ECPG manual. Again, back-patch all the way to 7.4. 11 August 2010, 19:04:16 UTC
11dce14 Robert Haas 11 August 2010, 18:53:04 UTC Fix incorrect errno definitions in ECPG manual. ecpgerrno.h hasn't materially changed since PostgreSQL 7.4, so this has been wrong for a very long time. Back-patch all the way. Satoshi Nagayasu 11 August 2010, 18:53:04 UTC
ef2b138 Tom Lane 09 August 2010, 18:51:12 UTC Fix incorrect logic in plpgsql for cleanup after evaluation of non-simple expressions. We need to deal with this when handling subscripts in an array assignment, and also when catching an exception. In an Assert-enabled build these omissions led to Assert failures, but I think in a normal build the only consequence would be short-term memory leakage; which may explain why this wasn't reported from the field long ago. Back-patch to all supported versions. 7.4 doesn't have exceptions, but otherwise these bugs go all the way back. Heikki Linnakangas and Tom Lane 09 August 2010, 18:51:12 UTC
10c0565 Tom Lane 30 July 2010, 17:57:32 UTC Improved version of patch to protect pg_get_expr() against misuse: look through join alias Vars to avoid breaking join queries, and move the test to someplace where it will catch more possible ways of calling a function. We still ought to throw away the whole thing in favor of a data-type-based solution, but that's not feasible in the back branches. Completion of back-port of my patch of yesterday. 30 July 2010, 17:57:32 UTC
678e0d9 Tom Lane 09 July 2010, 22:58:25 UTC Avoid an Assert failure in deconstruct_array() by making get_attstatsslot() use the actual element type of the array it's disassembling, rather than trusting the type OID passed in by its caller. This is needed because sometimes the planner passes in a type OID that's only binary-compatible with the target column's type, rather than being an exact match. Per an example from Bernd Helmle. Possibly we should refactor get_attstatsslot/free_attstatsslot to not expect the caller to supply type ID data at all, but for now I'll just do the minimum-change fix. Back-patch to 7.4. Bernd's test case only crashes back to 8.0, but since these subroutines are the same in 7.4, I suspect there may be variant cases that would crash 7.4 as well. 09 July 2010, 22:58:25 UTC
1cf269c Tom Lane 08 July 2010, 00:14:41 UTC Fix "cannot handle unplanned sub-select" error that can occur when a sub-select contains a join alias reference that expands into an expression containing another sub-select. Per yesterday's report from Merlin Moncure and subsequent off-list investigation. Back-patch to 7.4. Older versions didn't attempt to flatten sub-selects in ways that would trigger this problem. 08 July 2010, 00:14:41 UTC
97f29c8 Heikki Linnakangas 05 July 2010, 09:27:57 UTC The previous fix in CVS HEAD and 8.4 for handling the case where a cursor being used in a PL/pgSQL FOR loop is closed was inadequate, as Tom Lane pointed out. The bug affects FOR statement variants too, because you can close an implicitly created cursor too by guessing the "<unnamed portal X>" name created for it. To fix that, "pin" the portal to prevent it from being dropped while it's being used in a PL/pgSQL FOR loop. Backpatch all the way to 7.4 which is the oldest supported version. 05 July 2010, 09:27:57 UTC
5e77769 Tom Lane 03 July 2010, 04:03:46 UTC Fix assorted misstatements and poor wording in the descriptions of the I/O formats for geometric types. Per bug #5536 from Jon Strait, and my own testing. Back-patch to all supported branches, since this doco has been wrong right along -- we certainly haven't changed the I/O behavior of these types in many years. 03 July 2010, 04:03:46 UTC
fa8ccf5 Heikki Linnakangas 30 June 2010, 18:11:43 UTC stringToNode() and deparse_expression_pretty() crash on invalid input, but we have nevertheless exposed them to users via pg_get_expr(). It would be too much maintenance effort to rigorously check the input, so put a hack in place instead to restrict pg_get_expr() so that the argument must come from one of the system catalog columns known to contain valid expressions. Per report from Rushabh Lathia. Backpatch to 7.4 which is the oldest supported version at the moment. 30 June 2010, 18:11:43 UTC
873b9b8 Tom Lane 15 June 2010, 19:04:59 UTC Fix dblink_build_sql_insert() and related functions to handle dropped columns correctly. In passing, get rid of some dead logic in the underlying get_sql_insert() etc functions --- there is no caller that will pass null value-arrays to them. Per bug report from Robert Voinea. 15 June 2010, 19:04:59 UTC
240076b Tom Lane 15 June 2010, 16:22:58 UTC Consolidate and improve checking of key-column-attnum arguments for dblink_build_sql_insert() and related functions. In particular, be sure to reject references to dropped and out-of-range column numbers. The numbers are still interpreted as physical column numbers, though, for backward compatibility. This patch replaces Joe's patch of 2010-02-03, which handled only some aspects of the problem. 15 June 2010, 16:22:58 UTC
5ab2c66 Tom Lane 14 June 2010, 20:50:11 UTC Rearrange dblink's dblink_build_sql_insert() and related routines to open and lock the target relation just once per SQL function call. The original coding obtained and released lock several times per call. Aside from saving a not-insignificant number of cycles, this eliminates possible race conditions if someone tries to modify the relation's schema concurrently. Also centralize locking and permission-checking logic. Problem noted while investigating a trouble report from Robert Voinea --- his problem is still to be fixed, though. 14 June 2010, 20:50:11 UTC
6742c60 Itagaki Takahiro 10 June 2010, 00:42:34 UTC Fix incorrect change in dblink introduced by the previous commit "Fix connection leak in dblink". 10 June 2010, 00:42:34 UTC
71dca6e Itagaki Takahiro 09 June 2010, 01:00:50 UTC Fix connection leak in dblink when dblink_connect() or dblink_connect_u() end with "duplicate connection name" errors. Backported to release 7.4. 09 June 2010, 01:00:50 UTC
9f3cf8a Andrew Dunstan 17 May 2010, 20:46:03 UTC > Follow up a visit from the style police. 17 May 2010, 20:46:03 UTC
5356cf7 Robert Haas 16 May 2010, 03:55:47 UTC Fix longstanding typo in V1 calling conventions documentation. Erik Rijkers 16 May 2010, 03:55:47 UTC
00a8012 Tom Lane 15 May 2010, 18:11:41 UTC Improve documentation of pg_restore's -l and -L switches to point out their interactions with filtering switches, such as -n and -t. Per a complaint from Russell Smith. 15 May 2010, 18:11:41 UTC
ab9536b Marc G. Fournier 14 May 2010, 03:44:21 UTC tag 7.4.29 14 May 2010, 03:44:21 UTC
c30e3d8 Tom Lane 13 May 2010, 21:27:44 UTC Update release notes with security issues. Security: CVE-2010-1169, CVE-2010-1170 13 May 2010, 21:27:44 UTC
765b01b Tom Lane 13 May 2010, 19:16:52 UTC Use an entity instead of non-ASCII letter. Thom Brown 13 May 2010, 19:16:52 UTC
4aadfba Tom Lane 13 May 2010, 18:29:54 UTC Prevent PL/Tcl from loading the "unknown" module from pltcl_modules unless that is a regular table or view owned by a superuser. This prevents a trojan horse attack whereby any unprivileged SQL user could create such a table and insert code into it that would then get executed in other users' sessions whenever they call pltcl functions. Worse yet, because the code was automatically loaded into both the "normal" and "safe" interpreters at first use, the attacker could execute unrestricted Tcl code in the "normal" interpreter without there being any pltclu functions anywhere, or indeed anyone else using pltcl at all: installing pltcl is sufficient to open the hole. Change the initialization logic so that the "unknown" code is only loaded into an interpreter when the interpreter is first really used. (That doesn't add any additional security in this particular context, but it seems a prudent change, and anyway the former behavior violated the principle of least astonishment.) Security: CVE-2010-1170 13 May 2010, 18:29:54 UTC
60028fd Andrew Dunstan 13 May 2010, 16:44:35 UTC Abandon the use of Perl's Safe.pm to enforce restrictions in plperl, as it is fundamentally insecure. Instead apply an opmask to the whole interpreter that imposes restrictions on unsafe operations. These restrictions are much harder to subvert than is Safe.pm, since there is no container to be broken out of. Backported to release 7.4. In releases 7.4, 8.0 and 8.1 this also includes the necessary backporting of the two interpreters model for plperl and plperlu adopted in release 8.2. In versions 8.0 and up, the use of Perl's POSIX module to undo its locale mangling on Windows has become insecure with these changes, so it is replaced by our own routine, which is also faster. Nice side effects of the changes include that it is now possible to use perl's "strict" pragma in a natural way in plperl, and that perl's $a and $b variables now work as expected in sort routines, and that function compilation is significantly faster. Tim Bunce and Andrew Dunstan, with reviews from Alex Hunsaker and Alexey Klyukin. Security: CVE-2010-1169 13 May 2010, 16:44:35 UTC
e274064 Peter Eisentraut 13 May 2010, 07:05:04 UTC Translation update 13 May 2010, 07:05:04 UTC
03bbb02 Tom Lane 12 May 2010, 23:28:06 UTC Preliminary release notes for releases 8.4.4, 8.3.11, 8.2.17, 8.1.21, 8.0.25, 7.4.29. 12 May 2010, 23:28:06 UTC
47bdd80 Tom Lane 08 May 2010, 16:40:52 UTC Work around a subtle portability problem in use of printf %s format. Depending on which spec you read, field widths and precisions in %s may be counted either in bytes or characters. Our code was assuming bytes, which is wrong at least for glibc's implementation, and in any case libc might have a different idea of the prevailing encoding than we do. Hence, for portable results we must avoid using anything more complex than just "%s" unless the string to be printed is known to be all-ASCII. This patch fixes the cases I could find, including the psql formatting failure reported by Hernan Gonzalez. In HEAD only, I also added comments to some places where it appears safe to continue using "%.*s". 08 May 2010, 16:40:52 UTC
79c712a Tom Lane 01 May 2010, 22:47:15 UTC Add code to InternalIpcMemoryCreate() to handle the case where shmget() returns EINVAL for an existing shared memory segment. Although it's not terribly sensible, that behavior does meet the POSIX spec because EINVAL is the appropriate error code when the existing segment is smaller than the requested size, and the spec explicitly disclaims any particular ordering of error checks. Moreover, it does in fact happen on OS X and probably other BSD-derived kernels. (We were able to talk NetBSD into changing their code, but purging that behavior from the wild completely seems unlikely to happen.) We need to distinguish collision with a pre-existing segment from invalid size request in order to behave sensibly, so it's worth some extra code here to get it right. Per report from Gavin Kistner and subsequent investigation. Back-patch to all supported versions, since any of them could get used with a kernel having the debatable behavior. 01 May 2010, 22:47:15 UTC
25681e0 Tom Lane 30 April 2010, 19:16:27 UTC Fix multiple memory leaks in PLy_spi_execute_fetch_result: it would leak memory if the result had zero rows, and also if there was any sort of error while converting the result tuples into Python data. Reported and partially fixed by Andres Freund. Back-patch to all supported versions. Note: I haven't tested the 7.4 fix. 7.4's configure check for python is so obsolete it doesn't work on my current machines :-(. The logic change is pretty straightforward though. 30 April 2010, 19:16:27 UTC
f9f0683 Andrew Dunstan 03 April 2010, 17:55:24 UTC Sync perl's ppport.h on all branches back to 7.4 with recent update on HEAD, ensuring we can build older branches with modern Perl installations. 03 April 2010, 17:55:24 UTC
2154452 Tom Lane 02 April 2010, 16:17:31 UTC Ensure that contrib/pgstattuple functions respond to cancel interrupts reasonably promptly, by adding CHECK_FOR_INTERRUPTS in the per-page loops. Tatsuhito Kasahara 02 April 2010, 16:17:31 UTC
b60e3dd Alvaro Herrera 25 March 2010, 14:46:06 UTC Prevent ALTER USER f RESET ALL from removing the settings that were put there by a superuser -- "ALTER USER f RESET setting" already disallows removing such a setting. Apply the same treatment to ALTER DATABASE d RESET ALL when run by a database owner that's not superuser. 25 March 2010, 14:46:06 UTC
26ef5e9 Tom Lane 20 March 2010, 00:58:46 UTC Clear error_context_stack and debug_query_string at the beginning of proc_exit, so that we won't try to attach any context printouts to messages that get emitted while exiting. Per report from Dennis Koegel, the context functions won't necessarily work after we've started shutting down the backend, and it seems possible that debug_query_string could be pointing at freed storage as well. The context information doesn't seem particularly relevant to such messages anyway, so there's little lost by suppressing it. Back-patch to all supported branches. I can only demonstrate a crash with log_disconnections messages back to 8.1, but the risk seems real in 8.0 and before anyway. 20 March 2010, 00:58:46 UTC
2eec67a Magnus Hagander 17 March 2010, 18:04:01 UTC Typo fixes. Fujii Masao 17 March 2010, 18:04:01 UTC
249271d Marc G. Fournier 12 March 2010, 04:06:01 UTC tag 7.4.28 12 March 2010, 04:06:01 UTC
d0d6885 Tom Lane 10 March 2010, 01:59:30 UTC Preliminary release notes for releases 8.4.3, 8.3.10, 8.2.16, 8.1.20, 8.0.24, 7.4.28. 10 March 2010, 01:59:30 UTC
f9ed879 Magnus Hagander 08 March 2010, 12:38:54 UTC Add missing space in example. Tim Landscheidt 08 March 2010, 12:38:54 UTC
821ed69 Tom Lane 06 March 2010, 00:46:27 UTC When reading pg_hba.conf and similar files, do not treat @file as an inclusion unless (1) the @ isn't quoted and (2) the filename isn't empty. This guards against unexpectedly treating usernames or other strings in "flat files" as inclusion requests, as seen in a recent trouble report from Ed L. The empty-filename case would be guaranteed to misbehave anyway, because our subsequent path-munging behavior results in trying to read the directory containing the current input file. I think this might finally explain the report at http://archives.postgresql.org/pgsql-bugs/2004-05/msg00132.php of a crash after printing "authentication file token too long, skipping", since I was able to duplicate that message (though not a crash) on a platform where stdio doesn't refuse to read directories. We never got far in investigating that problem, but now I'm suspicious that the trigger condition was an @ in the flat password file. Back-patch to all active branches since the problem can be demonstrated in all branches except HEAD. The test case, creating a user named "@", doesn't cause a problem in HEAD since we got rid of the flat password file. Nonetheless it seems like a good idea to not consider quoted @ as a file inclusion spec, so I changed HEAD too. 06 March 2010, 00:46:27 UTC
f82e8e7 Tom Lane 03 March 2010, 20:31:50 UTC Fix a couple of places that would loop forever if attempts to read a stdio file set ferror() but never set feof(). This is known to be the case for recent glibc when trying to read a directory as a file, and might be true for other platforms/cases too. Per report from Ed L. (There is more that we ought to do about his report, but this is one easily identifiable issue.) 03 March 2010, 20:31:50 UTC
8b33d83 Tom Lane 25 February 2010, 23:45:29 UTC Back-patch addition of ssl_renegotiation_limit into 7.4 through 8.1. 25 February 2010, 23:45:29 UTC
a0b3d52 Joe Conway 03 February 2010, 23:02:28 UTC Check to ensure the number of primary key fields supplied does not exceed the total number of non-dropped source table fields for dblink_build_sql_*(). Addresses bug report from Rushabh Lathia. Backpatch all the way to the 7.3 branch. 03 February 2010, 23:02:28 UTC
572f475 Tom Lane 01 February 2010, 02:46:08 UTC Change regexp engine's ccondissect/crevdissect routines to perform DFA matching before recursing instead of after. The DFA match eliminates unworkable midpoint choices a lot faster than the recursive check, in most cases, so doing it first can speed things up; particularly in pathological cases such as recently exhibited by Michael Glaesemann. In addition, apply some cosmetic changes that were applied upstream (in the Tcl project) at the same time, in order to sync with upstream version 1.15 of regexec.c. Upstream apparently intends to backpatch this, so I will too. The pathological behavior could be unpleasant if encountered in the field, which seems to justify any risk of introducing new bugs. Tom Lane, reviewed by Donal K. Fellows of Tcl project 01 February 2010, 02:46:08 UTC
cd79a50 Tom Lane 25 January 2010, 01:58:57 UTC Apply Tcl_Init() to the "hold" interpreter created by pltcl. You might think this is unnecessary since that interpreter is never used to run code --- but it turns out that's wrong. As of Tcl 8.5, the "clock" command (alone among builtin Tcl commands) is partially implemented by loaded-on-demand Tcl code, which means that it fails if there's not unknown-command support, and also that it's impossible to run it directly in a safe interpreter. The way they get around the latter is that Tcl_CreateSlave() automatically sets up an alias command that forwards any execution of "clock" in a safe slave interpreter to its parent interpreter. Thus, when attempting to execute "clock" in trusted pltcl, the command actually executes in the "hold" interpreter, where it will fail if unknown-command support hasn't been introduced by sourcing the standard init.tcl script, which is done by Tcl_Init(). (This is a pretty dubious design decision on the Tcl boys' part, if you ask me ... but they didn't.) Back-patch all the way. It's not clear that anyone would try to use ancient versions of pltcl with a recent Tcl, but it's not clear they wouldn't, either. Also add a regression test using "clock", in branches that have regression test support for pltcl. Per recent trouble report from Kyle Bateman. 25 January 2010, 01:58:57 UTC
10dedbf Tom Lane 07 January 2010, 19:53:47 UTC Make bit/varbit substring() treat any negative length as meaning "all the rest of the string". The previous coding treated only -1 that way, and would produce an invalid result value for other negative values. We ought to fix it so that 2-parameter bit substring() is a different C function and the 3-parameter form throws error for negative length, but that takes a pg_proc change which is impractical in the back branches; and in any case somebody might be relying on -1 working this way. So just do this as a back-patchable fix. 07 January 2010, 19:53:47 UTC
df4b86a Marc G. Fournier 10 December 2009, 03:26:04 UTC tag 7.4.27 10 December 2009, 03:26:04 UTC
1b4f16b Tom Lane 10 December 2009, 00:32:06 UTC Update release notes for releases 8.4.2, 8.3.9, 8.2.15, 8.1.19, 8.0.23, 7.4.27. 10 December 2009, 00:32:06 UTC
9d97bb7 Tom Lane 09 December 2009, 21:59:07 UTC Prevent indirect security attacks via changing session-local state within an allegedly immutable index function. It was previously recognized that we had to prevent such a function from executing SET/RESET ROLE/SESSION AUTHORIZATION, or it could trivially obtain the privileges of the session user. However, since there is in general no privilege checking for changes of session-local state, it is also possible for such a function to change settings in a way that might subvert later operations in the same session. Examples include changing search_path to cause an unexpected function to be called, or replacing an existing prepared statement with another one that will execute a function of the attacker's choosing. The present patch secures VACUUM, ANALYZE, and CREATE INDEX/REINDEX against these threats, which are the same places previously deemed to need protection against the SET ROLE issue. GUC changes are still allowed, since there are many useful cases for that, but we prevent security problems by forcing a rollback of any GUC change after completing the operation. Other cases are handled by throwing an error if any change is attempted; these include temp table creation, closing a cursor, and creating or deleting a prepared statement. (In 7.4, the infrastructure to roll back GUC changes doesn't exist, so we settle for rejecting changes of "search_path" in these contexts.) Original report and patch by Gurjeet Singh, additional analysis by Tom Lane. Security: CVE-2009-4136 09 December 2009, 21:59:07 UTC
5293cc8 Magnus Hagander 09 December 2009, 06:37:09 UTC Reject certificates with embedded NULLs in the commonName field. This stops attacks where an attacker would put <attack>\0<propername> in the field and trick the validation code that the certificate was for <attack>. This is a very low risk attack since it reuqires the attacker to trick the CA into issuing a certificate with an incorrect field, and the common PostgreSQL deployments are with private CAs, and not external ones. Also, default mode in 8.4 does not do any name validation, and is thus also not vulnerable - but the higher security modes are. Backpatch all the way. Even though versions 8.3.x and before didn't have certificate name validation support, they still exposed this field for the user to perform the validation in the application code, and there is no way to detect this problem through that API. Security: CVE-2009-4034 09 December 2009, 06:37:09 UTC
32eb482 Peter Eisentraut 08 December 2009, 21:54:26 UTC Translation updates 08 December 2009, 21:54:26 UTC
8fa5419 Tom Lane 02 December 2009, 17:42:02 UTC Ignore attempts to set "application_name" in the connection startup packet. This avoids a useless connection retry and complaint in the postmaster log when receiving a connection from 8.5 or later libpq. Backpatch in all supported branches, but of course *not* HEAD. 02 December 2009, 17:42:02 UTC
b88ad6e Alvaro Herrera 10 November 2009, 18:01:46 UTC Fix longstanding problems in VACUUM caused by untimely interruptions In VACUUM FULL, an interrupt after the initial transaction has been recorded as committed can cause postmaster to restart with the following error message: PANIC: cannot abort transaction NNNN, it was already committed This problem has been reported many times. In lazy VACUUM, an interrupt after the table has been truncated by lazy_truncate_heap causes other backends' relcache to still point to the removed pages; this can cause future INSERT and UPDATE queries to error out with the following error message: could not read block XX of relation 1663/NNN/MMMM: read only 0 of 8192 bytes The window to this race condition is extremely narrow, but it has been seen in the wild involving a cancelled autovacuum process. The solution for both problems is to inhibit interrupts in both operations until after the respective transactions have been committed. It's not a complete solution, because the transaction could theoretically be aborted by some other error, but at least fixes the most common causes of both problems. 10 November 2009, 18:01:46 UTC
7c0e804 Tom Lane 30 October 2009, 20:59:23 UTC Make the overflow guards in ExecChooseHashTableSize be more protective. The original coding ensured nbuckets and nbatch didn't exceed INT_MAX, which while not insane on its own terms did nothing to protect subsequent code like "palloc(nbatch * sizeof(BufFile *))". Since enormous join size estimates might well be planner error rather than reality, it seems best to constrain the initial sizes to be not more than work_mem/sizeof(pointer), thus ensuring the allocated arrays don't exceed work_mem. We will allow nbatch to get bigger than that during subsequent ExecHashIncreaseNumBatches calls, but we should still guard against integer overflow in those palloc requests. Per bug #5145 from Bernt Marius Johnsen. Although the given test case only seems to fail back to 8.2, previous releases have variants of this issue, so patch all supported branches. 30 October 2009, 20:59:23 UTC
4ce8236 Tom Lane 16 October 2009, 22:09:16 UTC Rewrite pam_passwd_conv_proc to be more robust: avoid assuming that the pam_message array contains exactly one PAM_PROMPT_ECHO_OFF message. Instead, deal with however many messages there are, and don't throw error for PAM_ERROR_MSG and PAM_TEXT_INFO messages. This logic is borrowed from openssh 5.2p1, which hopefully has seen more real-world PAM usage than we have. Per bug #5121 from Ryan Douglas, which turned out to be caused by the conv_proc being called with zero messages. Apparently that is normal behavior given the combination of Linux pam_krb5 with MS Active Directory as the domain controller. Patch all the way back, since this code has been essentially untouched since 7.4. (Surprising we've not heard complaints before.) 16 October 2009, 22:09:16 UTC
f0e9229 Heikki Linnakangas 08 October 2009, 04:47:06 UTC Fix off-by-one bug in bitncmp(): When comparing a number of bits divisible by 8, bitncmp() may dereference a pointer one byte out of bounds. Chris Mikkelson (bug #5101) 08 October 2009, 04:47:06 UTC
693cebf Tom Lane 26 September 2009, 18:25:35 UTC Fix RelationCacheInitializePhase2 (Phase3, in HEAD) to cope with the possibility of shared-inval messages causing a relcache flush while it tries to fill in missing data in preloaded relcache entries. There are actually two distinct failure modes here: 1. The flush could delete the next-to-be-processed cache entry, causing the subsequent hash_seq_search calls to go off into the weeds. This is the problem reported by Michael Brown, and I believe it also accounts for bug #5074. The simplest fix is to restart the hashtable scan after we've read any new data from the catalogs. It appears that pre-8.4 branches have not suffered from this failure, because by chance there were no other catalogs sharing the same hash chains with the catalogs that RelationCacheInitializePhase2 had work to do for. However that's obviously pretty fragile, and it seems possible that derivative versions with additional system catalogs might be vulnerable, so I'm back-patching this part of the fix anyway. 2. The flush could delete the *current* cache entry, in which case the pointer to the newly-loaded data would end up being stored into an already-deleted Relation struct. As long as it was still deleted, the only consequence would be some leaked space in CacheMemoryContext. But it seems possible that the Relation struct could already have been recycled, in which case this represents a hard-to-reproduce clobber of cached data structures, with unforeseeable consequences. The fix here is to pin the entry while we work on it. In passing, also change RelationCacheInitializePhase2 to Assert that formrdesc() set up the relation's cached TupleDesc (rd_att) with the correct type OID and hasoids values. This is more appropriate than silently updating the values, because the original tupdesc might already have been copied into the catcache. However this part of the patch is not in HEAD because it fails due to some questionable recent changes in formrdesc :-(. That will be cleaned up in a subsequent patch. 26 September 2009, 18:25:35 UTC
b8218dc Tom Lane 08 September 2009, 04:26:17 UTC Remove outside-the-scanner references to "yyleng". It seems the flex developers have decided to change yyleng from int to size_t. This has already happened in the latest release of OS X, and will start happening elsewhere once the next release of flex appears. Rather than trying to divine how it's declared in any particular build, let's just remove the one existing not-very-necessary external usage. Back-patch to all supported branches; not so much because users in the field are likely to care about building old branches with cutting-edge flex, as to keep OSX-based buildfarm members from having problems with old branches. 08 September 2009, 04:26:17 UTC
ef31ff1 Marc G. Fournier 04 September 2009, 05:33:18 UTC Tag 7.4.26 04 September 2009, 05:33:18 UTC
02a87f1 Tom Lane 03 September 2009, 22:14:41 UTC Final updates of release notes for 8.4.1, 8.3.8, 8.2.14, 8.1.18, 8.0.22, 7.4.26. 03 September 2009, 22:14:41 UTC
fd28d83 Tom Lane 03 September 2009, 22:09:06 UTC Disallow RESET ROLE and RESET SESSION AUTHORIZATION inside security-definer functions. This extends the previous patch that forbade SETting these variables inside security-definer functions. RESET is equally a security hole, since it would allow regaining privileges of the caller; furthermore it can trigger Assert failures and perhaps other internal errors, since the code is not expecting these variables to change in such contexts. The previous patch did not cover this case because assign hooks don't really have enough information, so move the responsibility for preventing this into guc.c. Problem discovered by Heikki Linnakangas. Security: no CVE assigned yet, extends CVE-2007-6600 03 September 2009, 22:09:06 UTC
8422728 Peter Eisentraut 03 September 2009, 18:49:05 UTC Translation updates 03 September 2009, 18:49:05 UTC
199c6d5 Peter Eisentraut 02 September 2009, 13:23:13 UTC Improve picksplit debug message Missed this earlier because the translation site was broken for the 7.4 branch. 02 September 2009, 13:23:13 UTC
322404c Bruce Momjian 27 August 2009, 01:26:40 UTC Update release notes for 7.4.26, 8.0.22, 8.1.18, 8.2.14, 8.3.8, 8.4.1. 27 August 2009, 01:26:40 UTC
deab233 Tom Lane 24 August 2009, 16:18:49 UTC Fix inclusions of readline/editline header files so that we only attempt to #include the version of history.h that is in the same directory as the readline.h we are using. This avoids problems in some scenarios where both readline and editline are installed. Report and patch by Zdenek Kotala. 24 August 2009, 16:18:49 UTC
2e78dc8 Tom Lane 18 August 2009, 21:23:58 UTC Fix overflow for INTERVAL 'x ms' where x is more than a couple million, and integer datetimes are in use. Per bug report from Hubert Depesz Lubaczewski. Alex Hunsaker 18 August 2009, 21:23:58 UTC
c5b758b Andrew Dunstan 10 August 2009, 02:39:09 UTC Re-add documentation for --no-readline option of psql, mistakenly removed a decade ago. Backpatch to release 7.4. 10 August 2009, 02:39:09 UTC
6119329 Tom Lane 07 August 2009, 20:16:49 UTC Try to defend against the possibility that libpq is still in COPY_IN state when we reach the post-COPY "pump it dry" error recovery code that was added 2006-11-24. Per a report from Neil Best, there is at least one code path in which this occurs, leading to an infinite loop in code that's supposed to be making it more robust not less so. A reasonable response seems to be to call PQputCopyEnd() again, so let's try that. Back-patch to all versions that contain the cleanup loop. 07 August 2009, 20:16:49 UTC
34f662d Tom Lane 23 June 2009, 16:25:35 UTC Fix an ancient error in dist_ps (distance from point to line segment), which a number of other geometric operators also depend on. It miscalculated the slope of the perpendicular to the given line segment anytime that slope was other than 0, infinite, or +/-1. In some cases the error would be masked because the true closest point on the line segment was one of its endpoints rather than the intersection point, but in other cases it could give an arbitrarily bad answer. Per bug #4872 from Nick Roosevelt. Bug goes clear back to Berkeley days, so patch all supported branches. Make a couple of cosmetic adjustments while at it. 23 June 2009, 16:25:35 UTC
b99bb3b Tom Lane 10 June 2009, 16:32:02 UTC Fix cash_in() to behave properly in locales where frac_digits is zero, eg Japan. Report and fix by Itagaki Takahiro. Also fix CASHDEBUG printout format for branches with 64-bit money type, and some minor comment cleanup. Back-patch to 7.4, because it's broken all the way back. 10 June 2009, 16:32:02 UTC
bc4df3b Andrew Dunstan 05 June 2009, 20:33:59 UTC Adjust recent PERL_SYS_INIT3 call to avoid platforms where it might fail, and to remove compilation warning. Backpatch the release 7.4 05 June 2009, 20:33:59 UTC
d68475e Andrew Dunstan 04 June 2009, 16:01:23 UTC Initialise perl library as documented in perl API. Backpatch to release 7.4. 04 June 2009, 16:01:23 UTC
f16cd6e Tom Lane 02 May 2009, 20:18:21 UTC Split the release notes into a separate file for each (active) major branch, as per my recent proposal. release.sgml itself is now just a stub that should change rarely; ideally, only once per major release to add a new include line. Most editing work will occur in the release-N.N.sgml files. To update a back branch for a minor release, just copy the appropriate release-N.N.sgml file(s) into the back branch. This commit doesn't change the end-product documentation at all, only the source layout. However, it makes it easy to start omitting ancient information from newer branches' documentation, should we ever decide to do that. 02 May 2009, 20:18:21 UTC
2a0f7d1 Tom Lane 01 May 2009, 19:29:42 UTC When checking for datetime field overflow, we should allow a fractional-second part that rounds up to exactly 1.0 second. The previous coding rejected input like "00:12:57.9999999999999999999999999999", with the exact number of nines needed to cause failure varying depending on float-timestamp option and possibly on platform. Obviously this should round up to the next integral second, if we don't have enough precision to distinguish the value from that. Per bug #4789 from Robert Kruus. In passing, fix a missed check for fractional seconds in one copy of the "is it greater than 24:00:00" code. Broken all the way back, so patch all the way back. 01 May 2009, 19:29:42 UTC
9af91a5 Tom Lane 25 April 2009, 16:45:34 UTC Fix the handling of sub-SELECTs appearing in the arguments of an outer-level aggregate function. By definition, such a sub-SELECT cannot reference any variables of query levels between itself and the aggregate's semantic level (else the aggregate would've been assigned to that lower level instead). So the correct, most efficient implementation is to treat the sub-SELECT as being a sub-select of that outer query level, not the level the aggregate syntactically appears in. Not doing so also confuses the heck out of our parameter-passing logic, as illustrated in bug report from Daniel Grace. Fortunately, we were already copying the whole Aggref expression up to the outer query level, so all that's needed is to delay SS_process_sublinks processing of the sub-SELECT until control returns to the outer level. This has been broken since we introduced spec-compliant treatment of outer aggregates in 7.4; so patch all the way back. 25 April 2009, 16:45:34 UTC
41a74fa Bruce Momjian 25 April 2009, 15:53:26 UTC Remove HELIOS Software GmbH name and copyright from AIX dynloader files, per approval from Helmut Tschemernjak, President. Only back branches; files removed from CVS HEAD. 25 April 2009, 15:53:26 UTC
65face6 Magnus Hagander 15 April 2009, 18:58:26 UTC Remove beer-ware license from crypt-md5.c, per approval from Poul-Henning Kamp. This makes the file the same standard 2-clause BSD as the rest of PostgreSQL. 15 April 2009, 18:58:26 UTC
ca1316d Teodor Sigaev 07 April 2009, 17:49:40 UTC Fix 'all at one page bug' in picksplit method of R-tree emulation. Add defense from buggy user-defined picksplit to GiST. 07 April 2009, 17:49:40 UTC
1b40567 Tom Lane 07 April 2009, 15:54:30 UTC Defend against non-ASCII letters in fuzzystrmatch code. The functions still don't behave very sanely for multibyte encodings, but at least they won't be indexing off the ends of static arrays. 07 April 2009, 15:54:30 UTC
7ca0bae Tom Lane 04 April 2009, 04:54:07 UTC Rewrite interval_hash() so that the hashcodes are equal for values that interval_eq() considers equal. I'm not sure how that fundamental requirement escaped us through multiple revisions of this hash function, but there it is; it's been wrong since interval_hash was first written for PG 7.1. Per bug #4748 from Roman Kononov. Backpatch to all supported releases. This patch changes the contents of hash indexes for interval columns. That's no particular problem for PG 8.4, since we've broken on-disk compatibility of hash indexes already; but it will require a migration warning note in the next minor releases of all existing branches: "if you have any hash indexes on columns of type interval, REINDEX them after updating". 04 April 2009, 04:54:07 UTC
ed00200 Tom Lane 31 March 2009, 22:56:28 UTC Fix contrib/pgstattuple and contrib/pageinspect to prevent attempts to read temporary tables of other sessions; that is unsafe because of the way our buffer management works. Per report from Stuart Bishop. This is redundant with the bufmgr.c checks in HEAD, but not at all redundant in the back branches. 31 March 2009, 22:56:28 UTC
e3c0d67 Marc G. Fournier 13 March 2009, 02:39:42 UTC tag 7.4.25 13 March 2009, 02:39:42 UTC
dbb6d2f Tom Lane 12 March 2009, 22:36:46 UTC Update back-branch release notes. 12 March 2009, 22:36:46 UTC
aff86a8 Tom Lane 12 March 2009, 00:54:04 UTC Fix core dump due to null-pointer dereference in to_char() when datetime format codes are misapplied to a numeric argument. (The code still produces a pretty bogus error message in such cases, but I'll settle for stopping the crash for now.) Per bug #4700 from Sergey Burladyan. Problem exists in all supported branches, so patch all the way back. In HEAD, also clean up some ugly coding in the nearby cache management code. 12 March 2009, 00:54:04 UTC
cb5a81b Heikki Linnakangas 05 March 2009, 14:29:26 UTC Add MUST (Mauritius Island Summer Time) to the list of known abbreviations. Mauritius began using DST in the summer 2008-2009; the Olson library has been updated already. Xavier Bugaud 05 March 2009, 14:29:26 UTC
4c13245 Tom Lane 04 March 2009, 22:08:53 UTC Put back our old workaround for machines that declare cbrt() in math.h but fail to provide the function itself. Not sure how we escaped testing anything later than 7.3 on such cases, but they still exist, as per André Volpato's report about AIX 5.3. 04 March 2009, 22:08:53 UTC
back to top