Require update permission for the large object written by lo_put().
Tom Lane <tgl@sss.pgh.pa.us>
Require update permission for the large object written by lo_put(). lo_put() surely should require UPDATE permission, the same as lowrite(), but it failed to check for that, as reported by Chapman Flack. Oversight in commit c50b7c09d; backpatch to 9.4 where that was introduced. Tom Lane and Michael Paquier Security: CVE-2017-7548
Files
| Path | Change | +/− |
|---|---|---|
| src/backend/libpq/be-fsstubs.c | modified | +12 −0 |
| src/test/regress/expected/privileges.out | modified | +10 −0 |
| src/test/regress/sql/privileges.sql | modified | +4 −0 |