Re: Fwd: Problem with a "complex" upsert

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Dean Rasheed <dean.a.rasheed@gmail.com>
Cc: Andres Freund <andres@anarazel.de>, Amit Langote <Langote_Amit_f8@lab.ntt.co.jp>, Mario De Frutos Dieguez <mariodefrutos@gmail.com>, pgsql-bugs@lists.postgresql.org
Date: 2018-08-06T16:41:21Z
Lists: pgsql-bugs
I wrote:
> Attached is our finished patch against HEAD.  This is pretty much all
> Dean's work, but I'm posting it on his behalf because it's late in the UK
> and he's gone offline for the day.  In the interests of getting a
> full set of buildfarm testing on the patch before Monday's wrap deadline,
> I'm going to finish up back-porting the patch and push it tonight.

Final(?) note on this thread --- the security team realized over the
weekend that this bug constitutes a security issue, because you can do
more than crash the server.  We don't normally consider simple crashes
as being CVE-worthy problems, but in this case, there's potential for
datatype confusion, which can be leveraged to allow disclosure of server
memory (as we've seen in other bugs before).  We also realized that it's
possible to update a column you supposedly don't have privilege to update,
as long as there's some other column you do.

We've retroactively obtained a CVE number and will be describing this as
a security problem in the release notes.

			regards, tom lane


Commits

  1. Fix INSERT ON CONFLICT UPDATE through a view that isn't just SELECT *.