Re: Fwd: Problem with a "complex" upsert
Mario De Frutos Dieguez <mariodefrutos@gmail.com>
From: Mario de Frutos Dieguez <mariodefrutos@gmail.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Dean Rasheed <dean.a.rasheed@gmail.com>,
Andres Freund <andres@anarazel.de>, Amit Langote <Langote_Amit_f8@lab.ntt.co.jp>, pgsql-bugs@lists.postgresql.org
Date: 2018-08-06T16:48:19Z
Lists: pgsql-bugs
Wow glad to have discovered it by chance! Great news to have it fixed :)))) 2018-08-06 18:41 GMT+02:00 Tom Lane <tgl@sss.pgh.pa.us>: > I wrote: >> Attached is our finished patch against HEAD. This is pretty much all >> Dean's work, but I'm posting it on his behalf because it's late in the UK >> and he's gone offline for the day. In the interests of getting a >> full set of buildfarm testing on the patch before Monday's wrap deadline, >> I'm going to finish up back-porting the patch and push it tonight. > > Final(?) note on this thread --- the security team realized over the > weekend that this bug constitutes a security issue, because you can do > more than crash the server. We don't normally consider simple crashes > as being CVE-worthy problems, but in this case, there's potential for > datatype confusion, which can be leveraged to allow disclosure of server > memory (as we've seen in other bugs before). We also realized that it's > possible to update a column you supposedly don't have privilege to update, > as long as there's some other column you do. > > We've retroactively obtained a CVE number and will be describing this as > a security problem in the release notes. > > regards, tom lane >
Commits
-
Fix INSERT ON CONFLICT UPDATE through a view that isn't just SELECT *.
- 5ad143cda092 9.5.14 landed
- f6a124d019a4 10.5 landed
- e7154b6acfeb 11.0 landed
- b8a1247a34e2 12.0 landed
- b484bffe7d0e 9.6.10 landed