Re: Fwd: Problem with a "complex" upsert

Mario De Frutos Dieguez <mariodefrutos@gmail.com>

From: Mario de Frutos Dieguez <mariodefrutos@gmail.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Dean Rasheed <dean.a.rasheed@gmail.com>, Andres Freund <andres@anarazel.de>, Amit Langote <Langote_Amit_f8@lab.ntt.co.jp>, pgsql-bugs@lists.postgresql.org
Date: 2018-08-06T16:48:19Z
Lists: pgsql-bugs
Wow glad to have discovered it by chance! Great news to have it fixed :))))

2018-08-06 18:41 GMT+02:00 Tom Lane <tgl@sss.pgh.pa.us>:
> I wrote:
>> Attached is our finished patch against HEAD.  This is pretty much all
>> Dean's work, but I'm posting it on his behalf because it's late in the UK
>> and he's gone offline for the day.  In the interests of getting a
>> full set of buildfarm testing on the patch before Monday's wrap deadline,
>> I'm going to finish up back-porting the patch and push it tonight.
>
> Final(?) note on this thread --- the security team realized over the
> weekend that this bug constitutes a security issue, because you can do
> more than crash the server.  We don't normally consider simple crashes
> as being CVE-worthy problems, but in this case, there's potential for
> datatype confusion, which can be leveraged to allow disclosure of server
> memory (as we've seen in other bugs before).  We also realized that it's
> possible to update a column you supposedly don't have privilege to update,
> as long as there's some other column you do.
>
> We've retroactively obtained a CVE number and will be describing this as
> a security problem in the release notes.
>
>                         regards, tom lane
>


Commits

  1. Fix INSERT ON CONFLICT UPDATE through a view that isn't just SELECT *.