|
35 | 35 |
|
36 | 36 | <listitem> |
37 | 37 | <!-- |
| 38 | +Author: Noah Misch <noah@leadboat.com> |
| 39 | +Branch: master [ffa2d37e5] 2019-08-05 07:48:41 -0700 |
| 40 | +Branch: REL_12_STABLE [9993fa9dd] 2019-08-05 07:48:45 -0700 |
| 41 | +Branch: REL_11_STABLE [21f94c51f] 2019-08-05 07:48:45 -0700 |
| 42 | +Branch: REL_10_STABLE [2062007cb] 2019-08-05 07:48:45 -0700 |
| 43 | +Branch: REL9_6_STABLE [7da46192d] 2019-08-05 07:48:45 -0700 |
| 44 | +Branch: REL9_5_STABLE [752fa3dbf] 2019-08-05 07:48:45 -0700 |
| 45 | +Branch: REL9_4_STABLE [86737438b] 2019-08-05 07:48:46 -0700 |
| 46 | +--> |
| 47 | + <para> |
| 48 | + Require schema qualification to cast to a temporary type when using |
| 49 | + functional cast syntax (Noah Misch) |
| 50 | + </para> |
| 51 | + |
| 52 | + <para> |
| 53 | + We have long required invocations of temporary functions to |
| 54 | + explicitly specify the temporary schema, that |
| 55 | + is <literal>pg_temp.<replaceable>func_name</replaceable>(<replaceable>args</replaceable>)</literal>. |
| 56 | + Require this as well for casting to temporary types using functional |
| 57 | + notation, for |
| 58 | + example <literal>pg_temp.<replaceable>type_name</replaceable>(<replaceable>arg</replaceable>)</literal>. |
| 59 | + Otherwise it's possible to capture a function call using a temporary |
| 60 | + object, allowing privilege escalation in much the same ways that we |
| 61 | + blocked in CVE-2007-2138. |
| 62 | + (CVE-2019-10208) |
| 63 | + </para> |
| 64 | + </listitem> |
| 65 | + |
| 66 | + <listitem> |
| 67 | +<!-- |
| 68 | +Author: Tom Lane <tgl@sss.pgh.pa.us> |
| 69 | +Branch: master [4766dce0d] 2019-08-05 11:20:31 -0400 |
| 70 | +Branch: REL_12_STABLE [de4b75c15] 2019-08-05 11:20:33 -0400 |
| 71 | +Branch: REL_11_STABLE [a034418cf] 2019-08-05 11:20:34 -0400 |
| 72 | +--> |
| 73 | + <para> |
| 74 | + Fix execution of hashed subplans that require cross-type comparison |
| 75 | + (Tom Lane, Andreas Seltenreich) |
| 76 | + </para> |
| 77 | + |
| 78 | + <para> |
| 79 | + Hashed subplans used the outer query's original comparison operator |
| 80 | + to compare entries of the hash table. This is the wrong thing if |
| 81 | + that operator is cross-type, since all the hash table entries will |
| 82 | + be of the subquery's output type. For the set of hashable |
| 83 | + cross-type operators in core <productname>PostgreSQL</productname>, |
| 84 | + this mistake seems nearly harmless on 64-bit machines, but it can |
| 85 | + result in crashes or perhaps unauthorized disclosure of server |
| 86 | + memory on 32-bit machines. Extensions might provide hashable |
| 87 | + cross-type operators that create larger risks. |
| 88 | + (CVE-2019-10209) |
| 89 | + </para> |
| 90 | + </listitem> |
| 91 | + |
| 92 | + <listitem> |
| 93 | +<!-- |
38 | 94 | Author: Tom Lane <tgl@sss.pgh.pa.us> |
39 | 95 | Branch: master Release: REL_12_BR [f946a4091] 2019-06-24 16:43:21 -0400 |
40 | 96 | Branch: REL_11_STABLE [afaf48afb] 2019-06-24 16:43:05 -0400 |
|