]> granicus.if.org Git - postgresql/commit
projects / postgresql / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 1560996) | patch
Require update permission for the large object written by lo_put().
authorTom Lane <tgl@sss.pgh.pa.us>
Mon, 7 Aug 2017 14:19:01 +0000 (10:19 -0400)
committerTom Lane <tgl@sss.pgh.pa.us>
Mon, 7 Aug 2017 14:19:20 +0000 (10:19 -0400)
commit52a414387e192a89f5fec19d9876159d03cf112b
tree4c2c003d69f481d81bb6ff55c15cb3bde0f47d76tree | snapshot
parent156099630320fcb72d41ae90b91f15ed0dfbc271commit | diff
Require update permission for the large object written by lo_put().

lo_put() surely should require UPDATE permission, the same as lowrite(),
but it failed to check for that, as reported by Chapman Flack.  Oversight
in commit c50b7c09d; backpatch to 9.4 where that was introduced.

Tom Lane and Michael Paquier

Security: CVE-2017-7548
src/backend/libpq/be-fsstubs.c diff | blob | history
src/test/regress/expected/privileges.out diff | blob | history
src/test/regress/sql/privileges.sql diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.