From 9b8271c5a655ef1c35141b266d5039da8d3b2337 Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Mon, 8 Aug 2016 11:56:10 -0400 Subject: [PATCH] Last-minute updates for release notes. Security: CVE-2016-5423, CVE-2016-5424 --- doc/src/sgml/release-9.1.sgml | 80 +++++++++++++++++++ doc/src/sgml/release-9.2.sgml | 80 +++++++++++++++++++ doc/src/sgml/release-9.3.sgml | 80 +++++++++++++++++++ doc/src/sgml/release-9.4.sgml | 80 +++++++++++++++++++ doc/src/sgml/release-9.5.sgml | 145 ++++++++++++++++++++++++++++++++++ 5 files changed, 465 insertions(+) diff --git a/doc/src/sgml/release-9.1.sgml b/doc/src/sgml/release-9.1.sgml index b3a7aa16cc..a66ca0d5b3 100644 --- a/doc/src/sgml/release-9.1.sgml +++ b/doc/src/sgml/release-9.1.sgml 
@@ -40,6 +40,72 @@ + + + Fix possible mis-evaluation of + nested CASE-WHEN expressions (Heikki + Linnakangas, Michael Paquier, Tom Lane) + + + + A CASE expression appearing within the test value + subexpression of another CASE could become confused about + whether its own test value was null or not. Also, inlining of a SQL + function implementing the equality operator used by + a CASE expression could result in passing the wrong test + value to functions called within a CASE expression in the + SQL function's body. If the test values were of different data + types, a crash might result; moreover such situations could be abused + to allow disclosure of portions of server memory. (CVE-2016-5423) + + + + + + Fix client programs' handling of special characters in database and + role names (Noah Misch, Nathan Bossart, Michael Paquier) + + + + Numerous places in vacuumdb and other client programs + could become confused by database and role names containing double + quotes or backslashes. Tighten up quoting rules to make that safe. + Also, ensure that when a conninfo string is used as a database name + parameter to these programs, it is correctly treated as such throughout. + + + + Fix handling of paired double quotes + in psql's \connect + and \password commands to match the documentation. + + + + Introduce a new + + + pg_dumpall now refuses to deal with database and role + names containing carriage returns or newlines, as it seems impractical + to quote those characters safely on Windows. In future we may reject + such names on the server side, but that step has not been taken yet. + + + + These are considered security fixes because crafted object names + containing special characters could have been used to execute + commands with superuser privileges the next time a superuser + executes pg_dumpall or other routine maintenance + operations. (CVE-2016-5424) + + + Fix corner-case misbehaviors for IS NULL/IS NOT 
@@ -77,6 +143,20 @@ + + + Fix several one-byte buffer over-reads in to_number() + (Peter Eisentraut) + + + + In several cases the to_number() function would read one + more character than it should from the input string. There is a + small chance of a crash, if the input happens to be adjacent to the + end of memory. + + + Avoid unsafe intermediate state during expensive paths diff --git a/doc/src/sgml/release-9.2.sgml b/doc/src/sgml/release-9.2.sgml index 22430cb501..c801f98c3f 100644 --- a/doc/src/sgml/release-9.2.sgml +++ b/doc/src/sgml/release-9.2.sgml 
@@ -34,6 +34,72 @@ + + + Fix possible mis-evaluation of + nested CASE-WHEN expressions (Heikki + Linnakangas, Michael Paquier, Tom Lane) + + + + A CASE expression appearing within the test value + subexpression of another CASE could become confused about + whether its own test value was null or not. Also, inlining of a SQL + function implementing the equality operator used by + a CASE expression could result in passing the wrong test + value to functions called within a CASE expression in the + SQL function's body. If the test values were of different data + types, a crash might result; moreover such situations could be abused + to allow disclosure of portions of server memory. (CVE-2016-5423) + + + + + + Fix client programs' handling of special characters in database and + role names (Noah Misch, Nathan Bossart, Michael Paquier) + + + + Numerous places in vacuumdb and other client programs + could become confused by database and role names containing double + quotes or backslashes. Tighten up quoting rules to make that safe. + Also, ensure that when a conninfo string is used as a database name + parameter to these programs, it is correctly treated as such throughout. + + + + Fix handling of paired double quotes + in psql's \connect + and \password commands to match the documentation. + + + + Introduce a new + + + pg_dumpall now refuses to deal with database and role + names containing carriage returns or newlines, as it seems impractical + to quote those characters safely on Windows. In future we may reject + such names on the server side, but that step has not been taken yet. + + + + These are considered security fixes because crafted object names + containing special characters could have been used to execute + commands with superuser privileges the next time a superuser + executes pg_dumpall or other routine maintenance + operations. (CVE-2016-5424) + + + Fix corner-case misbehaviors for IS NULL/IS NOT 
@@ -71,6 +137,20 @@ + + + Fix several one-byte buffer over-reads in to_number() + (Peter Eisentraut) + + + + In several cases the to_number() function would read one + more character than it should from the input string. There is a + small chance of a crash, if the input happens to be adjacent to the + end of memory. + + + Avoid unsafe intermediate state during expensive paths diff --git a/doc/src/sgml/release-9.3.sgml b/doc/src/sgml/release-9.3.sgml index 81feb3e442..c75f1109e1 100644 --- a/doc/src/sgml/release-9.3.sgml +++ b/doc/src/sgml/release-9.3.sgml 
@@ -34,6 +34,72 @@ + + + Fix possible mis-evaluation of + nested CASE-WHEN expressions (Heikki + Linnakangas, Michael Paquier, Tom Lane) + + + + A CASE expression appearing within the test value + subexpression of another CASE could become confused about + whether its own test value was null or not. Also, inlining of a SQL + function implementing the equality operator used by + a CASE expression could result in passing the wrong test + value to functions called within a CASE expression in the + SQL function's body. If the test values were of different data + types, a crash might result; moreover such situations could be abused + to allow disclosure of portions of server memory. (CVE-2016-5423) + + + + + + Fix client programs' handling of special characters in database and + role names (Noah Misch, Nathan Bossart, Michael Paquier) + + + + Numerous places in vacuumdb and other client programs + could become confused by database and role names containing double + quotes or backslashes. Tighten up quoting rules to make that safe. + Also, ensure that when a conninfo string is used as a database name + parameter to these programs, it is correctly treated as such throughout. + + + + Fix handling of paired double quotes + in psql's \connect + and \password commands to match the documentation. + + + + Introduce a new + + + pg_dumpall now refuses to deal with database and role + names containing carriage returns or newlines, as it seems impractical + to quote those characters safely on Windows. In future we may reject + such names on the server side, but that step has not been taken yet. + + + + These are considered security fixes because crafted object names + containing special characters could have been used to execute + commands with superuser privileges the next time a superuser + executes pg_dumpall or other routine maintenance + operations. (CVE-2016-5424) + + + Fix corner-case misbehaviors for IS NULL/IS NOT 
@@ -78,6 +144,20 @@ + + + Fix several one-byte buffer over-reads in to_number() + (Peter Eisentraut) + + + + In several cases the to_number() function would read one + more character than it should from the input string. There is a + small chance of a crash, if the input happens to be adjacent to the + end of memory. + + + Do not run the planner on the query contained in CREATE diff --git a/doc/src/sgml/release-9.4.sgml b/doc/src/sgml/release-9.4.sgml index 7849e02f0d..443c772846 100644 --- a/doc/src/sgml/release-9.4.sgml +++ b/doc/src/sgml/release-9.4.sgml 
@@ -33,6 +33,72 @@ + + + Fix possible mis-evaluation of + nested CASE-WHEN expressions (Heikki + Linnakangas, Michael Paquier, Tom Lane) + + + + A CASE expression appearing within the test value + subexpression of another CASE could become confused about + whether its own test value was null or not. Also, inlining of a SQL + function implementing the equality operator used by + a CASE expression could result in passing the wrong test + value to functions called within a CASE expression in the + SQL function's body. If the test values were of different data + types, a crash might result; moreover such situations could be abused + to allow disclosure of portions of server memory. (CVE-2016-5423) + + + + + + Fix client programs' handling of special characters in database and + role names (Noah Misch, Nathan Bossart, Michael Paquier) + + + + Numerous places in vacuumdb and other client programs + could become confused by database and role names containing double + quotes or backslashes. Tighten up quoting rules to make that safe. + Also, ensure that when a conninfo string is used as a database name + parameter to these programs, it is correctly treated as such throughout. + + + + Fix handling of paired double quotes + in psql's \connect + and \password commands to match the documentation. + + + + Introduce a new + + + pg_dumpall now refuses to deal with database and role + names containing carriage returns or newlines, as it seems impractical + to quote those characters safely on Windows. In future we may reject + such names on the server side, but that step has not been taken yet. + + + + These are considered security fixes because crafted object names + containing special characters could have been used to execute + commands with superuser privileges the next time a superuser + executes pg_dumpall or other routine maintenance + operations. (CVE-2016-5424) + + + Fix corner-case misbehaviors for IS NULL/IS NOT 
@@ -77,6 +143,20 @@ + + + Fix several one-byte buffer over-reads in to_number() + (Peter Eisentraut) + + + + In several cases the to_number() function would read one + more character than it should from the input string. There is a + small chance of a crash, if the input happens to be adjacent to the + end of memory. + + + Do not run the planner on the query contained in CREATE diff --git a/doc/src/sgml/release-9.5.sgml b/doc/src/sgml/release-9.5.sgml index 26f1d2847e..fa3537de10 100644 --- a/doc/src/sgml/release-9.5.sgml +++ b/doc/src/sgml/release-9.5.sgml 
@@ -36,6 +36,128 @@ + + Fix possible mis-evaluation of + nested CASE-WHEN expressions (Heikki + Linnakangas, Michael Paquier, Tom Lane) + + + + A CASE expression appearing within the test value + subexpression of another CASE could become confused about + whether its own test value was null or not. Also, inlining of a SQL + function implementing the equality operator used by + a CASE expression could result in passing the wrong test + value to functions called within a CASE expression in the + SQL function's body. If the test values were of different data + types, a crash might result; moreover such situations could be abused + to allow disclosure of portions of server memory. (CVE-2016-5423) + + + + + + + Fix client programs' handling of special characters in database and + role names (Noah Misch, Nathan Bossart, Michael Paquier) + + + + Numerous places in vacuumdb and other client programs + could become confused by database and role names containing double + quotes or backslashes. Tighten up quoting rules to make that safe. + Also, ensure that when a conninfo string is used as a database name + parameter to these programs, it is correctly treated as such throughout. + + + + Fix handling of paired double quotes + in psql's \connect + and \password commands to match the documentation. + + + + Introduce a new + + + pg_dumpall now refuses to deal with database and role + names containing carriage returns or newlines, as it seems impractical + to quote those characters safely on Windows. In future we may reject + such names on the server side, but that step has not been taken yet. + + + + These are considered security fixes because crafted object names + containing special characters could have been used to execute + commands with superuser privileges the next time a superuser + executes pg_dumpall or other routine maintenance + operations. 
(CVE-2016-5424) + + + + + + + Fix several one-byte buffer over-reads in to_number() + (Peter Eisentraut) + + + + In several cases the to_number() function would read one + more character than it should from the input string. There is a + small chance of a crash, if the input happens to be adjacent to the + end of memory. + + + + +
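Review bot: the item that reads "Introduce a new" in the CVE-2016-5424 block of every release-9.x.sgml hunk ends mid-sentence, so the reader is never told what was introduced or why it belongs among the security fixes; please complete that paragraph (name the new option or behaviour and say in one sentence what it is for) before this ships, since an empty entry in a security-flagged section will draw questions.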
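Review bot: the CVE-2016-5424 paragraph in each hunk tells administrators what happens the next time a superuser runs pg_dumpall, but gives them no way to tell whether their cluster already contains database or role names with double quotes, backslashes, carriage returns or newlines; consider adding a sentence advising them to inspect existing database and role names for those characters before relying on the new pg_dumpall refusal, and flagging that the "\connect" and "\password" quoting change is a behaviour change that scripts depending on the old handling may notice.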
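Review bot: in the to_number() item of each second hunk (and the tail of the 9.5 hunk), "adjacent to the end of memory" is imprecise; a one-byte over-read only faults when the byte after the input string lies in unmapped memory, so consider wording it that way and making explicit that this is a read, not a write, so readers can judge the severity correctly.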