Upgrade to 11.3, released on 2019-05-09
Prevent row-level security policies from being bypassed via selectivity estimators (Dean Rasheed)
Some of the planner's selectivity estimators apply user-defined operators to values found in pg_statistic (e.g., most-common values). A leaky operator therefore can disclose some of the entries in a data column, even if the calling user lacks permission to read that column. In CVE-2017-7484 we added restrictions to forestall that, but we failed to consider the effects of row-level security. A user who has SQL permission to read a column, but who is forbidden to see certain rows due to RLS policy, might still learn something about those rows' contents via a leaky operator. This patch further tightens the rules, allowing leaky operators to be applied to statistics data only when there is no relevant RLS policy. (CVE-2019-10130)
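The rule this fix enforces, seen from the defender's side, as an added example that is not part of the release notes: a column the user may read but whose rows are filtered by an RLS policy, an audit of which operators are not LEAKPROOF (the only ones the planner may still apply to statistics while a policy applies), and the matching visibility rule that the pg_stats view already implements. Table, role and policy names are constructed and the script assumes a superuser session.

```sql
-- Constructed schema: table, role and policy names are not from the release notes.
CREATE TABLE patient (id int PRIMARY KEY, clinic text, diagnosis text);
INSERT INTO patient VALUES
    (1, 'north', 'flu'),     (2, 'north', 'flu'),
    (3, 'south', 'measles'), (4, 'south', 'measles');
CREATE ROLE north_staff;
GRANT SELECT ON patient TO north_staff;         -- column-level SQL permission is granted...
ALTER TABLE patient ENABLE ROW LEVEL SECURITY;  -- ...but rows are restricted by policy
CREATE POLICY north_only ON patient FOR SELECT TO north_staff
    USING (clinic = 'north');
ANALYZE patient;   -- repeated values end up in pg_statistic's most-common-values list

-- Audit which text operators the planner may still feed statistics to while a
-- policy applies: only those whose implementing function is marked LEAKPROOF.
SELECT o.oprname, p.proname, p.proleakproof
FROM pg_operator o
JOIN pg_proc p ON p.oid = o.oprcode
WHERE o.oprleft = 'text'::regtype AND o.oprright = 'text'::regtype
ORDER BY p.proleakproof DESC, o.oprname;

-- pg_stats applies the same rule as the fixed planner: row_security_active()
-- is true for north_staff on this table, so the view shows that role nothing,
-- whereas the table owner (RLS does not apply) sees the MCV list with 'measles'.
SET ROLE north_staff;
SELECT attname, most_common_vals FROM pg_stats WHERE tablename = 'patient';
RESET ROLE;
SELECT attname, most_common_vals FROM pg_stats WHERE tablename = 'patient';
```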
Avoid access to already-freed memory during partition routing error reports (Michael Paquier)
This mistake could lead to a crash, and in principle it might be possible to use it to disclose server memory contents. (CVE-2019-10129)
Avoid catalog corruption when an ALTER TABLE on a partitioned table finds that a partitioned index is reusable (Amit Langote, Tom Lane)
This occurs, for example, when ALTER COLUMN TYPE finds that no physical table rewrite is required.
Avoid catalog corruption when a temporary table with ON COMMIT DROP and an identity column is created in a single-statement transaction (Peter Eisentraut)
This hazard was overlooked because the case is not actually useful, since the temporary table would be dropped immediately after creation.
Fix failure in ALTER INDEX ... ATTACH PARTITION if the partitioned table contains more dropped columns than its partition does (Álvaro Herrera)
Fix failure to attach a partition's existing index to a newly-created partitioned index in some cases (Amit Langote, Álvaro Herrera)
This would lead to errors such as “index ... not found in partition” in subsequent DDL that uses the partitioned index.
Avoid crash when an EPQ recheck is performed for a partitioned query result relation (Amit Langote)
This occurs when using READ COMMITTED isolation level and another session has concurrently updated some of the target row(s).
Fix tuple routing in multi-level partitioned tables that have dropped attributes (Amit Langote, Michael Paquier)
Fix failure when the slow path of foreign key constraint initial validation is applied to partitioned tables (Hadi Moshayedi, Tom Lane, Andres Freund)
This didn't manifest except in the uncommon cases where the fast path can't be used (such as permissions problems).
Fix behavior for an UPDATE or DELETE on an inheritance tree or partitioned table in which every table can be excluded (Amit Langote, Tom Lane)
In such cases, the query did not report the correct set of output columns when a RETURNING clause was present, and if there were any statement-level triggers that should be fired, it didn't fire them.
When accessing a partition directly, and constraint_exclusion is set to on, use the partition's partition constraint as well as any CHECK constraints for exclusion checking (Amit Langote, Tom Lane)
This change restores the behavior to what it was in v10.
Avoid server crash when an error occurs while trying to persist a cursor query across a transaction commit (Tom Lane)
If a procedure attempts to commit while it has an open explicit or implicit cursor (for example, a PL/pgSQL FOR-loop query), the cursor must be executed to completion and its results saved before the transaction commit can be performed. An error occurring during such execution led to a crash.
Avoid throwing incorrect errors for updates of temporary tables and unlogged tables when a FOR ALL TABLES publication exists (Peter Eisentraut)
Such tables should be ignored for publication purposes, but some parts of the code failed to do so.
Fix handling of explicit DEFAULT items in an INSERT ... VALUES command with multiple VALUES rows, if the target relation is an updatable view (Amit Langote, Dean Rasheed)
When the updatable view has no default for the column but its underlying table has one, a single-row INSERT ... VALUES will use the underlying table's default. In the multi-row case, however, NULL was always used. Correct it to act like the single-row case.
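The single-row versus multi-row DEFAULT behaviour described here, as an added example that is not part of the release notes; the table and view names are constructed.

```sql
-- Constructed schema; the table and view names are not from the release notes.
CREATE TABLE audit_log (
    id     serial PRIMARY KEY,
    actor  text,
    action text DEFAULT 'login'     -- the default lives on the table only
);
-- A simple, automatically updatable view with no default of its own for "action".
CREATE VIEW audit_log_v AS SELECT actor, action FROM audit_log;

-- Single-row form: the explicit DEFAULT has always resolved to the table's
-- default, so this row stores action = 'login'.
INSERT INTO audit_log_v (actor, action) VALUES ('alice', DEFAULT);

-- Multi-row form: before 11.3 each explicit DEFAULT silently became NULL
-- here; from 11.3 on both rows store 'login', matching the single-row case.
INSERT INTO audit_log_v (actor, action)
VALUES ('bob', DEFAULT), ('carol', DEFAULT);

-- Integrity check usable on either side of the upgrade: a row with a NULL
-- action was written by the pre-fix code path.
SELECT actor, action IS NULL AS default_was_lost
FROM audit_log
ORDER BY id;
```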
Fix CREATE VIEW to allow zero-column views (Ashutosh Sharma)
We should allow this for consistency with allowing zero-column tables. Since a table can be converted to a view, zero-column views could be created even with the restriction in place, leading to dump/reload failures.
Add missing support for CREATE TABLE IF NOT EXISTS ... AS EXECUTE ... (Andreas Karlsson)
The combination of IF NOT EXISTS and EXECUTE should work, but the grammar omitted it.
Ensure that sub-SELECTs appearing in row-level-security policy expressions are executed with the correct user's permissions (Dean Rasheed)
Previously, if the table having the RLS policy was accessed via a view, such checks might be executed as the user calling the view, not as the view owner as they should be.
Accept XML documents as valid values of type xml when xmloption is set to content, as required by SQL:2006 and later (Chapman Flack)
Previously PostgreSQL followed the SQL:2003 definition, which doesn't allow this. But that creates a serious problem for dump/restore: there is no setting of xmloption that will accept all valid XML data. Hence, switch to the 2006 definition.
pg_dump is also modified to emit SET xmloption = content while restoring data, ensuring that dump/restore works even if the prevailing setting is document.
Improve server's startup-time checks for whether a pre-existing shared memory segment is still in use (Noah Misch)
The postmaster is now more likely to detect that there are still active processes from a previous postmaster incarnation, even if the postmaster.pid file has been removed.
Avoid possible division-by-zero in btree index vacuum logic (Piotr Stefaniak, Alexander Korotkov)
This could lead to incorrect decisions about whether index cleanup is needed.
Avoid counting parallel workers' transactions as separate transactions (Haribabu Kommi)
Fix incompatibility of GIN-index WAL records (Alexander Korotkov)
A fix applied in February's minor releases was not sufficiently careful about backwards compatibility, leading to problems if a standby server of that vintage reads GIN page-deletion WAL records generated by a primary server of a previous minor release.
Fix possible crash while executing a SHOW command in a replication connection (Michael Paquier)
Avoid server memory leak when fetching rows from a portal one at a time (Tom Lane)
Avoid memory leak when a partition's relation cache entry is rebuilt (Amit Langote, Tom Lane)
Tolerate EINVAL and ENOSYS error results, where appropriate, for fsync and sync_file_range calls (Thomas Munro, James Sewell)
The previous change to panic on file synchronization failures turns out to have been excessively paranoid for certain cases where a failure is predictable and essentially means “operation not supported”.
Report correct relation name in autovacuum's pg_stat_activity display during BRIN summarize operations (Álvaro Herrera)
Avoid crash when trying to plan a partition-wise join when GEQO is active (Tom Lane)
Fix “failed to build any N-way joins” planner failures with lateral references leading out of FULL outer joins (Tom Lane)
Fix misplanning of queries in which a set-returning function is applied to a relation that is provably empty (Tom Lane, Julien Rouhaud)
In v10, this oversight only led to slightly inefficient plans, but in v11 it could cause “set-valued function called in context that cannot accept a set” errors.
Check the appropriate user's permissions when enforcing rules about letting a leaky operator see pg_statistic data (Dean Rasheed)
When an underlying table is being accessed via a view, consider the privileges of the view owner while deciding whether leaky operators may be applied to the table's statistics data, rather than the privileges of the user making the query. This makes the planner's rules about what data is visible match up with the executor's, avoiding unnecessarily-poor plans.
Fix planner's parallel-safety assessment for grouped queries (Etsuro Fujita)
Previously, target-list evaluation work that could have been parallelized might not be.
Fix mishandling of “included” index columns in planner's unique-index logic (Tom Lane)
This could result in failing to recognize that a unique index with included columns proves uniqueness of a query result, leading to a poor plan.
Fix incorrect strictness check for array coercion expressions (Tom Lane)
This might allow, for example, incorrect inlining of a strict SQL function, leading to non-enforcement of the strictness condition.
Speed up planning when there are many equality conditions and many potentially-relevant foreign key constraints (David Rowley)
Avoid O(N^2) performance issue when rolling back a transaction that created many tables (Tomas Vondra)
Fix corner-case server crashes in dynamic shared memory allocation (Thomas Munro, Robert Haas)
Fix race conditions in management of dynamic shared memory (Thomas Munro)
These could lead to “dsa_area could not attach to segment” or “cannot unpin a segment that is not pinned” errors.
Fix race condition in which a hot-standby postmaster could fail to shut down after receiving a smart-shutdown request (Tom Lane)
Fix possible crash when pg_identify_object_as_address() is given invalid input (Álvaro Herrera)
Fix possible “could not access status of transaction” failures in txid_status() (Thomas Munro)
Fix authentication failure when attempting to use SCRAM authentication with mixed OpenSSL library versions (Michael Paquier, Peter Eisentraut)
If libpq is using OpenSSL 1.0.1 or older while the server is using OpenSSL 1.0.2 or newer, the negotiation of which SASL mechanism to use went wrong, leading to a confusing “channel binding not supported by this build” error message.
Tighten validation of encoded SCRAM-SHA-256 and MD5 passwords (Jonathan Katz)
A password string that had the right initial characters could be mistaken for one that is correctly hashed into SCRAM-SHA-256 or MD5 format. The password would be accepted but would be unusable later.
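The difference between a prefix check and a full-format check, as an added plpgsql example that is not PostgreSQL's own code: it classifies a password string by the verifier layouts the server stores, MD5 as md5 followed by 32 hex digits and SCRAM as SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey> with base64-encoded fields, and rejects strings that merely start correctly or whose keys decode to the wrong length. The function name and all sample inputs are constructed.

```sql
-- Added example, not PostgreSQL's own code. Classifies a password string by
-- the stored-verifier layouts: MD5 is "md5" plus 32 hex digits; SCRAM is
-- SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>, base64 fields.
-- Anything else is plaintext that must still be hashed before storage.
CREATE OR REPLACE FUNCTION password_string_type(pw text) RETURNS text
LANGUAGE plpgsql IMMUTABLE STRICT AS $func$
DECLARE
    m text[];
BEGIN
    -- MD5 form: the whole string is checked, not just the "md5" prefix.
    IF pw ~ '^md5[0-9a-f]{32}$' THEN
        RETURN 'md5';
    END IF;

    -- SCRAM form: split into iteration count, salt, StoredKey, ServerKey.
    m := regexp_match(pw,
        '^SCRAM-SHA-256\$([0-9]+):([A-Za-z0-9+/=]+)\$([A-Za-z0-9+/=]+):([A-Za-z0-9+/=]+)$');
    IF m IS NULL OR m[1]::bigint < 1 THEN
        RETURN 'plain';
    END IF;

    -- StoredKey and ServerKey are SHA-256 outputs, so each must decode to
    -- exactly 32 bytes; checking the decoded length before any copy into a
    -- fixed-size key buffer is what keeps a parser out of the overflow class.
    IF octet_length(decode(m[2], 'base64')) = 0
       OR octet_length(decode(m[3], 'base64')) <> 32
       OR octet_length(decode(m[4], 'base64')) <> 32 THEN
        RETURN 'plain';
    END IF;
    RETURN 'scram-sha-256';
EXCEPTION
    WHEN OTHERS THEN   -- malformed base64 or an oversized count raises: treat as plaintext
        RETURN 'plain';
END
$func$;

-- Constructed inputs (no real credentials): a well-formed MD5 hash, a string
-- with only the right prefix, a well-formed SCRAM verifier, and one whose
-- keys are valid base64 but the wrong length.
SELECT password_string_type('md5' || md5('secretalice'))          AS md5_ok,
       password_string_type('md5not-really-a-hash')                AS md5_prefix_only,
       password_string_type('SCRAM-SHA-256$4096:c2FsdA==$'
                            || encode(sha256('k1'), 'base64') || ':'
                            || encode(sha256('k2'), 'base64'))      AS scram_ok,
       password_string_type('SCRAM-SHA-256$4096:c2FsdA==$YWJj:ZGVm') AS scram_wrong_key_len;
```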
Fix handling of lc_time settings that imply an encoding different from the database's encoding (Juan José Santamaría Flecha, Tom Lane)
Localized month or day names that include non-ASCII characters previously caused unexpected errors or wrong output in such locales.
Create the current_logfiles file with the same permissions as other files in the server's data directory (Haribabu Kommi)
Previously it used the permissions specified by log_file_mode, but that can cause problems for backup utilities.
Fix incorrect operator_precedence_warning checks involving unary minus operators (Rikard Falkeborn)
Disallow NaN as a value for floating-point server parameters (Tom Lane)
Rearrange REINDEX processing to avoid assertion failures when reindexing individual indexes of pg_class (Andres Freund, Tom Lane)
Fix planner assertion failure for parameterized dummy paths (Tom Lane)
Insert correct test function in the result of SnapBuildInitialSnapshot() (Antonin Houska)
No core code cares about this, but some extensions do.
Fix intermittent “could not reattach to shared memory” session startup failures on Windows (Noah Misch)
A previously unrecognized source of these failures is creation of thread stacks for a process's default thread pool. Arrange for such stacks to be allocated in a different memory region.
Fix error detection in directory scanning on Windows (Konstantin Knizhnik)
Errors, such as lack of permissions to read the directory, were not detected or reported correctly; instead the code silently acted as though the directory were empty.
Fix grammar problems in ecpg (Tom Lane)
A missing semicolon led to mistranslation of SET variable = DEFAULT (but not SET variable TO DEFAULT) in ecpg programs, producing syntactically invalid output that the server would reject. Additionally, in a DROP TYPE or DROP DOMAIN command that listed multiple type names, only the first type name was actually processed.
Sync ecpg's syntax for CREATE TABLE AS with the server's (Daisuke Higuchi)
Fix possible buffer overruns in ecpg's processing of include filenames (Liu Huailing, Fei Wu)
Fix pg_rewind failures due to failure to remove some transient files in the target data directory (Michael Paquier)
Make pg_verify_checksums verify that the data directory it's pointed at is of the right PostgreSQL version (Michael Paquier)
Avoid crash in contrib/postgres_fdw when a query using remote grouping or aggregation has a SELECT-list item that is an uncorrelated sub-select, outer reference, or parameter symbol (Tom Lane)
Change contrib/postgres_fdw to report an error when a remote partition chosen to insert a routed row into is also an UPDATE subplan target that will be updated later in the same command (Amit Langote, Etsuro Fujita)
Previously, such situations led to server crashes or incorrect results of the UPDATE. Allowing such cases to work correctly is a matter for future work.
In contrib/pg_prewarm, avoid indefinitely respawning background worker processes if prewarming fails for some reason (Mithun Cy)
Avoid crash in contrib/vacuumlo if an lo_unlink() call failed (Tom Lane)
Sync our copy of the timezone library with IANA tzcode release 2019a (Tom Lane)
This corrects a small bug in zic that caused it to output an incorrect year-2440 transition in the Africa/Casablanca zone, and adds support for zic's new -r option.
Update time zone data files to tzdata release 2019a for DST law changes in Palestine and Metlakatla, plus historical corrections for Israel.
Etc/UCT is now a backward-compatibility link to Etc/UTC, instead of being a separate zone that generates the abbreviation UCT, which nowadays is typically a typo. PostgreSQL will still accept UCT as an input zone abbreviation, but it won't output it.
Upgrade to 11.4, released on 2019-06-20
Fix buffer-overflow hazards in SCRAM verifier parsing (Jonathan Katz, Heikki Linnakangas, Michael Paquier)
Any authenticated user could cause a stack-based buffer overflow by changing their own password to a purpose-crafted value. In addition to the ability to crash the PostgreSQL server, this could suffice for executing arbitrary code as the PostgreSQL operating system account.
A similar overflow hazard existed in libpq, which could allow a rogue server to crash a client or perhaps execute arbitrary code as the client's operating system account.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2019-10164)
Fix assorted errors in run-time partition pruning logic (Tom Lane, Amit Langote, David Rowley)
These mistakes could lead to wrong answers in queries on partitioned tables, if the comparison value used for pruning is dynamically determined, or if multiple range-partitioned columns are involved in pruning decisions, or if stable (not immutable) comparison operators are involved.
Fix possible crash while trying to copy trigger definitions to a new partition (Tom Lane)
Fix failure of ALTER TABLE ... ALTER COLUMN TYPE when the table has a partial exclusion constraint (Tom Lane)
Fix failure of COMMENT command for comments on domain constraints (Daniel Gustafsson, Michael Paquier)
Prevent possible memory clobber when there are duplicate columns in a hash aggregate's hash key list (Andrew Gierth)
Fix incorrect argument null-ness checking during partial aggregation of aggregates with zero or multiple arguments (David Rowley, Kyotaro Horiguchi, Andres Freund)
Fix faulty generation of merge-append plans (Tom Lane)
This mistake could lead to “could not find pathkey item to sort” errors.
Fix incorrect printing of queries with duplicate join names (Philip Dubé)
This oversight caused a dump/restore failure for views containing such queries.
Fix conversion of JSON string literals to JSON-type output columns in json_to_record() and json_populate_record() (Tom Lane)
Such cases should produce the literal as a standalone JSON value, but the code misbehaved if the literal contained any characters requiring escaping.
Fix misoptimization of {1,1} quantifiers in regular expressions (Tom Lane)
Such quantifiers were treated as no-ops and optimized away; but the documentation specifies that they impose greediness, or non-greediness in the case of the non-greedy variant {1,1}?, on the subexpression they're attached to, and this did not happen. The misbehavior occurred only if the subexpression contained capturing parentheses or a back-reference.
Avoid writing an invalid empty btree index page in the unlikely case that a failure occurs while processing INCLUDEd columns during a page split (Peter Geoghegan)
The invalid page would not affect normal index operations, but it might cause failures in subsequent VACUUMs. If that has happened to one of your indexes, recover by reindexing the index.
Avoid possible failures while initializing a new process's pg_stat_activity data (Tom Lane)
Certain operations that could fail, such as converting strings extracted from an SSL certificate into the database encoding, were being performed inside a critical section. Failure there would result in database-wide lockup due to violating the access protocol for shared pg_stat_activity data.
Fix race condition in check to see whether a pre-existing shared memory segment is still in use by a conflicting postmaster (Tom Lane)
Fix unsafe coding in walreceiver's signal handler (Tom Lane)
This avoids rare problems in which the walreceiver process would crash or deadlock when commanded to shut down.
Avoid attempting to do database accesses for parameter checking in processes that are not connected to a specific database (Vignesh C, Andres Freund)
This error could result in failures like “cannot read pg_class without having selected a database”.
Avoid possible hang in libpq if using SSL and OpenSSL's pending-data buffer contains an exact multiple of 256 bytes (David Binderman)
Improve initdb's handling of multiple equivalent names for the system time zone (Tom Lane, Andrew Gierth)
Make initdb examine the /etc/localtime symbolic link, if that exists, to break ties between equivalent names for the system time zone. This makes initdb more likely to select the time zone name that the user would expect when multiple identical time zones exist. It will not change the behavior if /etc/localtime is not a symlink to a zone data file, nor if the time zone is determined from the TZ environment variable.
Separately, prefer UTC over other spellings of that time zone, when neither TZ nor /etc/localtime provides a hint. This fixes an annoyance introduced by tzdata 2019a's change to make the UCT and UTC zone names equivalent: initdb was then preferring UCT, which almost nobody wants.
Fix ordering of GRANT commands emitted by pg_dump and pg_dumpall for databases and tablespaces (Nathan Bossart, Michael Paquier)
If cascading grants had been issued, restore might fail due to the GRANT commands being given in an order that didn't respect their interdependencies.
Make pg_dump recreate table partitions using CREATE TABLE then ATTACH PARTITION, rather than including PARTITION OF in the creation command (Álvaro Herrera, David Rowley)
This avoids problems with the partition's column order possibly being changed to match the parent's. Also, a partition is now restorable from the dump (as a standalone table) even if its parent table isn't restored; the ATTACH will fail, but that can just be ignored.
Fix misleading error reports from reindexdb (Julien Rouhaud)
Ensure that vacuumdb returns correct status if an error occurs while using parallel jobs (Julien Rouhaud)
Fix contrib/auto_explain to not cause problems in parallel queries (Tom Lane)
Previously, a parallel worker might try to log its query even if the parent query were not being logged by auto_explain. This would work sometimes, but it's confusing, and in some cases it resulted in failures like “could not find key N in shm TOC”.
Also, fix an off-by-one error that resulted in not necessarily logging every query even when the sampling rate is set to 1.0.
In contrib/postgres_fdw, account for possible data modifications by local BEFORE ROW UPDATE triggers (Shohei Mochizuki)
If a trigger modified a column that was otherwise not changed by the UPDATE, the new value was not transmitted to the remote server.
On Windows, avoid failure when the database encoding is set to SQL_ASCII and we attempt to log a non-ASCII string (Noah Misch)
The code had been assuming that such strings must be in UTF-8, and would throw an error if they didn't appear to be validly encoded. Now, just transmit the untranslated bytes to the log.
Make PL/pgSQL's header files C++-safe (George Tarasov)