Confine additional operations within “security restricted operation” sandboxes (Sergey Shinderuk, Noah Misch)
Autovacuum, CLUSTER
, CREATE INDEX
, REINDEX
, REFRESH MATERIALIZED VIEW
, and pg_amcheck activated the “security restricted operation” protection mechanism too late, or even not at all in some code paths. A user having permission to create non-temporary objects within a database could define an object that would execute arbitrary SQL code with superuser permissions the next time that autovacuum processed the object, or that some superuser ran one of the affected commands against it.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2022-1552)
⇑ Upgrade to 14.3 released on 2022-05-12 - docs
Confine additional operations within “security restricted operation” sandboxes (Sergey Shinderuk, Noah Misch)
Autovacuum, CLUSTER
, CREATE INDEX
, REINDEX
, REFRESH MATERIALIZED VIEW
, and pg_amcheck activated the “security restricted operation” protection mechanism too late, or even not at all in some code paths. A user having permission to create non-temporary objects within a database could define an object that would execute arbitrary SQL code with superuser permissions the next time that autovacuum processed the object, or that some superuser ran one of the affected commands against it.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2022-1552)
Fix default signature length for gist_ltree_ops
indexes (Tomas Vondra, Alexander Korotkov)
The default signature length (hash size) for GiST indexes on ltree
columns was accidentally changed while upgrading that operator class to support operator class parameters. If any operations had been done on such an index without first upgrading the ltree
extension to version 1.2, they were done assuming that the signature length was 28 bytes rather than the intended 8. This means it is very likely that such indexes are now corrupt. For safety we recommend re-indexing all GiST indexes on ltree
columns after installing this update. (Note that GiST indexes on ltree[]
columns, that is arrays of ltree
, are not affected.)
Stop using query-provided column aliases for the columns of whole-row variables that refer to plain tables (Tom Lane)
The column names in tuples produced by a whole-row variable (such as tbl.*
in contexts other than the top level of a SELECT
list) are now always those of the associated named composite type, if there is one. We'd previously attempted to make them track any column aliases that had been applied to the FROM
entry the variable refers to. But that's semantically dubious, because really then the output of the variable is not at all of the composite type it claims to be. Previous attempts to deal with that inconsistency had bad results up to and including storing unreadable data on disk, so just give up on the whole idea.
In cases where it's important to be able to relabel such columns, a workaround is to introduce an extra level of sub-SELECT
, so that the whole-row variable is referring to the sub-SELECT
's output and not to a plain table. Then the variable is of type record
to begin with and there's no issue.
Fix incorrect roundoff when extracting epoch values from intervals (Peter Eisentraut)
The new numeric
-based code for EXTRACT()
failed to yield results equivalent to the old float
-based code, as a result of accidentally truncating the DAYS_PER_YEAR
value to an integer.
Defend against pg_stat_get_replication_slot(NULL)
(Andres Freund)
This function should be marked strict in the catalog data, but it was not in v14, so add a run-time check instead.
Fix incorrect output for types timestamptz
and timetz
in table_to_xmlschema()
and allied functions (Renan Soares Lopes)
The xmlschema output for these types included a malformed regular expression.
Avoid core dump in parser for a VALUES
clause with zero columns (Tom Lane)
Fix planner failure when a Result plan node appears immediately underneath an Append node (Etsuro Fujita)
Recently-added code to support asynchronous remote queries failed to handle this case, leading to crashes or errors about unrecognized node types.
Fix planner failure if a query using SEARCH
or CYCLE
features contains a duplicate CTE name (Tom Lane, Kyotaro Horiguchi)
When the name of the recursive WITH
query is re-used within itself, the planner could crash or report odd errors such as “could not find attribute 2 in subquery targetlist”.
Fix planner errors for GROUPING()
constructs that reference outer query levels (Richard Guo, Tom Lane)
Fix plan generation for index-only scans on indexes with both returnable and non-returnable columns (Tom Lane)
The previous coding could try to read non-returnable columns in addition to the returnable ones. This was fairly harmless because it didn't actually do anything with the bogus values, but it fell foul of a recently-added error check that rejected such a plan.
Avoid accessing a no-longer-pinned shared buffer while attempting to lock an outdated tuple during EvalPlanQual (Tom Lane)
The code would touch the buffer a couple more times after releasing its pin. In theory another process could recycle the buffer (or more likely, try to defragment its free space) as soon as the pin is gone, probably leading to failure to find the newer version of the tuple.
Fix query-lifespan memory leak in an IndexScan node that is performing reordering (Aliaksandr Kalenik)
Fix ALTER FUNCTION
to support changing a function's parallelism property and its SET
-variable list in the same command (Tom Lane)
The parallelism property change was lost if the same command also updated the function's SET
clause.
Tighten lookup of the index “owned by” a constraint (Tom Lane, Japin Li)
Some code paths mistook the index depended on by a foreign key constraint for one owned by a unique or primary key constraint, resulting in odd errors during certain ALTER TABLE
operations on tables having foreign key constraints.
Fix bogus errors from attempts to alter system columns of tables (Tom Lane)
The system should just tell you that you can't do it, but sometimes it would report “no owned sequence found” instead.
Fix mis-sorting of table rows when CLUSTER
ing using an index whose leading key is an expression (Peter Geoghegan, Thomas Munro)
The table would be rebuilt with the correct data, but in an order having little to do with the index order.
Prevent data loss if a system crash occurs shortly after a sorted GiST index build (Heikki Linnakangas)
The code path for building GiST indexes using sorting neglected to fsync
the file upon completion. This could result in a corrupted index if the operating system crashed shortly later.
Fix risk of deadlock failures while dropping a partitioned index (Jimmy Yih, Gaurab Dey, Tom Lane)
Ensure that the required table and index locks are taken in the standard order (parents before children, tables before indexes). The previous coding for DROP INDEX
did it differently, and so could deadlock against concurrent queries taking these locks in the standard order.
Fix race condition between DROP TABLESPACE
and checkpointing (Nathan Bossart)
The checkpoint forced by DROP TABLESPACE
could sometimes fail to remove all dead files from the tablespace's directory, leading to a bogus “tablespace is not empty” error.
Fix possible trouble in crash recovery after a TRUNCATE
command that overlaps a checkpoint (Kyotaro Horiguchi, Heikki Linnakangas, Robert Haas)
TRUNCATE
must ensure that the table's disk file is truncated before the checkpoint is allowed to complete. Otherwise, replay starting from that checkpoint might find unexpected data in the supposedly-removed pages, possibly causing replay failure.
Fix unsafe toast-data accesses during temporary object cleanup (Andres Freund)
Temporary-object deletion during server process exit could fail with “FATAL: cannot fetch toast data without an active snapshot”. This was usually harmless since the next use of that temporary schema would clean up successfully.
Re-allow underscore as the first character in a custom parameter name (Japin Li)
Such names were unintentionally disallowed in v14.
Add regress
option for the compute_query_id
parameter (Michael Paquier)
This is intended to facilitate testing, by allowing query IDs to be computed but not shown in EXPLAIN
output.
Improve wait logic in RegisterSyncRequest (Thomas Munro)
If we run out of space in the checkpointer sync request queue (which is hopefully rare on real systems, but is common when testing with a very small buffer pool), we wait for it to drain. While waiting, we should report that as a wait event so that users know what is going on, and also watch for postmaster death, since otherwise the loop might never terminate if the checkpointer has already exited.
Wake up for latch events when the checkpointer is waiting between writes (Thomas Munro)
This improves responsiveness to backends sending sync requests. The change also creates a proper wait event class for these waits.
Fix “PANIC: xlog flush request is not satisfied” failure during standby promotion when there is a missing WAL continuation record (Sami Imseih)
Fix possibility of self-deadlock in hot standby conflict handling (Andres Freund)
With unlucky timing, the WAL-applying process could get stuck while waiting for some other process to release a buffer lock.
Fix possible mis-identification of the correct ancestor relation to publish logical replication changes through (Tomas Vondra, Hou zj, Amit Kapila)
If publish_via_partition_root
is enabled, and there are multiple publications naming different ancestors of the currently-modified relation, the wrong ancestor might be chosen for reporting the change.
Ensure that logical replication apply workers can be restarted even when we're up against the max_sync_workers_per_subscription
limit (Amit Kapila)
Faulty coding of the limit check caused a restarted worker to exit immediately, leaving fewer workers than there should be.
Include unchanged replica identity key columns in the WAL log for an update, if they are stored out-of-line (Dilip Kumar, Amit Kapila)
Otherwise subscribers cannot see the values and will fail to replicate the update.
Cope correctly with platforms that have no support for altering the server process's display in ps(1) (Andrew Dunstan)
Few platforms are like this (the only supported one is Cygwin), so we'd managed not to notice that refactoring introduced a potential memory clobber.
Make the server more robust against missed timer interrupts (Michael Harris, Tom Lane)
An optimization added in v14 meant that if a server process somehow missed a timer interrupt, it would never again ask the kernel for another one, thus breaking timeout detection for the remainder of the session. This seems unduly fragile, so add a recovery path.
Disallow execution of SPI functions during PL/Perl function compilation (Tom Lane)
Perl can be convinced to execute user-defined code during compilation of a PL/Perl function. However, it's not okay for such code to try to invoke SQL operations via SPI. That results in a crash, and if it didn't crash it would be a security hazard, because we really don't want code execution during function validation. Put in a check to give a friendlier error message instead.
Make libpq accept root-owned SSL private key files (David Steele)
This change synchronizes libpq's rules for safe ownership and permissions of SSL key files with the rules the server has used since release 9.6. Namely, in addition to the current rules, allow the case where the key file is owned by root and has permissions rw-r-----
or less. This is helpful for system-wide management of key files.
Fix behavior of libpq's PQisBusy()
function after a connection failure (Tom Lane)
If we'd detected a write failure, PQisBusy()
would always return true, which is the wrong thing: we want input processing to carry on normally until we've read whatever is available from the server. The practical effect of this error is that applications using libpq's async-query API would typically detect connection loss only when PQconsumeInput()
returns a hard failure. With this fix, a connection loss will normally be reported via an error PGresult
object, which is a much cleaner behavior for most applications.
Re-allow database
.schema
.table
patterns in psql, pg_dump, and pg_amcheck (Mark Dilger)
Versions before v14 silently ignored all but the schema
and table
fragments of a pattern containing more than one dot. Refactoring in v14 accidentally broke that use-case. Reinstate it, but now complain if the first fragment is not the name of the current database.
Make pg_ctl recheck postmaster aliveness while waiting for stop/restart/promote actions (Tom Lane)
pg_ctl would verify that the postmaster is alive as a side-effect of sending the stop or promote signal, but then it just naively waited to see the on-disk state change. If the postmaster died uncleanly without having removed its PID file or updated the control file, pg_ctl would wait until timeout. Instead make it recheck every so often that the postmaster process is still there.
Fix error handling in pg_waldump (Kyotaro Horiguchi, Andres Freund)
While trying to read a WAL file to determine the WAL segment size, pg_waldump would report an incorrect error for the case of a too-short file. In addition, the file name reported in this and related error messages could be garbage.
Ensure that contrib/pageinspect
functions cope with all-zero pages (Michael Paquier)
This is a legitimate edge case, but the module was mostly unprepared for it. Arrange to return nulls, or no rows, as appropriate; that seems more useful than raising an error.
In contrib/pageinspect
, add defenses against incorrect page “special space” contents, tighten checks for correct page size, and add some missing checks that an index is of the expected type (Michael Paquier, Justin Pryzby, Julien Rouhaud)
These changes make it less likely that the module will crash on bad data.
In contrib/postgres_fdw
, disable batch insertion when BEFORE INSERT ... FOR EACH ROW
triggers exist on the foreign table (Etsuro Fujita)
Such a trigger might query the table it's on and expect to see previously-inserted rows. With batch insertion, those rows might not be visible yet, so disable the feature to avoid unexpected behavior.
In contrib/postgres_fdw
, verify that ORDER BY
clauses are safe to ship before requesting a remotely-ordered query, and include a USING
clause if necessary (Ronan Dunklau)
This fix prevents situations where the remote server might sort in a different order than we intend. While sometimes that would be only cosmetic, it could produce thoroughly wrong results if the remote data is used as input for a locally-performed merge join.
Fix configure to handle platforms that have sys/epoll.h
but not sys/signalfd.h
(Tom Lane)
Update JIT code to work with LLVM 14 (Thomas Munro)
Clean up assorted failures under clang's -fsanitize=undefined
checks (Tom Lane, Andres Freund, Zhihong Yu)
Most of these changes are just for pro-forma compliance with the letter of the C and POSIX standards, and are unlikely to have any effect on production builds.
Do not add OpenSSL dependencies to libpq's pkg-config
file when building without OpenSSL (Fabrice Fontaine)
Fix PL/Perl so it builds on C compilers that don't support statements nested within expressions (Tom Lane)
Fix possible build failure of pg_dumpall on Windows, when not using MSVC to build (Andres Freund)
In Windows builds, use gendef instead of pexports to build DEF files (Andrew Dunstan)
This adapts the build process to work on recent MSys tool chains.
Prevent extra expansion of shell wildcard patterns in programs built under MinGW (Andrew Dunstan)
For some reason the C library provided by MinGW will expand shell wildcard characters in a program's command-line arguments by default. This is confusing, not least because it doesn't happen under MSVC, so turn it off.
Update time zone data files to tzdata release 2022a for DST law changes in Palestine, plus historical corrections for Chile and Ukraine.