pgsql: Require update permission for the large object written by lo_put

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: pgsql-committers(at)postgresql(dot)org
Subject: pgsql: Require update permission for the large object written by lo_put
Date: 2017-08-07 14:19:40
Message-ID: E1deise-0003La-Lb@gemulon.postgresql.org
Lists: pgsql-committers

Require update permission for the large object written by lo_put().

lo_put() surely should require UPDATE permission, the same as lowrite(),
but it failed to check for that, as reported by Chapman Flack. Oversight
in commit c50b7c09d; backpatch to 9.4 where that was introduced.

Tom Lane and Michael Paquier

Security: CVE-2017-7548

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/8d9881911f0d30e0783a6bb1363b94a2c817433d

Modified Files
--------------
src/backend/libpq/be-fsstubs.c | 12 ++++++++++++
src/test/regress/expected/privileges.out | 10 ++++++++++
src/test/regress/sql/privileges.sql | 4 ++++
3 files changed, 26 insertions(+)
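
A check for the behaviour this commit message describes, added here as an example and not taken from the commit or its regression tests: a role holding only SELECT on a large object should be refused by lo_put(). The role name lo_check_reader and the OID 424242 are constructed placeholders, and the script assumes a superuser psql session in a scratch database with lo_compat_privileges off (the default).

```sql
-- Constructed verification script; names and OID are placeholders.
-- Everything runs in one transaction that is rolled back at the end,
-- so neither the role nor the large object persists.
BEGIN;

-- With lo_compat_privileges = on, large object privilege checks are
-- skipped entirely, so confirm it is off before trusting the result.
SHOW lo_compat_privileges;

CREATE ROLE lo_check_reader;                     -- hypothetical unprivileged role
SELECT lo_from_bytea(424242, 'original');        -- large object with a fixed OID
GRANT SELECT ON LARGE OBJECT 424242 TO lo_check_reader;  -- read access only

SET LOCAL ROLE lo_check_reader;

-- Reading is covered by the SELECT grant and should work.
SELECT convert_from(lo_get(424242), 'UTF8') AS readable_content;

-- Writing needs UPDATE, which was not granted. The DO block traps the
-- error so the transaction stays usable and reports which case occurred.
DO $$
BEGIN
    PERFORM lo_put(424242, 0, 'tampered');
    RAISE WARNING 'lo_put() succeeded without UPDATE: permission check missing';
EXCEPTION
    WHEN insufficient_privilege THEN
        RAISE NOTICE 'lo_put() denied without UPDATE: permission check present';
END
$$;

RESET ROLE;

-- On a server with the check, the content is still the original bytes.
SELECT convert_from(lo_get(424242), 'UTF8') AS content_after;

ROLLBACK;
```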
