| From: | Noah Misch <noah(at)leadboat(dot)com> |
|---|---|
| To: | pgsql-committers(at)lists(dot)postgresql(dot)org |
| Subject: | pgsql: Ban role pg_signal_backend from more superuser backend types. |
| Date: | 2023-11-06 14:17:12 |
| Message-ID: | E1r00Pf-004Baj-S3@gemulon.postgresql.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-committers |
Ban role pg_signal_backend from more superuser backend types.
Documentation says it cannot signal "a backend owned by a superuser".
On the contrary, it could signal background workers, including the
logical replication launcher. It could signal autovacuum workers and
the autovacuum launcher. Block all that. Signaling autovacuum workers
and those two launchers doesn't stall progress beyond what one could
achieve other ways. If a cluster uses a non-core extension with a
background worker that does not auto-restart, this could create a denial
of service with respect to that background worker. A background worker
with bugs in its code for responding to terminations or cancellations
could experience those bugs at a time the pg_signal_backend member
chooses. Back-patch to v11 (all supported versions).
Reviewed by Jelte Fennema-Nio. Reported by Hemanth Sandrana and
Mahendrakar Srinivasarao.
Security: CVE-2023-5870
Branch
------
REL_16_STABLE
Details
-------
https://git.postgresql.org/pg/commitdiff/78541273156c74ed20acdc141cf2f996098cd794
Modified Files
--------------
src/backend/storage/ipc/signalfuncs.c | 9 +++++++--
src/test/regress/expected/privileges.out | 18 ++++++++++++++++++
src/test/regress/sql/privileges.sql | 15 +++++++++++++++
3 files changed, 40 insertions(+), 2 deletions(-)
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andrew Dunstan | 2023-11-06 14:43:21 | Re: pgsql: Migrate logical slots to the new node during an upgrade. |
| Previous Message | Peter Eisentraut | 2023-11-06 12:45:34 | pgsql: Translation updates |