From a9c718bd2d35586da8ebdefa0b72fe7e0d1a725b Mon Sep 17 00:00:00 2001
From: Tom Lane
Date: Mon, 10 May 2021 13:10:29 -0400
Subject: [PATCH] Last-minute updates for release notes.

Security: CVE-2021-32027, CVE-2021-32028, CVE-2021-32029
---
 doc/src/sgml/release-12.sgml | 64 ++++++++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)

diff --git a/doc/src/sgml/release-12.sgml b/doc/src/sgml/release-12.sgml
index d2f7550ee8..75ea9db343 100644
--- a/doc/src/sgml/release-12.sgml
+++ b/doc/src/sgml/release-12.sgml
@@ -36,6 +36,69 @@