From d03c0413343ac5a79bc2f6ee5abc84c873efd863 Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Mon, 5 Aug 2019 11:49:14 -0400 Subject: [PATCH] Last-minute updates for release notes. Security: CVE-2019-10208, CVE-2019-10209 --- doc/src/sgml/release-11.sgml | 56 ++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/doc/src/sgml/release-11.sgml b/doc/src/sgml/release-11.sgml index e651b3f497..61e00ee570 100644 --- a/doc/src/sgml/release-11.sgml +++ b/doc/src/sgml/release-11.sgml @@ -35,6 +35,62 @@ + + Require schema qualification to cast to a temporary type when using + functional cast syntax (Noah Misch) + + + + We have long required invocations of temporary functions to + explicitly specify the temporary schema, that + is pg_temp.func_name(args). + Require this as well for casting to temporary types using functional + notation, for + example pg_temp.type_name(arg). + Otherwise it's possible to capture a function call using a temporary + object, allowing privilege escalation in much the same ways that we + blocked in CVE-2007-2138. + (CVE-2019-10208) + + + + + + + Fix execution of hashed subplans that require cross-type comparison + (Tom Lane, Andreas Seltenreich) + + + + Hashed subplans used the outer query's original comparison operator + to compare entries of the hash table. This is the wrong thing if + that operator is cross-type, since all the hash table entries will + be of the subquery's output type. For the set of hashable + cross-type operators in core PostgreSQL, + this mistake seems nearly harmless on 64-bit machines, but it can + result in crashes or perhaps unauthorized disclosure of server + memory on 32-bit machines. Extensions might provide hashable + cross-type operators that create larger risks. + (CVE-2019-10209) + + + + +
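Review bot: In the first added entry (CVE-2019-10208), the text states the new requirement but not the compatibility consequence for existing applications. A call written as type_name(arg) against a temporary type will now have to be written as pg_temp.type_name(arg). Because the entry limits itself to "functional cast syntax", it would also help to say explicitly whether the other cast notations are unaffected. In the second entry (CVE-2019-10209), "seems nearly harmless on 64-bit machines" is followed by "Extensions might provide hashable cross-type operators that create larger risks" with no platform qualifier, so a reader running a 64-bit server with extensions installed cannot tell whether they are in scope. Consider stating that the extension caveat applies regardless of word size, if that is the intent.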