Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Commit cc6c63f

Browse filesBrowse files
tglsfdctglsfdc
committed
Last-minute updates for release notes.
Security: CVE-2021-32027, CVE-2021-32028, CVE-2021-32029
1 parent 0fcb8e2 commit cc6c63f
Copy full SHA for cc6c63f

File tree

Expand file treeCollapse file tree

1 file changed

+63
-0
lines changed
Filter options
Expand file treeCollapse file tree

1 file changed

+63
-0
lines changed

‎doc/src/sgml/release-9.6.sgml

Copy file name to clipboardExpand all lines: doc/src/sgml/release-9.6.sgml
+63Lines changed: 63 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -42,6 +42,69 @@
4242
<listitem>
4343
<!--
4444
Author: Tom Lane <tgl@sss.pgh.pa.us>
45+
Branch: master [f02b9085a] 2021-05-10 10:44:38 -0400
46+
Branch: REL_13_STABLE [467395bfd] 2021-05-10 10:44:38 -0400
47+
Branch: REL_12_STABLE [3b0f6a7ae] 2021-05-10 10:44:38 -0400
48+
Branch: REL_11_STABLE [06bfbe854] 2021-05-10 10:44:38 -0400
49+
Branch: REL_10_STABLE [2fb809d3e] 2021-05-10 10:44:38 -0400
50+
Branch: REL9_6_STABLE [0c1caa48d] 2021-05-10 10:44:38 -0400
51+
-->
52+
<para>
53+
Prevent integer overflows in array subscripting calculations
54+
(Tom Lane)
55+
</para>
56+
57+
<para>
58+
The array code previously did not complain about cases where an
59+
array's lower bound plus length overflows an integer. This resulted
60+
in later entries in the array becoming inaccessible (since their
61+
subscripts could not be written as integers), but more importantly
62+
it confused subsequent assignment operations. This could lead to
63+
memory overwrites, with ensuing crashes or unwanted data
64+
modifications.
65+
(CVE-2021-32027)
66+
</para>
67+
</listitem>
68+
69+
<listitem>
70+
<!--
71+
Author: Tom Lane <tgl@sss.pgh.pa.us>
72+
Branch: master [049e1e2ed] 2021-05-10 11:02:29 -0400
73+
Branch: REL_13_STABLE [4a8656a7e] 2021-05-10 11:02:29 -0400
74+
Branch: REL_12_STABLE [a5fa3e067] 2021-05-10 11:02:29 -0400
75+
Branch: REL_11_STABLE [b7d1f32ff] 2021-05-10 11:02:29 -0400
76+
Branch: REL_10_STABLE [52a441362] 2021-05-10 11:02:30 -0400
77+
Branch: REL9_6_STABLE [0fcb8e2e0] 2021-05-10 11:02:30 -0400
78+
-->
79+
<para>
80+
Fix mishandling of <quote>junk</quote> columns in <literal>INSERT
81+
... ON CONFLICT ... UPDATE</literal> target lists (Tom Lane)
82+
</para>
83+
84+
<para>
85+
If the <literal>UPDATE</literal> list contains any multi-column
86+
sub-selects (which give rise to junk columns in addition to the
87+
results proper), the <literal>UPDATE</literal> path would end up
88+
storing tuples that include the values of the extra junk columns.
89+
That's fairly harmless in the short run, but if new columns are
90+
added to the table then the values would become accessible, possibly
91+
leading to malfunctions if they don't match the datatypes of the
92+
added columns.
93+
</para>
94+
95+
<para>
96+
In addition, in versions supporting cross-partition updates,
97+
a cross-partition update triggered by such a case had the reverse
98+
problem: the junk columns were removed from the target list,
99+
typically causing an immediate crash due to malfunction of the
100+
multi-column sub-select mechanism.
101+
(CVE-2021-32028)
102+
</para>
103+
</listitem>
104+
105+
<listitem>
106+
<!--
107+
Author: Tom Lane <tgl@sss.pgh.pa.us>
45108
Branch: master [69d5ca484] 2021-04-13 15:10:18 -0400
46109
Branch: REL_13_STABLE [c39aa1e87] 2021-04-13 15:10:18 -0400
47110
Branch: REL_12_STABLE [a7fcb6285] 2021-04-13 15:10:18 -0400

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.