|
40 | 40 |
|
41 | 41 | <itemizedlist>
|
42 | 42 |
|
| 43 | + <listitem> |
| 44 | + <para> |
| 45 | + Fix possible mis-evaluation of |
| 46 | + nested <literal>CASE</>-<literal>WHEN</> expressions (Heikki |
| 47 | + Linnakangas, Michael Paquier, Tom Lane) |
| 48 | + </para> |
| 49 | + |
| 50 | + <para> |
| 51 | + A <literal>CASE</> expression appearing within the test value |
| 52 | + subexpression of another <literal>CASE</> could become confused about |
| 53 | + whether its own test value was null or not. Also, inlining of a SQL |
| 54 | + function implementing the equality operator used by |
| 55 | + a <literal>CASE</> expression could result in passing the wrong test |
| 56 | + value to functions called within a <literal>CASE</> expression in the |
| 57 | + SQL function's body. If the test values were of different data |
| 58 | + types, a crash might result; moreover such situations could be abused |
| 59 | + to allow disclosure of portions of server memory. (CVE-2016-5423) |
| 60 | + </para> |
| 61 | + </listitem> |
| 62 | + |
| 63 | + <listitem> |
| 64 | + <para> |
| 65 | + Fix client programs' handling of special characters in database and |
| 66 | + role names (Noah Misch, Nathan Bossart, Michael Paquier) |
| 67 | + </para> |
| 68 | + |
| 69 | + <para> |
| 70 | + Numerous places in <application>vacuumdb</> and other client programs |
| 71 | + could become confused by database and role names containing double |
| 72 | + quotes or backslashes. Tighten up quoting rules to make that safe. |
| 73 | + Also, ensure that when a conninfo string is used as a database name |
| 74 | + parameter to these programs, it is correctly treated as such throughout. |
| 75 | + </para> |
| 76 | + |
| 77 | + <para> |
| 78 | + Fix handling of paired double quotes |
| 79 | + in <application>psql</>'s <command>\connect</> |
| 80 | + and <command>\password</> commands to match the documentation. |
| 81 | + </para> |
| 82 | + |
| 83 | + <para> |
| 84 | + Introduce a new <option>-reuse-previous</> option |
| 85 | + in <application>psql</>'s <command>\connect</> command to allow |
| 86 | + explicit control of whether to re-use connection parameters from a |
| 87 | + previous connection. (Without this, the choice is based on whether |
| 88 | + the database name looks like a conninfo string, as before.) This |
| 89 | + allows secure handling of database names containing special |
| 90 | + characters in <application>pg_dumpall</> scripts. |
| 91 | + </para> |
| 92 | + |
| 93 | + <para> |
| 94 | + <application>pg_dumpall</> now refuses to deal with database and role |
| 95 | + names containing carriage returns or newlines, as it seems impractical |
| 96 | + to quote those characters safely on Windows. In future we may reject |
| 97 | + such names on the server side, but that step has not been taken yet. |
| 98 | + </para> |
| 99 | + |
| 100 | + <para> |
| 101 | + These are considered security fixes because crafted object names |
| 102 | + containing special characters could have been used to execute |
| 103 | + commands with superuser privileges the next time a superuser |
| 104 | + executes <application>pg_dumpall</> or other routine maintenance |
| 105 | + operations. (CVE-2016-5424) |
| 106 | + </para> |
| 107 | + </listitem> |
| 108 | + |
43 | 109 | <listitem>
|
44 | 110 | <para>
|
45 | 111 | Fix corner-case misbehaviors for <literal>IS NULL</>/<literal>IS NOT
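Review bot: In the client-programs item, the reason these changes count as security fixes (crafted object names leading to command execution with superuser privileges, CVE-2016-5424) is only stated in the final paragraph, at new lines 100-105. Consider moving that sentence up to follow the summary at new lines 65-66, so a reader skimming the list sees the severity before the detail about quoting rules, \connect and -reuse-previous. The pg_dumpall paragraph at new lines 94-97 also says names containing carriage returns or newlines are now refused, but not what an administrator with such names should do; one sentence on that would help.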
|
|
77 | 143 | </para>
|
78 | 144 | </listitem>
|
79 | 145 |
|
| 146 | + <listitem> |
| 147 | + <para> |
| 148 | + Fix several one-byte buffer over-reads in <function>to_number()</> |
| 149 | + (Peter Eisentraut) |
| 150 | + </para> |
| 151 | + |
| 152 | + <para> |
| 153 | + In several cases the <function>to_number()</> function would read one |
| 154 | + more character than it should from the input string. There is a |
| 155 | + small chance of a crash, if the input happens to be adjacent to the |
| 156 | + end of memory. |
| 157 | + </para> |
| 158 | + </listitem> |
| 159 | + |
80 | 160 | <listitem>
|
81 | 161 | <para>
|
82 | 162 | Avoid unsafe intermediate state during expensive paths
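Review bot: The phrase "adjacent to the end of memory" at new lines 155-156 is imprecise for a one-byte over-read; suggest wording that names the actual condition, for example that the byte following the input string lies outside the memory available to the process. The comma before "if" on new line 155 can also be dropped.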
|
|