E.27. Release 13.16
Release date: 2024-08-08
This release contains a variety of fixes from 13.15. For information about new features in major release 13, see Section E.43.
E.27.1. Migration to Version 13.16
A dump/restore is not required for those running 13.X.
However, if you are upgrading from a version earlier than 13.14, see Section E.29.
E.27.2. Changes
Prevent unauthorized code execution during pg_dump (Masahiko Sawada) §
An attacker able to create and drop non-temporary objects could inject SQL code that would be executed by a concurrent pg_dump session with the privileges of the role running pg_dump (which is often a superuser). The attack involves replacing a sequence or similar object with a view or foreign table that will execute malicious code. To prevent this, introduce a new server parameter
restrict_nonsystem_relation_kind
that can disable expansion of non-builtin views as well as access to foreign tables, and teach pg_dump to set it when available. Note that the attack is prevented only if both pg_dump and the server it is dumping from are new enough to have this fix.The PostgreSQL Project thanks Noah Misch for reporting this problem. (CVE-2024-7348)
Fix failure after attaching a table as a partition, if the table had previously had inheritance children (Álvaro Herrera) §
Fix
ALTER TABLE DETACH PARTITION
for cases involving inconsistent index-based constraints (Álvaro Herrera, Tender Wang) § §When a partitioned table has an index that is not associated with a constraint, but a partition has an equivalent index that is, then detaching the partition would misbehave, leaving the ex-partition's constraint with an incorrect
coninhcount
value. This would cause trouble during any further manipulations of that constraint.Fix handling of polymorphic output arguments for procedures (Tom Lane) § §
The SQL
CALL
statement did not resolve the correct data types for such arguments, leading to errors such as “cannot display a value of type anyelement”, or even outright crashes. (ButCALL
in PL/pgSQL worked correctly.)Fix behavior of stable functions called from a
CALL
statement's argument list (Tom Lane) §If the
CALL
is within an atomic context (e.g. there's an outer transaction block), such functions were passed the wrong snapshot, causing them to see stale values of rows modified since the start of the outer transaction.Detect integer overflow in
money
calculations (Joseph Koshakow) §None of the arithmetic functions for the
money
type checked for overflow before, so they would silently give wrong answers for overflowing cases.Fix over-aggressive clamping of the scale argument in
round(numeric)
andtrunc(numeric)
(Dean Rasheed) §These functions clamped their scale argument to +/-2000, but there are valid use-cases for it to be larger; the functions returned incorrect results in such cases. Instead clamp to the actual allowed range of type
numeric
.Prevent
pg_sequence_last_value()
from failing on unlogged sequences on standby servers and on temporary sequences of other sessions (Nathan Bossart) §Make it return NULL in these cases instead of throwing an error.
Fix parsing of ignored operators in
websearch_to_tsquery()
(Tom Lane) §Per the manual, punctuation in the input of
websearch_to_tsquery()
is ignored except for the special cases of dashes and quotes. However, parentheses and a few other characters appearing immediately before anor
could causeor
to be treated as a data word, rather than as anOR
operator as expected.Detect another integer overflow case while computing new array dimensions (Joseph Koshakow) §
Reject applying array dimensions
[-2147483648:2147483647]
to an empty array. This is closely related to CVE-2023-5869, but appears harmless since the array still ends up empty.Detect another case of a new catalog cache entry becoming stale while detoasting its fields (Noah Misch) §
An in-place update occurring while we expand out-of-line fields in a catalog tuple could be missed, leading to a catalog cache entry that lacks the in-place change but is not known to be stale. This is only possible in the
pg_database
catalog, so the effects are narrow, but misbehavior is possible.Correctly check updatability of view columns targeted by
INSERT
...DEFAULT
(Tom Lane) §If such a column is non-updatable, we should give an error reporting that. But the check was missed and then later code would report an unhelpful error such as “attribute number
N
not found in view targetlist”.Avoid reporting an unhelpful internal error for incorrect recursive queries (Tom Lane) §
Rearrange the order of error checks so that we throw an on-point error when a
WITH RECURSIVE
query does not have a self-reference within the second arm of theUNION
, but does have one self-reference in some other place such asORDER BY
.Don't throw an error if a queued
AFTER
trigger no longer exists (Tom Lane) §It's possible for a transaction to execute an operation that queues a deferred
AFTER
trigger for later execution, and then to drop the trigger before that happens. Formerly this led to weird errors such as “could not find triggerNNNN
”. It seems better to silently do nothing if the trigger no longer exists at the time when it would have been executed.Fix failure to remove
pg_init_privs
entries for column-level privileges when their table is dropped (Tom Lane) §If an extension grants some column-level privileges on a table it creates, relevant catalog entries would remain behind after the extension is dropped. This was harmless until/unless the table's OID was re-used for another relation, when it could interfere with what pg_dump dumps for that relation.
Fix selection of an arbiter index for
ON CONFLICT
when the desired index has expressions or predicates (Tom Lane) §If a query using
ON CONFLICT
accesses the target table through an updatable view, it could fail with “there is no unique or exclusion constraint matching the ON CONFLICT specification”, even though a matching index does exist.Refuse to modify a temporary table of another session with
ALTER TABLE
(Tom Lane) §Permissions checks normally would prevent this case from arising, but it is possible to reach it by altering a parent table whose child is another session's temporary table. Throw an error if we discover that such a child table belongs to another session.
Fix failure to recalculate sub-queries generated from
MIN()
orMAX()
aggregates (Tom Lane) §In some cases the aggregate result computed at one row of the outer query could be re-used for later rows when it should not be. This has only been seen to happen when the outer query uses
DISTINCT
that is implemented with hash aggregation, but other cases may exist.Avoid crashing when a JIT-inlined backend function throws an error (Tom Lane) §
The error state can include pointers into the dynamically loaded module holding the JIT-compiled code (for error location strings). In some code paths the module could get unloaded before the error report is processed, leading to SIGSEGV when the location strings are accessed.
Cope with behavioral changes in libxml2 version 2.13.x (Erik Wienhold, Tom Lane) §
Notably, we now suppress “chunk is not well balanced” errors from libxml2, unless that is the only reported error. This is to make error reports consistent between 2.13.x and earlier libxml2 versions. In earlier versions, that message was almost always redundant or outright incorrect, so 2.13.x substantially reduced the number of cases in which it's reported.
Fix handling of subtransactions of prepared transactions when starting a hot standby server (Heikki Linnakangas) §
When starting a standby's replay at a shutdown checkpoint WAL record, transactions that had been prepared but not yet committed on the primary are correctly understood as being still in progress. But subtransactions of a prepared transaction (created by savepoints or PL/pgSQL exception blocks) were not accounted for and would be treated as aborted. That led to inconsistency if the prepared transaction was later committed.
Prevent incorrect initialization of logical replication slots (Masahiko Sawada) §
In some cases a replication slot's start point within the WAL stream could be set to a point within a transaction, leading to assertion failures or incorrect decoding results.
Avoid memory leakage after servicing a notify or sinval interrupt (Tom Lane) §
The processing functions for these events could switch the current memory context to TopMemoryContext, resulting in session-lifespan leakage of any data allocated before the incorrect setting gets replaced. There were observable leaks associated with (at least) encoding conversion of incoming queries and parameters attached to Bind messages.
Avoid possibly missing end-of-input events on Windows sockets (Thomas Munro) §
Windows reports an FD_CLOSE event only once after the remote end of the connection disconnects. With unlucky timing, we could miss that report and wait indefinitely, or at least until a timeout elapsed, expecting more input.
Fix buffer overread in JSON parse error reports for incomplete byte sequences (Jacob Champion) §
It was possible to walk off the end of the input buffer by a few bytes when the last bytes comprise an incomplete multi-byte character. While usually harmless, in principle this could cause a crash.
Disable creation of stateful TLS session tickets by OpenSSL (Daniel Gustafsson) § § §
This avoids possible failures with clients that think receipt of a session ticket means that TLS session resumption is supported.
When replanning a PL/pgSQL “simple expression”, check it's still simple (Tom Lane) §
Certain fairly-artificial cases, such as dropping a referenced function and recreating it as an aggregate, could lead to surprising failures such as “unexpected plan node type”.
Fix incompatibility between PL/Perl and Perl 5.40 (Andrew Dunstan) §
Fix recursive
RECORD
-returning PL/Python functions (Tom Lane) §If we recurse to a new call of the same function that passes a different column definition list (
AS
clause), it would fail because the inner call would overwrite the outer call's idea of what rowtype to return.Don't corrupt PL/Python's
TD
dictionary during a recursive trigger call (Tom Lane) §If a PL/Python-language trigger caused another one to be invoked, the
TD
dictionary created for the inner one would overwrite the outer one'sTD
dictionary.Fix PL/Tcl's reporting of invalid list syntax in the result of a function returning tuple (Erik Wienhold, Tom Lane) §
Such a case could result in a crash, or in emission of misleading context information that actually refers to the previous Tcl error.
Avoid non-thread-safe usage of
strerror()
in libpq (Peter Eisentraut) §Certain error messages returned by OpenSSL could become garbled in multi-threaded applications.
Ensure that
pg_restore
-l
reports dependent TOC entries correctly (Tom Lane) §If
-l
was specified together with selective-restore options such as-n
or-N
, dependent TOC entries such as comments would be omitted from the listing, even when an actual restore would have selected them.In
contrib/postgres_fdw
, do not sendFETCH FIRST WITH TIES
clauses to the remote server (Japin Li) §The remote server might not implement this clause, or might interpret it differently than we would locally, so don't risk attempting remote execution.
Avoid clashing with system-provided
<regex.h>
headers (Thomas Munro) §This fixes a compilation failure on macOS version 15 and up.
Fix otherwise-harmless assertion failures in
REINDEX CONCURRENTLY
applied to an SP-GiST index (Tom Lane) §