Re: Side effect of CVE-2017-7484 fix? - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Side effect of CVE-2017-7484 fix?
Date
Msg-id 82920.1540216004@sss.pgh.pa.us
In response to Side effect of CVE-2017-7484 fix?  (Dilip Kumar <dilipbalaut@gmail.com>)
Responses Re: Side effect of CVE-2017-7484 fix?  (Dilip Kumar <dilipbalaut@gmail.com>)
Re: Side effect of CVE-2017-7484 fix?  (Robert Haas <robertmhaas@gmail.com>)
List pgsql-hackers
Dilip Kumar <dilipbalaut@gmail.com> writes:
> As part of the security fix
> (e2d4ef8de869c57e3bf270a30c12d48c2ce4e00c), we have restricted the
> users from accessing the statistics of the table if the user doesn't
> have privileges on the table and the function is not leakproof.  Now,
> as a side effect of this, if the user has the privileges on the root
> partitioned table but does not have privilege on the child tables, the
> user will be able to access the data of the child table but it won't
> be able to access the statistics of the child table. This may result
> in a bad plan.

This was complained of already,
https://www.postgresql.org/message-id/flat/3876.1531261875%40sss.pgh.pa.us

            regards, tom lane
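
The situation described in the quoted report can be checked on a live system with a catalog query. This is an added example, not part of the original message or of the PostgreSQL sources; the table `measurements`, its partition and the role `report_reader` are constructed names, and the check covers table-level SELECT only.

```sql
-- Constructed demo objects (assumptions, not from the thread).
CREATE ROLE report_reader;
CREATE TABLE measurements (id int, label text) PARTITION BY RANGE (id);
CREATE TABLE measurements_p1 PARTITION OF measurements
    FOR VALUES FROM (0) TO (1000);

-- Privilege on the root only: queries through the root can read the
-- child's rows, but the role holds no SELECT on the child itself.
GRANT SELECT ON measurements TO report_reader;

-- 1. Walk the inheritance tree under the root and report, per relation,
--    whether the role holds table-level SELECT. Rows with
--    can_select = false are the children whose statistics are withheld
--    from the planner for non-leakproof operators, per the report above.
WITH RECURSIVE parts AS (
    SELECT 'measurements'::regclass::oid AS relid
    UNION ALL
    SELECT i.inhrelid
    FROM pg_inherits i
    JOIN parts p ON i.inhparent = p.relid
)
SELECT p.relid::regclass AS relation,
       has_table_privilege('report_reader', p.relid, 'SELECT') AS can_select
FROM parts p
ORDER BY 1;

-- 2. Look up which comparison operators on the column's type are backed
--    by leakproof functions on this server. The restriction only applies
--    where proleakproof is false.
SELECT o.oprname  AS operator,
       o.oprcode  AS function,
       p.proleakproof
FROM pg_operator o
JOIN pg_proc p ON p.oid = o.oprcode
WHERE o.oprleft  = 'text'::regtype
  AND o.oprright = 'text'::regtype
  AND o.oprname IN ('=', '<>', '<', '<=', '>', '>=')
ORDER BY o.oprname;

-- Clean up the constructed objects.
DROP TABLE measurements;
DROP ROLE report_reader;
```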