Side effect of CVE-2017-7484 fix? - Mailing list pgsql-hackers

From Dilip Kumar
Subject Side effect of CVE-2017-7484 fix?
Date
Msg-id CAFiTN-tWSO0riLe3_cfsrLjfoUU6iFN8+rP2Y06BEgLH9HP5+w@mail.gmail.com
Responses Re: Side effect of CVE-2017-7484 fix?  (Stephen Frost <sfrost@snowman.net>)
Re: Side effect of CVE-2017-7484 fix?  (David Fetter <david@fetter.org>)
Re: Side effect of CVE-2017-7484 fix?  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
As part of the security fix
(e2d4ef8de869c57e3bf270a30c12d48c2ce4e00c), we have restricted
users from accessing the statistics of a table if the user doesn't
have privileges on the table and the function is not leakproof.  Now,
as a side effect of this, if the user has privileges on the root
partitioned table but does not have privileges on the child tables, the
user will be able to access the data of the child table but won't
be able to access the statistics of the child table. This may result
in a bad plan.  I am not sure what the fix should be.  Should we
allow access to the statistics of the table if a user has privileges on
its parent table?

-- 
Regards,
Dilip Kumar
EnterpriseDB: http://www.enterprisedb.com
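
A reproduction sketch of the scenario in the message above, added here as an example and not part of the original post. The role, table, function and operator names are hypothetical, and it assumes a scratch database, a superuser session, and a server that behaves as the message describes.

```sql
-- Constructed example; all object and role names are hypothetical.
CREATE ROLE stats_demo_user;

CREATE TABLE measurements (id int, val int) PARTITION BY RANGE (id);
CREATE TABLE measurements_p1 PARTITION OF measurements
    FOR VALUES FROM (0) TO (100000);

INSERT INTO measurements
    SELECT g, g % 10 FROM generate_series(0, 99999) AS g;
ANALYZE measurements;
ANALYZE measurements_p1;

-- A user-defined function is not leakproof unless declared so, which makes
-- the planner apply the privilege check before consulting pg_statistic.
CREATE FUNCTION int_lt_noleak(int, int) RETURNS boolean
    LANGUAGE plpgsql AS $$ BEGIN RETURN $1 < $2; END $$;
CREATE OPERATOR <<< (
    PROCEDURE = int_lt_noleak, LEFTARG = int, RIGHTARG = int,
    RESTRICT = scalarltsel
);
SELECT proname, proleakproof FROM pg_proc WHERE proname = 'int_lt_noleak';

-- Privilege on the root partitioned table only, none on the child.
GRANT SELECT ON measurements TO stats_demo_user;

-- Baseline: a superuser passes the check, so the estimate uses the
-- child's statistics.
EXPLAIN SELECT * FROM measurements WHERE val <<< 5;

-- Restricted role: the rows are readable through the parent, but the
-- child's statistics are withheld, so the estimate is a default guess.
SET ROLE stats_demo_user;
EXPLAIN SELECT * FROM measurements WHERE val <<< 5;
SELECT count(*) FROM measurements WHERE val <<< 5;  -- data access still works
RESET ROLE;

-- Cleanup.
DROP OPERATOR <<< (int, int);
DROP FUNCTION int_lt_noleak(int, int);
DROP TABLE measurements;
DROP ROLE stats_demo_user;
```

Compare the `rows=` estimate on the `measurements_p1` scan in the two EXPLAIN outputs; a gap between them is the planning side effect the message describes.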

