Home > mailing lists

Re: Side effect of CVE-2017-7484 fix? - Mailing list pgsql-hackers

From	Dilip Kumar
Subject	Re: Side effect of CVE-2017-7484 fix?
Date	October 23, 2018 09:33:15
Msg-id	CAFiTN-uvx5OOOkqVuDDJ+7LV4q7+Bu_TNhdV=M0-uUEtM12s7w@mail.gmail.com Whole thread Raw
In response to	Re: Side effect of CVE-2017-7484 fix? (Tom Lane <tgl@sss.pgh.pa.us>)
List	pgsql-hackers

Tree view

On Mon, Oct 22, 2018 at 7:16 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
>
> Dilip Kumar <dilipbalaut@gmail.com> writes:
> > As part of the security fix
> > (e2d4ef8de869c57e3bf270a30c12d48c2ce4e00c), we have restricted the
> > users from accessing the statistics of the table if the user doesn't
> > have privileges on the table and the function is not leakproof.  Now,
> > as a side effect of this, if the user has the privileges on the root
> > partitioned table but does not have privilege on the child tables, the
> > user will be able to access the data of the child table but it won't
> > be able to access the statistics of the child table. This may result
> > in a bad plan.
>
> This was complained of already,
> https://www.postgresql.org/message-id/flat/3876.1531261875%40sss.pgh.pa.us
>
>                         regards, tom lane

Ok, I see.  Thanks.

-- 
Regards,
Dilip Kumar
EnterpriseDB: http://www.enterprisedb.com

pgsql-hackers by date:

From: Michael Paquier
Date: 23 October 2018, 08:40:30
Subject: Re: Restore CurrentUserId only if 'prevUser' is valid when aborttransaction

From: Haribabu Kommi
Date: 23 October 2018, 09:49:23
Subject: Re: Pluggable Storage - Andres's take

Re: Side effect of CVE-2017-7484 fix? - Mailing list pgsql-hackers

Previous

Next