[COMMITTERS] pgsql: Make json{b}_populate_recordset() use the right tupledescriptor - Mailing list pgsql-committers

From Tom Lane
Subject [COMMITTERS] pgsql: Make json{b}_populate_recordset() use the right tupledescriptor
Date
Msg-id E1eBjLa-0002l0-Ru@gemulon.postgresql.org
Whole thread Raw
List pgsql-committers
Make json{b}_populate_recordset() use the right tuple descriptor.

json{b}_populate_recordset() used the tuple descriptor created from the
query-level AS clause without worrying about whether it matched the actual
input record type.  If it didn't, that would usually result in a crash,
though disclosure of server memory contents seems possible as well, for a
skilled attacker capable of issuing crafted SQL commands.  Instead, use
the query-supplied descriptor only when there is no input tuple to look at,
and otherwise get a tuple descriptor based on the input tuple's own type
marking.  The core code will detect any type mismatch in the latter case.

Michael Paquier and Tom Lane, per a report from David Rowley.
Back-patch to 9.3 where this functionality was introduced.

Security: CVE-2017-15098

Branch
------
REL9_6_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/38e825632be777a6ea4a39796e121c39728403b3

Modified Files
--------------
src/backend/utils/adt/jsonfuncs.c   | 36 +++++++++++++++++++++++++-----------
src/test/regress/expected/json.out  | 13 +++++++++++++
src/test/regress/expected/jsonb.out | 13 +++++++++++++
src/test/regress/sql/json.sql       |  6 ++++++
src/test/regress/sql/jsonb.sql      |  6 ++++++
5 files changed, 63 insertions(+), 11 deletions(-)


--
Sent via pgsql-committers mailing list (pgsql-committers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-committers

pgsql-committers by date:

Previous
From: Noah Misch
Date:
Subject: [COMMITTERS] pgsql: start-scripts: switch to $PGUSER before opening $PGLOG.
Next
From: Tom Lane
Date:
Subject: [COMMITTERS] pgsql: Last-minute updates for release notes.