pgsql: Check for CREATE privilege on the schema in CREATE STATISTICS. - Mailing list pgsql-committers

From Nathan Bossart
Subject pgsql: Check for CREATE privilege on the schema in CREATE STATISTICS.
Date
Msg-id E1vITOE-005vvG-0G@gemulon.postgresql.org
List pgsql-committers
Check for CREATE privilege on the schema in CREATE STATISTICS.

This omission allowed table owners to create statistics in any
schema, potentially leading to unexpected naming conflicts.  For
ALTER TABLE commands that require re-creating statistics objects,
skip this check in case the user has since lost CREATE on the
schema.  The addition of a second parameter to CreateStatistics()
breaks ABI compatibility, but we are unaware of any impacted
third-party code.

Reported-by: Jelte Fennema-Nio <postgres@jeltef.nl>
Author: Jelte Fennema-Nio <postgres@jeltef.nl>
Co-authored-by: Nathan Bossart <nathandbossart@gmail.com>
Reviewed-by: Noah Misch <noah@leadboat.com>
Reviewed-by: Álvaro Herrera <alvherre@kurilemu.de>
Security: CVE-2025-12817
Backpatch-through: 13

Branch
------
REL_15_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/2393d374ae9c0bc8327adc80fe4490edb05be167

Modified Files
--------------
src/backend/commands/statscmds.c        | 16 +++++++++++++++-
src/backend/commands/tablecmds.c        |  2 +-
src/backend/tcop/utility.c              |  2 +-
src/include/commands/defrem.h           |  2 +-
src/test/regress/expected/stats_ext.out | 19 +++++++++++++++++++
src/test/regress/sql/stats_ext.sql      | 19 +++++++++++++++++++
6 files changed, 56 insertions(+), 4 deletions(-)
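
An audit query a DBA could run after upgrading, added here as an example (it is not part of the commit or of PostgreSQL's own code): it lists extended statistics objects whose owner currently lacks CREATE on the schema that contains them. It assumes only the standard catalogs pg_statistic_ext, pg_class and pg_namespace, and has to be run in each database separately.

```sql
-- Added example: find extended statistics objects that sit in a schema
-- where their owner does not hold CREATE today.
--
-- A row here is a candidate for review, not proof of misuse: the owner may
-- have held CREATE when the object was made and lost it since, which is the
-- case the commit message carves out for ALTER TABLE re-creation.
-- Superuser-owned objects never appear, because superusers pass every
-- privilege check.
SELECT n.nspname                   AS stats_schema,
       s.stxname                   AS stats_name,
       pg_get_userbyid(s.stxowner) AS stats_owner,
       tn.nspname                  AS table_schema,
       c.relname                   AS table_name,
       -- Statistics placed outside the table's own schema are the ones
       -- most likely to collide with names the schema owner expects to control.
       (s.stxnamespace <> c.relnamespace) AS in_foreign_schema
FROM pg_statistic_ext AS s
JOIN pg_namespace     AS n  ON n.oid  = s.stxnamespace
JOIN pg_class         AS c  ON c.oid  = s.stxrelid
JOIN pg_namespace     AS tn ON tn.oid = c.relnamespace
WHERE NOT has_schema_privilege(s.stxowner, s.stxnamespace, 'CREATE')
ORDER BY in_foreign_schema DESC, stats_schema, stats_name;
```

Objects confirmed as unwanted can be dropped with DROP STATISTICS or moved with ALTER STATISTICS ... SET SCHEMA by a role that holds the needed privileges.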

