Thread: pgsql: Further fix privileges on pg_statistic_ext[_data].
Further fix privileges on pg_statistic_ext[_data]. We don't need to restrict column privileges on pg_statistic_ext; all of that data is OK to read publicly. What we *do* need to do, which was overlooked by 6cbfb784c, is revoke public read access on pg_statistic_ext_data; otherwise we still have the same security hole we started with. Catversion bump to ensure that installations calling themselves beta2 will have this fix. Diagnosis/correction by Dean Rasheed and Tomas Vondra, but I'm going to go ahead and push this fix ASAP so we get more buildfarm cycles on it. Discussion: https://postgr.es/m/8833.1560647898@sss.pgh.pa.us Branch ------ master Details ------- https://git.postgresql.org/pg/commitdiff/6973b058bc8d32e104bed99c134a4fab4b5dfe13 Modified Files -------------- src/backend/catalog/system_views.sql | 5 ++--- src/include/catalog/catversion.h | 2 +- 2 files changed, 3 insertions(+), 4 deletions(-)
On Sun, Jun 16, 2019 at 03:00:27PM +0000, Tom Lane wrote: >Further fix privileges on pg_statistic_ext[_data]. > >We don't need to restrict column privileges on pg_statistic_ext; >all of that data is OK to read publicly. What we *do* need to do, >which was overlooked by 6cbfb784c, is revoke public read access on >pg_statistic_ext_data; otherwise we still have the same security >hole we started with. > >Catversion bump to ensure that installations calling themselves >beta2 will have this fix. > >Diagnosis/correction by Dean Rasheed and Tomas Vondra, but I'm >going to go ahead and push this fix ASAP so we get more buildfarm >cycles on it. Thanks! Appreciated. -- Tomas Vondra http://www.2ndQuadrant.com PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services