Thread: pgsql: Further fix privileges on pg_statistic_ext[_data].

pgsql: Further fix privileges on pg_statistic_ext[_data].

From
Tom Lane
Date:
Further fix privileges on pg_statistic_ext[_data].

We don't need to restrict column privileges on pg_statistic_ext;
all of that data is OK to read publicly.  What we *do* need to do,
which was overlooked by 6cbfb784c, is revoke public read access on
pg_statistic_ext_data; otherwise we still have the same security
hole we started with.

Catversion bump to ensure that installations calling themselves
beta2 will have this fix.

Diagnosis/correction by Dean Rasheed and Tomas Vondra, but I'm
going to go ahead and push this fix ASAP so we get more buildfarm
cycles on it.

Discussion: https://postgr.es/m/8833.1560647898@sss.pgh.pa.us

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/6973b058bc8d32e104bed99c134a4fab4b5dfe13

Modified Files
--------------
src/backend/catalog/system_views.sql | 5 ++---
src/include/catalog/catversion.h     | 2 +-
2 files changed, 3 insertions(+), 4 deletions(-)


Re: pgsql: Further fix privileges on pg_statistic_ext[_data].

From
Tomas Vondra
Date:
On Sun, Jun 16, 2019 at 03:00:27PM +0000, Tom Lane wrote:
>Further fix privileges on pg_statistic_ext[_data].
>
>We don't need to restrict column privileges on pg_statistic_ext;
>all of that data is OK to read publicly.  What we *do* need to do,
>which was overlooked by 6cbfb784c, is revoke public read access on
>pg_statistic_ext_data; otherwise we still have the same security
>hole we started with.
>
>Catversion bump to ensure that installations calling themselves
>beta2 will have this fix.
>
>Diagnosis/correction by Dean Rasheed and Tomas Vondra, but I'm
>going to go ahead and push this fix ASAP so we get more buildfarm
>cycles on it.

Thanks! Appreciated.


-- 
Tomas Vondra                  http://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services