]> git.ipfire.org Git - thirdparty/postgresql.git/commit
projects / thirdparty / postgresql.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 36f9f60) | patch
Require update permission for the large object written by lo_put().
authorTom Lane <tgl@sss.pgh.pa.us>
Mon, 7 Aug 2017 14:19:01 +0000 (10:19 -0400)
committerTom Lane <tgl@sss.pgh.pa.us>
Mon, 7 Aug 2017 14:19:21 +0000 (10:19 -0400)
commit873741c6821d4fe8245b97e2adf1e8142c8b7531
tree09b8726acfd2065bcbcd2c7653bc0a900608f670tree
parent36f9f60958d471c62515494a0c7b0058e578c2ebcommit | diff
Require update permission for the large object written by lo_put().

lo_put() surely should require UPDATE permission, the same as lowrite(),
but it failed to check for that, as reported by Chapman Flack.  Oversight
in commit c50b7c09d; backpatch to 9.4 where that was introduced.

Tom Lane and Michael Paquier

Security: CVE-2017-7548
src/backend/libpq/be-fsstubs.c diff | blob | blame | history
src/test/regress/expected/privileges.out diff | blob | blame | history
src/test/regress/sql/privileges.sql diff | blob | blame | history
Mirror of https://git.postgresql.org/git/postgresql.git