Skip to content

Commit 20db959

Browse files
tglsfdctglsfdc
committed
Update release notes with security issues.
Security: CVE-2010-1169, CVE-2010-1170
1 parent 4b8c969 commit 20db959

File tree

6 files changed

+248
-8
lines changed

6 files changed

+248
-8
lines changed

doc/src/sgml/release-7.4.sgml

Lines changed: 41 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
<!-- $PostgreSQL: pgsql/doc/src/sgml/release-7.4.sgml,v 1.6 2010/05/12 23:20:49 tgl Exp $ -->
1+
<!-- $PostgreSQL: pgsql/doc/src/sgml/release-7.4.sgml,v 1.7 2010/05/13 21:26:59 tgl Exp $ -->
22
<!-- See header comment in release.sgml about typical markup -->
33

44
<sect1 id="release-7-4-29">
@@ -37,6 +37,46 @@
3737

3838
<itemizedlist>
3939

40+
<listitem>
41+
<para>
42+
Enforce restrictions in <literal>plperl</> using an opmask applied to
43+
the whole interpreter, instead of using <filename>Safe.pm</>
44+
(Tim Bunce, Andrew Dunstan)
45+
</para>
46+
47+
<para>
48+
Recent developments have convinced us that <filename>Safe.pm</> is too
49+
insecure to rely on for making <literal>plperl</> trustable. This
50+
change removes use of <filename>Safe.pm</> altogether, in favor of using
51+
a separate interpreter with an opcode mask that is always applied.
52+
Pleasant side effects of the change include that it is now possible to
53+
use Perl's <literal>strict</> pragma in a natural way in
54+
<literal>plperl</>, and that Perl's <literal>$a</> and <literal>$b</>
55+
variables work as expected in sort routines, and that function
56+
compilation is significantly faster. (CVE-2010-1169)
57+
</para>
58+
</listitem>
59+
60+
<listitem>
61+
<para>
62+
Prevent PL/Tcl from executing untrustworthy code from
63+
<structname>pltcl_modules</> (Tom)
64+
</para>
65+
66+
<para>
67+
PL/Tcl's feature for autoloading Tcl code from a database table
68+
could be exploited for trojan-horse attacks, because there was no
69+
restriction on who could create or insert into that table. This change
70+
disables the feature unless <structname>pltcl_modules</> is owned by a
71+
superuser. (However, the permissions on the table are not checked, so
72+
installations that really need a less-than-secure modules table can
73+
still grant suitable privileges to trusted non-superusers.) Also,
74+
prevent loading code into the unrestricted <quote>normal</> Tcl
75+
interpreter unless we are really going to execute a <literal>pltclu</>
76+
function. (CVE-2010-1170)
77+
</para>
78+
</listitem>
79+
4080
<listitem>
4181
<para>
4282
Do not allow an unprivileged user to reset superuser-only parameter

doc/src/sgml/release-8.0.sgml

Lines changed: 41 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
<!-- $PostgreSQL: pgsql/doc/src/sgml/release-8.0.sgml,v 1.6 2010/05/12 23:20:49 tgl Exp $ -->
1+
<!-- $PostgreSQL: pgsql/doc/src/sgml/release-8.0.sgml,v 1.7 2010/05/13 21:26:59 tgl Exp $ -->
22
<!-- See header comment in release.sgml about typical markup -->
33

44
<sect1 id="release-8-0-25">
@@ -37,6 +37,46 @@
3737

3838
<itemizedlist>
3939

40+
<listitem>
41+
<para>
42+
Enforce restrictions in <literal>plperl</> using an opmask applied to
43+
the whole interpreter, instead of using <filename>Safe.pm</>
44+
(Tim Bunce, Andrew Dunstan)
45+
</para>
46+
47+
<para>
48+
Recent developments have convinced us that <filename>Safe.pm</> is too
49+
insecure to rely on for making <literal>plperl</> trustable. This
50+
change removes use of <filename>Safe.pm</> altogether, in favor of using
51+
a separate interpreter with an opcode mask that is always applied.
52+
Pleasant side effects of the change include that it is now possible to
53+
use Perl's <literal>strict</> pragma in a natural way in
54+
<literal>plperl</>, and that Perl's <literal>$a</> and <literal>$b</>
55+
variables work as expected in sort routines, and that function
56+
compilation is significantly faster. (CVE-2010-1169)
57+
</para>
58+
</listitem>
59+
60+
<listitem>
61+
<para>
62+
Prevent PL/Tcl from executing untrustworthy code from
63+
<structname>pltcl_modules</> (Tom)
64+
</para>
65+
66+
<para>
67+
PL/Tcl's feature for autoloading Tcl code from a database table
68+
could be exploited for trojan-horse attacks, because there was no
69+
restriction on who could create or insert into that table. This change
70+
disables the feature unless <structname>pltcl_modules</> is owned by a
71+
superuser. (However, the permissions on the table are not checked, so
72+
installations that really need a less-than-secure modules table can
73+
still grant suitable privileges to trusted non-superusers.) Also,
74+
prevent loading code into the unrestricted <quote>normal</> Tcl
75+
interpreter unless we are really going to execute a <literal>pltclu</>
76+
function. (CVE-2010-1170)
77+
</para>
78+
</listitem>
79+
4080
<listitem>
4181
<para>
4282
Do not allow an unprivileged user to reset superuser-only parameter

doc/src/sgml/release-8.1.sgml

Lines changed: 41 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
<!-- $PostgreSQL: pgsql/doc/src/sgml/release-8.1.sgml,v 1.6 2010/05/12 23:20:49 tgl Exp $ -->
1+
<!-- $PostgreSQL: pgsql/doc/src/sgml/release-8.1.sgml,v 1.7 2010/05/13 21:26:59 tgl Exp $ -->
22
<!-- See header comment in release.sgml about typical markup -->
33

44
<sect1 id="release-8-1-21">
@@ -31,6 +31,46 @@
3131

3232
<itemizedlist>
3333

34+
<listitem>
35+
<para>
36+
Enforce restrictions in <literal>plperl</> using an opmask applied to
37+
the whole interpreter, instead of using <filename>Safe.pm</>
38+
(Tim Bunce, Andrew Dunstan)
39+
</para>
40+
41+
<para>
42+
Recent developments have convinced us that <filename>Safe.pm</> is too
43+
insecure to rely on for making <literal>plperl</> trustable. This
44+
change removes use of <filename>Safe.pm</> altogether, in favor of using
45+
a separate interpreter with an opcode mask that is always applied.
46+
Pleasant side effects of the change include that it is now possible to
47+
use Perl's <literal>strict</> pragma in a natural way in
48+
<literal>plperl</>, and that Perl's <literal>$a</> and <literal>$b</>
49+
variables work as expected in sort routines, and that function
50+
compilation is significantly faster. (CVE-2010-1169)
51+
</para>
52+
</listitem>
53+
54+
<listitem>
55+
<para>
56+
Prevent PL/Tcl from executing untrustworthy code from
57+
<structname>pltcl_modules</> (Tom)
58+
</para>
59+
60+
<para>
61+
PL/Tcl's feature for autoloading Tcl code from a database table
62+
could be exploited for trojan-horse attacks, because there was no
63+
restriction on who could create or insert into that table. This change
64+
disables the feature unless <structname>pltcl_modules</> is owned by a
65+
superuser. (However, the permissions on the table are not checked, so
66+
installations that really need a less-than-secure modules table can
67+
still grant suitable privileges to trusted non-superusers.) Also,
68+
prevent loading code into the unrestricted <quote>normal</> Tcl
69+
interpreter unless we are really going to execute a <literal>pltclu</>
70+
function. (CVE-2010-1170)
71+
</para>
72+
</listitem>
73+
3474
<listitem>
3575
<para>
3676
Do not allow an unprivileged user to reset superuser-only parameter

doc/src/sgml/release-8.2.sgml

Lines changed: 41 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
<!-- $PostgreSQL: pgsql/doc/src/sgml/release-8.2.sgml,v 1.6 2010/05/12 23:20:49 tgl Exp $ -->
1+
<!-- $PostgreSQL: pgsql/doc/src/sgml/release-8.2.sgml,v 1.7 2010/05/13 21:26:59 tgl Exp $ -->
22
<!-- See header comment in release.sgml about typical markup -->
33

44
<sect1 id="release-8-2-17">
@@ -31,6 +31,46 @@
3131

3232
<itemizedlist>
3333

34+
<listitem>
35+
<para>
36+
Enforce restrictions in <literal>plperl</> using an opmask applied to
37+
the whole interpreter, instead of using <filename>Safe.pm</>
38+
(Tim Bunce, Andrew Dunstan)
39+
</para>
40+
41+
<para>
42+
Recent developments have convinced us that <filename>Safe.pm</> is too
43+
insecure to rely on for making <literal>plperl</> trustable. This
44+
change removes use of <filename>Safe.pm</> altogether, in favor of using
45+
a separate interpreter with an opcode mask that is always applied.
46+
Pleasant side effects of the change include that it is now possible to
47+
use Perl's <literal>strict</> pragma in a natural way in
48+
<literal>plperl</>, and that Perl's <literal>$a</> and <literal>$b</>
49+
variables work as expected in sort routines, and that function
50+
compilation is significantly faster. (CVE-2010-1169)
51+
</para>
52+
</listitem>
53+
54+
<listitem>
55+
<para>
56+
Prevent PL/Tcl from executing untrustworthy code from
57+
<structname>pltcl_modules</> (Tom)
58+
</para>
59+
60+
<para>
61+
PL/Tcl's feature for autoloading Tcl code from a database table
62+
could be exploited for trojan-horse attacks, because there was no
63+
restriction on who could create or insert into that table. This change
64+
disables the feature unless <structname>pltcl_modules</> is owned by a
65+
superuser. (However, the permissions on the table are not checked, so
66+
installations that really need a less-than-secure modules table can
67+
still grant suitable privileges to trusted non-superusers.) Also,
68+
prevent loading code into the unrestricted <quote>normal</> Tcl
69+
interpreter unless we are really going to execute a <literal>pltclu</>
70+
function. (CVE-2010-1170)
71+
</para>
72+
</listitem>
73+
3474
<listitem>
3575
<para>
3676
Fix possible crash if a cache reset message is received during

doc/src/sgml/release-8.3.sgml

Lines changed: 41 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
<!-- $PostgreSQL: pgsql/doc/src/sgml/release-8.3.sgml,v 1.6 2010/05/12 23:20:49 tgl Exp $ -->
1+
<!-- $PostgreSQL: pgsql/doc/src/sgml/release-8.3.sgml,v 1.7 2010/05/13 21:26:59 tgl Exp $ -->
22
<!-- See header comment in release.sgml about typical markup -->
33

44
<sect1 id="release-8-3-11">
@@ -31,6 +31,46 @@
3131

3232
<itemizedlist>
3333

34+
<listitem>
35+
<para>
36+
Enforce restrictions in <literal>plperl</> using an opmask applied to
37+
the whole interpreter, instead of using <filename>Safe.pm</>
38+
(Tim Bunce, Andrew Dunstan)
39+
</para>
40+
41+
<para>
42+
Recent developments have convinced us that <filename>Safe.pm</> is too
43+
insecure to rely on for making <literal>plperl</> trustable. This
44+
change removes use of <filename>Safe.pm</> altogether, in favor of using
45+
a separate interpreter with an opcode mask that is always applied.
46+
Pleasant side effects of the change include that it is now possible to
47+
use Perl's <literal>strict</> pragma in a natural way in
48+
<literal>plperl</>, and that Perl's <literal>$a</> and <literal>$b</>
49+
variables work as expected in sort routines, and that function
50+
compilation is significantly faster. (CVE-2010-1169)
51+
</para>
52+
</listitem>
53+
54+
<listitem>
55+
<para>
56+
Prevent PL/Tcl from executing untrustworthy code from
57+
<structname>pltcl_modules</> (Tom)
58+
</para>
59+
60+
<para>
61+
PL/Tcl's feature for autoloading Tcl code from a database table
62+
could be exploited for trojan-horse attacks, because there was no
63+
restriction on who could create or insert into that table. This change
64+
disables the feature unless <structname>pltcl_modules</> is owned by a
65+
superuser. (However, the permissions on the table are not checked, so
66+
installations that really need a less-than-secure modules table can
67+
still grant suitable privileges to trusted non-superusers.) Also,
68+
prevent loading code into the unrestricted <quote>normal</> Tcl
69+
interpreter unless we are really going to execute a <literal>pltclu</>
70+
function. (CVE-2010-1170)
71+
</para>
72+
</listitem>
73+
3474
<listitem>
3575
<para>
3676
Fix possible crash if a cache reset message is received during

doc/src/sgml/release-8.4.sgml

Lines changed: 43 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
<!-- $PostgreSQL: pgsql/doc/src/sgml/release-8.4.sgml,v 1.18 2010/05/12 23:20:49 tgl Exp $ -->
1+
<!-- $PostgreSQL: pgsql/doc/src/sgml/release-8.4.sgml,v 1.19 2010/05/13 21:26:59 tgl Exp $ -->
22
<!-- See header comment in release.sgml about typical markup -->
33

44
<sect1 id="release-8-4-4">
@@ -33,8 +33,48 @@
3333

3434
<listitem>
3535
<para>
36-
Fix error during WAL replay of <literal>ALTER ... SET TABLESPACE</>
37-
(Tom)
36+
Enforce restrictions in <literal>plperl</> using an opmask applied to
37+
the whole interpreter, instead of using <filename>Safe.pm</>
38+
(Tim Bunce, Andrew Dunstan)
39+
</para>
40+
41+
<para>
42+
Recent developments have convinced us that <filename>Safe.pm</> is too
43+
insecure to rely on for making <literal>plperl</> trustable. This
44+
change removes use of <filename>Safe.pm</> altogether, in favor of using
45+
a separate interpreter with an opcode mask that is always applied.
46+
Pleasant side effects of the change include that it is now possible to
47+
use Perl's <literal>strict</> pragma in a natural way in
48+
<literal>plperl</>, and that Perl's <literal>$a</> and <literal>$b</>
49+
variables work as expected in sort routines, and that function
50+
compilation is significantly faster. (CVE-2010-1169)
51+
</para>
52+
</listitem>
53+
54+
<listitem>
55+
<para>
56+
Prevent PL/Tcl from executing untrustworthy code from
57+
<structname>pltcl_modules</> (Tom)
58+
</para>
59+
60+
<para>
61+
PL/Tcl's feature for autoloading Tcl code from a database table
62+
could be exploited for trojan-horse attacks, because there was no
63+
restriction on who could create or insert into that table. This change
64+
disables the feature unless <structname>pltcl_modules</> is owned by a
65+
superuser. (However, the permissions on the table are not checked, so
66+
installations that really need a less-than-secure modules table can
67+
still grant suitable privileges to trusted non-superusers.) Also,
68+
prevent loading code into the unrestricted <quote>normal</> Tcl
69+
interpreter unless we are really going to execute a <literal>pltclu</>
70+
function. (CVE-2010-1170)
71+
</para>
72+
</listitem>
73+
74+
<listitem>
75+
<para>
76+
Fix data corruption during WAL replay of
77+
<literal>ALTER ... SET TABLESPACE</> (Tom)
3878
</para>
3979

4080
<para>

0 commit comments

Comments
 (0)