Release date: 2015-02-05
This release contains a variety of fixes from 9.0.18. For information about new features in the 9.0 major release, see Section E.152.
A dump/restore is not required for those running 9.0.X.
However, if you are upgrading from a version earlier than 9.0.18, see Section E.134.
Fix buffer overruns in to_char()
(Bruce Momjian)
When to_char()
processes a numeric formatting template
calling for a large number of digits, PostgreSQL
would read past the end of a buffer. When processing a crafted
timestamp formatting template, PostgreSQL would write
past the end of a buffer. Either case could crash the server.
We have not ruled out the possibility of attacks that lead to
privilege escalation, though they seem unlikely.
(CVE-2015-0241)
Fix buffer overrun in replacement *printf()
functions
(Tom Lane)
PostgreSQL includes a replacement implementation
of printf
and related functions. This code will overrun
a stack buffer when formatting a floating point number (conversion
specifiers e
, E
, f
, F
,
g
or G
) with requested precision greater than
about 500. This will crash the server, and we have not ruled out the
possibility of attacks that lead to privilege escalation.
A database user can trigger such a buffer overrun through
the to_char()
SQL function. While that is the only
affected core PostgreSQL functionality, extension
modules that use printf-family functions may be at risk as well.
This issue primarily affects PostgreSQL on Windows. PostgreSQL uses the system implementation of these functions where adequate, which it is on other modern platforms. (CVE-2015-0242)
Fix buffer overruns in contrib/pgcrypto
(Marko Tiikkaja, Noah Misch)
Errors in memory size tracking within the pgcrypto
module permitted stack buffer overruns and improper dependence on the
contents of uninitialized memory. The buffer overrun cases can
crash the server, and we have not ruled out the possibility of
attacks that lead to privilege escalation.
(CVE-2015-0243)
Fix possible loss of frontend/backend protocol synchronization after an error (Heikki Linnakangas)
If any error occurred while the server was in the middle of reading a protocol message from the client, it could lose synchronization and incorrectly try to interpret part of the message's data as a new protocol message. An attacker able to submit crafted binary data within a command parameter might succeed in injecting his own SQL commands this way. Statement timeout and query cancellation are the most likely sources of errors triggering this scenario. Particularly vulnerable are applications that use a timeout and also submit arbitrary user-crafted data as binary query parameters. Disabling statement timeout will reduce, but not eliminate, the risk of exploit. Our thanks to Emil Lenngren for reporting this issue. (CVE-2015-0244)
Fix information leak via constraint-violation error messages (Stephen Frost)
Some server error messages show the values of columns that violate
a constraint, such as a unique constraint. If the user does not have
SELECT
privilege on all columns of the table, this could
mean exposing values that the user should not be able to see. Adjust
the code so that values are displayed only when they came from the SQL
command or could be selected by the user.
(CVE-2014-8161)
Lock down regression testing's temporary installations on Windows (Noah Misch)
Use SSPI authentication to allow connections only from the OS user who launched the test suite. This closes on Windows the same vulnerability previously closed on other platforms, namely that other users might be able to connect to the test postmaster. (CVE-2014-0067)
Avoid possible data corruption if ALTER DATABASE SET
TABLESPACE
is used to move a database to a new tablespace and then
shortly later move it back to its original tablespace (Tom Lane)
Avoid corrupting tables when ANALYZE
inside a transaction
is rolled back (Andres Freund, Tom Lane, Michael Paquier)
If the failing transaction had earlier removed the last index, rule, or
trigger from the table, the table would be left in a corrupted state
with the relevant pg_class
flags not set though they
should be.
Fix use-of-already-freed-memory problem in EvalPlanQual processing (Tom Lane)
In READ COMMITTED
mode, queries that lock or update
recently-updated rows could crash as a result of this bug.
Fix planning of SELECT FOR UPDATE
when using a partial
index on a child table (Kyotaro Horiguchi)
In READ COMMITTED
mode, SELECT FOR UPDATE
must
also recheck the partial index's WHERE
condition when
rechecking a recently-updated row to see if it still satisfies the
query's WHERE
condition. This requirement was missed if the
index belonged to an inheritance child table, so that it was possible
to incorrectly return rows that no longer satisfy the query condition.
Fix corner case wherein SELECT FOR UPDATE
could return a row
twice, and possibly miss returning other rows (Tom Lane)
In READ COMMITTED
mode, a SELECT FOR UPDATE
that is scanning an inheritance tree could incorrectly return a row
from a prior child table instead of the one it should return from a
later child table.
Reject duplicate column names in the referenced-columns list of
a FOREIGN KEY
declaration (David Rowley)
This restriction is per SQL standard. Previously we did not reject the case explicitly, but later on the code would fail with bizarre-looking errors.
Fix bugs in raising a numeric
value to a large integral power
(Tom Lane)
The previous code could get a wrong answer, or consume excessive amounts of time and memory before realizing that the answer must overflow.
In numeric_recv()
, truncate away any fractional digits
that would be hidden according to the value's dscale
field
(Tom Lane)
A numeric
value's display scale (dscale
) should
never be less than the number of nonzero fractional digits; but
apparently there's at least one broken client application that
transmits binary numeric
values in which that's true.
This leads to strange behavior since the extra digits are taken into
account by arithmetic operations even though they aren't printed.
The least risky fix seems to be to truncate away such “hidden”
digits on receipt, so that the value is indeed what it prints as.
Reject out-of-range numeric timezone specifications (Tom Lane)
Simple numeric timezone specifications exceeding +/- 168 hours (one week) would be accepted, but could then cause null-pointer dereference crashes in certain operations. There's no use-case for such large UTC offsets, so reject them.
Fix bugs in tsquery
@>
tsquery
operator (Heikki Linnakangas)
Two different terms would be considered to match if they had the same CRC. Also, if the second operand had more terms than the first, it would be assumed not to be contained in the first; which is wrong since it might contain duplicate terms.
Improve ispell dictionary's defenses against bad affix files (Tom Lane)
Allow more than 64K phrases in a thesaurus dictionary (David Boutin)
The previous coding could crash on an oversize dictionary, so this was deemed a back-patchable bug fix rather than a feature addition.
Fix namespace handling in xpath()
(Ali Akbar)
Previously, the xml
value resulting from
an xpath()
call would not have namespace declarations if
the namespace declarations were attached to an ancestor element in the
input xml
value, rather than to the specific element being
returned. Propagate the ancestral declaration so that the result is
correct when considered in isolation.
Fix planner problems with nested append relations, such as inherited
tables within UNION ALL
subqueries (Tom Lane)
Fail cleanly when a GiST index tuple doesn't fit on a page, rather than going into infinite recursion (Andrew Gierth)
Exempt tables that have per-table cost_limit
and/or cost_delay
settings from autovacuum's global cost
balancing rules (Álvaro Herrera)
The previous behavior resulted in basically ignoring these per-table settings, which was unintended. Now, a table having such settings will be vacuumed using those settings, independently of what is going on in other autovacuum workers. This may result in heavier total I/O load than before, so such settings should be re-examined for sanity.
Avoid wholesale autovacuuming when autovacuum is nominally off (Tom Lane)
Even when autovacuum is nominally off, we will still launch autovacuum worker processes to vacuum tables that are at risk of XID wraparound. However, such a worker process then proceeded to vacuum all tables in the target database, if they met the usual thresholds for autovacuuming. This is at best pretty unexpected; at worst it delays response to the wraparound threat. Fix it so that if autovacuum is turned off, workers only do anti-wraparound vacuums and not any other work.
Fix race condition between hot standby queries and replaying a full-page image (Heikki Linnakangas)
This mistake could result in transient errors in queries being executed in hot standby.
Fix several cases where recovery logic improperly ignored WAL records
for COMMIT/ABORT PREPARED
(Heikki Linnakangas)
The most notable oversight was
that recovery_target_xid
could not be used to stop at
a two-phase commit.
Avoid creating unnecessary .ready
marker files for
timeline history files (Fujii Masao)
Fix possible null pointer dereference when an empty prepared statement
is used and the log_statement
setting is mod
or ddl
(Fujii Masao)
Change “pgstat wait timeout” warning message to be LOG level, and rephrase it to be more understandable (Tom Lane)
This message was originally thought to be essentially a can't-happen case, but it occurs often enough on our slower buildfarm members to be a nuisance. Reduce it to LOG level, and expend a bit more effort on the wording: it now reads “using stale statistics instead of current ones because stats collector is not responding”.
Fix SPARC spinlock implementation to ensure correctness if the CPU is being run in a non-TSO coherency mode, as some non-Solaris kernels do (Andres Freund)
Warn if macOS's setlocale()
starts an unwanted extra
thread inside the postmaster (Noah Misch)
Fix processing of repeated dbname
parameters
in PQconnectdbParams()
(Alex Shulgin)
Unexpected behavior ensued if the first occurrence
of dbname
contained a connection string or URI to be
expanded.
Ensure that libpq reports a suitable error message on unexpected socket EOF (Marko Tiikkaja, Tom Lane)
Depending on kernel behavior, libpq might return an empty error string rather than something useful when the server unexpectedly closed the socket.
Clear any old error message during PQreset()
(Heikki Linnakangas)
If PQreset()
is called repeatedly, and the connection
cannot be re-established, error messages from the failed connection
attempts kept accumulating in the PGconn
's error
string.
Properly handle out-of-memory conditions while parsing connection options in libpq (Alex Shulgin, Heikki Linnakangas)
Fix array overrun in ecpg's version
of ParseDateTime()
(Michael Paquier)
In initdb, give a clearer error message if a password file is specified but is empty (Mats Erik Andersson)
Fix psql's \s
command to work nicely with
libedit, and add pager support (Stepan Rutz, Tom Lane)
When using libedit rather than readline, \s
printed the
command history in a fairly unreadable encoded format, and on recent
libedit versions might fail altogether. Fix that by printing the
history ourselves rather than having the library do it. A pleasant
side-effect is that the pager is used if appropriate.
This patch also fixes a bug that caused newline encoding to be applied inconsistently when saving the command history with libedit. Multiline history entries written by older psql versions will be read cleanly with this patch, but perhaps not vice versa, depending on the exact libedit versions involved.
Improve consistency of parsing of psql's special variables (Tom Lane)
Allow variant spellings of on
and off
(such
as 1
/0
) for ECHO_HIDDEN
and ON_ERROR_ROLLBACK
. Report a warning for unrecognized
values for COMP_KEYWORD_CASE
, ECHO
,
ECHO_HIDDEN
, HISTCONTROL
,
ON_ERROR_ROLLBACK
, and VERBOSITY
. Recognize
all values for all these variables case-insensitively; previously
there was a mishmash of case-sensitive and case-insensitive behaviors.
Fix psql's expanded-mode display to work
consistently when using border
= 3
and linestyle
= ascii
or unicode
(Stephen Frost)
Fix possible deadlock during parallel restore of a schema-only dump (Robert Haas, Tom Lane)
Fix core dump in pg_dump --binary-upgrade
on zero-column
composite type (Rushabh Lathia)
Fix block number checking
in contrib/pageinspect
's get_raw_page()
(Tom Lane)
The incorrect checking logic could prevent access to some pages in non-main relation forks.
Fix contrib/pgcrypto
's pgp_sym_decrypt()
to not fail on messages whose length is 6 less than a power of 2
(Marko Tiikkaja)
Handle unexpected query results, especially NULLs, safely in
contrib/tablefunc
's connectby()
(Michael Paquier)
connectby()
previously crashed if it encountered a NULL
key value. It now prints that row but doesn't recurse further.
Avoid a possible crash in contrib/xml2
's
xslt_process()
(Mark Simonetti)
libxslt seems to have an undocumented dependency on the order in which resources are freed; reorder our calls to avoid a crash.
Numerous cleanups of warnings from Coverity static code analyzer (Andres Freund, Tatsuo Ishii, Marko Kreen, Tom Lane, Michael Paquier)
These changes are mostly cosmetic but in some cases fix corner-case bugs, for example a crash rather than a proper error report after an out-of-memory failure. None are believed to represent security issues.
Detect incompatible OpenLDAP versions during build (Noah Misch)
With OpenLDAP versions 2.4.24 through 2.4.31,
inclusive, PostgreSQL backends can crash at exit.
Raise a warning during configure based on the
compile-time OpenLDAP version number, and test the crashing scenario
in the contrib/dblink
regression test.
In non-MSVC Windows builds, ensure libpq.dll
is installed
with execute permissions (Noah Misch)
Make pg_regress remove any temporary installation it created upon successful exit (Tom Lane)
This results in a very substantial reduction in disk space usage
during make check-world
, since that sequence involves
creation of numerous temporary installations.
Support time zone abbreviations that change UTC offset from time to time (Tom Lane)
Previously, PostgreSQL assumed that the UTC offset
associated with a time zone abbreviation (such as EST
)
never changes in the usage of any particular locale. However this
assumption fails in the real world, so introduce the ability for a
zone abbreviation to represent a UTC offset that sometimes changes.
Update the zone abbreviation definition files to make use of this
feature in timezone locales that have changed the UTC offset of their
abbreviations since 1970 (according to the IANA timezone database).
In such timezones, PostgreSQL will now associate the
correct UTC offset with the abbreviation depending on the given date.
Update time zone abbreviations lists (Tom Lane)
Add CST (China Standard Time) to our lists. Remove references to ADT as “Arabia Daylight Time”, an abbreviation that's been out of use since 2007; therefore, claiming there is a conflict with “Atlantic Daylight Time” doesn't seem especially helpful. Fix entirely incorrect GMT offsets for CKT (Cook Islands), FJT, and FJST (Fiji); we didn't even have them on the proper side of the date line.
Update time zone data files to tzdata release 2015a.
The IANA timezone database has adopted abbreviations of the form
A
/x
STA
for all Australian time zones, reflecting what they believe to be
current majority practice Down Under. These names do not conflict
with usage elsewhere (other than ACST for Acre Summer Time, which has
been in disuse since 1994). Accordingly, adopt these names into
our “Default” timezone abbreviation set.
The “Australia” abbreviation set now contains only CST, EAST,
EST, SAST, SAT, and WST, all of which are thought to be mostly
historical usage. Note that SAST has also been changed to be South
Africa Standard Time in the “Default” abbreviation set.
x
DT
Also, add zone abbreviations SRET (Asia/Srednekolymsk) and XJT (Asia/Urumqi), and use WSST/WSDT for western Samoa. Also, there were DST law changes in Chile, Mexico, the Turks & Caicos Islands (America/Grand_Turk), and Fiji. There is a new zone Pacific/Bougainville for portions of Papua New Guinea. Also, numerous corrections for historical (pre-1970) time zone data.