Release date: 2015-02-05
This release contains a variety of fixes from 9.4.0. For information about new features in the 9.4 major release, see Section E.53.
A dump/restore is not required for those running 9.4.X.
However, if you are a Windows user and are using the “Norwegian (Bokmål)” locale, manual action is needed after the upgrade to replace any “Norwegian (Bokmål)_Norway” or “norwegian-bokmal” locale names stored in PostgreSQL system catalogs with the plain-ASCII alias “Norwegian_Norway”. For details see http://wiki.postgresql.org/wiki/Changes_To_Norwegian_Locale
Fix buffer overruns in to_char() (Bruce Momjian)
When to_char() processes a numeric formatting template calling for a large number of digits, PostgreSQL would read past the end of a buffer. When processing a crafted timestamp formatting template, PostgreSQL would write past the end of a buffer. Either case could crash the server. We have not ruled out the possibility of attacks that lead to privilege escalation, though they seem unlikely. (CVE-2015-0241)
Fix buffer overrun in replacement *printf() functions (Tom Lane)
PostgreSQL includes a replacement implementation of printf and related functions. This code will overrun a stack buffer when formatting a floating point number (conversion specifiers e, E, f, F, g or G) with requested precision greater than about 500. This will crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. A database user can trigger such a buffer overrun through the to_char() SQL function. While that is the only affected core PostgreSQL functionality, extension modules that use printf-family functions may be at risk as well.
This issue primarily affects PostgreSQL on Windows. PostgreSQL uses the system implementation of these functions where adequate, which it is on other modern platforms. (CVE-2015-0242)
Fix buffer overruns in contrib/pgcrypto (Marko Tiikkaja, Noah Misch)
Errors in memory size tracking within the pgcrypto module permitted stack buffer overruns and improper dependence on the contents of uninitialized memory. The buffer overrun cases can crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. (CVE-2015-0243)
Fix possible loss of frontend/backend protocol synchronization after an error (Heikki Linnakangas)
If any error occurred while the server was in the middle of reading a protocol message from the client, it could lose synchronization and incorrectly try to interpret part of the message's data as a new protocol message. An attacker able to submit crafted binary data within a command parameter might succeed in injecting his own SQL commands this way. Statement timeout and query cancellation are the most likely sources of errors triggering this scenario. Particularly vulnerable are applications that use a timeout and also submit arbitrary user-crafted data as binary query parameters. Disabling statement timeout will reduce, but not eliminate, the risk of exploit. Our thanks to Emil Lenngren for reporting this issue. (CVE-2015-0244)
Fix information leak via constraint-violation error messages (Stephen Frost)
Some server error messages show the values of columns that violate a constraint, such as a unique constraint. If the user does not have SELECT privilege on all columns of the table, this could mean exposing values that the user should not be able to see. Adjust the code so that values are displayed only when they came from the SQL command or could be selected by the user. (CVE-2014-8161)
Lock down regression testing's temporary installations on Windows (Noah Misch)
Use SSPI authentication to allow connections only from the OS user who launched the test suite. This closes on Windows the same vulnerability previously closed on other platforms, namely that other users might be able to connect to the test postmaster. (CVE-2014-0067)
Cope with the Windows locale named “Norwegian (Bokmål)” (Heikki Linnakangas)
Non-ASCII locale names are problematic since it's not clear what encoding they should be represented in. Map the troublesome locale name to a plain-ASCII alias, “Norwegian_Norway”.
9.4.0 mapped the troublesome name to “norwegian-bokmal”, but that turns out not to work on all Windows configurations. “Norwegian_Norway” is now recommended instead.
Fix use-of-already-freed-memory problem in EvalPlanQual processing (Tom Lane)
In READ COMMITTED mode, queries that lock or update recently-updated rows could crash as a result of this bug.
Avoid possible deadlock while trying to acquire tuple locks in EvalPlanQual processing (Álvaro Herrera, Mark Kirkwood)
Fix failure to wait when a transaction tries to acquire a FOR NO KEY EXCLUSIVE tuple lock, while multiple other transactions currently hold FOR SHARE locks (Álvaro Herrera)
Improve performance of EXPLAIN with large range tables (Tom Lane)
Fix jsonb Unicode escape processing, and in consequence disallow \u0000 (Tom Lane)
Previously, the JSON Unicode escape \u0000 was accepted and was stored as those six characters; but that is indistinguishable from what is stored for the input \\u0000, resulting in ambiguity. Moreover, in cases where de-escaped textual output is expected, such as the ->> operator, the sequence was printed as \u0000, which does not meet the expectation that JSON escaping would be removed. (Consistent behavior would require emitting a zero byte, but PostgreSQL does not support zero bytes embedded in text strings.) 9.4.0 included an ill-advised attempt to improve this situation by adjusting JSON output conversion rules; but of course that could not fix the fundamental ambiguity, and it turned out to break other usages of Unicode escape sequences. Revert that, and to avoid the core problem, reject \u0000 in jsonb input.
If a jsonb column contains a \u0000 value stored with 9.4.0, it will henceforth read out as though it were \\u0000, which is the other valid interpretation of the data stored by 9.4.0 for this case.
The json type did not have the storage-ambiguity problem, but it did have the problem of inconsistent de-escaped textual output. Therefore \u0000 will now also be rejected in json values when conversion to de-escaped form is required. This change does not break the ability to store \u0000 in json columns so long as no processing is done on the values. This is exactly parallel to the cases in which non-ASCII Unicode escapes are allowed when the database encoding is not UTF8.
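The following psql session, added here as an illustration and not part of the release notes, exercises the \u0000 rules just described against a 9.4.1 or later server; the temporary table and key names are made up for the example.

```sql
-- Constructed example, not from the PostgreSQL release notes.
-- Assumes a 9.4.1 (or later) server and standard_conforming_strings = on,
-- so backslashes inside the string literals reach the JSON parser verbatim.

-- jsonb: the escape \u0000 is rejected at input time, because its stored
-- form would be indistinguishable from the input \\u0000.
SELECT '{"k": "\u0000"}'::jsonb;              -- rejected with an error

-- The six-character sequence \\u0000 (escaped backslash followed by u0000)
-- is still accepted; de-escaping it yields the text \u0000, never a NUL byte.
SELECT '{"k": "\\u0000"}'::jsonb ->> 'k';

-- json: input is stored verbatim, so \u0000 can still be stored and read
-- back as long as nothing has to de-escape the string ...
CREATE TEMP TABLE doc (body json);
INSERT INTO doc VALUES ('{"k": "\u0000"}');
SELECT body FROM doc;                          -- round-trips unchanged

-- ... but an operation that must produce de-escaped text now fails.
SELECT body ->> 'k' FROM doc;                  -- rejected with an error

-- Other Unicode escapes are unaffected when the database encoding is UTF8.
SELECT '{"k": "\u00e9"}'::jsonb ->> 'k';
```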
Fix namespace handling in xpath() (Ali Akbar)
Previously, the xml value resulting from an xpath() call would not have namespace declarations if the namespace declarations were attached to an ancestor element in the input xml value, rather than to the specific element being returned. Propagate the ancestral declaration so that the result is correct when considered in isolation.
Fix assorted oversights in range-operator selectivity estimation (Emre Hasegeli)
This patch fixes corner-case “unexpected operator NNNN” planner errors, and improves the selectivity estimates for some other cases.
Revert unintended reduction in maximum size of a GIN index item (Heikki Linnakangas)
9.4.0 could fail with “index row size exceeds maximum” errors for data that previous versions would accept.
Fix query-duration memory leak during repeated GIN index rescans (Heikki Linnakangas)
Fix possible crash when using nonzero gin_fuzzy_search_limit (Heikki Linnakangas)
Assorted fixes for logical decoding (Andres Freund)
Fix incorrect replay of WAL parameter change records that report changes in the wal_log_hints setting (Petr Jelinek)
Change “pgstat wait timeout” warning message to be LOG level, and rephrase it to be more understandable (Tom Lane)
This message was originally thought to be essentially a can't-happen case, but it occurs often enough on our slower buildfarm members to be a nuisance. Reduce it to LOG level, and expend a bit more effort on the wording: it now reads “using stale statistics instead of current ones because stats collector is not responding”.
Warn if macOS's setlocale() starts an unwanted extra thread inside the postmaster (Noah Misch)
Fix libpq's behavior when /etc/passwd isn't readable (Tom Lane)
While doing PQsetdbLogin(), libpq attempts to ascertain the user's operating system name, which on most Unix platforms involves reading /etc/passwd. As of 9.4, failure to do that was treated as a hard error. Restore the previous behavior, which was to fail only if the application does not provide a database role name to connect as. This supports operation in chroot environments that lack an /etc/passwd file.
Improve consistency of parsing of psql's special variables (Tom Lane)
Allow variant spellings of on and off (such as 1/0) for ECHO_HIDDEN and ON_ERROR_ROLLBACK. Report a warning for unrecognized values for COMP_KEYWORD_CASE, ECHO, ECHO_HIDDEN, HISTCONTROL, ON_ERROR_ROLLBACK, and VERBOSITY. Recognize all values for all these variables case-insensitively; previously there was a mishmash of case-sensitive and case-insensitive behaviors.
Fix pg_dump to handle comments on event triggers without failing (Tom Lane)
Allow parallel pg_dump to use --serializable-deferrable (Kevin Grittner)
Prevent WAL files created by pg_basebackup -x/-X from being archived again when the standby is promoted (Andres Freund)
Handle unexpected query results, especially NULLs, safely in contrib/tablefunc's connectby() (Michael Paquier)
connectby() previously crashed if it encountered a NULL key value. It now prints that row but doesn't recurse further.
Numerous cleanups of warnings from Coverity static code analyzer (Andres Freund, Tatsuo Ishii, Marko Kreen, Tom Lane, Michael Paquier)
These changes are mostly cosmetic but in some cases fix corner-case bugs, for example a crash rather than a proper error report after an out-of-memory failure. None are believed to represent security issues.
Allow CFLAGS from configure's environment to override automatically-supplied CFLAGS (Tom Lane)
Previously, configure would add any switches that it chose of its own accord to the end of the user-specified CFLAGS string. Since most compilers process switches left-to-right, this meant that configure's choices would override the user-specified flags in case of conflicts. That should work the other way around, so adjust the logic to put the user's string at the end not the beginning.
Make pg_regress remove any temporary installation it created upon successful exit (Tom Lane)
This results in a very substantial reduction in disk space usage during make check-world, since that sequence involves creation of numerous temporary installations.
Add CST (China Standard Time) to our lists of timezone abbreviations (Tom Lane)
Update time zone data files to tzdata release 2015a for DST law changes in Chile and Mexico, plus historical changes in Iceland.