What's new in this version:
Fix buffer overruns in to_char() (Bruce Momjian):
- When to_char() processes a numeric formatting template calling for a large number of digits, PostgreSQL would read past the end of a buffer. When processing a crafted timestamp formatting template, PostgreSQL would write past the end of a buffer. Either case could crash the server. We have not ruled out the possibility of attacks that lead to privilege escalation, though they seem unlikely. (CVE-2015-0241)
Fix buffer overrun in replacement *printf() functions (Tom Lane):
- PostgreSQL includes a replacement implementation of printf and related functions. This code will overrun a stack buffer when formatting a floating point number (conversion specifiers e, E, f, F, g or G) with requested precision greater than about 500. This will crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. A database user can trigger such a buffer overrun through the to_char() SQL function. While that is the only affected core PostgreSQL functionality, extension modules that use printf-family functions may be at risk as well. This issue primarily affects PostgreSQL on Windows. PostgreSQL uses the system implementation of these functions where adequate, which it is on other modern platforms. (CVE-2015-0242)
Fix buffer overruns in contrib/pgcrypto (Marko Tiikkaja, Noah Misch):
- Errors in memory size tracking within the pgcrypto module permitted stack buffer overruns and improper dependence on the contents of uninitialized memory. The buffer overrun cases can crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. (CVE-2015-0243)
Fix possible loss of frontend/backend protocol synchronization after an error (Heikki Linnakangas):
- If any error occurred while the server was in the middle of reading a protocol message from the client, it could lose synchronization and incorrectly try to interpret part of the message's data as a new protocol message. An attacker able to submit crafted binary data within a command parameter might succeed in injecting his own SQL commands this way. Statement timeout and query cancellation are the most likely sources of errors triggering this scenario. Particularly vulnerable are applications that use a timeout and also submit arbitrary user-crafted data as binary query parameters. Disabling statement timeout will reduce, but not eliminate, the risk of exploit. Our thanks to Emil Lenngren for reporting this issue. (CVE-2015-0244)
Fix information leak via constraint-violation error messages (Stephen Frost):
- Some server error messages show the values of columns that violate a constraint, such as a unique constraint. If the user does not have SELECT privilege on all columns of the table, this could mean exposing values that the user should not be able to see. Adjust the code so that values are displayed only when they came from the SQL command or could be selected by the user. (CVE-2014-8161)
Lock down regression testing's temporary installations on Windows (Noah Misch):
- Use SSPI authentication to allow connections only from the OS user who launched the test suite. This closes on Windows the same vulnerability previously closed on other platforms, namely that other users might be able to connect to the test postmaster. (CVE-2014-0067)
Fix use-of-already-freed-memory problem in EvalPlanQual processing (Tom Lane):
- In READ COMMITTED mode, queries that lock or update recently-updated rows could crash as a result of this bug.
Fix jsonb Unicode escape processing, and in consequence disallow u0000 (Tom Lane):
- Previously, the JSON Unicode escape u0000 was accepted and was stored as those six characters; but that is indistinguishable from what is stored for the input \u0000, resulting in ambiguity. Moreover, in cases where de-escaped textual output is expected, such as the ->> operator, the sequence was printed as u0000, which does not meet the expectation that JSON escaping would be removed. (Consistent behavior would require emitting a zero byte, but PostgreSQL does not support zero bytes embedded in text strings.) 9.4.0 included an ill-advised attempt to improve this situation by adjusting JSON output conversion rules; but of course that could not fix the fundamental ambiguity, and it turned out to break other usages of Unicode escape sequences. Revert that, and to avoid the core problem, reject u0000 in jsonb input. If a jsonb column contains a u0000 value stored with 9.4.0, it will henceforth read out as though it were \u0000, which is the other valid interpretation of the data stored by 9.4.0 for this case. The json type did not have the storage-ambiguity problem, but it did have the problem of inconsistent de-escaped textual output. Therefore u0000 will now also be rejected in json values when conversion to de-escaped form is required. This change does not break the ability to store u0000 in json columns so long as no processing is done on the values. This is exactly parallel to the cases in which non-ASCII Unicode escapes are allowed when the database encoding is not UTF8.
Fix namespace handling in xpath() (Ali Akbar):
- Previously, the xml value resulting from an xpath() call would not have namespace declarations if the namespace declarations were attached to an ancestor element in the input xml value, rather than to the specific element being returned. Propagate the ancestral declaration so that the result is correct when considered in isolation.
Fix assorted oversights in range-operator selectivity estimation (Emre Hasegeli):
- This patch fixes corner-case "unexpected operator NNNN" planner errors, and improves the selectivity estimates for some other cases.
Revert unintended reduction in maximum size of a GIN index item (Heikki Linnakangas):
- 9.4.0 could fail with "index row size exceeds maximum" errors for data that previous versions would accept.
Change "pgstat wait timeout" warning message to be LOG level, and rephrase it to be more understandable (Tom Lane):
- This message was originally thought to be essentially a can't-happen case, but it occurs often enough on our slower buildfarm members to be a nuisance. Reduce it to LOG level, and expend a bit more effort on the wording: it now reads "using stale statistics instead of current ones because stats collector is not responding".
Fix libpq's behavior when /etc/passwd isn't readable (Tom Lane):
- While doing PQsetdbLogin(), libpq attempts to ascertain the user's operating system name, which on most Unix platforms involves reading /etc/passwd. As of 9.4, failure to do that was treated as a hard error. Restore the previous behavior, which was to fail only if the application does not provide a database role name to connect as. This supports operation in chroot environments that lack an /etc/passwd file.
- Improve consistency of parsing of psql's special variables (Tom Lane):
- Allow variant spellings of on and off (such as 1/0) for ECHO_HIDDEN and ON_ERROR_ROLLBACK. Report a warning for unrecognized values for COMP_KEYWORD_CASE, ECHO, ECHO_HIDDEN, HISTCONTROL, ON_ERROR_ROLLBACK, and VERBOSITY. Recognize all values for all these variables case-insensitively; previously there was a mishmash of case-sensitive and case-insensitive behaviors.
- Handle unexpected query results, especially NULLs, safely in contrib/tablefunc's connectby() (Michael Paquier): connectby() previously crashed if it encountered a NULL key value. It now prints that row but doesn't recurse further.
- Numerous cleanups of warnings from Coverity static code analyzer (Andres Freund, Tatsuo Ishii, Marko Kreen, Tom Lane, Michael Paquier):
- These changes are mostly cosmetic but in some cases fix corner-case bugs, for example a crash rather than a proper error report after an out-of-memory failure. None are believed to represent security issues.
Allow CFLAGS from configure's environment to override automatically-supplied CFLAGS (Tom Lane):
- Previously, configure would add any switches that it chose of its own accord to the end of the user-specified CFLAGS string. Since most compilers process switches left-to-right, this meant that configure's choices would override the user-specified flags in case of conflicts. That should work the other way around, so adjust the logic to put the user's string at the end not the beginning.
Make pg_regress remove any temporary installation it created upon successful exit (Tom Lane):
- This results in a very substantial reduction in disk space usage during make check-world, since that sequence involves creation of numerous temporary installations.
- Add CST (China Standard Time) to our lists of timezone abbreviations (Tom Lane)
- Update time zone data files to tzdata release 2015a for DST law changes in Chile and Mexico, plus historical changes in Iceland. Avoid possible deadlock while trying to acquire tuple locks in EvalPlanQual processing (Álvaro Herrera, Mark Kirkwood)
- Fix failure to wait when a transaction tries to acquire a FOR NO KEY EXCLUSIVE tuple lock, while multiple other transactions currently hold FOR SHARE locks (Álvaro Herrera)
- Improve performance of EXPLAIN with large range tables (Tom Lane)
- Fix query-duration memory leak during repeated GIN index rescans (Heikki Linnakangas)
- Fix possible crash when using nonzero gin_fuzzy_search_limit (Heikki Linnakangas)
- Assorted fixes for logical decoding (Andres Freund)
- Fix incorrect replay of WAL parameter change records that report changes in the wal_log_hints setting (Petr Jalinek)
- Warn if OS X's setlocale() starts an unwanted extra thread inside the postmaster (Noah Misch)
- Fix pg_dump to handle comments on event triggers without failing (Tom Lane)
- Allow parallel pg_dump to use --serializable-deferrable (Kevin Grittner)
- Prevent WAL files created by pg_basebackup -x/-X from being archived again when the standby is promoted (Andres Freund)