3636 <listitem>
3737<!--
3838Author: Tom Lane <tgl@sss.pgh.pa.us>
39+ Branch: master [f02b9085a] 2021-05-10 10:44:38 -0400
40+ Branch: REL_13_STABLE [467395bfd] 2021-05-10 10:44:38 -0400
41+ Branch: REL_12_STABLE [3b0f6a7ae] 2021-05-10 10:44:38 -0400
42+ Branch: REL_11_STABLE [06bfbe854] 2021-05-10 10:44:38 -0400
43+ Branch: REL_10_STABLE [2fb809d3e] 2021-05-10 10:44:38 -0400
44+ Branch: REL9_6_STABLE [0c1caa48d] 2021-05-10 10:44:38 -0400
45+ -->
46+ <para>
47+ Prevent integer overflows in array subscripting calculations
48+ (Tom Lane)
49+ </para>
50+
51+ <para>
52+ The array code previously did not complain about cases where an
53+ array's lower bound plus length overflows an integer. This resulted
54+ in later entries in the array becoming inaccessible (since their
55+ subscripts could not be written as integers), but more importantly
56+ it confused subsequent assignment operations. This could lead to
57+ memory overwrites, with ensuing crashes or unwanted data
58+ modifications.
59+ (CVE-2021-32027)
60+ </para>
61+ </listitem>
62+
63+ <listitem>
64+ <!--
65+ Author: Tom Lane <tgl@sss.pgh.pa.us>
66+ Branch: master [049e1e2ed] 2021-05-10 11:02:29 -0400
67+ Branch: REL_13_STABLE [4a8656a7e] 2021-05-10 11:02:29 -0400
68+ Branch: REL_12_STABLE [a5fa3e067] 2021-05-10 11:02:29 -0400
69+ Branch: REL_11_STABLE [b7d1f32ff] 2021-05-10 11:02:29 -0400
70+ Branch: REL_10_STABLE [52a441362] 2021-05-10 11:02:30 -0400
71+ Branch: REL9_6_STABLE [0fcb8e2e0] 2021-05-10 11:02:30 -0400
72+ -->
73+ <para>
74+ Fix mishandling of <quote>junk</quote> columns in <literal>INSERT
75+ ... ON CONFLICT ... UPDATE</literal> target lists (Tom Lane)
76+ </para>
77+
78+ <para>
79+ If the <literal>UPDATE</literal> list contains any multi-column
80+ sub-selects (which give rise to junk columns in addition to the
81+ results proper), the <literal>UPDATE</literal> path would end up
82+ storing tuples that include the values of the extra junk columns.
83+ That's fairly harmless in the short run, but if new columns are
84+ added to the table then the values would become accessible, possibly
85+ leading to malfunctions if they don't match the datatypes of the
86+ added columns.
87+ </para>
88+
89+ <para>
90+ In addition, in versions supporting cross-partition updates,
91+ a cross-partition update triggered by such a case had the reverse
92+ problem: the junk columns were removed from the target list,
93+ typically causing an immediate crash due to malfunction of the
94+ multi-column sub-select mechanism.
95+ (CVE-2021-32028)
96+ </para>
97+ </listitem>
98+
99+ <listitem>
100+ <!--
101+ Author: Tom Lane <tgl@sss.pgh.pa.us>
39102Branch: REL_13_STABLE [a71cfc56b] 2021-04-22 11:46:41 -0400
40103Branch: REL_12_STABLE [3fb93103a] 2021-04-22 11:46:41 -0400
41104Branch: REL_11_STABLE [27835b547] 2021-04-22 11:46:41 -0400
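Review bot: In the CVE-2021-32028 item, the "(CVE-2021-32028)" tag closes only the third paragraph (the cross-partition crash), so a reader can take the CVE to cover just that case and not the stored junk-column values described in the second paragraph. If both behaviours fall under the same CVE, say so or place the tag where it visibly applies to the whole item. Separately, "possibly leading to malfunctions" in the second paragraph is vaguer than the CVE-2021-32027 item's "memory overwrites, with ensuing crashes or unwanted data modifications"; naming the consequence in comparable terms would help readers judge the urgency of the update.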
@@ -58,6 +121,7 @@ Branch: REL_12_STABLE [05ce4bf8b] 2021-04-22 17:30:42 -0400
58121 could produce errors or wrong answers. No error is observed unless
59122 the <command>UPDATE</command> involves other tables being joined to
60123 the target table.
124+ (CVE-2021-32029)
61125 </para>
62126 </listitem>
63127
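Review bot: The added "(CVE-2021-32029)" line follows text that, in the context shown, describes only "errors or wrong answers", which does not tell a reader why this item carries a CVE. The two items added earlier in this commit each name a consequence (memory overwrites, a crash); if the part of this paragraph outside the hunk does not already name one, add a sentence that does before the tag.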