1. 18 May, 2015 10 commits
    • Check return values of sensitive system library calls. · fd97bd41
      Noah Misch authored
      PostgreSQL already checked the vast majority of these, missing this
      handful that nearly cannot fail.  If putenv() failed with ENOMEM in
      pg_GSS_recvauth(), authentication would proceed with the wrong keytab
      file.  If strftime() returned zero in cache_locale_time(), using the
      unspecified buffer contents could lead to information exposure or a
      crash.  Back-patch to 9.0 (all supported versions).
      
      Other unchecked calls to these functions, especially those in frontend
      code, pose negligible security concern.  This patch does not address
      them.  Nonetheless, it is always better to check return values whose
      specification provides for indicating an error.
      
      In passing, fix an off-by-one error in strftime_win32()'s invocation of
      WideCharToMultiByte().  Upon retrieving a value of exactly MAX_L10N_DATA
      bytes, strftime_win32() would overrun the caller's buffer by one byte.
      MAX_L10N_DATA is chosen to exceed the length of every possible value, so
      the vulnerable scenario probably does not arise.
      
      Security: CVE-2015-3166
    • Add error-throwing wrappers for the printf family of functions. · 16304a01
      Noah Misch authored
      All known standard library implementations of these functions can fail
      with ENOMEM.  A caller neglecting to check for failure would experience
      missing output, information exposure, or a crash.  Check return values
      within wrappers and code, currently just snprintf.c, that bypasses the
      wrappers.  The wrappers do not return after an error, so their callers
      need not check.  Back-patch to 9.0 (all supported versions).
      
      Popular free software standard library implementations do take pains to
      bypass malloc() in simple cases, but they risk ENOMEM for floating point
      numbers, positional arguments, large field widths, and large precisions.
      No specification demands such caution, so this commit regards every call
      to a printf family function as a potential threat.
      
      Injecting the wrappers implicitly is a compromise between patch scope
      and design goals.  I would prefer to edit each call site to name a
      wrapper explicitly.  libpq and the ECPG libraries would, ideally, convey
      errors to the caller rather than abort().  All that would be painfully
      invasive for a back-patched security fix, hence this compromise.
      
      Security: CVE-2015-3166
    • Permit use of vsprintf() in PostgreSQL code. · cac18a76
      Noah Misch authored
      The next commit needs it.  Back-patch to 9.0 (all supported versions).
    • Prevent a double free by not reentering be_tls_close(). · b0ce3850
      Noah Misch authored
      Reentering this function with the right timing caused a double free,
      typically crashing the backend.  By synchronizing a disconnection with
      the authentication timeout, an unauthenticated attacker could achieve
      this somewhat consistently.  Call be_tls_close() solely from within
      proc_exit_prepare().  Back-patch to 9.0 (all supported versions).
      
      Benkocs Norbert Attila
      
      Security: CVE-2015-3165
    • Fix typo in comment. · 8cc7a4c5
      Heikki Linnakangas authored
      Jim Nasby
    • Put back stats-collector restarting code, removed accidentally. · 4df13289
      Heikki Linnakangas authored
      Removed that code snippet accidentally in the archive_mode='always' patch.
      
      Also, use varname-tags for archive_command in the docs.
      
      Fujii Masao
    • Don't classify REINDEX command as DDL in the pg_audit doc. · d773b557
      Fujii Masao authored
      The commit a936743b changed the class of REINDEX but forgot to update the doc.
    • Add new files to nls.mk · 382b479a
      Peter Eisentraut authored
    • Fix failure to copy IndexScan.indexorderbyops in copyfuncs.c. · 42466191
      Tom Lane authored
      This oversight results in a crash at executor startup if the plan has
      been copied.  outfuncs.c was missed as well.
      
      While we could probably have taught both those files to cope with the
      originally chosen representation of an Oid array, it would have been
      painful, not least because there'd be no easy way to verify the array
      length.  An Oid List is far easier to work with.  And AFAICS, there is
      no particular notational benefit to using an array rather than a list
      in the existing parts of the patch either.  So just change it to a list.
      
      Error in commit 35fcb1b3, which is new,
      so no need for back-patch.
    • Use += not = to set makefile variables after including base makefiles. · b14cf229
      Tom Lane authored
      The previous coding in hstore_plpython and ltree_plpython wiped out any
      values set by the base makefiles.  This at least had the effect of running
      the tests in "regression" not "contrib_regression" as expected.  These
      being pretty new modules, there might be other bad effects we'd not
      noticed yet.
  2. 17 May, 2015 7 commits
  3. 16 May, 2015 10 commits
    • First-draft release notes for 9.4.2 et al. · 0563b4c0
      Tom Lane authored
      As usual, the release notes for older branches will be made by cutting
      these down, but put them up for community review first.
    • pg_upgrade: no need to check for matching float8_pass_by_value · 750ccaef
      Bruce Momjian authored
      Report by Noah Misch
    • Fix docs typo · c65aa7a8
      Tom Lane authored
      I don't think "respectfully" is what was meant here ...
    • More portability fixing for bipartite_match.c. · 26058bf0
      Tom Lane authored
      <float.h> is required for isinf() on some platforms.  Per buildfarm.
    • pg_upgrade: force timeline 1 in the new cluster · 4c5e0600
      Bruce Momjian authored
      Previously, this prevented promoted standby servers from being upgraded
      because of a missing WAL history file.  (Timeline 1 doesn't need a
      history file, and we don't copy WAL files anyway.)
      
      Report by Christian Echerer(?), Alexey Klyukin
      
      Backpatch through 9.0
    • pg_upgrade: only allow template0 to be non-connectable · fb694d95
      Bruce Momjian authored
      This patch causes pg_upgrade to error out during its check phase if:
      
      (1) template0 is marked connectable
      or
      (2) any other database is marked non-connectable
      
      This is done because, in the first case, pg_upgrade would fail because
      the pg_dumpall --globals restore would fail, and in the second case, the
      database would not be restored, leading to data loss.
      
      Report by Matt Landry (1), Stephen Frost (2)
      
      Backpatch through 9.0
    • Avoid direct use of INFINITY. · 12cc299c
      Tom Lane authored
      It's not very portable.  Per buildfarm.
    • Add docs for tablesample system_time() · f941d033
      Simon Riggs authored
    • Support GROUPING SETS, CUBE and ROLLUP. · f3d31185
      Andres Freund authored
      This SQL standard functionality allows aggregating data by different
      GROUP BY clauses at once. Each grouping set returns rows with columns
      grouped by in other sets set to NULL.
      
      This could previously be achieved by doing each grouping as a separate
      query, conjoined by UNION ALLs. Besides being considerably more concise,
      grouping sets will in many cases be faster, requiring only one scan over
      the underlying data.
      
      The current implementation of grouping sets only supports using sorting
      for input. Individual sets that share a sort order are computed in one
      pass. If there are sets that don't share a sort order, additional sort &
      aggregation steps are performed. These additional passes are sourced by
      the previous sort step; thus avoiding repeated scans of the source data.
      
      The code is structured in a way that adding support for purely using
      hash aggregation or a mix of hashing and sorting is possible. Sorting
      was chosen to be supported first, as it is the most generic method of
      implementation.
      
      Instead of, as in earlier versions of the patch, representing the
      chain of sort and aggregation steps as full blown planner and executor
      nodes, all but the first sort are performed inside the aggregation node
      itself. This avoids the need to do some unusual gymnastics to handle
      having to return aggregated and non-aggregated tuples from underlying
      nodes, as well as having to shut down underlying nodes early to limit
      memory usage.  The optimizer still builds Sort/Agg node to describe each
      phase, but they're not part of the plan tree, but instead additional
      data for the aggregation node. They're a convenient and preexisting way
      to describe aggregation and sorting.  The first (and possibly only) sort
      step is still performed as a separate execution step. That retains
      similarity with existing group by plans, makes rescans fairly simple,
      avoids very deep plans (leading to slow explains) and easily allows
      avoiding the sorting step if the underlying data is sorted by other means.
      
      A somewhat ugly side of this patch is having to deal with a grammar
      ambiguity between the new CUBE keyword and the cube extension/functions
      named cube (and rollup). To avoid breaking existing deployments of the
      cube extension it has not been renamed, neither has cube been made a
      reserved keyword. Instead precedence hacking is used to make GROUP BY
      cube(..) refer to the CUBE grouping sets feature, and not the function
      cube(). To actually group by a function cube(), unlikely as that might
      be, the function name has to be quoted.
      
      Needs a catversion bump because stored rules may change.
      
      Author: Andrew Gierth and Atri Sharma, with contributions from Andres Freund
      Reviewed-By: Andres Freund, Noah Misch, Tom Lane, Svenne Krap, Tomas
          Vondra, Erik Rijkers, Marti Raudsepp, Pavel Stehule
      Discussion: CAOeZVidmVRe2jU6aMk_5qkxnB7dfmPROzM7Ur8JPW5j8Y5X-Lw@mail.gmail.com
    • Add docs for tablesample system_rows() · 6e4415c6
      Simon Riggs authored
  4. 15 May, 2015 13 commits
    • Update time zone data files to tzdata release 2015d. · 9d366c1f
      Tom Lane authored
      DST law changes in Egypt, Mongolia, Palestine.
      Historical corrections for Canada and Chile.
      Revised zone abbreviation for America/Adak (HST/HDT not HAST/HADT).
    • Add BRIN infrastructure for "inclusion" opclasses · b0b7be61
      Alvaro Herrera authored
      This lets BRIN be used with R-Tree-like indexing strategies.
      
      Also provided are operator classes for range types, box and inet/cidr.
      The infrastructure provided here should be sufficient to create operator
      classes for similar datatypes; for instance, opclasses for PostGIS
      geometries should be doable, though we didn't try to implement one.
      
      (A box/point opclass was also submitted, but we ripped it out before
      commit because the handling of floating point comparisons in existing
      code is inconsistent and would generate corrupt indexes.)
      
      Author: Emre Hasegeli.  Cosmetic changes by me
      Review: Andreas Karlsson
    • Improve test for CONVERT() with GB18030 <-> UTF8. · 199f5973
      Tom Lane authored
      Add a bit of coverage of high code points.
      
      Arjen Nienhuis
    • Move strategy numbers to include/access/stratnum.h · 26df7066
      Alvaro Herrera authored
      For upcoming BRIN opclasses, it's convenient to have strategy numbers
      defined in a single place.  Since there's nothing appropriate, create
      it.  The StrategyNumber typedef now lives there, as well as existing
      strategy numbers for B-trees (from skey.h) and R-tree-and-friends (from
      gist.h).  skey.h is forced to include stratnum.h because of the
      StrategyNumber typedef, but gist.h is not; extensions that currently
      rely on gist.h for rtree strategy numbers might need to add a new
      
      A few .c files can stop including skey.h and/or gist.h, which is a nice
      side benefit.
      
      Per discussion:
      https://www.postgresql.org/message-id/20150514232132.GZ2523@alvh.no-ip.org
      
      Authored by Emre Hasegeli and Álvaro.
      
      (It's not clear to me why bootscanner.l has any #include lines at all.)
    • Simon Riggs's avatar
      1e98fa0b
    • Fix uninitialized variable. · 66493dd7
      Tom Lane authored
      Per compiler warnings.
    • Tablesample method API docs · 910baf0a
      Simon Riggs authored
      Petr Jelinek
    • Add to contrib/Makefile · df259759
      Simon Riggs authored
    • contrib/tsm_system_time · 56e121a5
      Simon Riggs authored
    • contrib/tsm_system_rows · 4d40494b
      Simon Riggs authored
    • TABLESAMPLE system_time(limit) · 149f6f15
      Simon Riggs authored
      Contrib module implementing a tablesample method
      that allows you to limit the sample by a hard time
      limit.
      
      Petr Jelinek
      
      Reviewed by Michael Paquier, Amit Kapila and
      Simon Riggs
    • TABLESAMPLE system_rows(limit) · 9689290f
      Simon Riggs authored
      Contrib module implementing a tablesample method
      that allows you to limit the sample by a hard row
      limit.
      
      Petr Jelinek
      
      Reviewed by Michael Paquier, Amit Kapila and
      Simon Riggs
    • Extend GB18030 encoding conversion to cover full Unicode range. · 8d3e0906
      Tom Lane authored
      Our previous code for GB18030 <-> UTF8 conversion only covered Unicode code
      points up to U+FFFF, but the actual spec defines conversions for all code
      points up to U+10FFFF.  That would be rather impractical as a lookup table,
      but fortunately there is a simple algorithmic conversion between the
      additional code points and the equivalent GB18030 byte patterns.  Make use
      of the just-added callback facility in LocalToUtf/UtfToLocal to perform the
      additional conversions.
      
      Having created the infrastructure to do that, we can use the same code to
      map certain linearly-related subranges of the Unicode space below U+FFFF,
      allowing removal of the corresponding lookup table entries.  This more
      than halves the lookup table size, which is a substantial savings;
      utf8_and_gb18030.so drops from nearly a megabyte to about half that.
      
      In support of doing that, replace ISO10646-GB18030.TXT with the data file
      gb-18030-2000.xml (retrieved from
      http://source.icu-project.org/repos/icu/data/trunk/charset/data/xml/ )
      in which these subranges have been deleted from the simple lookup entries.
      
      Per bug #12845 from Arjen Nienhuis.  The conversion code added here is
      based on his proposed patch, though I whacked it around rather heavily.