Skip to content

Commit 0089dd3

Browse files
nmischnmisch
committed
Force certain "pljava" custom GUCs to be PGC_SUSET.
Future PL/Java versions will close CVE-2016-0766 by making these GUCs PGC_SUSET. This PostgreSQL change independently mitigates that PL/Java vulnerability, helping sites that update PostgreSQL more frequently than PL/Java. Back-patch to 9.1 (all supported versions).
1 parent 37e6946 commit 0089dd3

File tree

1 file changed

+11
-0
lines changed
  • src/backend/utils/misc

1 file changed

+11
-0
lines changed

src/backend/utils/misc/guc.c

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7224,6 +7224,17 @@ init_custom_variable(const char *name,
72247224
!process_shared_preload_libraries_in_progress)
72257225
elog(FATAL, "cannot create PGC_POSTMASTER variables after startup");
72267226

7227+
/*
7228+
* Before pljava commit 398f3b876ed402bdaec8bc804f29e2be95c75139
7229+
* (2015-12-15), two of that module's PGC_USERSET variables facilitated
7230+
* trivial escalation to superuser privileges. Restrict the variables to
7231+
* protect sites that have yet to upgrade pljava.
7232+
*/
7233+
if (context == PGC_USERSET &&
7234+
(strcmp(name, "pljava.classpath") == 0 ||
7235+
strcmp(name, "pljava.vmoptions") == 0))
7236+
context = PGC_SUSET;
7237+
72277238
gen = (struct config_generic *) guc_malloc(ERROR, sz);
72287239
memset(gen, 0, sz);
72297240

0 commit comments

Comments
 (0)
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy