Skip to content

Commit ed6deeb

Browse files
nmischnmisch
committed
Force certain "pljava" custom GUCs to be PGC_SUSET.
Future PL/Java versions will close CVE-2016-0766 by making these GUCs PGC_SUSET. This PostgreSQL change independently mitigates that PL/Java vulnerability, helping sites that update PostgreSQL more frequently than PL/Java. Back-patch to 9.1 (all supported versions).
1 parent 31b792f commit ed6deeb

File tree

1 file changed

+11
-0
lines changed
  • src/backend/utils/misc

1 file changed

+11
-0
lines changed

src/backend/utils/misc/guc.c

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7076,6 +7076,17 @@ init_custom_variable(const char *name,
70767076
!process_shared_preload_libraries_in_progress)
70777077
elog(FATAL, "cannot create PGC_POSTMASTER variables after startup");
70787078

7079+
/*
7080+
* Before pljava commit 398f3b876ed402bdaec8bc804f29e2be95c75139
7081+
* (2015-12-15), two of that module's PGC_USERSET variables facilitated
7082+
* trivial escalation to superuser privileges. Restrict the variables to
7083+
* protect sites that have yet to upgrade pljava.
7084+
*/
7085+
if (context == PGC_USERSET &&
7086+
(strcmp(name, "pljava.classpath") == 0 ||
7087+
strcmp(name, "pljava.vmoptions") == 0))
7088+
context = PGC_SUSET;
7089+
70797090
gen = (struct config_generic *) guc_malloc(ERROR, sz);
70807091
memset(gen, 0, sz);
70817092

0 commit comments

Comments
 (0)
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy