PostgreSQL:
2018-03-01

pg_upgrade normally restricts its temporary files to be readable and writable only by the calling user. But the temporary file containing pg_dumpall -g output would be group- or world-readable, or even writable, if the user's umask setting allows. In typical usage on multi-user machines, the umask and/or the working directory's permissions would be tight enough to prevent problems; but there may be people using pg_upgrade in scenarios where this oversight would permit disclosure of database passwords to unfriendly eyes.

CVE-2018-1053

postgresql-client-9.6.7.tgz
postgresql-docs-9.6.7.tgz
postgresql-contrib-9.6.7.tgz
postgresql-server-9.6.7.tgz
postgresql-plpython-9.6.7.tgz
postgresql-pg_upgrade-9.6.7.tgz
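
The permission behaviour the advisory describes, as an added example that is not PostgreSQL's own code: a file created with fopen() gets whatever mode the caller's umask allows, and tightening the umask before creation is one way a program can keep such a file owner-only. The file name and contents are constructed, and the functions mode_after_fopen() and exposed() are hypothetical helpers for this demonstration.

```c
/* Added example (not PostgreSQL source): umask decides the mode of a
 * file created with fopen(). File name and contents are constructed. */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create `path` with fopen() under `mask` and return the resulting
 * permission bits, or -1 on error. The previous umask is restored. */
static int mode_after_fopen(const char *path, mode_t mask)
{
    struct stat st;
    mode_t old;
    FILE *fp;

    unlink(path);              /* make sure the file is newly created */
    old = umask(mask);
    fp = fopen(path, "w");     /* requests 0666, then umask bits are cleared */
    umask(old);
    if (fp == NULL)
        return -1;
    fputs("-- constructed stand-in for a globals dump\n", fp);
    fclose(fp);
    if (stat(path, &st) != 0)
        return -1;
    unlink(path);
    return (int)(st.st_mode & 0777);
}

/* Nonzero when group or other hold any permission bit on the file. */
static int exposed(int mode)
{
    return mode >= 0 && (mode & (S_IRWXG | S_IRWXO)) != 0;
}

int main(void)
{
    const char *path = "umask_demo_globals.sql";   /* hypothetical name */
    mode_t masks[] = { 000, 022, S_IRWXG | S_IRWXO };
    size_t i;

    for (i = 0; i < sizeof masks / sizeof masks[0]; i++) {
        int mode = mode_after_fopen(path, masks[i]);
        if (mode < 0) { perror(path); return 1; }
        printf("umask %03o -> mode %04o %s\n", (unsigned)masks[i],
               (unsigned)mode, exposed(mode) ? "EXPOSED" : "owner-only");
    }
    return 0;
}
```

The same exposed() test applied to stat() output is a quick audit for files left behind in a working directory by an unpatched run.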