From 20db9591b241281b0bcc5871418befffca4095a6 Mon Sep 17 00:00:00 2001
From: Tom Lane <tgl@sss.pgh.pa.us>
Date: Thu, 13 May 2010 21:26:59 +0000
Subject: [PATCH] Update release notes with security issues.

Security: CVE-2010-1169, CVE-2010-1170
---
 doc/src/sgml/release-7.4.sgml | 42 +++++++++++++++++++++++++++++++-
 doc/src/sgml/release-8.0.sgml | 42 +++++++++++++++++++++++++++++++-
 doc/src/sgml/release-8.1.sgml | 42 +++++++++++++++++++++++++++++++-
 doc/src/sgml/release-8.2.sgml | 42 +++++++++++++++++++++++++++++++-
 doc/src/sgml/release-8.3.sgml | 42 +++++++++++++++++++++++++++++++-
 doc/src/sgml/release-8.4.sgml | 46 ++++++++++++++++++++++++++++++++---
 6 files changed, 248 insertions(+), 8 deletions(-)

diff --git a/doc/src/sgml/release-7.4.sgml b/doc/src/sgml/release-7.4.sgml
index f6ae8e79ba..edc184b219 100644
--- a/doc/src/sgml/release-7.4.sgml
+++ b/doc/src/sgml/release-7.4.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/release-7.4.sgml,v 1.6 2010/05/12 23:20:49 tgl Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/release-7.4.sgml,v 1.7 2010/05/13 21:26:59 tgl Exp $ -->
 <!-- See header comment in release.sgml about typical markup -->
 
  <sect1 id="release-7-4-29">
@@ -37,6 +37,46 @@
 
    <itemizedlist>
 
+    <listitem>
+     <para>
+      Enforce restrictions in <literal>plperl</> using an opmask applied to
+      the whole interpreter, instead of using <filename>Safe.pm</>
+      (Tim Bunce, Andrew Dunstan)
+     </para>
+
+     <para>
+      Recent developments have convinced us that <filename>Safe.pm</> is too
+      insecure to rely on for making <literal>plperl</> trustable.  This
+      change removes use of <filename>Safe.pm</> altogether, in favor of using
+      a separate interpreter with an opcode mask that is always applied.
+      Pleasant side effects of the change include that it is now possible to
+      use Perl's <literal>strict</> pragma in a natural way in
+      <literal>plperl</>, and that Perl's <literal>$a</> and <literal>$b</>
+      variables work as expected in sort routines, and that function
+      compilation is significantly faster.  (CVE-2010-1169)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Prevent PL/Tcl from executing untrustworthy code from
+      <structname>pltcl_modules</> (Tom)
+     </para>
+
+     <para>
+      PL/Tcl's feature for autoloading Tcl code from a database table
+      could be exploited for trojan-horse attacks, because there was no
+      restriction on who could create or insert into that table.  This change
+      disables the feature unless <structname>pltcl_modules</> is owned by a
+      superuser.  (However, the permissions on the table are not checked, so
+      installations that really need a less-than-secure modules table can
+      still grant suitable privileges to trusted non-superusers.)  Also,
+      prevent loading code into the unrestricted <quote>normal</> Tcl
+      interpreter unless we are really going to execute a <literal>pltclu</>
+      function.  (CVE-2010-1170)
+     </para>
+    </listitem>
+
     <listitem>
      <para>
       Do not allow an unprivileged user to reset superuser-only parameter
diff --git a/doc/src/sgml/release-8.0.sgml b/doc/src/sgml/release-8.0.sgml
index ed2aa5ca76..b1aeba0d6a 100644
--- a/doc/src/sgml/release-8.0.sgml
+++ b/doc/src/sgml/release-8.0.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/release-8.0.sgml,v 1.6 2010/05/12 23:20:49 tgl Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/release-8.0.sgml,v 1.7 2010/05/13 21:26:59 tgl Exp $ -->
 <!-- See header comment in release.sgml about typical markup -->
 
  <sect1 id="release-8-0-25">
@@ -37,6 +37,46 @@
 
    <itemizedlist>
 
+    <listitem>
+     <para>
+      Enforce restrictions in <literal>plperl</> using an opmask applied to
+      the whole interpreter, instead of using <filename>Safe.pm</>
+      (Tim Bunce, Andrew Dunstan)
+     </para>
+
+     <para>
+      Recent developments have convinced us that <filename>Safe.pm</> is too
+      insecure to rely on for making <literal>plperl</> trustable.  This
+      change removes use of <filename>Safe.pm</> altogether, in favor of using
+      a separate interpreter with an opcode mask that is always applied.
+      Pleasant side effects of the change include that it is now possible to
+      use Perl's <literal>strict</> pragma in a natural way in
+      <literal>plperl</>, and that Perl's <literal>$a</> and <literal>$b</>
+      variables work as expected in sort routines, and that function
+      compilation is significantly faster.  (CVE-2010-1169)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Prevent PL/Tcl from executing untrustworthy code from
+      <structname>pltcl_modules</> (Tom)
+     </para>
+
+     <para>
+      PL/Tcl's feature for autoloading Tcl code from a database table
+      could be exploited for trojan-horse attacks, because there was no
+      restriction on who could create or insert into that table.  This change
+      disables the feature unless <structname>pltcl_modules</> is owned by a
+      superuser.  (However, the permissions on the table are not checked, so
+      installations that really need a less-than-secure modules table can
+      still grant suitable privileges to trusted non-superusers.)  Also,
+      prevent loading code into the unrestricted <quote>normal</> Tcl
+      interpreter unless we are really going to execute a <literal>pltclu</>
+      function.  (CVE-2010-1170)
+     </para>
+    </listitem>
+
     <listitem>
      <para>
       Do not allow an unprivileged user to reset superuser-only parameter
diff --git a/doc/src/sgml/release-8.1.sgml b/doc/src/sgml/release-8.1.sgml
index 187dfcd763..114cb82d9c 100644
--- a/doc/src/sgml/release-8.1.sgml
+++ b/doc/src/sgml/release-8.1.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/release-8.1.sgml,v 1.6 2010/05/12 23:20:49 tgl Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/release-8.1.sgml,v 1.7 2010/05/13 21:26:59 tgl Exp $ -->
 <!-- See header comment in release.sgml about typical markup -->
 
  <sect1 id="release-8-1-21">
@@ -31,6 +31,46 @@
 
    <itemizedlist>
 
+    <listitem>
+     <para>
+      Enforce restrictions in <literal>plperl</> using an opmask applied to
+      the whole interpreter, instead of using <filename>Safe.pm</>
+      (Tim Bunce, Andrew Dunstan)
+     </para>
+
+     <para>
+      Recent developments have convinced us that <filename>Safe.pm</> is too
+      insecure to rely on for making <literal>plperl</> trustable.  This
+      change removes use of <filename>Safe.pm</> altogether, in favor of using
+      a separate interpreter with an opcode mask that is always applied.
+      Pleasant side effects of the change include that it is now possible to
+      use Perl's <literal>strict</> pragma in a natural way in
+      <literal>plperl</>, and that Perl's <literal>$a</> and <literal>$b</>
+      variables work as expected in sort routines, and that function
+      compilation is significantly faster.  (CVE-2010-1169)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Prevent PL/Tcl from executing untrustworthy code from
+      <structname>pltcl_modules</> (Tom)
+     </para>
+
+     <para>
+      PL/Tcl's feature for autoloading Tcl code from a database table
+      could be exploited for trojan-horse attacks, because there was no
+      restriction on who could create or insert into that table.  This change
+      disables the feature unless <structname>pltcl_modules</> is owned by a
+      superuser.  (However, the permissions on the table are not checked, so
+      installations that really need a less-than-secure modules table can
+      still grant suitable privileges to trusted non-superusers.)  Also,
+      prevent loading code into the unrestricted <quote>normal</> Tcl
+      interpreter unless we are really going to execute a <literal>pltclu</>
+      function.  (CVE-2010-1170)
+     </para>
+    </listitem>
+
     <listitem>
      <para>
       Do not allow an unprivileged user to reset superuser-only parameter
diff --git a/doc/src/sgml/release-8.2.sgml b/doc/src/sgml/release-8.2.sgml
index ac5c2c2550..5fdc8362e0 100644
--- a/doc/src/sgml/release-8.2.sgml
+++ b/doc/src/sgml/release-8.2.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/release-8.2.sgml,v 1.6 2010/05/12 23:20:49 tgl Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/release-8.2.sgml,v 1.7 2010/05/13 21:26:59 tgl Exp $ -->
 <!-- See header comment in release.sgml about typical markup -->
 
  <sect1 id="release-8-2-17">
@@ -31,6 +31,46 @@
 
    <itemizedlist>
 
+    <listitem>
+     <para>
+      Enforce restrictions in <literal>plperl</> using an opmask applied to
+      the whole interpreter, instead of using <filename>Safe.pm</>
+      (Tim Bunce, Andrew Dunstan)
+     </para>
+
+     <para>
+      Recent developments have convinced us that <filename>Safe.pm</> is too
+      insecure to rely on for making <literal>plperl</> trustable.  This
+      change removes use of <filename>Safe.pm</> altogether, in favor of using
+      a separate interpreter with an opcode mask that is always applied.
+      Pleasant side effects of the change include that it is now possible to
+      use Perl's <literal>strict</> pragma in a natural way in
+      <literal>plperl</>, and that Perl's <literal>$a</> and <literal>$b</>
+      variables work as expected in sort routines, and that function
+      compilation is significantly faster.  (CVE-2010-1169)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Prevent PL/Tcl from executing untrustworthy code from
+      <structname>pltcl_modules</> (Tom)
+     </para>
+
+     <para>
+      PL/Tcl's feature for autoloading Tcl code from a database table
+      could be exploited for trojan-horse attacks, because there was no
+      restriction on who could create or insert into that table.  This change
+      disables the feature unless <structname>pltcl_modules</> is owned by a
+      superuser.  (However, the permissions on the table are not checked, so
+      installations that really need a less-than-secure modules table can
+      still grant suitable privileges to trusted non-superusers.)  Also,
+      prevent loading code into the unrestricted <quote>normal</> Tcl
+      interpreter unless we are really going to execute a <literal>pltclu</>
+      function.  (CVE-2010-1170)
+     </para>
+    </listitem>
+
     <listitem>
      <para>
       Fix possible crash if a cache reset message is received during
diff --git a/doc/src/sgml/release-8.3.sgml b/doc/src/sgml/release-8.3.sgml
index cac48eebc5..82d35b2e63 100644
--- a/doc/src/sgml/release-8.3.sgml
+++ b/doc/src/sgml/release-8.3.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/release-8.3.sgml,v 1.6 2010/05/12 23:20:49 tgl Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/release-8.3.sgml,v 1.7 2010/05/13 21:26:59 tgl Exp $ -->
 <!-- See header comment in release.sgml about typical markup -->
 
  <sect1 id="release-8-3-11">
@@ -31,6 +31,46 @@
 
    <itemizedlist>
 
+    <listitem>
+     <para>
+      Enforce restrictions in <literal>plperl</> using an opmask applied to
+      the whole interpreter, instead of using <filename>Safe.pm</>
+      (Tim Bunce, Andrew Dunstan)
+     </para>
+
+     <para>
+      Recent developments have convinced us that <filename>Safe.pm</> is too
+      insecure to rely on for making <literal>plperl</> trustable.  This
+      change removes use of <filename>Safe.pm</> altogether, in favor of using
+      a separate interpreter with an opcode mask that is always applied.
+      Pleasant side effects of the change include that it is now possible to
+      use Perl's <literal>strict</> pragma in a natural way in
+      <literal>plperl</>, and that Perl's <literal>$a</> and <literal>$b</>
+      variables work as expected in sort routines, and that function
+      compilation is significantly faster.  (CVE-2010-1169)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Prevent PL/Tcl from executing untrustworthy code from
+      <structname>pltcl_modules</> (Tom)
+     </para>
+
+     <para>
+      PL/Tcl's feature for autoloading Tcl code from a database table
+      could be exploited for trojan-horse attacks, because there was no
+      restriction on who could create or insert into that table.  This change
+      disables the feature unless <structname>pltcl_modules</> is owned by a
+      superuser.  (However, the permissions on the table are not checked, so
+      installations that really need a less-than-secure modules table can
+      still grant suitable privileges to trusted non-superusers.)  Also,
+      prevent loading code into the unrestricted <quote>normal</> Tcl
+      interpreter unless we are really going to execute a <literal>pltclu</>
+      function.  (CVE-2010-1170)
+     </para>
+    </listitem>
+
     <listitem>
      <para>
       Fix possible crash if a cache reset message is received during
diff --git a/doc/src/sgml/release-8.4.sgml b/doc/src/sgml/release-8.4.sgml
index b3b7267e05..94571b7289 100644
--- a/doc/src/sgml/release-8.4.sgml
+++ b/doc/src/sgml/release-8.4.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/release-8.4.sgml,v 1.18 2010/05/12 23:20:49 tgl Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/release-8.4.sgml,v 1.19 2010/05/13 21:26:59 tgl Exp $ -->
 <!-- See header comment in release.sgml about typical markup -->
 
  <sect1 id="release-8-4-4">
@@ -33,8 +33,48 @@
 
     <listitem>
      <para>
-      Fix error during WAL replay of <literal>ALTER ... SET TABLESPACE</>
-      (Tom)
+      Enforce restrictions in <literal>plperl</> using an opmask applied to
+      the whole interpreter, instead of using <filename>Safe.pm</>
+      (Tim Bunce, Andrew Dunstan)
+     </para>
+
+     <para>
+      Recent developments have convinced us that <filename>Safe.pm</> is too
+      insecure to rely on for making <literal>plperl</> trustable.  This
+      change removes use of <filename>Safe.pm</> altogether, in favor of using
+      a separate interpreter with an opcode mask that is always applied.
+      Pleasant side effects of the change include that it is now possible to
+      use Perl's <literal>strict</> pragma in a natural way in
+      <literal>plperl</>, and that Perl's <literal>$a</> and <literal>$b</>
+      variables work as expected in sort routines, and that function
+      compilation is significantly faster.  (CVE-2010-1169)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Prevent PL/Tcl from executing untrustworthy code from
+      <structname>pltcl_modules</> (Tom)
+     </para>
+
+     <para>
+      PL/Tcl's feature for autoloading Tcl code from a database table
+      could be exploited for trojan-horse attacks, because there was no
+      restriction on who could create or insert into that table.  This change
+      disables the feature unless <structname>pltcl_modules</> is owned by a
+      superuser.  (However, the permissions on the table are not checked, so
+      installations that really need a less-than-secure modules table can
+      still grant suitable privileges to trusted non-superusers.)  Also,
+      prevent loading code into the unrestricted <quote>normal</> Tcl
+      interpreter unless we are really going to execute a <literal>pltclu</>
+      function.  (CVE-2010-1170)
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      Fix data corruption during WAL replay of
+      <literal>ALTER ... SET TABLESPACE</> (Tom)
      </para>
 
      <para>