Release date: 2023-11-09
This release contains a variety of fixes from 12.16. For information about new features in major release 12, see Section E.21.
A dump/restore is not required for those running 12.X.
However, if you use GiST indexes, it may be advisable to reindex them; see the fourth changelog entry below.
Also, if you are upgrading from a version earlier than 12.16, see Section E.5.
Fix handling of unknown-type arguments
in DISTINCT
"any"
aggregate
functions (Tom Lane)
This error led to a text
-type value being interpreted
as an unknown
-type value (that is, a zero-terminated
string) at runtime. This could result in disclosure of server
memory following the text
value.
The PostgreSQL Project thanks Jingzhou Fu for reporting this problem. (CVE-2023-5868)
Detect integer overflow while computing new array dimensions (Tom Lane)
When assigning new elements to array subscripts that are outside the current array bounds, an undetected integer overflow could occur in edge cases. Memory stomps that are potentially exploitable for arbitrary code execution are possible, and so is disclosure of server memory.
The PostgreSQL Project thanks Pedro Gallegos for reporting this problem. (CVE-2023-5869)
Prevent the pg_signal_backend
role from
signalling background workers and autovacuum processes
(Noah Misch, Jelte Fennema-Nio)
The documentation says that pg_signal_backend
cannot issue signals to superuser-owned processes. It was able to
signal these background processes, though, because they advertise a
role OID of zero. Treat that as indicating superuser ownership.
The security implications of cancelling one of these process types
are fairly small so far as the core code goes (we'll just start
another one), but extensions might add background workers that are
more vulnerable.
Also ensure that the is_superuser
parameter is
set correctly in such processes. No specific security consequences
are known for that oversight, but it might be significant for some
extensions.
The PostgreSQL Project thanks Hemanth Sandrana and Mahendrakar Srinivasarao for reporting this problem. (CVE-2023-5870)
Fix misbehavior during recursive page split in GiST index build (Heikki Linnakangas)
Fix a case where the location of a page downlink was incorrectly tracked, and introduce some logic to allow recovering from such situations rather than silently doing the wrong thing. This error could result in incorrect answers from subsequent index searches. It may be advisable to reindex all GiST indexes after installing this update.
Fix partition step generation and runtime partition pruning for hash-partitioned tables with multiple partition keys (David Rowley)
Some cases involving an IS NULL
condition on one
of the partition keys could result in a crash.
Fix edge case in btree mark/restore processing of ScalarArrayOpExpr clauses (Peter Geoghegan)
When restoring an indexscan to a previously marked position, the
code could miss required setup steps if the scan had advanced
exactly to the end of the matches for a ScalarArrayOpExpr (that is,
an indexcol = ANY(ARRAY[])
) clause. This could
result in missing some rows that should have been fetched.
Fix intra-query memory leak when a set-returning function repeatedly returns zero rows (Tom Lane)
Don't crash if cursor_to_xmlschema()
is applied
to a non-data-returning Portal (Boyu Yang)
Throw the intended error if pgrowlocks()
is
applied to a partitioned table (David Rowley)
Previously, a not-on-point complaint “only heap AM is supported” would be raised.
Handle invalid indexes more cleanly in assorted SQL functions (Noah Misch)
Report an error if pgstatindex()
,
pgstatginindex()
,
pgstathashindex()
,
or pgstattuple()
is applied to an invalid
index. If brin_desummarize_range()
,
brin_summarize_new_values()
,
brin_summarize_range()
,
or gin_clean_pending_list()
is applied to an
invalid index, do nothing except to report a debug-level message.
Formerly these functions attempted to process the index, and might
fail in strange ways depending on what the failed CREATE
INDEX
had left behind.
Avoid premature memory allocation failure with long inputs
to to_tsvector()
(Tom Lane)
Fix over-allocation of the constructed tsvector
in tsvectorrecv()
(Denis Erokhin)
If the incoming vector includes position data, the binary receive
function left wasted space (roughly equal to the size of the
position data) in the finished tsvector
. In extreme
cases this could lead to “maximum total lexeme length
exceeded” failures for vectors that were under the length
limit when emitted. In any case it could lead to wasted space
on-disk.
Fix incorrect coding in gtsvector_picksplit()
(Alexander Lakhin)
This could lead to poor page-split decisions in GiST indexes
on tsvector
columns.
Fix COMMIT AND CHAIN
/ROLLBACK AND
CHAIN
to work properly when there is an unreleased
savepoint (Liu Xiang, Tom Lane)
Instead of propagating the current transaction's properties to the new transaction, they propagated some previous transaction's properties.
Avoid crash in EXPLAIN
if a parameter marked to
be displayed by EXPLAIN
has a NULL boot-time
value (Xing Guo, Aleksander Alekseev, Tom Lane)
No built-in parameter fits this description, but an extension could define such a parameter.
Ensure we have a snapshot while dropping ON COMMIT
DROP
temp tables (Tom Lane)
This prevents possible misbehavior if any catalog entries for the
temp tables have fields wide enough to require toasting (such as a
very complex CHECK
condition).
Avoid improper response to shutdown signals in child processes
just forked by system()
(Nathan Bossart)
This fix avoids a race condition in which a child process that has
been forked off by system()
, but hasn't yet
exec'd the intended child program, might receive and act on a signal
intended for the parent server process. That would lead to
duplicate cleanup actions being performed, which will not end well.
Cope with torn reads of pg_control
in frontend
programs (Thomas Munro)
On some file systems, reading pg_control
may
not be an atomic action when the server concurrently writes that
file. This is detectable via a bad CRC. Retry a few times to see
if the file becomes valid before we report error.
Avoid torn reads of pg_control
in relevant SQL
functions (Thomas Munro)
Acquire the appropriate lock before
reading pg_control
, to ensure we get a
consistent view of that file.
Avoid integer overflow when computing size of backend activity string array (Jakub Wartak)
On 64-bit machines we will allow values
of track_activity_query_size
large enough to
cause 32-bit overflow when multiplied by the allowed number of
connections. The code actually allocating the per-backend local
array was careless about this though, and allocated the array
incorrectly.
Track the dependencies of cached CALL
statements,
and re-plan them when needed (Tom Lane)
DDL commands, such as replacement of a function that has been
inlined into a CALL
argument, can create the need
to re-plan a CALL
that has been cached by
PL/pgSQL. That was not happening, leading to misbehavior or strange
errors such as “cache lookup failed”.
Track nesting depth correctly when
inspecting RECORD
-type Vars from outer query levels
(Richard Guo)
This oversight could lead to assertion failures, core dumps, or “bogus varno” errors.
Avoid “record type has not been registered” failure when deparsing a view that contains references to fields of composite constants (Tom Lane)
Allow extracting fields from
a RECORD
-type ROW()
expression
(Tom Lane)
SQL code that knows that we name such
fields f1
, f2
, etc can use
those names to extract fields from the expression. This change was
originally made in version 13, and is now being back-patched into
older branches to support tests for a related bug.
Fix error-handling bug in RECORD
type cache management
(Thomas Munro)
An out-of-memory error occurring at just the wrong point could leave behind inconsistent state that would lead to an infinite loop.
Fix assertion failure when logical decoding is retried in the same session after an error (Hou Zhijie)
Treat out-of-memory failures as fatal while reading WAL (Michael Paquier)
Previously this would be treated as a bogus-data condition, leading to the conclusion that we'd reached the end of WAL, which is incorrect and could lead to inconsistent WAL replay.
Fix possible recovery failure due to trying to allocate memory based on a bogus WAL record length field (Thomas Munro, Michael Paquier)
Ensure that standby-mode WAL recovery reports an error when an invalid page header is found (Yugo Nagata, Kyotaro Horiguchi)
Avoid doing plan cache revalidation of utility statements that do not receive interesting processing during parse analysis (Tom Lane)
Aside from saving a few cycles, this prevents failure after a cache
invalidation for statements that must not set a snapshot, such
as SET TRANSACTION ISOLATION LEVEL
.
Keep by-reference attmissingval
values in
a long-lived context while they are being used (Andrew Dunstan)
This avoids possible use of dangling pointers when a tuple slot outlives the tuple descriptor with which its value was constructed.
Recalculate the effective value of search_path
after ALTER ROLE
(Jeff Davis)
This ensures that after renaming a role, the meaning of the special
string $user
is re-determined.
Fix order of operations in GenericXLogFinish
(Jeff Davis)
This code violated the conditions required for crash safety by
writing WAL before marking changed buffers dirty. No core code uses
this function, but extensions do (contrib/bloom
does, for example).
Remove incorrect assertion in PL/Python exception handling (Alexander Lakhin)
Fix pg_restore so that selective restores will include both table-level and column-level ACLs for selected tables (Euler Taveira, Tom Lane)
Formerly, only the table-level ACL would get restored if both types were present.
Add logic to pg_upgrade to check for use
of abstime
, reltime
,
and tinterval
data types (Álvaro Herrera)
These obsolete data types were removed in PostgreSQL version 12, so check to make sure they aren't present in an older database before claiming it can be upgraded.
Avoid generating invalid temporary slot names in pg_basebackup (Jelte Fennema)
This has only been seen to occur when the server connection runs through pgbouncer.
Avoid false “too many client connections” errors in pgbench on Windows (Noah Misch)
In contrib/amcheck
, do not report interrupted
page deletion as corruption (Noah Misch)
This fix prevents false-positive reports of “the first child
of leftmost target page is not leftmost of its
level”, “block NNNN is not leftmost”
or “left link/right link pair in index XXXX not in
agreement”. They appeared
if amcheck ran after an unfinished btree
index page deletion and before VACUUM
had cleaned
things up.
Fix failure of contrib/btree_gin
indexes
on interval
columns,
when an indexscan using the <
or <=
operator is performed (Dean Rasheed)
Such an indexscan failed to return all the entries it should.
Add support for LLVM 16 and 17 (Thomas Munro, Dmitry Dolgov)
Suppress assorted build-time warnings on recent macOS (Tom Lane)
Xcode 15 (released
with macOS Sonoma) changed the linker's
behavior in a way that causes many duplicate-library warnings while
building PostgreSQL. These were
harmless, but they're annoying so avoid citing the same libraries
twice. Also remove use of the -multiply_defined
suppress
linker switch, which apparently has been a no-op
for a long time, and is now actively complained of.
Remove PHOT
(Phoenix Islands Time) from the
default timezone abbreviations list (Tom Lane)
Presence of this abbreviation in the default list can cause failures on recent Debian and Ubuntu releases, as they no longer install the underlying tzdb entry by default. Since this is a made-up abbreviation for a zone with a total human population of about two dozen, it seems unlikely that anyone will miss it. If someone does, they can put it back via a custom abbreviations file.