On Wed, Jul 20, 2022 at 07:31:47PM -0700, Gurjeet Singh wrote:
> Moving the report from security to -hackers on Noah's advice. Since
> the function(s) involved in the crash are not present in any of the
> released versions, it is not considered a security issue.
>
> I can confirm that this is reproducible on the latest commit on
> master, 3c0bcdbc66. Below is the original analysis, followed by Noah's
> analysis.
>
> To be able to reproduce it, please note that perl support is required;
> hence `./configure --with-perl`.
>
> The note about 'security concerns around on_plperl_init parameter',
> below, refers to a now-fixed issue, at commit 13d8388151.
This ACL lookup still happens when pre-loading libraries at session
startup with custom GUCs, as this checks if the GUC can be changed by
the user connecting or not. I am adding an open item to track that.
--
Michael