VDB
GCVE-110-MAGEIA-2017-428
GCVE-110-MAGEIA-2017-428
Advisory Published
The startup log file for the postmaster (in newer releases, "postgres")
process was opened while the process was still owned by root. With this
setup, the database owner could specify a file that they did not have
access to and cause the file to be corrupted with logged data
(CVE-2017-12172).
Crash due to rowtype mismatch in json{b}_populate_recordset(). These
functions used the result rowtype specified in the FROM ... AS clause
without checking that it matched the actual rowtype of the supplied
tuple value. If it didn't, that would usually result in a crash, though
disclosure of server memory contents seems possible as well
(CVE-2017-15098).
The "INSERT ... ON CONFLICT DO UPDATE" would not check to see if the
executing user had permission to perform a "SELECT" on the index
performing the conflicting check. Additionally, in a table with
row-level security enabled, the "INSERT ... ON CONFLICT DO UPDATE" would
not check the SELECT policies for that table before performing the
update (CVE-2017-15099).
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| Mageia | postgresql9.4 | 0 (affected), 9.4.15-1.mga6 (unaffected) | — |
| Mageia | postgresql9.3 | 0 (affected), 9.3.20-1.mga5 (unaffected) | — |
| Mageia | postgresql9.6 | 0 (affected), 9.6.6-1.mga6 (unaffected) | — |
| Mageia | postgresql9.4 | 9.4.15-1.mga5 (unaffected), 0 (affected) | — |
References
Browse GCVE Records
72,409 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.