
Motivation

A really bad information disclosure bug, CVE-2017-7547, has just been detected in PostgreSQL.

Unfortunately, upgrading to a fixed version (for Debian, see their security tracker on CVE-2017-7547) is not enough: existing installations need manual work, as PostgreSQL's own news article 1772 describes. Not only is that howto less than optimal (the first half of step 4 should happen before step 3 for easier scripting), there also does not seem to be a script yet.

Therefore I decided to create the following scripts ...

Scripted Solution

pg_fix_usermappings.sql code

For manual use, here is what our full script (see below) puts in /tmp/pg_fix_user_mappings.sql:

pg_fix_user_mappings.sql
SET search_path = pg_catalog;

CREATE OR REPLACE VIEW pg_user_mappings AS
  SELECT
    U.oid       AS umid,
    S.oid       AS srvid,
    S.srvname   AS srvname,
    U.umuser    AS umuser,
    CASE WHEN U.umuser = 0 THEN
      'public'
    ELSE
      A.rolname
    END AS usename,
    CASE WHEN 
      (U.umuser <> 0 AND A.rolname = current_user AND (pg_has_role(S.srvowner, 'USAGE')
        OR has_server_privilege(S.oid, 'USAGE')))
      OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE'))
      OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user)
    THEN U.umoptions
    ELSE NULL END AS umoptions
  FROM pg_user_mapping U
  LEFT JOIN pg_authid A ON (A.oid = U.umuser) 
  JOIN pg_foreign_server S ON (U.umserver = S.oid);

pg_fix_usermappings.sh code & download

pg_fix_usermappings.sh
# TBC

If you trust it, simply download it and execute it as psql, i.e. with sudo -u psql pg_fix_usermappings.sh.
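One way to apply the SQL file above to every database of a cluster, as an added example that is not the author's pg_fix_usermappings.sh (which is still marked TBC). It assumes a server of version 9.5 or later, that allow_system_table_mods = true is already set and the server has been restarted, and that it runs as the PostgreSQL superuser; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not the page's pg_fix_usermappings.sh. Function names are hypothetical.
# Assumes: run as the PostgreSQL superuser, server 9.5 or later,
# allow_system_table_mods = true already set and the server restarted.
SQL_FILE="${SQL_FILE:-/tmp/pg_fix_user_mappings.sql}"

# Run one SQL command in the maintenance database; non-zero exit on error.
admin_sql() {
    psql -X -q -At -v ON_ERROR_STOP=1 -d postgres -c "$1" </dev/null
}

# Allow or forbid connections to a database ($1 = name, $2 = true|false).
set_connectable() {
    quoted=$(printf '%s' "$1" | sed 's/"/""/g')   # escape " inside the identifier
    admin_sql "ALTER DATABASE \"$quoted\" WITH ALLOW_CONNECTIONS $2"
}

# Replace the pg_user_mappings view in one database.
fix_database() {
    psql -X -q -v ON_ERROR_STOP=1 -d "$1" -f "$SQL_FILE" </dev/null
}

# Fix every database of the cluster, templates included. Prints "fixed <db>" or
# "FAILED <db>" per database; returns non-zero if any database was not fixed.
fix_all() {
    failed=0
    dbs=$(admin_sql "SELECT datallowconn, datname FROM pg_database ORDER BY datname") || return 1
    # psql -At prints "t|name" or "f|name"; datname is last so a "|" in it survives
    while IFS='|' read -r allow db; do
        [ -n "$db" ] || continue
        if [ "$allow" = f ]; then   # e.g. template0: open it just for the fix
            set_connectable "$db" true || { echo "FAILED $db"; failed=1; continue; }
        fi
        if fix_database "$db"; then echo "fixed $db"; else echo "FAILED $db"; failed=1; fi
        if [ "$allow" = f ]; then   # close it again even when the fix failed
            set_connectable "$db" false || failed=1
        fi
    done <<EOF
$dbs
EOF
    return "$failed"
}

# Only touch the cluster when asked to: sh thisfile --apply
if [ "${1:-}" = "--apply" ]; then fix_all; fi
```

After it reports every database as fixed, remove allow_system_table_mods from postgresql.conf and restart the server again.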

