commit 9c59e48a22aa150c4d63017955328d87bea1cd29
Author: Tom Lane <tgl@sss.pgh.pa.us>
Date:   Mon Feb 5 10:58:27 2018 -0500

    Ensure that all temp files made during pg_upgrade are non-world-readable.
    
    pg_upgrade has always attempted to ensure that the transient dump files
    it creates are inaccessible except to the owner.  However, refactoring
    in commit 76a7650c4 broke that for the file containing "pg_dumpall -g"
    output; since then, that file was protected according to the process's
    default umask.  Since that file may contain role passwords (hopefully
    encrypted, but passwords nonetheless), this is a particularly unfortunate
    oversight.  Prudent users of pg_upgrade on multiuser systems would
    probably run it under a umask tight enough that the issue is moot, but
    perhaps some users are depending only on pg_upgrade's umask changes to
    protect their data.
    
    To fix this in a future-proof way, let's just tighten the umask at
    process start.  There are no files pg_upgrade needs to write at a
    weaker security level; and if there were, transiently relaxing the
    umask around where they're created would be a safer approach.
    
    Report and patch by Tom Lane; the idea for the fix is due to Noah Misch.
    Back-patch to all supported branches.
    
    Security: CVE-2018-1053

--- a/contrib/pg_upgrade/pg_upgrade.c
+++ b/contrib/pg_upgrade/pg_upgrade.c
@@ -73,6 +73,9 @@ main(int argc, char **argv)
 	char	   *deletion_script_file_name = NULL;
 	bool		live_check = false;
 
+	/* Ensure that all files created by pg_upgrade are non-world-readable */
+	umask(S_IRWXG | S_IRWXO);
+
 	parseCommandLine(argc, argv);
 
 	get_restricted_token(os_info.progname);
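Review bot: The comment above the new umask() call in main() understates what the mask does. S_IRWXG | S_IRWXO clears the group bits as well as the other bits, so files created from here on are owner-only, not just non-world-readable. Suggest rewording it to say the files are accessible only to the owner. It is also worth noting in the comment that the setting is deliberately process-wide and made before parseCommandLine(), since the commit message relies on that to cover any file-creation path added later. The hunk does not show an include for the S_IRWXG and S_IRWXO macros, so please confirm this file already pulls in <sys/stat.h>.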
