From 4aeca7b2b321dc09ce4d5c8e6566add487b152ff Mon Sep 17 00:00:00 2001 From: Robert Joslyn Date: Sun, 20 Aug 2023 19:12:57 -0700 Subject: postgresql: Update to 14.9 This is a minor release to address CVEs and other bug fixes without new features. Remove patches that are fixed in this release. Release notes are available at: https://www.postgresql.org/docs/release/14.6/ https://www.postgresql.org/docs/release/14.7/ https://www.postgresql.org/docs/release/14.8/ https://www.postgresql.org/docs/release/14.9/ License-Update: Copyright year updated Signed-off-by: Robert Joslyn [Fixup patch fuzzy] Signed-off-by: Armin Kuster --- .../files/0001-Add-support-for-RISC-V.patch | 10 +- .../files/0001-Improve-reproducibility.patch | 6 +- ...LL-terminate-GSS-receive-buffer-on-error-.patch | 50 ----- .../0001-config_info.c-not-expose-build-info.patch | 18 +- ...ure.ac-bypass-autoconf-2.69-version-check.patch | 6 +- ...-postgresql-fix-ptest-failure-of-sysviews.patch | 11 +- .../postgresql/files/CVE-2023-2454.patch | 235 --------------------- .../postgresql/files/CVE-2023-2455.patch | 118 ----------- .../postgresql/files/not-check-libperl.patch | 10 +- .../postgresql/files/remove_duplicate.patch | 38 ---- meta-oe/recipes-dbs/postgresql/postgresql_14.5.bb | 22 -- meta-oe/recipes-dbs/postgresql/postgresql_14.9.bb | 18 ++ 12 files changed, 47 insertions(+), 495 deletions(-) delete mode 100644 meta-oe/recipes-dbs/postgresql/files/0001-Properly-NULL-terminate-GSS-receive-buffer-on-error-.patch delete mode 100644 meta-oe/recipes-dbs/postgresql/files/CVE-2023-2454.patch delete mode 100644 meta-oe/recipes-dbs/postgresql/files/CVE-2023-2455.patch delete mode 100644 meta-oe/recipes-dbs/postgresql/files/remove_duplicate.patch delete mode 100644 meta-oe/recipes-dbs/postgresql/postgresql_14.5.bb create mode 100644 meta-oe/recipes-dbs/postgresql/postgresql_14.9.bb 
diff --git a/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch b/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch index 90b7419495..46343674fc 100644 --- a/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch +++ b/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch @@ -1,16 +1,17 @@ -From 780fd27ea6f7f2c446c46a7a5e26d94106c67efd Mon Sep 17 00:00:00 2001 +From 0801befde991250b4502954fdec61bec8c33da3b Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Sun, 20 Nov 2016 15:04:52 +0000 Subject: [PATCH] Add support for RISC-V. The architecture is sufficiently similar to aarch64 that simply extending the existing aarch64 macro works. + --- src/include/storage/s_lock.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/include/storage/s_lock.h b/src/include/storage/s_lock.h -index dccbd29..ad60429 100644 +index 95049f0..e08c963 100644 --- a/src/include/storage/s_lock.h +++ b/src/include/storage/s_lock.h @@ -317,11 +317,12 @@ tas(volatile slock_t *lock) @@ -35,7 +36,4 @@ index dccbd29..ad60429 100644 +#endif /* __arm__ || __arm || __aarch64__ || __aarch64 || __riscv */ - /* --- -2.34.1 - + /* S/390 and S/390x Linux (32- and 64-bit zSeries) */ diff --git a/meta-oe/recipes-dbs/postgresql/files/0001-Improve-reproducibility.patch b/meta-oe/recipes-dbs/postgresql/files/0001-Improve-reproducibility.patch index 02f4c9e513..eeffe6bcb1 100644 --- a/meta-oe/recipes-dbs/postgresql/files/0001-Improve-reproducibility.patch +++ b/meta-oe/recipes-dbs/postgresql/files/0001-Improve-reproducibility.patch @@ -1,4 +1,4 @@ -From bbba8a5261a99e79c9cd4693ef56021014a9856b Mon Sep 17 00:00:00 2001 +From e167d58d6be1b1ee4d49571650444700ab97ed7c Mon Sep 17 00:00:00 2001 From: Changqing Li Date: Mon, 28 Dec 2020 16:38:21 +0800 Subject: [PATCH] Improve reproducibility, @@ -18,6 +18,7 @@ Signed-off-by: Hongxu Jia update patch for v13.1 
Signed-off-by: Changqing Li + --- src/common/Makefile | 3 --- 1 file changed, 3 deletions(-) @@ -36,6 +37,3 @@ index 880722f..7a9b9d4 100644 override CPPFLAGS += -DVAL_CFLAGS_SL="\"$(CFLAGS_SL)\"" override CPPFLAGS += -DVAL_LDFLAGS="\"$(STD_LDFLAGS)\"" override CPPFLAGS += -DVAL_LDFLAGS_EX="\"$(LDFLAGS_EX)\"" --- -2.34.1 - diff --git a/meta-oe/recipes-dbs/postgresql/files/0001-Properly-NULL-terminate-GSS-receive-buffer-on-error-.patch b/meta-oe/recipes-dbs/postgresql/files/0001-Properly-NULL-terminate-GSS-receive-buffer-on-error-.patch deleted file mode 100644 index 2d11b18883..0000000000 --- a/meta-oe/recipes-dbs/postgresql/files/0001-Properly-NULL-terminate-GSS-receive-buffer-on-error-.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From 586b074026d703c29057b04b1318e984701fe195 Mon Sep 17 00:00:00 2001 -From: Changqing Li -Date: Thu, 2 Mar 2023 19:10:47 +0800 -Subject: [PATCH] Properly NULL-terminate GSS receive buffer on error packet - reception - -pqsecure_open_gss() includes a code path handling error messages with -v2-style protocol messages coming from the server. The client-side -buffer holding the error message does not force a NULL-termination, with -the data of the server getting copied to the errorMessage of the -connection. Hence, it would be possible for a server to send an -unterminated string and copy arbitrary bytes in the buffer receiving the -error message in the client, opening the door to a crash or even data -exposure. - -As at this stage of the authentication process the exchange has not been -completed yet, this could be abused by an attacker without Kerberos -credentials. Clients that have a valid kerberos cache are vulnerable as -libpq opportunistically requests for it except if gssencmode is -disabled. - -Author: Jacob Champion -Backpatch-through: 12 -Security: CVE-2022-41862 - -Upstream-Status: Backport [https://github.com/postgres/postgres/commit/71c37797d7bd78266146a5829ab62b3687c47295] -CVE: CVE-2022-41862 - -Signed-off-by: Changqing Li ---- - src/interfaces/libpq/fe-secure-gssapi.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/interfaces/libpq/fe-secure-gssapi.c b/src/interfaces/libpq/fe-secure-gssapi.c -index c783a53..a42ebc0 100644 ---- a/src/interfaces/libpq/fe-secure-gssapi.c -+++ b/src/interfaces/libpq/fe-secure-gssapi.c -@@ -577,7 +577,8 @@ pqsecure_open_gss(PGconn *conn) - return result; - - PqGSSRecvLength += ret; -- -+ Assert(PqGSSRecvLength < PQ_GSS_RECV_BUFFER_SIZE); -+ PqGSSRecvBuffer[PqGSSRecvLength] = '\0'; - appendPQExpBuffer(&conn->errorMessage, "%s\n", PqGSSRecvBuffer + 1); - - return PGRES_POLLING_FAILED; --- -2.25.1 - 
diff --git a/meta-oe/recipes-dbs/postgresql/files/0001-config_info.c-not-expose-build-info.patch b/meta-oe/recipes-dbs/postgresql/files/0001-config_info.c-not-expose-build-info.patch index 52ca276da6..eff69140f7 100644 --- a/meta-oe/recipes-dbs/postgresql/files/0001-config_info.c-not-expose-build-info.patch +++ b/meta-oe/recipes-dbs/postgresql/files/0001-config_info.c-not-expose-build-info.patch @@ -1,4 +1,4 @@ -From b92eebe8b0760fee7bd55c6c22318620c2c07579 Mon Sep 17 00:00:00 2001 +From 805f03529c7fc33685979651562112bab524e5a5 Mon Sep 17 00:00:00 2001 From: Mingli Yu Date: Mon, 1 Aug 2022 15:44:38 +0800 Subject: [PATCH] config_info.c: not expose build info @@ -8,13 +8,14 @@ Don't collect the build information to fix the buildpaths issue. Upstream-Status: Inappropriate [oe specific] Signed-off-by: Mingli Yu + --- configure.ac | 2 +- - src/common/config_info.c | 68 ---------------------------------------- - 2 files changed, 1 insertion(+), 69 deletions(-) + src/common/config_info.c | 70 +--------------------------------------- + 2 files changed, 2 insertions(+), 70 deletions(-) diff --git a/configure.ac b/configure.ac -index 0eb595b..508487b 100644 +index 54a539e..c6edc0a 100644 --- a/configure.ac +++ b/configure.ac @@ -23,7 +23,7 @@ AC_COPYRIGHT([Copyright (c) 1996-2021, PostgreSQL Global Development Group]) @@ -27,10 +28,10 @@ index 0eb595b..508487b 100644 [PG_MAJORVERSION=`expr "$PACKAGE_VERSION" : '\([0-9][0-9]*\)'`] [PG_MINORVERSION=`expr "$PACKAGE_VERSION" : '.*\.\([0-9][0-9]*\)'`] diff --git a/src/common/config_info.c b/src/common/config_info.c -index e72e729..b482c20 100644 +index e72e729..a020236 100644 --- a/src/common/config_info.c +++ b/src/common/config_info.c -@@ -38,7 +38,7 @@ +@@ -38,7 +38,7 @@ get_configdata(const char *my_exec_path, size_t *configdata_len) int i = 0; /* Adjust this to match the number of items filled below */ 
@@ -39,7 +40,7 @@ index e72e729..b482c20 100644 configdata = (ConfigData *) palloc(*configdata_len * sizeof(ConfigData)); configdata[i].name = pstrdup("BINDIR"); -@@ -123,74 +123,6 @@ +@@ -123,74 +123,6 @@ get_configdata(const char *my_exec_path, size_t *configdata_len) configdata[i].setting = pstrdup(path); i++; @@ -114,6 +115,3 @@ index e72e729..b482c20 100644 configdata[i].name = pstrdup("VERSION"); configdata[i].setting = pstrdup("PostgreSQL " PG_VERSION); i++; --- -2.25.1 - diff --git a/meta-oe/recipes-dbs/postgresql/files/0001-configure.ac-bypass-autoconf-2.69-version-check.patch b/meta-oe/recipes-dbs/postgresql/files/0001-configure.ac-bypass-autoconf-2.69-version-check.patch index 4a576d7172..8ffefbe341 100644 --- a/meta-oe/recipes-dbs/postgresql/files/0001-configure.ac-bypass-autoconf-2.69-version-check.patch +++ b/meta-oe/recipes-dbs/postgresql/files/0001-configure.ac-bypass-autoconf-2.69-version-check.patch @@ -1,4 +1,4 @@ -From 258c6bd2ad96f2c42f1cb5f4c84e4ca5865059f0 Mon Sep 17 00:00:00 2001 +From 2d3ac7b2eab1bba53c1729e8edb9f8a86700b60f Mon Sep 17 00:00:00 2001 From: Yi Fan Yu Date: Fri, 5 Feb 2021 17:15:42 -0500 Subject: [PATCH] configure.ac: bypass autoconf 2.69 version check @@ -14,12 +14,12 @@ Signed-off-by: Yi Fan Yu 1 file changed, 4 deletions(-) diff --git a/configure.ac b/configure.ac -index ffe878e..c39799b 100644 +index d0f0b14..54a539e 100644 --- a/configure.ac +++ b/configure.ac @@ -19,10 +19,6 @@ m4_pattern_forbid(^PGAC_)dnl to catch undefined macros - AC_INIT([PostgreSQL], [14.5], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/]) + AC_INIT([PostgreSQL], [14.9], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/]) -m4_if(m4_defn([m4_PACKAGE_VERSION]), [2.69], [], [m4_fatal([Autoconf version 2.69 is required. -Untested combinations of 'autoconf' and PostgreSQL versions are not 
diff --git a/meta-oe/recipes-dbs/postgresql/files/0001-postgresql-fix-ptest-failure-of-sysviews.patch b/meta-oe/recipes-dbs/postgresql/files/0001-postgresql-fix-ptest-failure-of-sysviews.patch index 4db36d26fd..555fd7f1fc 100644 --- a/meta-oe/recipes-dbs/postgresql/files/0001-postgresql-fix-ptest-failure-of-sysviews.patch +++ b/meta-oe/recipes-dbs/postgresql/files/0001-postgresql-fix-ptest-failure-of-sysviews.patch @@ -1,4 +1,4 @@ -From 9f81377dddfe32d950844d7053020a36b40fce08 Mon Sep 17 00:00:00 2001 +From 5a17b7b88776cbbe5b37838baff71726b8a6e7dd Mon Sep 17 00:00:00 2001 From: Manoj Saun Date: Wed, 22 Mar 2023 08:07:26 +0000 Subject: [PATCH] postgresql: fix ptest failure of sysviews @@ -13,14 +13,17 @@ to make the test output shown as pass. Upstream-Status: Inappropriate [oe specific] Signed-off-by: Manoj Saun + --- src/test/regress/expected/sysviews.out | 2 +- src/test/regress/sql/sysviews.sql | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) +diff --git a/src/test/regress/expected/sysviews.out b/src/test/regress/expected/sysviews.out +index 2088857..96a15cc 100644 --- a/src/test/regress/expected/sysviews.out +++ b/src/test/regress/expected/sysviews.out -@@ -29,7 +29,7 @@ select name, ident, parent, level, total +@@ -29,7 +29,7 @@ select name, ident, parent, level, total_bytes >= free_bytes (1 row) -- At introduction, pg_config had 23 entries; it may grow @@ -29,9 +32,11 @@ Signed-off-by: Manoj Saun ok ---- t +diff --git a/src/test/regress/sql/sysviews.sql b/src/test/regress/sql/sysviews.sql +index b24816e..72ff887 100644 --- a/src/test/regress/sql/sysviews.sql +++ b/src/test/regress/sql/sysviews.sql -@@ -18,7 +18,7 @@ select name, ident, parent, level, total +@@ -18,7 +18,7 @@ select name, ident, parent, level, total_bytes >= free_bytes from pg_backend_memory_contexts where level = 0; -- At introduction, pg_config had 23 entries; it may grow 
diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2023-2454.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2023-2454.patch deleted file mode 100644 index a2f6927e30..0000000000 --- a/meta-oe/recipes-dbs/postgresql/files/CVE-2023-2454.patch +++ /dev/null 
@@ -1,235 +0,0 @@ -From 23cb8eaeb97df350273cb8902e55842a955339c8 Mon Sep 17 00:00:00 2001 -From: Noah Misch -Date: Mon, 8 May 2023 06:14:07 -0700 -Subject: [PATCH] Replace last PushOverrideSearchPath() call with - set_config_option(). - -The two methods don't cooperate, so set_config_option("search_path", -...) has been ineffective under non-empty overrideStack. This defect -enabled an attacker having database-level CREATE privilege to execute -arbitrary code as the bootstrap superuser. While that particular attack -requires v13+ for the trusted extension attribute, other attacks are -feasible in all supported versions. - -Standardize on the combination of NewGUCNestLevel() and -set_config_option("search_path", ...). It is newer than -PushOverrideSearchPath(), more-prevalent, and has no known -disadvantages. The "override" mechanism remains for now, for -compatibility with out-of-tree code. Users should update such code, -which likely suffers from the same sort of vulnerability closed here. -Back-patch to v11 (all supported versions). - -Alexander Lakhin. Reported by Alexander Lakhin. 
- -Security: CVE-2023-2454 - -Upstream-Status: Backport [https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=23cb8eaeb97df350273cb8902e55842a955339c8] -CVE: CVE-2023-2454 -Signed-off-by: Vivek Kumbhar ---- - src/backend/catalog/namespace.c | 4 +++ - src/backend/commands/schemacmds.c | 37 ++++++++++++++------ - src/test/regress/expected/namespace.out | 45 +++++++++++++++++++++++++ - src/test/regress/sql/namespace.sql | 24 +++++++++++++ - 4 files changed, 100 insertions(+), 10 deletions(-) - -diff --git a/src/backend/catalog/namespace.c b/src/backend/catalog/namespace.c -index 81b6472..0175a91 100644 ---- a/src/backend/catalog/namespace.c -+++ b/src/backend/catalog/namespace.c -@@ -3518,6 +3518,10 @@ OverrideSearchPathMatchesCurrent(OverrideSearchPath *path) - /* - * PushOverrideSearchPath - temporarily override the search path - * -+ * Do not use this function; almost any usage introduces a security -+ * vulnerability. It exists for the benefit of legacy code running in -+ * non-security-sensitive environments. -+ * - * We allow nested overrides, hence the push/pop terminology. The GUC - * search_path variable is ignored while an override is active. 
- * -diff --git a/src/backend/commands/schemacmds.c b/src/backend/commands/schemacmds.c -index 66306d1..ecd0cbb 100644 ---- a/src/backend/commands/schemacmds.c -+++ b/src/backend/commands/schemacmds.c -@@ -29,6 +29,7 @@ - #include "commands/schemacmds.h" - #include "miscadmin.h" - #include "parser/parse_utilcmd.h" -+#include "parser/scansup.h" - #include "tcop/utility.h" - #include "utils/acl.h" - #include "utils/builtins.h" -@@ -52,14 +53,16 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString, - { - const char *schemaName = stmt->schemaname; - Oid namespaceId; -- OverrideSearchPath *overridePath; - List *parsetree_list; - ListCell *parsetree_item; - Oid owner_uid; - Oid saved_uid; - int save_sec_context; -+ int save_nestlevel; -+ char *nsp = namespace_search_path; - AclResult aclresult; - ObjectAddress address; -+ StringInfoData pathbuf; - - GetUserIdAndSecContext(&saved_uid, &save_sec_context); - -@@ -152,14 +155,26 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString, - CommandCounterIncrement(); - - /* -- * Temporarily make the new namespace be the front of the search path, as -- * well as the default creation target namespace. This will be undone at -- * the end of this routine, or upon error. -+ * Prepend the new schema to the current search path. -+ * -+ * We use the equivalent of a function SET option to allow the setting to -+ * persist for exactly the duration of the schema creation. guc.c also -+ * takes care of undoing the setting on error. - */ -- overridePath = GetOverrideSearchPath(CurrentMemoryContext); -- overridePath->schemas = lcons_oid(namespaceId, overridePath->schemas); -- /* XXX should we clear overridePath->useTemp? 
*/ -- PushOverrideSearchPath(overridePath); -+ save_nestlevel = NewGUCNestLevel(); -+ -+ initStringInfo(&pathbuf); -+ appendStringInfoString(&pathbuf, quote_identifier(schemaName)); -+ -+ while (scanner_isspace(*nsp)) -+ nsp++; -+ -+ if (*nsp != '\0') -+ appendStringInfo(&pathbuf, ", %s", nsp); -+ -+ (void) set_config_option("search_path", pathbuf.data, -+ PGC_USERSET, PGC_S_SESSION, -+ GUC_ACTION_SAVE, true, 0, false); - - /* - * Report the new schema to possibly interested event triggers. Note we -@@ -213,8 +228,10 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString, - CommandCounterIncrement(); - } - -- /* Reset search path to normal state */ -- PopOverrideSearchPath(); -+ /* -+ * Restore the GUC variable search_path we set above. -+ */ -+ AtEOXact_GUC(true, save_nestlevel); - - /* Reset current user and security context */ - SetUserIdAndSecContext(saved_uid, save_sec_context); -diff --git a/src/test/regress/expected/namespace.out b/src/test/regress/expected/namespace.out -index 2564d1b..a62fd8d 100644 ---- a/src/test/regress/expected/namespace.out -+++ b/src/test/regress/expected/namespace.out -@@ -1,6 +1,14 @@ - -- - -- Regression tests for schemas (namespaces) - -- -+-- set the whitespace-only search_path to test that the -+-- GUC list syntax is preserved during a schema creation -+SELECT pg_catalog.set_config('search_path', ' ', false); -+ set_config -+------------ -+ -+(1 row) -+ - CREATE SCHEMA test_ns_schema_1 - CREATE UNIQUE INDEX abc_a_idx ON abc (a) - CREATE VIEW abc_view AS -@@ -9,6 +17,43 @@ CREATE SCHEMA test_ns_schema_1 - a serial, - b int UNIQUE - ); -+-- verify that the correct search_path restored on abort -+SET search_path to public; -+BEGIN; -+SET search_path to public, test_ns_schema_1; -+CREATE SCHEMA test_ns_schema_2 -+ CREATE VIEW abc_view AS SELECT c FROM abc; -+ERROR: column "c" does not exist -+LINE 2: CREATE VIEW abc_view AS SELECT c FROM abc; -+ ^ -+COMMIT; -+SHOW search_path; -+ search_path -+------------- -+ 
public -+(1 row) -+ -+-- verify that the correct search_path preserved -+-- after creating the schema and on commit -+BEGIN; -+SET search_path to public, test_ns_schema_1; -+CREATE SCHEMA test_ns_schema_2 -+ CREATE VIEW abc_view AS SELECT a FROM abc; -+SHOW search_path; -+ search_path -+-------------------------- -+ public, test_ns_schema_1 -+(1 row) -+ -+COMMIT; -+SHOW search_path; -+ search_path -+-------------------------- -+ public, test_ns_schema_1 -+(1 row) -+ -+DROP SCHEMA test_ns_schema_2 CASCADE; -+NOTICE: drop cascades to view test_ns_schema_2.abc_view - -- verify that the objects were created - SELECT COUNT(*) FROM pg_class WHERE relnamespace = - (SELECT oid FROM pg_namespace WHERE nspname = 'test_ns_schema_1'); -diff --git a/src/test/regress/sql/namespace.sql b/src/test/regress/sql/namespace.sql -index 6b12c96..3474f5e 100644 ---- a/src/test/regress/sql/namespace.sql -+++ b/src/test/regress/sql/namespace.sql -@@ -2,6 +2,10 @@ - -- Regression tests for schemas (namespaces) - -- - -+-- set the whitespace-only search_path to test that the -+-- GUC list syntax is preserved during a schema creation -+SELECT pg_catalog.set_config('search_path', ' ', false); -+ - CREATE SCHEMA test_ns_schema_1 - CREATE UNIQUE INDEX abc_a_idx ON abc (a) - -@@ -13,6 +17,26 @@ CREATE SCHEMA test_ns_schema_1 - b int UNIQUE - ); - -+-- verify that the correct search_path restored on abort -+SET search_path to public; -+BEGIN; -+SET search_path to public, test_ns_schema_1; -+CREATE SCHEMA test_ns_schema_2 -+ CREATE VIEW abc_view AS SELECT c FROM abc; -+COMMIT; -+SHOW search_path; -+ -+-- verify that the correct search_path preserved -+-- after creating the schema and on commit -+BEGIN; -+SET search_path to public, test_ns_schema_1; -+CREATE SCHEMA test_ns_schema_2 -+ CREATE VIEW abc_view AS SELECT a FROM abc; -+SHOW search_path; -+COMMIT; -+SHOW search_path; -+DROP SCHEMA test_ns_schema_2 CASCADE; -+ - -- verify that the objects were created - SELECT COUNT(*) FROM pg_class WHERE 
relnamespace = - (SELECT oid FROM pg_namespace WHERE nspname = 'test_ns_schema_1'); --- -2.25.1 - diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2023-2455.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2023-2455.patch deleted file mode 100644 index a94c65cc0c..0000000000 --- a/meta-oe/recipes-dbs/postgresql/files/CVE-2023-2455.patch +++ /dev/null 
@@ -1,118 +0,0 @@ -From 473626cf00babd829eb15c36b51dfb358d32bc95 Mon Sep 17 00:00:00 2001 -From: Tom Lane -Date: Mon, 8 May 2023 10:12:45 -0400 -Subject: [PATCH] Handle RLS dependencies in inlined set-returning functions - properly. - -If an SRF in the FROM clause references a table having row-level -security policies, and we inline that SRF into the calling query, -we neglected to mark the plan as potentially dependent on which -role is executing it. This could lead to later executions in the -same session returning or hiding rows that should have been hidden -or returned instead. - -Our thanks to Wolfgang Walther for reporting this problem. - -Stephen Frost and Tom Lane - -Security: CVE-2023-2455 - -Upstream-Status: Backport [https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=473626cf00babd829eb15c36b51dfb358d32bc95] -CVE: CVE-2023-2455 -Signed-off-by: Vivek Kumbhar ---- - src/backend/optimizer/util/clauses.c | 7 ++++++ - src/test/regress/expected/rowsecurity.out | 27 +++++++++++++++++++++++ - src/test/regress/sql/rowsecurity.sql | 20 +++++++++++++++++ - 3 files changed, 54 insertions(+) - -diff --git a/src/backend/optimizer/util/clauses.c b/src/backend/optimizer/util/clauses.c -index 9d7aa8b..da50bef 100644 ---- a/src/backend/optimizer/util/clauses.c -+++ b/src/backend/optimizer/util/clauses.c -@@ -5095,6 +5095,13 @@ inline_set_returning_function(PlannerInfo *root, RangeTblEntry *rte) - */ - record_plan_function_dependency(root, func_oid); - -+ /* -+ * We must also notice if the inserted query adds a dependency on the -+ * calling role due to RLS quals. 
-+ */ -+ if (querytree->hasRowSecurity) -+ root->glob->dependsOnRole = true; -+ - return querytree; - - /* Here if func is not inlinable: release temp memory and return NULL */ -diff --git a/src/test/regress/expected/rowsecurity.out b/src/test/regress/expected/rowsecurity.out -index 89397e4..379f988 100644 ---- a/src/test/regress/expected/rowsecurity.out -+++ b/src/test/regress/expected/rowsecurity.out -@@ -3982,6 +3982,33 @@ SELECT * FROM rls_tbl; - - DROP TABLE rls_tbl; - RESET SESSION AUTHORIZATION; -+-- CVE-2023-2455: inlining an SRF may introduce an RLS dependency -+create table rls_t (c text); -+insert into rls_t values ('invisible to bob'); -+alter table rls_t enable row level security; -+grant select on rls_t to regress_rls_alice, regress_rls_bob; -+create policy p1 on rls_t for select to regress_rls_alice using (true); -+create policy p2 on rls_t for select to regress_rls_bob using (false); -+create function rls_f () returns setof rls_t -+ stable language sql -+ as $$ select * from rls_t $$; -+prepare q as select current_user, * from rls_f(); -+set role regress_rls_alice; -+execute q; -+ current_user | c -+-------------------+------------------ -+ regress_rls_alice | invisible to bob -+(1 row) -+ -+set role regress_rls_bob; -+execute q; -+ current_user | c -+--------------+--- -+(0 rows) -+ -+RESET ROLE; -+DROP FUNCTION rls_f(); -+DROP TABLE rls_t; - -- - -- Clean up objects - -- -diff --git a/src/test/regress/sql/rowsecurity.sql b/src/test/regress/sql/rowsecurity.sql -index 44deb42..3015d89 100644 ---- a/src/test/regress/sql/rowsecurity.sql -+++ b/src/test/regress/sql/rowsecurity.sql -@@ -1839,6 +1839,26 @@ SELECT * FROM rls_tbl; - DROP TABLE rls_tbl; - RESET SESSION AUTHORIZATION; - -+-- CVE-2023-2455: inlining an SRF may introduce an RLS dependency -+create table rls_t (c text); -+insert into rls_t values ('invisible to bob'); -+alter table rls_t enable row level security; -+grant select on rls_t to regress_rls_alice, regress_rls_bob; -+create policy p1 
on rls_t for select to regress_rls_alice using (true); -+create policy p2 on rls_t for select to regress_rls_bob using (false); -+create function rls_f () returns setof rls_t -+ stable language sql -+ as $$ select * from rls_t $$; -+prepare q as select current_user, * from rls_f(); -+set role regress_rls_alice; -+execute q; -+set role regress_rls_bob; -+execute q; -+ -+RESET ROLE; -+DROP FUNCTION rls_f(); -+DROP TABLE rls_t; -+ - -- - -- Clean up objects - -- --- -2.25.1 - diff --git a/meta-oe/recipes-dbs/postgresql/files/not-check-libperl.patch b/meta-oe/recipes-dbs/postgresql/files/not-check-libperl.patch index fa46912eef..b742bd53bd 100644 --- a/meta-oe/recipes-dbs/postgresql/files/not-check-libperl.patch +++ b/meta-oe/recipes-dbs/postgresql/files/not-check-libperl.patch @@ -1,4 +1,4 @@ -From 56b830edecff1cac5f8a8a956e7a7eeef2aa7c17 Mon Sep 17 00:00:00 2001 +From 09fad1883f3312965a8d066f8477166eaa4db2c7 Mon Sep 17 00:00:00 2001 From: Changqing Li Date: Tue, 27 Nov 2018 13:25:15 +0800 Subject: [PATCH] not check libperl under cross compiling @@ -15,15 +15,16 @@ Signed-off-by: Roy Li update patch to version 11.1 Signed-off-by: Changqing Li + --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac -index fba79ee..7170f26 100644 +index 159f2a2..d0f0b14 100644 --- a/configure.ac +++ b/configure.ac -@@ -2261,7 +2261,7 @@ Use --without-tcl to disable building PL/Tcl.]) +@@ -2332,7 +2332,7 @@ Use --without-tcl to disable building PL/Tcl.]) fi # check for @@ -32,6 +33,3 @@ index fba79ee..7170f26 100644 ac_save_CPPFLAGS=$CPPFLAGS CPPFLAGS="$CPPFLAGS $perl_includespec" AC_CHECK_HEADER(perl.h, [], [AC_MSG_ERROR([header file is required for Perl])], --- -2.34.1 - diff --git a/meta-oe/recipes-dbs/postgresql/files/remove_duplicate.patch b/meta-oe/recipes-dbs/postgresql/files/remove_duplicate.patch deleted file mode 100644 index 92a3dcc710..0000000000 
--- a/meta-oe/recipes-dbs/postgresql/files/remove_duplicate.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-Remove duplicate code for riscv
-
-Upstream-Status: Pending
-Signed-off-by: Khem Raj
-
---- a/src/include/storage/s_lock.h
-+++ b/src/include/storage/s_lock.h
-@@ -341,30 +341,6 @@ tas(volatile slock_t *lock)
- #endif /* HAVE_GCC__SYNC_INT32_TAS */
- #endif /* __arm__ || __arm || __aarch64__ || __aarch64 || __riscv */
-
--
--/*
-- * RISC-V likewise uses __sync_lock_test_and_set(int *, int) if available.
-- */
--#if defined(__riscv)
--#ifdef HAVE_GCC__SYNC_INT32_TAS
--#define HAS_TEST_AND_SET
--
--#define TAS(lock) tas(lock)
--
--typedef int slock_t;
--
--static __inline__ int
--tas(volatile slock_t *lock)
--{
-- return __sync_lock_test_and_set(lock, 1);
--}
--
--#define S_UNLOCK(lock) __sync_lock_release(lock)
--
--#endif /* HAVE_GCC__SYNC_INT32_TAS */
--#endif /* __riscv */
--
--
- /* S/390 and S/390x Linux (32- and 64-bit zSeries) */
- #if defined(__s390__) || defined(__s390x__)
- #define HAS_TEST_AND_SET
diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_14.5.bb b/meta-oe/recipes-dbs/postgresql/postgresql_14.5.bb
deleted file mode 100644
index 315f6db565..0000000000
--- a/meta-oe/recipes-dbs/postgresql/postgresql_14.5.bb
+++ /dev/null
@@ -1,22 +0,0 @@
-require postgresql.inc
-
-LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=75af6e3eeec4a06cdd2e578673236fc3"
-
-SRC_URI += "\
- file://not-check-libperl.patch \
- file://0001-Add-support-for-RISC-V.patch \
- file://0001-Improve-reproducibility.patch \
- file://0001-configure.ac-bypass-autoconf-2.69-version-check.patch \
- file://remove_duplicate.patch \
- file://0001-config_info.c-not-expose-build-info.patch \
- file://0001-Properly-NULL-terminate-GSS-receive-buffer-on-error-.patch \
- file://0001-postgresql-fix-ptest-failure-of-sysviews.patch \
- file://CVE-2023-2454.patch \
- file://CVE-2023-2455.patch \
-"
-
-SRC_URI[sha256sum] = "d4f72cb5fb857c9a9f75ec8cf091a1771272802f2178f0b2e65b7b6ff64f4a30"
-
-CVE_CHECK_IGNORE += "\
- CVE-2017-8806 \
-"
diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_14.9.bb b/meta-oe/recipes-dbs/postgresql/postgresql_14.9.bb
new file mode 100644
index 0000000000..f779ea7abd
--- /dev/null
+++ b/meta-oe/recipes-dbs/postgresql/postgresql_14.9.bb
@@ -0,0 +1,18 @@
+require postgresql.inc
+
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=c31f662bb2bfb3b4187fe9a53e0ffe7c"
+
+SRC_URI += "\
+ file://not-check-libperl.patch \
+ file://0001-Add-support-for-RISC-V.patch \
+ file://0001-Improve-reproducibility.patch \
+ file://0001-configure.ac-bypass-autoconf-2.69-version-check.patch \
+ file://0001-config_info.c-not-expose-build-info.patch \
+ file://0001-postgresql-fix-ptest-failure-of-sysviews.patch \
+"
+
+SRC_URI[sha256sum] = "b1fe3ba9b1a7f3a9637dd1656dfdad2889016073fd4d35f13b50143cbbb6a8ef"
+
+CVE_CHECK_IGNORE += "\
+ CVE-2017-8806 \
+"
-- cgit 1.2.3-korg
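Review bot: The `CVE_CHECK_IGNORE` entry for CVE-2017-8806 at the end of the new postgresql_14.9.bb is copied from the 14.5 recipe without any comment saying why that CVE is excluded, so on the next upgrade nobody can tell whether the exclusion still holds. Put a one-line rationale directly above the assignment, for example `# CVE-2017-8806: <why this CVE does not apply to this recipe>`. Separately, since this commit drops the backports for CVE-2022-41862, CVE-2023-2454 and CVE-2023-2455 from `SRC_URI`, it is worth confirming in the cve-check output for 14.9 that all three are reported as patched by version.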