diff options
5 files changed, 14 insertions, 273 deletions
diff --git a/meta-oe/recipes-support/postgresql/files/postgresql-CVE-2016-0766.patch b/meta-oe/recipes-support/postgresql/files/postgresql-CVE-2016-0766.patch deleted file mode 100644 index df89eb0a14..0000000000 --- a/meta-oe/recipes-support/postgresql/files/postgresql-CVE-2016-0766.patch +++ /dev/null @@ -1,35 +0,0 @@ -From f4aa3a18a20d51575562520754aa376b3b08b2d0 Mon Sep 17 00:00:00 2001 -From: Noah Misch <noah@leadboat.com> -Date: Fri, 5 Feb 2016 20:22:51 -0500 -Subject: [PATCH] Force certain "pljava" custom GUCs to be PGC_SUSET. - -Future PL/Java versions will close CVE-2016-0766 by making these GUCs -PGC_SUSET. This PostgreSQL change independently mitigates that PL/Java -vulnerability, helping sites that update PostgreSQL more frequently than -PL/Java. Back-patch to 9.1 (all supported versions). - -Upstream-Status: Backport - -Signed-off-by: Noah Misch <noah@leadboat.com> -Index: postgresql-9.4.4/src/backend/utils/misc/guc.c -=================================================================== ---- postgresql-9.4.4.orig/src/backend/utils/misc/guc.c 2015-06-10 03:29:38.000000000 +0800 -+++ postgresql-9.4.4/src/backend/utils/misc/guc.c 2016-03-04 15:58:26.459266951 +0800 -@@ -7072,6 +7072,17 @@ - !process_shared_preload_libraries_in_progress) - elog(FATAL, "cannot create PGC_POSTMASTER variables after startup"); - -+ /* -+ * Before pljava commit 398f3b876ed402bdaec8bc804f29e2be95c75139 -+ * (2015-12-15), two of that module's PGC_USERSET variables facilitated -+ * trivial escalation to superuser privileges. Restrict the variables to -+ * protect sites that have yet to upgrade pljava. -+ */ -+ if (context == PGC_USERSET && -+ (strcmp(name, "pljava.classpath") == 0 || -+ strcmp(name, "pljava.vmoptions") == 0)) -+ context = PGC_SUSET; -+ - gen = (struct config_generic *) guc_malloc(ERROR, sz); - memset(gen, 0, sz); - diff --git a/meta-oe/recipes-support/postgresql/files/postgresql-CVE-2016-0773.patch b/meta-oe/recipes-support/postgresql/files/postgresql-CVE-2016-0773.patch deleted file mode 100644 index 0fc9082397..0000000000 --- a/meta-oe/recipes-support/postgresql/files/postgresql-CVE-2016-0773.patch +++ /dev/null @@ -1,222 +0,0 @@ -From 3bb3f42f3749d40b8d4de65871e8d828b18d4a45 Mon Sep 17 00:00:00 2001 -From: Tom Lane <tgl@sss.pgh.pa.us> -Date: Mon, 8 Feb 2016 10:25:40 -0500 -Subject: [PATCH] Fix some regex issues with out-of-range characters and large - char ranges. - -Previously, our regex code defined CHR_MAX as 0xfffffffe, which is a -bad choice because it is outside the range of type "celt" (int32). -Characters approaching that limit could lead to infinite loops in logic -such as "for (c = a; c <= b; c++)" where c is of type celt but the -range bounds are chr. Such loops will work safely only if CHR_MAX+1 -is representable in celt, since c must advance to beyond b before the -loop will exit. - -Fortunately, there seems no reason not to restrict CHR_MAX to 0x7ffffffe. -It's highly unlikely that Unicode will ever assign codes that high, and -none of our other backend encodings need characters beyond that either. - -In addition to modifying the macro, we have to explicitly enforce character -range restrictions on the values of \u, \U, and \x escape sequences, else -the limit is trivially bypassed. - -Also, the code for expanding case-independent character ranges in bracket -expressions had a potential integer overflow in its calculation of the -number of characters it could generate, which could lead to allocating too -small a character vector and then overwriting memory. An attacker with the -ability to supply arbitrary regex patterns could easily cause transient DOS -via server crashes, and the possibility for privilege escalation has not -been ruled out. - -Quite aside from the integer-overflow problem, the range expansion code was -unnecessarily inefficient in that it always produced a result consisting of -individual characters, abandoning the knowledge that we had a range to -start with. If the input range is large, this requires excessive memory. -Change it so that the original range is reported as-is, and then we add on -any case-equivalent characters that are outside that range. With this -approach, we can bound the number of individual characters allowed without -sacrificing much. This patch allows at most 100000 individual characters, -which I believe to be more than the number of case pairs existing in -Unicode, so that the restriction will never be hit in practice. - -It's still possible for range() to take awhile given a large character code -range, so also add statement-cancel detection to its loop. The downstream -function dovec() also lacked cancel detection, and could take a long time -given a large output from range(). - -Per fuzz testing by Greg Stark. Back-patch to all supported branches. - -Security: CVE-2016-0773 - -Upstream-Status: Backport - -Signed-off-by: Tom Lane <tgl@sss.pgh.pa.us> -Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> - -Index: postgresql-9.4.5/src/backend/regex/regc_lex.c -=================================================================== ---- postgresql-9.4.5.orig/src/backend/regex/regc_lex.c 2015-10-06 03:12:06.000000000 +0800 -+++ postgresql-9.4.5/src/backend/regex/regc_lex.c 2016-03-10 10:29:57.045784317 +0800 -@@ -792,13 +792,13 @@ - break; - case CHR('u'): - c = lexdigits(v, 16, 4, 4); -- if (ISERR()) -+ if (ISERR() || c < CHR_MIN || c > CHR_MAX) - FAILW(REG_EESCAPE); - RETV(PLAIN, c); - break; - case CHR('U'): - c = lexdigits(v, 16, 8, 8); -- if (ISERR()) -+ if (ISERR() || c < CHR_MIN || c > CHR_MAX) - FAILW(REG_EESCAPE); - RETV(PLAIN, c); - break; -@@ -816,7 +816,7 @@ - case CHR('x'): - NOTE(REG_UUNPORT); - c = lexdigits(v, 16, 1, 255); /* REs >255 long outside spec */ -- if (ISERR()) -+ if (ISERR() || c < CHR_MIN || c > CHR_MAX) - FAILW(REG_EESCAPE); - RETV(PLAIN, c); - break; -@@ -872,6 +872,9 @@ - - /* - * lexdigits - slurp up digits and return chr value -+ * -+ * This does not account for overflow; callers should range-check the result -+ * if maxlen is large enough to make that possible. - */ - static chr /* chr value; errors signalled via ERR */ - lexdigits(struct vars * v, -Index: postgresql-9.4.5/src/backend/regex/regc_locale.c -=================================================================== ---- postgresql-9.4.5.orig/src/backend/regex/regc_locale.c 2015-10-06 03:12:06.000000000 +0800 -+++ postgresql-9.4.5/src/backend/regex/regc_locale.c 2016-03-10 10:34:28.757781726 +0800 -@@ -408,8 +408,7 @@ - int nchrs; - struct cvec *cv; - celt c, -- lc, -- uc; -+ cc; - - if (a != b && !before(a, b)) - { -@@ -427,24 +426,48 @@ - - /* - * When case-independent, it's hard to decide when cvec ranges are usable, -- * so for now at least, we won't try. We allocate enough space for two -- * case variants plus a little extra for the two title case variants. -+ * so for now at least, we won't try. We use a range for the originally -+ * specified chrs and then add on any case-equivalents that are outside -+ * that range as individual chrs. -+ * -+ * To ensure sane behavior if someone specifies a very large range, limit -+ * the allocation size to 100000 chrs (arbitrary) and check for overrun -+ * inside the loop below. - */ - -- nchrs = (b - a + 1) * 2 + 4; -- -- cv = getcvec(v, nchrs, 0); -+ cv = getcvec(v, nchrs, 1); - NOERRN(); -+ addrange(cv, a, b); - - for (c = a; c <= b; c++) - { -- addchr(cv, c); -- lc = pg_wc_tolower((chr) c); -- if (c != lc) -- addchr(cv, lc); -- uc = pg_wc_toupper((chr) c); -- if (c != uc) -- addchr(cv, uc); -+ cc = pg_wc_tolower((chr) c); -+ if (cc != c && -+ (before(cc, a) || before(b, cc))) -+ { -+ if (cv->nchrs >= cv->chrspace) -+ { -+ ERR(REG_ETOOBIG); -+ return NULL; -+ } -+ addchr(cv, cc); -+ } -+ cc = pg_wc_toupper((chr) c); -+ if (cc != c && -+ (before(cc, a) || before(b, cc))) -+ { -+ if (cv->nchrs >= cv->chrspace) -+ { -+ ERR(REG_ETOOBIG); -+ return NULL; -+ } -+ addchr(cv, cc); -+ } -+ if (CANCEL_REQUESTED(v->re)) -+ { -+ ERR(REG_CANCEL); -+ return NULL; -+ } - } - - return cv; -Index: postgresql-9.4.5/src/backend/regex/regcomp.c -=================================================================== ---- postgresql-9.4.5.orig/src/backend/regex/regcomp.c 2015-10-06 03:12:06.000000000 +0800 -+++ postgresql-9.4.5/src/backend/regex/regcomp.c 2016-03-10 10:35:25.397781185 +0800 -@@ -1569,6 +1569,7 @@ - { - ch = *p; - newarc(v->nfa, PLAIN, subcolor(v->cm, ch), lp, rp); -+ NOERR(); - } - - /* and the ranges */ -@@ -1578,6 +1579,7 @@ - to = *(p + 1); - if (from <= to) - subrange(v, from, to, lp, rp); -+ NOERR(); - } - } - -Index: postgresql-9.4.5/src/include/regex/regcustom.h -=================================================================== ---- postgresql-9.4.5.orig/src/include/regex/regcustom.h 2015-10-06 03:12:06.000000000 +0800 -+++ postgresql-9.4.5/src/include/regex/regcustom.h 2016-03-10 10:37:09.989780188 +0800 -@@ -65,7 +65,8 @@ - #define DIGITVAL(c) ((c)-'0') /* turn chr digit into its value */ - #define CHRBITS 32 /* bits in a chr; must not use sizeof */ - #define CHR_MIN 0x00000000 /* smallest and largest chr; the value */ --#define CHR_MAX 0xfffffffe /* CHR_MAX-CHR_MIN+1 should fit in uchr */ -+#define CHR_MAX 0x7ffffffe /* CHR_MAX-CHR_MIN+1 must fit in an int, and -+ * CHR_MAX+1 must fit in both chr and celt */ - - /* functions operating on chr */ - #define iscalnum(x) pg_wc_isalnum(x) -Index: postgresql-9.4.5/src/test/regress/expected/regex.out -=================================================================== ---- postgresql-9.4.5.orig/src/test/regress/expected/regex.out 2015-10-06 03:12:06.000000000 +0800 -+++ postgresql-9.4.5/src/test/regress/expected/regex.out 2016-03-10 10:38:28.821779436 +0800 -@@ -222,3 +222,5 @@ - t - (1 row) - -+select 'a' ~ '\x7fffffff'; -- invalid chr code -+ERROR: invalid regular expression: invalid escape \ sequence -Index: postgresql-9.4.5/src/test/regress/sql/regex.sql -=================================================================== ---- postgresql-9.4.5.orig/src/test/regress/sql/regex.sql 2015-10-06 03:12:06.000000000 +0800 -+++ postgresql-9.4.5/src/test/regress/sql/regex.sql 2016-03-10 10:38:57.845779159 +0800 -@@ -57,3 +57,4 @@ - select 'a' ~ '.. ()|\1'; - select 'a' ~ '()*\1'; - select 'a' ~ '()+\1'; -+select 'a' ~ '\x7fffffff'; -- invalid chr code diff --git a/meta-oe/recipes-support/postgresql/postgresql.inc b/meta-oe/recipes-support/postgresql/postgresql.inc index 32ffe190b6..e473f58e7b 100644 --- a/meta-oe/recipes-support/postgresql/postgresql.inc +++ b/meta-oe/recipes-support/postgresql/postgresql.inc @@ -31,8 +31,6 @@ SRC_URI = "http://ftp.postgresql.org/pub/source/v${PV}/${BP}.tar.bz2 \ file://postgresql-setup \ file://postgresql.service \ file://0001-Use-pkg-config-for-libxml2-detection.patch \ - file://postgresql-CVE-2016-0766.patch \ - file://postgresql-CVE-2016-0773.patch \ " LEAD_SONAME = "libpq.so" diff --git a/meta-oe/recipes-support/postgresql/postgresql_9.4.5.bb b/meta-oe/recipes-support/postgresql/postgresql_9.4.5.bb deleted file mode 100644 index 54b660e129..0000000000 --- a/meta-oe/recipes-support/postgresql/postgresql_9.4.5.bb +++ /dev/null @@ -1,14 +0,0 @@ -require postgresql.inc - -LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=7d847a9b446ddfe187acfac664189672" - -PR = "${INC_PR}.0" - -SRC_URI += "\ - file://remove.autoconf.version.check.patch \ - file://not-check-libperl.patch \ -" - -SRC_URI[md5sum] = "8b2e3472a8dc786649b4d02d02e039a0" -SRC_URI[sha256sum] = "b87c50c66b6ea42a9712b5f6284794fabad0616e6ae420cf0f10523be6d94a39" - diff --git a/meta-oe/recipes-support/postgresql/postgresql_9.4.8.bb b/meta-oe/recipes-support/postgresql/postgresql_9.4.8.bb new file mode 100644 index 0000000000..7dba92cbf7 --- /dev/null +++ b/meta-oe/recipes-support/postgresql/postgresql_9.4.8.bb @@ -0,0 +1,14 @@ +require postgresql.inc + +LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=3a9c1120056a102a8c8c4013cd828dce" + +PR = "${INC_PR}.0" + +SRC_URI += "\ + file://remove.autoconf.version.check.patch \ + file://not-check-libperl.patch \ +" + +SRC_URI[md5sum] = "a1a2e8014b2b4c49fc58fe2e2fe83681" +SRC_URI[sha256sum] = "4a10640e180e0d9adb587bc25a82dcce6bf507b033637e7fb9d4eeffa33a6b4c" + |