postgresql-jdbc/postgresql-jdbc-CVE-2022-41946.patch

From 9008dc9aade6dbfe4efafcd6872ebc55f4699cf5 Mon Sep 17 00:00:00 2001
From: Dave Cramer <davecramer@gmail.com>
Date: Wed, 23 Nov 2022 09:25:08 -0500
Subject: [PATCH] Merge pull request from GHSA-562r-vg33-8x8h

* Fix: createTempFile vulnerability on unix like systems where temporary files can be read by other users on the system

---
 .../org/postgresql/util/StreamWrapper.java    |  3 +-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/src/main/java/org/postgresql/util/StreamWrapper.java b/src/main/java/org/postgresql/util/StreamWrapper.java
index e4d48f7b..7ff49bc4 100644
--- a/src/main/java/org/postgresql/util/StreamWrapper.java
+++ b/src/main/java/org/postgresql/util/StreamWrapper.java
@@ -17,6 +17,7 @@ import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.nio.file.Files;
 
 /**
  * Wrapper around a length-limited InputStream.
@@ -51,7 +52,7 @@ public class StreamWrapper {
 
       if (memoryLength == -1) {
         final int diskLength;
-        final File tempFile = File.createTempFile(TEMP_FILE_PREFIX, null);
+        final File tempFile = Files.createTempFile(TEMP_FILE_PREFIX, null).toFile();
         FileOutputStream diskOutputStream = new FileOutputStream(tempFile);
         diskOutputStream.write(rawData);
         try {
-- 
2.38.1
Auto sync2gitlab import of postgresql-jdbc-42.2.14-2.el8.src.rpm 2023-01-12 08:12:26 +00:00			`From 9008dc9aade6dbfe4efafcd6872ebc55f4699cf5 Mon Sep 17 00:00:00 2001`
			`From: Dave Cramer <davecramer@gmail.com>`
			`Date: Wed, 23 Nov 2022 09:25:08 -0500`
			`Subject: [PATCH] Merge pull request from GHSA-562r-vg33-8x8h`

			`* Fix: createTempFile vulnerability on unix like systems where temporary files can be read by other users on the system`

			`---`
			`.../org/postgresql/util/StreamWrapper.java \| 3 +-`
			`1 files changed, 2 insertions(+), 1 deletions(-)`

			`diff --git a/src/main/java/org/postgresql/util/StreamWrapper.java b/src/main/java/org/postgresql/util/StreamWrapper.java`
			`index e4d48f7b..7ff49bc4 100644`
			`--- a/src/main/java/org/postgresql/util/StreamWrapper.java`
			`+++ b/src/main/java/org/postgresql/util/StreamWrapper.java`
			`@@ -17,6 +17,7 @@ import java.io.FileOutputStream;`
			`import java.io.IOException;`
			`import java.io.InputStream;`
			`import java.io.OutputStream;`
			`+import java.nio.file.Files;`

			`/**`
			`* Wrapper around a length-limited InputStream.`
			`@@ -51,7 +52,7 @@ public class StreamWrapper {`

			`if (memoryLength == -1) {`
			`final int diskLength;`
			`- final File tempFile = File.createTempFile(TEMP_FILE_PREFIX, null);`
			`+ final File tempFile = Files.createTempFile(TEMP_FILE_PREFIX, null).toFile();`
			`FileOutputStream diskOutputStream = new FileOutputStream(tempFile);`
			`diskOutputStream.write(rawData);`
			`try {`
			`--`
			`2.38.1`