import postgresql-jdbc-42.2.14-2.el8
This commit is contained in:
parent
9e0844e95e
commit
15538bfa9b
35
SOURCES/postgresql-jdbc-CVE-2022-41946.patch
Normal file
35
SOURCES/postgresql-jdbc-CVE-2022-41946.patch
Normal file
@ -0,0 +1,35 @@
|
||||
From 9008dc9aade6dbfe4efafcd6872ebc55f4699cf5 Mon Sep 17 00:00:00 2001
|
||||
From: Dave Cramer <davecramer@gmail.com>
|
||||
Date: Wed, 23 Nov 2022 09:25:08 -0500
|
||||
Subject: [PATCH] Merge pull request from GHSA-562r-vg33-8x8h
|
||||
|
||||
* Fix: createTempFile vulnerability on unix like systems where temporary files can be read by other users on the system
|
||||
|
||||
---
|
||||
.../org/postgresql/util/StreamWrapper.java | 3 +-
|
||||
1 files changed, 2 insertions(+), 1 deletions(-)
|
||||
|
||||
diff --git a/src/main/java/org/postgresql/util/StreamWrapper.java b/src/main/java/org/postgresql/util/StreamWrapper.java
|
||||
index e4d48f7b..7ff49bc4 100644
|
||||
--- a/src/main/java/org/postgresql/util/StreamWrapper.java
|
||||
+++ b/src/main/java/org/postgresql/util/StreamWrapper.java
|
||||
@@ -17,6 +17,7 @@ import java.io.FileOutputStream;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.io.OutputStream;
|
||||
+import java.nio.file.Files;
|
||||
|
||||
/**
|
||||
* Wrapper around a length-limited InputStream.
|
||||
@@ -51,7 +52,7 @@ public class StreamWrapper {
|
||||
|
||||
if (memoryLength == -1) {
|
||||
final int diskLength;
|
||||
- final File tempFile = File.createTempFile(TEMP_FILE_PREFIX, null);
|
||||
+ final File tempFile = Files.createTempFile(TEMP_FILE_PREFIX, null).toFile();
|
||||
FileOutputStream diskOutputStream = new FileOutputStream(tempFile);
|
||||
diskOutputStream.write(rawData);
|
||||
try {
|
||||
--
|
||||
2.38.1
|
||||
|
@ -31,11 +31,12 @@
|
||||
Summary: JDBC driver for PostgreSQL
|
||||
Name: postgresql-jdbc
|
||||
Version: 42.2.14
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: BSD
|
||||
URL: http://jdbc.postgresql.org/
|
||||
|
||||
Source0: https://repo1.maven.org/maven2/org/postgresql/postgresql/%{version}/postgresql-%{version}-src.tar.gz
|
||||
Patch0: postgresql-jdbc-CVE-2022-41946.patch
|
||||
Provides: pgjdbc = %version-%release
|
||||
|
||||
BuildArch: noarch
|
||||
@ -65,6 +66,7 @@ This package contains the API Documentation for %{name}.
|
||||
|
||||
%prep
|
||||
%setup -c -q
|
||||
%patch0 -p1
|
||||
|
||||
# remove any binary libs
|
||||
find -type f \( -name "*.jar" -or -name "*.class" \) | xargs rm -f
|
||||
@ -103,6 +105,9 @@ find -type f \( -name "*.jar" -or -name "*.class" \) | xargs rm -f
|
||||
|
||||
|
||||
%changelog
|
||||
* Mon Jan 09 2023 Zuzana Miklankova <zmiklank@redhat.com> - 42.2.14-2
|
||||
- Fix CVE-2022-41946
|
||||
|
||||
* Tue Dec 14 2021 Zuzana Miklankova <zmiklank@redhat.com> - 42.2.14-1
|
||||
- Rebase on 42.2.14
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user