From 15538bfa9b1bf46b535efc400539daf9127019fa Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Tue, 28 Mar 2023 12:37:45 +0000
Subject: [PATCH] import postgresql-jdbc-42.2.14-2.el8

---
 SOURCES/postgresql-jdbc-CVE-2022-41946.patch | 35 ++++++++++++++++++++
 SPECS/postgresql-jdbc.spec                   |  7 +++-
 2 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/postgresql-jdbc-CVE-2022-41946.patch

diff --git a/SOURCES/postgresql-jdbc-CVE-2022-41946.patch b/SOURCES/postgresql-jdbc-CVE-2022-41946.patch
new file mode 100644
index 0000000..5f38744
--- /dev/null
+++ b/SOURCES/postgresql-jdbc-CVE-2022-41946.patch
@@ -0,0 +1,35 @@
+From 9008dc9aade6dbfe4efafcd6872ebc55f4699cf5 Mon Sep 17 00:00:00 2001
+From: Dave Cramer <davecramer@gmail.com>
+Date: Wed, 23 Nov 2022 09:25:08 -0500
+Subject: [PATCH] Merge pull request from GHSA-562r-vg33-8x8h
+
+* Fix: createTempFile vulnerability on unix like systems where temporary files can be read by other users on the system
+
+---
+ .../org/postgresql/util/StreamWrapper.java    |  3 +-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/src/main/java/org/postgresql/util/StreamWrapper.java b/src/main/java/org/postgresql/util/StreamWrapper.java
+index e4d48f7b..7ff49bc4 100644
+--- a/src/main/java/org/postgresql/util/StreamWrapper.java
++++ b/src/main/java/org/postgresql/util/StreamWrapper.java
+@@ -17,6 +17,7 @@ import java.io.FileOutputStream;
+ import java.io.IOException;
+ import java.io.InputStream;
+ import java.io.OutputStream;
++import java.nio.file.Files;
+ 
+ /**
+  * Wrapper around a length-limited InputStream.
+@@ -51,7 +52,7 @@ public class StreamWrapper {
+ 
+       if (memoryLength == -1) {
+         final int diskLength;
+-        final File tempFile = File.createTempFile(TEMP_FILE_PREFIX, null);
++        final File tempFile = Files.createTempFile(TEMP_FILE_PREFIX, null).toFile();
+         FileOutputStream diskOutputStream = new FileOutputStream(tempFile);
+         diskOutputStream.write(rawData);
+         try {
+-- 
+2.38.1
+
diff --git a/SPECS/postgresql-jdbc.spec b/SPECS/postgresql-jdbc.spec
index 01f0146..ce9ca8c 100644
--- a/SPECS/postgresql-jdbc.spec
+++ b/SPECS/postgresql-jdbc.spec
@@ -31,11 +31,12 @@
 Summary:	JDBC driver for PostgreSQL
 Name:		postgresql-jdbc
 Version:	42.2.14
-Release:	1%{?dist}
+Release:	2%{?dist}
 License:	BSD
 URL:		http://jdbc.postgresql.org/
 
 Source0:	https://repo1.maven.org/maven2/org/postgresql/postgresql/%{version}/postgresql-%{version}-src.tar.gz
+Patch0:	postgresql-jdbc-CVE-2022-41946.patch
 Provides:	pgjdbc = %version-%release
 
 BuildArch:	noarch
@@ -65,6 +66,7 @@ This package contains the API Documentation for %{name}.
 
 %prep
 %setup -c -q
+%patch0 -p1
 
 # remove any binary libs
 find -type f \( -name "*.jar" -or -name "*.class" \) | xargs rm -f
@@ -103,6 +105,9 @@ find -type f \( -name "*.jar" -or -name "*.class" \) | xargs rm -f
 
 
 %changelog
+* Mon Jan 09 2023 Zuzana Miklankova <zmiklank@redhat.com> - 42.2.14-2
+- Fix CVE-2022-41946
+
 * Tue Dec 14 2021 Zuzana Miklankova <zmiklank@redhat.com> - 42.2.14-1
 - Rebase on 42.2.14