diff --git a/postgresql-jdbc-CVE-2022-41946.patch b/postgresql-jdbc-CVE-2022-41946.patch
new file mode 100644
index 0000000..5f38744
--- /dev/null
+++ b/postgresql-jdbc-CVE-2022-41946.patch
@@ -0,0 +1,35 @@
+From 9008dc9aade6dbfe4efafcd6872ebc55f4699cf5 Mon Sep 17 00:00:00 2001
+From: Dave Cramer
+Date: Wed, 23 Nov 2022 09:25:08 -0500
+Subject: [PATCH] Merge pull request from GHSA-562r-vg33-8x8h
+
+* Fix: createTempFile vulnerability on unix like systems where temporary files can be read by other users on the system
+
+---
+ .../org/postgresql/util/StreamWrapper.java | 3 +-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/src/main/java/org/postgresql/util/StreamWrapper.java b/src/main/java/org/postgresql/util/StreamWrapper.java
+index e4d48f7b..7ff49bc4 100644
+--- a/src/main/java/org/postgresql/util/StreamWrapper.java
++++ b/src/main/java/org/postgresql/util/StreamWrapper.java
+@@ -17,6 +17,7 @@ import java.io.FileOutputStream;
+ import java.io.IOException;
+ import java.io.InputStream;
+ import java.io.OutputStream;
++import java.nio.file.Files;
+
+ /**
+ * Wrapper around a length-limited InputStream.
+@@ -51,7 +52,7 @@ public class StreamWrapper {
+
+ if (memoryLength == -1) {
+ final int diskLength;
+- final File tempFile = File.createTempFile(TEMP_FILE_PREFIX, null);
++ final File tempFile = Files.createTempFile(TEMP_FILE_PREFIX, null).toFile();
+ FileOutputStream diskOutputStream = new FileOutputStream(tempFile);
+ diskOutputStream.write(rawData);
+ try {
+--
+2.38.1
+
diff --git a/postgresql-jdbc.spec b/postgresql-jdbc.spec
index 01f0146..ce9ca8c 100644
--- a/postgresql-jdbc.spec
+++ b/postgresql-jdbc.spec
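Review bot: The one-line switch to `Files.createTempFile(TEMP_FILE_PREFIX, null).toFile()` closes the "readable by other users" hole named in the patch subject only on file systems with POSIX permissions, where the NIO helper creates the file with mode 0600 regardless of umask; on Windows or a non-POSIX mount the file simply inherits the temp directory's ACL, which this backport does not address and the spec changelog should not imply it does. Because the two calls look interchangeable, I would add a comment above the new line so nobody reverts it as a cosmetic change, e.g. `// Files.createTempFile creates the file 0600 on POSIX; File.createTempFile left it at the umask default (CVE-2022-41946).` Separately, `diskOutputStream.write(rawData)` two lines below runs before the `try`, so an IOException in that write leaks the FileOutputStream and leaves a partially written, now-unreferenced temp file holding the stream data on disk; moving the write inside the existing try, or opening the stream with try-with-resources, would bound how long that data lives. The StreamWrapper constructor begins before and continues past this hunk, so I cannot confirm from here when `tempFile` is deleted.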
@@ -31,11 +31,12 @@ Summary: JDBC driver for PostgreSQL Name: postgresql-jdbc Version: 42.2.14 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD URL: http://jdbc.postgresql.org/ Source0: https://repo1.maven.org/maven2/org/postgresql/postgresql/%{version}/postgresql-%{version}-src.tar.gz +Patch0: postgresql-jdbc-CVE-2022-41946.patch Provides: pgjdbc = %version-%release BuildArch: noarch @@ -65,6 +66,7 @@ This package contains the API Documentation for %{name}. %prep %setup -c -q +%patch0 -p1 # remove any binary libs find -type f \( -name "*.jar" -or -name "*.class" \) | xargs rm -f @@ -103,6 +105,9 @@ find -type f \( -name "*.jar" -or -name "*.class" \) | xargs rm -f %changelog +* Mon Jan 09 2023 Zuzana Miklankova - 42.2.14-2 +- Fix CVE-2022-41946 + * Tue Dec 14 2021 Zuzana Miklankova - 42.2.14-1 - Rebase on 42.2.14