rpms/postgresql-jdbc
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Auto sync2gitlab import of postgresql-jdbc-42.2.14-2.el8.src.rpm

Browse Source
This commit is contained in:
CentOS Sources 2023-01-12 08:12:26 +00:00
parent a5444101db
commit 16a187ba63
2 changed files with 41 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
postgresql-jdbc-CVE-2022-41946.patch Normal file
View File

@ -0,0 +1,35 @@
From 9008dc9aade6dbfe4efafcd6872ebc55f4699cf5 Mon Sep 17 00:00:00 2001
From: Dave Cramer <davecramer@gmail.com>
Date: Wed, 23 Nov 2022 09:25:08 -0500
Subject: [PATCH] Merge pull request from GHSA-562r-vg33-8x8h
* Fix: createTempFile vulnerability on unix like systems where temporary files can be read by other users on the system
---
.../org/postgresql/util/StreamWrapper.java | 3 +-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/src/main/java/org/postgresql/util/StreamWrapper.java b/src/main/java/org/postgresql/util/StreamWrapper.java
index e4d48f7b..7ff49bc4 100644
--- a/src/main/java/org/postgresql/util/StreamWrapper.java
+++ b/src/main/java/org/postgresql/util/StreamWrapper.java
@@ -17,6 +17,7 @@ import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
+import java.nio.file.Files;
/**
* Wrapper around a length-limited InputStream.
@@ -51,7 +52,7 @@ public class StreamWrapper {
if (memoryLength == -1) {
final int diskLength;
- final File tempFile = File.createTempFile(TEMP_FILE_PREFIX, null);
+ final File tempFile = Files.createTempFile(TEMP_FILE_PREFIX, null).toFile();
FileOutputStream diskOutputStream = new FileOutputStream(tempFile);
diskOutputStream.write(rawData);
try {
--
2.38.1

7
postgresql-jdbc.spec
View File

@ -31,11 +31,12 @@
Summary: JDBC driver for PostgreSQL Summary: JDBC driver for PostgreSQL
Name: postgresql-jdbc Name: postgresql-jdbc
Version: 42.2.14 Version: 42.2.14
Release: 1%{?dist} Release: 2%{?dist}
License: BSD License: BSD
URL: http://jdbc.postgresql.org/ URL: http://jdbc.postgresql.org/
Source0: https://repo1.maven.org/maven2/org/postgresql/postgresql/%{version}/postgresql-%{version}-src.tar.gz Source0: https://repo1.maven.org/maven2/org/postgresql/postgresql/%{version}/postgresql-%{version}-src.tar.gz
Patch0: postgresql-jdbc-CVE-2022-41946.patch
Provides: pgjdbc = %version-%release Provides: pgjdbc = %version-%release
BuildArch: noarch BuildArch: noarch
@ -65,6 +66,7 @@ This package contains the API Documentation for %{name}.
%prep %prep
%setup -c -q %setup -c -q
%patch0 -p1
# remove any binary libs # remove any binary libs
find -type f \( -name "*.jar" -or -name "*.class" \) | xargs rm -f find -type f \( -name "*.jar" -or -name "*.class" \) | xargs rm -f
@ -103,6 +105,9 @@ find -type f \( -name "*.jar" -or -name "*.class" \) | xargs rm -f
%changelog %changelog
* Mon Jan 09 2023 Zuzana Miklankova <zmiklank@redhat.com> - 42.2.14-2
- Fix CVE-2022-41946
* Tue Dec 14 2021 Zuzana Miklankova <zmiklank@redhat.com> - 42.2.14-1 * Tue Dec 14 2021 Zuzana Miklankova <zmiklank@redhat.com> - 42.2.14-1
- Rebase on 42.2.14 - Rebase on 42.2.14