import postgresql-jdbc-42.2.14-2.el8

2023-05-16 06:10:29 +00:00 · 2023-05-16 06:10:29 +00:00 · 7a6da37dd4
commit 7a6da37dd4
parent 5af61c14d7
2 changed files with 41 additions and 1 deletions
--- a/SOURCES/postgresql-jdbc-CVE-2022-41946.patch
+++ b/SOURCES/postgresql-jdbc-CVE-2022-41946.patch
@ -0,0 +1,35 @@
+From 9008dc9aade6dbfe4efafcd6872ebc55f4699cf5 Mon Sep 17 00:00:00 2001
+From: Dave Cramer <davecramer@gmail.com>
+Date: Wed, 23 Nov 2022 09:25:08 -0500
+Subject: [PATCH] Merge pull request from GHSA-562r-vg33-8x8h
+
+* Fix: createTempFile vulnerability on unix like systems where temporary files can be read by other users on the system
+
+---
+ .../org/postgresql/util/StreamWrapper.java    |  3 +-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/src/main/java/org/postgresql/util/StreamWrapper.java b/src/main/java/org/postgresql/util/StreamWrapper.java
+index e4d48f7b..7ff49bc4 100644
+--- a/src/main/java/org/postgresql/util/StreamWrapper.java
+++ b/src/main/java/org/postgresql/util/StreamWrapper.java
+@@ -17,6 +17,7 @@ import java.io.FileOutputStream;
+ import java.io.IOException;
+ import java.io.InputStream;
+ import java.io.OutputStream;
+import java.nio.file.Files;
+ 
+ /**
+  * Wrapper around a length-limited InputStream.
+@@ -51,7 +52,7 @@ public class StreamWrapper {
+ 
+       if (memoryLength == -1) {
+         final int diskLength;
+-        final File tempFile = File.createTempFile(TEMP_FILE_PREFIX, null);
+        final File tempFile = Files.createTempFile(TEMP_FILE_PREFIX, null).toFile();
+         FileOutputStream diskOutputStream = new FileOutputStream(tempFile);
+         diskOutputStream.write(rawData);
+         try {
+-- 
+2.38.1
+
--- a/SPECS/postgresql-jdbc.spec
+++ b/SPECS/postgresql-jdbc.spec
@ -31,11 +31,12 @@
 Summary:	JDBC driver for PostgreSQL
 Name:		postgresql-jdbc
 Version:	42.2.14
-Release:	1%{?dist}
+Release:	2%{?dist}
 License:	BSD
 URL:		http://jdbc.postgresql.org/

 Source0:	https://repo1.maven.org/maven2/org/postgresql/postgresql/%{version}/postgresql-%{version}-src.tar.gz
+Patch0:	postgresql-jdbc-CVE-2022-41946.patch
 Provides:	pgjdbc = %version-%release

 BuildArch:	noarch
@ -65,6 +66,7 @@ This package contains the API Documentation for %{name}.

 %prep
 %setup -c -q
+%patch0 -p1

 # remove any binary libs
 find -type f \( -name "*.jar" -or -name "*.class" \) | xargs rm -f
@ -103,6 +105,9 @@ find -type f \( -name "*.jar" -or -name "*.class" \) | xargs rm -f


 %changelog
+* Mon Jan 09 2023 Zuzana Miklankova <zmiklank@redhat.com> - 42.2.14-2
+- Fix CVE-2022-41946
+
 * Tue Dec 14 2021 Zuzana Miklankova <zmiklank@redhat.com> - 42.2.14-1
 - Rebase on 42.2.14