From 99a414ac29c3b9a5862708e0d74e5e7854b81486 Mon Sep 17 00:00:00 2001 From: Zuzana Miklankova Date: Tue, 3 Jan 2023 14:45:38 +0100 Subject: [PATCH] Rebase to 42.2.27 Resolves: CVE-2022-41946 --- .gitignore | 1 + postgresql-jdbc-CVE-2022-31197.patch | 92 ---------------------------- postgresql-jdbc.spec | 11 ++-- sources | 2 +- 4 files changed, 8 insertions(+), 98 deletions(-) delete mode 100644 postgresql-jdbc-CVE-2022-31197.patch diff --git a/.gitignore b/.gitignore index 6256606..59e9a75 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ /postgresql-42.2.15-jdbc-src.tar.gz /postgresql-42.2.16-jdbc-src.tar.gz /postgresql-42.2.18-jdbc-src.tar.gz +/postgresql-42.2.27-jdbc-src.tar.gz diff --git a/postgresql-jdbc-CVE-2022-31197.patch b/postgresql-jdbc-CVE-2022-31197.patch deleted file mode 100644 index efa1b4f..0000000 --- a/postgresql-jdbc-CVE-2022-31197.patch +++ /dev/null @@ -1,92 +0,0 @@ -Fix CVE-2022-31197 - -Source of this commit and more information about it is here: -https://github.com/pgjdbc/pgjdbc/commit/739e599d52ad80f8dcd6efedc6157859b1a9d637 - -diff --git a/src/main/java/org/postgresql/jdbc/PgResultSet.java b/src/main/java/org/postgresql/jdbc/PgResultSet.java -index 42c6dda6..81a5ef1d 100644 ---- a/src/main/java/org/postgresql/jdbc/PgResultSet.java -+++ b/src/main/java/org/postgresql/jdbc/PgResultSet.java -@@ -1323,7 +1323,7 @@ public class PgResultSet implements ResultSet, org.postgresql.PGRefCursorResultS - if (i > 1) { - selectSQL.append(", "); - } -- selectSQL.append(pgmd.getBaseColumnName(i)); -+ Utils.escapeIdentifier(selectSQL, pgmd.getBaseColumnName(i)); - } - selectSQL.append(" from ").append(onlyTable).append(tableName).append(" where "); - -@@ -1333,7 +1333,8 @@ public class PgResultSet implements ResultSet, org.postgresql.PGRefCursorResultS - for (int i = 0; i < numKeys; i++) { - - PrimaryKey primaryKey = primaryKeys.get(i); -- selectSQL.append(primaryKey.name).append("= ?"); -+ Utils.escapeIdentifier(selectSQL, primaryKey.name); -+ selectSQL.append(" = ?"); - - if (i < numKeys - 1) { - selectSQL.append(" and "); - -diff --git a/pgjdbc/src/test/java/org/postgresql/test/jdbc2/ResultSetRefreshTest.java b/pgjdbc/src/test/java/org/postgresql/test/jdbc2/ResultSetRefreshTest.java -new file mode 100644 -index 00000000..3a4a7e51 ---- /dev/null -+++ b/src/test/java/org/postgresql/test/jdbc2/ResultSetRefreshTest.java -@@ -0,0 +1,57 @@ -+/* -+ * Copyright (c) 2022, PostgreSQL Global Development Group -+ * See the LICENSE file in the project root for more information. -+ */ -+ -+package org.postgresql.test.jdbc2; -+ -+import static org.junit.Assert.assertTrue; -+ -+import org.postgresql.test.TestUtil; -+ -+import org.junit.Test; -+ -+import java.sql.ResultSet; -+import java.sql.SQLException; -+import java.sql.Statement; -+import java.sql.Connection; -+ -+public class ResultSetRefreshTest extends BaseTest4 { -+ @Test -+ public void testWithDataColumnThatRequiresEscaping() throws Exception { -+ Connection conn = con; -+ TestUtil.dropTable(conn, "refresh_row_bad_ident"); -+ TestUtil.execute("CREATE TABLE refresh_row_bad_ident (id int PRIMARY KEY, \"1 FROM refresh_row_bad_ident; SELECT 2; SELECT *\" int)",conn); -+ TestUtil.execute("INSERT INTO refresh_row_bad_ident (id) VALUES (1), (2), (3)",conn); -+ -+ Statement stmt = conn.createStatement(ResultSet.TYPE_FORWARD_ONLY, ResultSet.CONCUR_UPDATABLE); -+ ResultSet rs = stmt.executeQuery("SELECT * FROM refresh_row_bad_ident"); -+ assertTrue(rs.next()); -+ try { -+ rs.refreshRow(); -+ } catch (SQLException ex) { -+ throw new RuntimeException("ResultSet.refreshRow() did not handle escaping data column identifiers", ex); -+ } -+ rs.close(); -+ stmt.close(); -+ } -+ -+ @Test -+ public void testWithKeyColumnThatRequiresEscaping() throws Exception { -+ Connection conn = con; -+ TestUtil.dropTable(conn, "refresh_row_bad_ident"); -+ TestUtil.execute("CREATE TABLE refresh_row_bad_ident (\"my key\" int PRIMARY KEY)",conn); -+ TestUtil.execute("INSERT INTO refresh_row_bad_ident VALUES (1), (2), (3)",conn); -+ -+ Statement stmt = conn.createStatement(ResultSet.TYPE_FORWARD_ONLY, ResultSet.CONCUR_UPDATABLE); -+ ResultSet rs = stmt.executeQuery("SELECT * FROM refresh_row_bad_ident"); -+ assertTrue(rs.next()); -+ try { -+ rs.refreshRow(); -+ } catch (SQLException ex) { -+ throw new RuntimeException("ResultSet.refreshRow() did not handle escaping key column identifiers", ex); -+ } -+ rs.close(); -+ stmt.close(); -+ } -+} diff --git a/postgresql-jdbc.spec b/postgresql-jdbc.spec index 6eaffe7..70eafd9 100644 --- a/postgresql-jdbc.spec +++ b/postgresql-jdbc.spec @@ -48,13 +48,12 @@ Summary: JDBC driver for PostgreSQL Name: postgresql-jdbc -Version: 42.2.18 -Release: 6%{?dist} +Version: 42.2.27 +Release: 1%{?dist} License: BSD URL: http://jdbc.postgresql.org/ Source0: https://repo1.maven.org/maven2/org/postgresql/postgresql/%{version}/postgresql-%{version}-jdbc-src.tar.gz -Patch0: postgresql-jdbc-CVE-2022-31197.patch Provides: pgjdbc = %version-%release @@ -100,8 +99,6 @@ This package contains the API Documentation for %{name}. mv postgresql-%{version}-jdbc-src/* . -%patch0 -p1 - # remove any binary libs find -type f \( -name "*.jar" -or -name "*.class" \) | xargs rm -f @@ -168,6 +165,10 @@ opts="-f" %changelog +* Tue Jan 03 2023 Zuzana Miklankova - 42.2.27-1 +- rebase to 42.2.27 +- fix for CVE-2022-41946 + * Tue Oct 11 2022 Zuzana Miklankova - 42.2.18-6 - fix for CVE-2022-31197 diff --git a/sources b/sources index 59f962f..64e1168 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (postgresql-42.2.18-jdbc-src.tar.gz) = 694458f9b58a1470f0fd2c77870bf73f21818a5112d446ddabb819730616be7e2f038ed132c970ba4285fb4c956c4e8a888b664270eb6493510d1e14d30a4961 +SHA512 (postgresql-42.2.27-jdbc-src.tar.gz) = bfcd53e95b8170830526e22c8bbed60f5175826380efd8052e880540dda579fa05c75544b213993868dfdeceb04f4dfa811c846829133699a9dfb0980b0e2e20