rpms/postgresql-jdbc
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Rebase to 42.2.27

Browse Source 
Resolves: CVE-2022-41946
This commit is contained in:
Zuzana Miklankova 2023-01-03 14:45:38 +01:00
parent da056622a0
commit 99a414ac29
No known key found for this signature in database
GPG Key ID: 46A18EF4D17103A0
4 changed files with 8 additions and 98 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -4,3 +4,4 @@
/postgresql-42.2.15-jdbc-src.tar.gz /postgresql-42.2.15-jdbc-src.tar.gz
/postgresql-42.2.16-jdbc-src.tar.gz /postgresql-42.2.16-jdbc-src.tar.gz
/postgresql-42.2.18-jdbc-src.tar.gz /postgresql-42.2.18-jdbc-src.tar.gz
/postgresql-42.2.27-jdbc-src.tar.gz

92
postgresql-jdbc-CVE-2022-31197.patch
View File

@ -1,92 +0,0 @@
Fix CVE-2022-31197
Source of this commit and more information about it is here:
https://github.com/pgjdbc/pgjdbc/commit/739e599d52ad80f8dcd6efedc6157859b1a9d637
diff --git a/src/main/java/org/postgresql/jdbc/PgResultSet.java b/src/main/java/org/postgresql/jdbc/PgResultSet.java
index 42c6dda6..81a5ef1d 100644
--- a/src/main/java/org/postgresql/jdbc/PgResultSet.java
+++ b/src/main/java/org/postgresql/jdbc/PgResultSet.java
@@ -1323,7 +1323,7 @@ public class PgResultSet implements ResultSet, org.postgresql.PGRefCursorResultS
if (i > 1) {
selectSQL.append(", ");
}
- selectSQL.append(pgmd.getBaseColumnName(i));
+ Utils.escapeIdentifier(selectSQL, pgmd.getBaseColumnName(i));
}
selectSQL.append(" from ").append(onlyTable).append(tableName).append(" where ");
@@ -1333,7 +1333,8 @@ public class PgResultSet implements ResultSet, org.postgresql.PGRefCursorResultS
for (int i = 0; i < numKeys; i++) {
PrimaryKey primaryKey = primaryKeys.get(i);
- selectSQL.append(primaryKey.name).append("= ?");
+ Utils.escapeIdentifier(selectSQL, primaryKey.name);
+ selectSQL.append(" = ?");
if (i < numKeys - 1) {
selectSQL.append(" and ");
diff --git a/pgjdbc/src/test/java/org/postgresql/test/jdbc2/ResultSetRefreshTest.java b/pgjdbc/src/test/java/org/postgresql/test/jdbc2/ResultSetRefreshTest.java
new file mode 100644
index 00000000..3a4a7e51
--- /dev/null
+++ b/src/test/java/org/postgresql/test/jdbc2/ResultSetRefreshTest.java
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 2022, PostgreSQL Global Development Group
+ * See the LICENSE file in the project root for more information.
+ */
+
+package org.postgresql.test.jdbc2;
+
+import static org.junit.Assert.assertTrue;
+
+import org.postgresql.test.TestUtil;
+
+import org.junit.Test;
+
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+import java.sql.Connection;
+
+public class ResultSetRefreshTest extends BaseTest4 {
+ @Test
+ public void testWithDataColumnThatRequiresEscaping() throws Exception {
+ Connection conn = con;
+ TestUtil.dropTable(conn, "refresh_row_bad_ident");
+ TestUtil.execute("CREATE TABLE refresh_row_bad_ident (id int PRIMARY KEY, \"1 FROM refresh_row_bad_ident; SELECT 2; SELECT *\" int)",conn);
+ TestUtil.execute("INSERT INTO refresh_row_bad_ident (id) VALUES (1), (2), (3)",conn);
+
+ Statement stmt = conn.createStatement(ResultSet.TYPE_FORWARD_ONLY, ResultSet.CONCUR_UPDATABLE);
+ ResultSet rs = stmt.executeQuery("SELECT * FROM refresh_row_bad_ident");
+ assertTrue(rs.next());
+ try {
+ rs.refreshRow();
+ } catch (SQLException ex) {
+ throw new RuntimeException("ResultSet.refreshRow() did not handle escaping data column identifiers", ex);
+ }
+ rs.close();
+ stmt.close();
+ }
+
+ @Test
+ public void testWithKeyColumnThatRequiresEscaping() throws Exception {
+ Connection conn = con;
+ TestUtil.dropTable(conn, "refresh_row_bad_ident");
+ TestUtil.execute("CREATE TABLE refresh_row_bad_ident (\"my key\" int PRIMARY KEY)",conn);
+ TestUtil.execute("INSERT INTO refresh_row_bad_ident VALUES (1), (2), (3)",conn);
+
+ Statement stmt = conn.createStatement(ResultSet.TYPE_FORWARD_ONLY, ResultSet.CONCUR_UPDATABLE);
+ ResultSet rs = stmt.executeQuery("SELECT * FROM refresh_row_bad_ident");
+ assertTrue(rs.next());
+ try {
+ rs.refreshRow();
+ } catch (SQLException ex) {
+ throw new RuntimeException("ResultSet.refreshRow() did not handle escaping key column identifiers", ex);
+ }
+ rs.close();
+ stmt.close();
+ }
+}

11
postgresql-jdbc.spec
View File

@ -48,13 +48,12 @@
Summary: JDBC driver for PostgreSQL Summary: JDBC driver for PostgreSQL
Name: postgresql-jdbc Name: postgresql-jdbc
Version: 42.2.18 Version: 42.2.27
Release: 6%{?dist} Release: 1%{?dist}
License: BSD License: BSD
URL: http://jdbc.postgresql.org/ URL: http://jdbc.postgresql.org/
Source0: https://repo1.maven.org/maven2/org/postgresql/postgresql/%{version}/postgresql-%{version}-jdbc-src.tar.gz Source0: https://repo1.maven.org/maven2/org/postgresql/postgresql/%{version}/postgresql-%{version}-jdbc-src.tar.gz
Patch0: postgresql-jdbc-CVE-2022-31197.patch
Provides: pgjdbc = %version-%release Provides: pgjdbc = %version-%release
@ -100,8 +99,6 @@ This package contains the API Documentation for %{name}.
mv postgresql-%{version}-jdbc-src/* . mv postgresql-%{version}-jdbc-src/* .
%patch0 -p1
# remove any binary libs # remove any binary libs
find -type f \( -name "*.jar" -or -name "*.class" \) | xargs rm -f find -type f \( -name "*.jar" -or -name "*.class" \) | xargs rm -f
@ -168,6 +165,10 @@ opts="-f"
%changelog %changelog
* Tue Jan 03 2023 Zuzana Miklankova <zmiklank@redhat.com> - 42.2.27-1
- rebase to 42.2.27
- fix for CVE-2022-41946
* Tue Oct 11 2022 Zuzana Miklankova <zmiklank@redhat.com> - 42.2.18-6 * Tue Oct 11 2022 Zuzana Miklankova <zmiklank@redhat.com> - 42.2.18-6
- fix for CVE-2022-31197 - fix for CVE-2022-31197

2
sources
View File

@ -1 +1 @@
SHA512 (postgresql-42.2.18-jdbc-src.tar.gz) = 694458f9b58a1470f0fd2c77870bf73f21818a5112d446ddabb819730616be7e2f038ed132c970ba4285fb4c956c4e8a888b664270eb6493510d1e14d30a4961 SHA512 (postgresql-42.2.27-jdbc-src.tar.gz) = bfcd53e95b8170830526e22c8bbed60f5175826380efd8052e880540dda579fa05c75544b213993868dfdeceb04f4dfa811c846829133699a9dfb0980b0e2e20