rpms/postgresql-jdbc
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import postgresql-jdbc-42.2.18-6.el9_1

Browse Source
This commit is contained in:
CentOS Sources 2023-01-23 09:32:33 -05:00 committed by Stepan Oksanichenko
parent 8db9d08952
commit a1f5091898
2 changed files with 100 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

92
SOURCES/postgresql-jdbc-CVE-2022-31197.patch Normal file
View File

@ -0,0 +1,92 @@
Fix CVE-2022-31197
Source of this commit and more information about it is here:
https://github.com/pgjdbc/pgjdbc/commit/739e599d52ad80f8dcd6efedc6157859b1a9d637
diff --git a/src/main/java/org/postgresql/jdbc/PgResultSet.java b/src/main/java/org/postgresql/jdbc/PgResultSet.java
index 42c6dda6..81a5ef1d 100644
--- a/src/main/java/org/postgresql/jdbc/PgResultSet.java
+++ b/src/main/java/org/postgresql/jdbc/PgResultSet.java
@@ -1323,7 +1323,7 @@ public class PgResultSet implements ResultSet, org.postgresql.PGRefCursorResultS
if (i > 1) {
selectSQL.append(", ");
}
- selectSQL.append(pgmd.getBaseColumnName(i));
+ Utils.escapeIdentifier(selectSQL, pgmd.getBaseColumnName(i));
}
selectSQL.append(" from ").append(onlyTable).append(tableName).append(" where ");
@@ -1333,7 +1333,8 @@ public class PgResultSet implements ResultSet, org.postgresql.PGRefCursorResultS
for (int i = 0; i < numKeys; i++) {
PrimaryKey primaryKey = primaryKeys.get(i);
- selectSQL.append(primaryKey.name).append("= ?");
+ Utils.escapeIdentifier(selectSQL, primaryKey.name);
+ selectSQL.append(" = ?");
if (i < numKeys - 1) {
selectSQL.append(" and ");
diff --git a/pgjdbc/src/test/java/org/postgresql/test/jdbc2/ResultSetRefreshTest.java b/pgjdbc/src/test/java/org/postgresql/test/jdbc2/ResultSetRefreshTest.java
new file mode 100644
index 00000000..3a4a7e51
--- /dev/null
+++ b/src/test/java/org/postgresql/test/jdbc2/ResultSetRefreshTest.java
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 2022, PostgreSQL Global Development Group
+ * See the LICENSE file in the project root for more information.
+ */
+
+package org.postgresql.test.jdbc2;
+
+import static org.junit.Assert.assertTrue;
+
+import org.postgresql.test.TestUtil;
+
+import org.junit.Test;
+
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+import java.sql.Connection;
+
+public class ResultSetRefreshTest extends BaseTest4 {
+ @Test
+ public void testWithDataColumnThatRequiresEscaping() throws Exception {
+ Connection conn = con;
+ TestUtil.dropTable(conn, "refresh_row_bad_ident");
+ TestUtil.execute("CREATE TABLE refresh_row_bad_ident (id int PRIMARY KEY, \"1 FROM refresh_row_bad_ident; SELECT 2; SELECT *\" int)",conn);
+ TestUtil.execute("INSERT INTO refresh_row_bad_ident (id) VALUES (1), (2), (3)",conn);
+
+ Statement stmt = conn.createStatement(ResultSet.TYPE_FORWARD_ONLY, ResultSet.CONCUR_UPDATABLE);
+ ResultSet rs = stmt.executeQuery("SELECT * FROM refresh_row_bad_ident");
+ assertTrue(rs.next());
+ try {
+ rs.refreshRow();
+ } catch (SQLException ex) {
+ throw new RuntimeException("ResultSet.refreshRow() did not handle escaping data column identifiers", ex);
+ }
+ rs.close();
+ stmt.close();
+ }
+
+ @Test
+ public void testWithKeyColumnThatRequiresEscaping() throws Exception {
+ Connection conn = con;
+ TestUtil.dropTable(conn, "refresh_row_bad_ident");
+ TestUtil.execute("CREATE TABLE refresh_row_bad_ident (\"my key\" int PRIMARY KEY)",conn);
+ TestUtil.execute("INSERT INTO refresh_row_bad_ident VALUES (1), (2), (3)",conn);
+
+ Statement stmt = conn.createStatement(ResultSet.TYPE_FORWARD_ONLY, ResultSet.CONCUR_UPDATABLE);
+ ResultSet rs = stmt.executeQuery("SELECT * FROM refresh_row_bad_ident");
+ assertTrue(rs.next());
+ try {
+ rs.refreshRow();
+ } catch (SQLException ex) {
+ throw new RuntimeException("ResultSet.refreshRow() did not handle escaping key column identifiers", ex);
+ }
+ rs.close();
+ stmt.close();
+ }
+}

9
SPECS/postgresql-jdbc.spec
View File

@ -49,11 +49,13 @@
Summary: JDBC driver for PostgreSQL Summary: JDBC driver for PostgreSQL
Name: postgresql-jdbc Name: postgresql-jdbc
Version: 42.2.18 Version: 42.2.18
Release: 5%{?dist} Release: 6%{?dist}
License: BSD License: BSD
URL: http://jdbc.postgresql.org/ URL: http://jdbc.postgresql.org/
Source0: https://repo1.maven.org/maven2/org/postgresql/postgresql/%{version}/postgresql-%{version}-jdbc-src.tar.gz Source0: https://repo1.maven.org/maven2/org/postgresql/postgresql/%{version}/postgresql-%{version}-jdbc-src.tar.gz
Patch0: postgresql-jdbc-CVE-2022-31197.patch
Provides: pgjdbc = %version-%release Provides: pgjdbc = %version-%release
BuildArch: noarch BuildArch: noarch
@ -98,6 +100,8 @@ This package contains the API Documentation for %{name}.
mv postgresql-%{version}-jdbc-src/* . mv postgresql-%{version}-jdbc-src/* .
%patch0 -p1
# remove any binary libs # remove any binary libs
find -type f \( -name "*.jar" -or -name "*.class" \) | xargs rm -f find -type f \( -name "*.jar" -or -name "*.class" \) | xargs rm -f
@ -164,6 +168,9 @@ opts="-f"
%changelog %changelog
* Tue Oct 11 2022 Zuzana Miklankova <zmiklank@redhat.com> - 42.2.18-6
- fix for CVE-2022-31197
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com>
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688 Related: rhbz#1991688