5 changed files with 157 additions and 284 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/postgresql-42.2.14-src.tar.gz
+SOURCES/postgresql-42.2.28-jdbc-src.tar.gz
--- a/.postgresql-jdbc.metadata
+++ b/.postgresql-jdbc.metadata
@ -1 +1 @@
-ad31bb1acc9d87a02e4ac72e0501c7accb144d7a SOURCES/postgresql-42.2.14-src.tar.gz
+276aecec8e0a384e7cc6329289cf6d97a8e6e05f SOURCES/postgresql-42.2.28-jdbc-src.tar.gz
--- a/SOURCES/postgresql-jdbc-CVE-2022-41946.patch
+++ b/SOURCES/postgresql-jdbc-CVE-2022-41946.patch
@ -1,35 +0,0 @@
-From 9008dc9aade6dbfe4efafcd6872ebc55f4699cf5 Mon Sep 17 00:00:00 2001
-From: Dave Cramer <davecramer@gmail.com>
-Date: Wed, 23 Nov 2022 09:25:08 -0500
-Subject: [PATCH] Merge pull request from GHSA-562r-vg33-8x8h
-
-* Fix: createTempFile vulnerability on unix like systems where temporary files can be read by other users on the system
-
---
- .../org/postgresql/util/StreamWrapper.java    |  3 +-
- 1 files changed, 2 insertions(+), 1 deletions(-)
-
-diff --git a/src/main/java/org/postgresql/util/StreamWrapper.java b/src/main/java/org/postgresql/util/StreamWrapper.java
-index e4d48f7b..7ff49bc4 100644
--- a/src/main/java/org/postgresql/util/StreamWrapper.java
-+++ b/src/main/java/org/postgresql/util/StreamWrapper.java
-@@ -17,6 +17,7 @@ import java.io.FileOutputStream;
- import java.io.IOException;
- import java.io.InputStream;
- import java.io.OutputStream;
-+import java.nio.file.Files;
- 
- /**
-  * Wrapper around a length-limited InputStream.
-@@ -51,7 +52,7 @@ public class StreamWrapper {
- 
-       if (memoryLength == -1) {
-         final int diskLength;
-        final File tempFile = File.createTempFile(TEMP_FILE_PREFIX, null);
-+        final File tempFile = Files.createTempFile(TEMP_FILE_PREFIX, null).toFile();
-         FileOutputStream diskOutputStream = new FileOutputStream(tempFile);
-         diskOutputStream.write(rawData);
-         try {
-- 
-2.38.1
-
--- a/SOURCES/postgresql-jdbc-CVE-2024-1597.patch
+++ b/SOURCES/postgresql-jdbc-CVE-2024-1597.patch
@ -1,217 +0,0 @@
-Sources of this patch:
-https://github.com/pgjdbc/pgjdbc/commit/b9b3777671c8a5cc580e1985f61337d39d47c730
-https://github.com/pgjdbc/pgjdbc/commit/990d63f6be401ab40de5eb303a75924c9e71903c
-
-
-diff --git a/pgjdbc/src/main/java/org/postgresql/core/v3/SimpleParameterList.java b/pgjdbc/src/main/java/org/postgresql/core/v3/SimpleParameterList.java
-index 1ce49996..b1bbb41a 100644
--- a/pgjdbc/src/main/java/org/postgresql/core/v3/SimpleParameterList.java
-+++ b/pgjdbc/src/main/java/org/postgresql/core/v3/SimpleParameterList.java
-@@ -168,99 +170,163 @@ class SimpleParameterList implements V3ParameterList {
-     bind(index, NULL_OBJECT, oid, binaryTransfer);
-   }
- 
-+  /**
-+   * <p>Escapes a given text value as a literal, wraps it in single quotes, casts it to the
-+   * to the given data type, and finally wraps the whole thing in parentheses.</p>
-+   *
-+   * <p>For example, "123" and "int4" becomes "('123'::int)"</p>
-+   *
-+   * <p>The additional parentheses is added to ensure that the surrounding text of where the
-+   * parameter value is entered does modify the interpretation of the value.</p>
-+   *
-+   * <p>For example if our input SQL is: <code>SELECT ?b</code></p>
-+   *
-+   * <p>Using a parameter value of '{}' and type of json we'd get:</p>
-+   *
-+   * <pre>
-+   * test=# SELECT ('{}'::json)b;
-+   *  b
-+   * ----
-+   *  {}
-+   * </pre>
-+   *
-+   * <p>But without the parentheses the result changes:</p>
-+   *
-+   * <pre>
-+   * test=# SELECT '{}'::jsonb;
-+   * jsonb
-+   * -------
-+   * {}
-+   * </pre>
-+   **/
-+  private static String quoteAndCast(String text, String type, boolean standardConformingStrings) {
-+    StringBuilder sb = new StringBuilder((text.length() + 10) / 10 * 11); // Add 10% for escaping.
-+    sb.append("('");
-+    try {
-+      Utils.escapeLiteral(sb, text, standardConformingStrings);
-+    } catch (SQLException e) {
-+      // This should only happen if we have an embedded null
-+      // and there's not much we can do if we do hit one.
-+      //
-+      // To force a server side failure, we deliberately include
-+      // a zero byte character in the literal to force the server
-+      // to reject the command.
-+      sb.append('\u0000');
-+    }
-+    sb.append("'");
-+    if (type != null) {
-+      sb.append("::");
-+      sb.append(type);
-+    }
-+    sb.append(")");
-+    return sb.toString();
-+  }
-+
-   @Override
-   public String toString(int index, boolean standardConformingStrings) {
-     --index;
-     if (paramValues[index] == null) {
-       return "?";
-     } else if (paramValues[index] == NULL_OBJECT) {
-      return "NULL";
-    } else if ((flags[index] & BINARY) == BINARY) {
-+      return "(NULL)";
-+    }
-+    String textValue;
-+    String type;
-+    if ((flags[index] & BINARY) == BINARY) {
-       // handle some of the numeric types
-
-       switch (paramTypes[index]) {
-         case Oid.INT2:
-           short s = ByteConverter.int2((byte[]) paramValues[index], 0);
-          return Short.toString(s);
-+          textValue = Short.toString(s);
-+          type = "int2";
-+          break;
- 
-         case Oid.INT4:
-           int i = ByteConverter.int4((byte[]) paramValues[index], 0);
-          return Integer.toString(i);
-+          textValue = Integer.toString(i);
-+          type = "int4";
-+          break;
- 
-         case Oid.INT8:
-           long l = ByteConverter.int8((byte[]) paramValues[index], 0);
-          return Long.toString(l);
-+          textValue = Long.toString(l);
-+          type = "int8";
-+          break;
- 
-         case Oid.FLOAT4:
-           float f = ByteConverter.float4((byte[]) paramValues[index], 0);
-           if (Float.isNaN(f)) {
-            return "'NaN'::real";
-+            return "('NaN'::real)";
-           }
-          return Float.toString(f);
-+          textValue = Float.toString(f);
-+          type = "real";
-+          break;
- 
-         case Oid.FLOAT8:
-           double d = ByteConverter.float8((byte[]) paramValues[index], 0);
-           if (Double.isNaN(d)) {
-            return "'NaN'::double precision";
-+            return "('NaN'::double precision)";
-+          }
-+          textValue = Double.toString(d);
-+          type = "double precision";
-+          break;
-+
-+        case Oid.NUMERIC:
-+          Number n = ByteConverter.numeric((byte[]) paramValues[index]);
-+          if (n instanceof Double) {
-+            assert ((Double) n).isNaN();
-+            return "('NaN'::numeric)";
-           }
-          return Double.toString(d);
-+          textValue = n.toString();
-+          type = "numeric";
-+          break;
- 
-         case Oid.UUID:
-          String uuid =
-+          textValue =
-               new UUIDArrayAssistant().buildElement((byte[]) paramValues[index], 0, 16).toString();
-          return "'" + uuid + "'::uuid";
-+          type = "uuid";
-+          break;
- 
-         case Oid.POINT:
-           PGpoint pgPoint = new PGpoint();
-           pgPoint.setByteValue((byte[]) paramValues[index], 0);
-          return "'" + pgPoint.toString() + "'::point";
-+          textValue = pgPoint.toString();
-+          type = "point";
-+          break;
- 
-         case Oid.BOX:
-           PGbox pgBox = new PGbox();
-           pgBox.setByteValue((byte[]) paramValues[index], 0);
-          return "'" + pgBox.toString() + "'::box";
-+          textValue = pgBox.toString();
-+          type = "box";
-+          break;
-+
-+        default:
-+          return "?";
-       }
-      return "?";
-     } else {
-      String param = paramValues[index].toString();
-
-      // add room for quotes + potential escaping.
-      StringBuilder p = new StringBuilder(3 + (param.length() + 10) / 10 * 11);
-
-      // No E'..' here since escapeLiteral escapes all things and it does not use \123 kind of
-      // escape codes
-      p.append('\'');
-      try {
-        p = Utils.escapeLiteral(p, param, standardConformingStrings);
-      } catch (SQLException sqle) {
-        // This should only happen if we have an embedded null
-        // and there's not much we can do if we do hit one.
-        //
-        // The goal of toString isn't to be sent to the server,
-        // so we aren't 100% accurate (see StreamWrapper), put
-        // the unescaped version of the data.
-        //
-        p.append(param);
-      }
-      p.append('\'');
-+      textValue = paramValues[index].toString();
-+
-       int paramType = paramTypes[index];
-       if (paramType == Oid.TIMESTAMP) {
-        p.append("::timestamp");
-+        type = "timestamp";
-       } else if (paramType == Oid.TIMESTAMPTZ) {
-        p.append("::timestamp with time zone");
-+        type = "timestamp with time zone";
-       } else if (paramType == Oid.TIME) {
-        p.append("::time");
-+        type = "time";
-       } else if (paramType == Oid.TIMETZ) {
-        p.append("::time with time zone");
-+        type = "time with time zone";
-       } else if (paramType == Oid.DATE) {
-        p.append("::date");
-+        type = "date";
-       } else if (paramType == Oid.INTERVAL) {
-        p.append("::interval");
-+        type = "interval";
-       } else if (paramType == Oid.NUMERIC) {
-        p.append("::numeric");
-+        type = "numeric";
-+      } else {
-+        type = null;
-       }
-      return p.toString();
-     }
-+    return quoteAndCast(textValue, type, standardConformingStrings);
-   }
- 
-   @Override
--- a/SPECS/postgresql-jdbc.spec
+++ b/SPECS/postgresql-jdbc.spec
@ -28,27 +28,56 @@
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


+# Configuration for rpmbuild, might be specified by options
+# like e.g. 'rpmbuild --define "runselftest 0"'.
+
+# =============================================================================
+# IMPORTANT NOTE: This spec file is maintained on two places -- in native
+# Fedora repo [1] and in pgjdbc upstream [2].  Please, keep that in sync
+# (manual effort!) so both Fedora and Upstream can benefit from automatic
+# packaging CI, this is now done in [3] Copr project.
+# [1] https://src.fedoraproject.org/rpms/postgresql-jdbc
+# [2] https://github.com/pgjdbc/pgjdbc/tree/master/packaging/rpm
+# [3] https://copr.fedorainfracloud.org/coprs/g/pgjdbc/pgjdbc-travis/
+# ============================================================================
+
+%{!?runselftest:%global runselftest 1}
+
+%global section		devel
+%global source_path	pgjdbc/src/main/java/org/postgresql
+
 Summary:	JDBC driver for PostgreSQL
 Name:		postgresql-jdbc
-Version:	42.2.14
-Release:	3%{?dist}
+Version:  42.2.28
+Release:	1%{?dist}
 License:	BSD
 URL:		http://jdbc.postgresql.org/

-Source0:	https://repo1.maven.org/maven2/org/postgresql/postgresql/%{version}/postgresql-%{version}-src.tar.gz
-Patch0:	postgresql-jdbc-CVE-2022-41946.patch
-Patch1:	postgresql-jdbc-CVE-2024-1597.patch
+Source0:	https://repo1.maven.org/maven2/org/postgresql/postgresql/%{version}/postgresql-%{version}-jdbc-src.tar.gz
+
 Provides:	pgjdbc = %version-%release

 BuildArch:	noarch
-
+BuildRequires:	java-devel >= 1.8
 BuildRequires:	maven-local
-BuildRequires:	java-comment-preprocessor
-BuildRequires:	properties-maven-plugin
-BuildRequires:	maven-enforcer-plugin
-BuildRequires:	maven-plugin-bundle
-BuildRequires:	maven-plugin-build-helper
+BuildRequires:  maven-enforcer-plugin
+BuildRequires:  maven-plugin-bundle
+BuildRequires:	classloader-leak-test-framework
+
 BuildRequires:	mvn(com.ongres.scram:client)
+BuildRequires:	mvn(org.apache.maven.surefire:surefire-junit-platform)
+BuildRequires:	mvn(org.junit.jupiter:junit-jupiter-api)
+BuildRequires:	mvn(org.junit.jupiter:junit-jupiter-engine)
+BuildRequires:	mvn(org.junit.jupiter:junit-jupiter-params)
+BuildRequires:	mvn(org.junit.vintage:junit-vintage-engine)
+
+%if %runselftest
+BuildRequires:	postgresql-contrib
+BuildRequires:	postgresql-test-rpm-macros
+%endif
+
+# gettext is only needed if we try to update translations
+#BuildRequires:	gettext

 Obsoletes:	%{name}-parent-poms < 42.2.2-2

@ -67,13 +96,16 @@ This package contains the API Documentation for %{name}.

 %prep
 %setup -c -q
-%patch -P 0 -p1
-%patch -P 1 -p2
+
+mv postgresql-%{version}-jdbc-src/* .

 # remove any binary libs
 find -type f \( -name "*.jar" -or -name "*.class" \) | xargs rm -f

-%pom_xpath_remove "pom:plugin[pom:artifactId = 'maven-javadoc-plugin']"
+# Build parent POMs in the same Maven call.
+%pom_xpath_remove "pom:plugin[pom:artifactId = 'maven-shade-plugin']"
+
+%pom_remove_plugin -r :maven-javadoc-plugin

 # compat symlink: requested by dtardon (libreoffice), reverts part of
 # 0af97ce32de877 commit.
@ -90,7 +122,33 @@ find -type f \( -name "*.jar" -or -name "*.class" \) | xargs rm -f
 # different platforms don't build in the same minute.  For now, rely on
 # upstream to have updated the translations files before packaging.

-%mvn_build -f
+# Include PostgreSQL testing methods and variables.
+%if %runselftest
+%postgresql_tests_init
+
+PGTESTS_LOCALE=C.UTF-8
+
+cat <<EOF > build.local.properties
+server=localhost
+port=$PGTESTS_PORT
+database=test
+username=test
+password=test
+privilegedUser=$PGTESTS_ADMIN
+privilegedPassword=$PGTESTS_ADMINPASS
+preparethreshold=5
+loglevel=0
+protocolVersion=0
+EOF
+
+# Start the local PG cluster.
+%postgresql_tests_start
+%else
+# -f is equal to -Dmaven.test.skip=true
+opts="-f"
+%endif
+
+%mvn_build $opts --xmvn-javadoc


 %install
@ -107,39 +165,106 @@ find -type f \( -name "*.jar" -or -name "*.class" \) | xargs rm -f


 %changelog
-* Wed Feb 28 2024 Zuzana Miklankova <zmiklank@redhat.com> - 42.2.14-3
- Fix CVE-2024-1597
+* Wed Feb 28 2024 Zuzana Miklankova <zmiklank@redhat.com> - 42.2.28-1
+- rebase to 42.2.28
+- fix for CVE-2024-1597

-* Mon Jan 09 2023 Zuzana Miklankova <zmiklank@redhat.com> - 42.2.14-2
- Fix CVE-2022-41946
+* Tue Jan 03 2023 Zuzana Miklankova <zmiklank@redhat.com> - 42.2.27-1
+- rebase to 42.2.27
+- fix for CVE-2022-41946

-* Tue Dec 14 2021 Zuzana Miklankova <zmiklank@redhat.com> - 42.2.14-1
- Rebase on 42.2.14
+* Tue Oct 11 2022 Zuzana Miklankova <zmiklank@redhat.com> - 42.2.18-6
+- fix for CVE-2022-31197

-* Wed Jul 22 2020 Ondrej Dubaj <odubaj@redhat.com> - 42.2.3-3
- fixed XXE vulnerability unit test
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com>
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688

-* Tue Jul 14 2020 Ondrej Dubaj <odubaj@redhat.com> - 42.2.3-2
+* Wed Jun 30 2020 Ondrej Dubaj <odubaj@redhat.com> - 42.2.18-4
+- remove unnecessary maven-plugin-* dependencies (#1976951)
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 42.2.18-3
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 42.2.18-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Oct 20 2020 Ondrej Dubaj <odubaj@redhat.com> - 42.2.18-1
+- rebase to version 42.2.18
+
+* Wed Aug 26 2020 Ondrej Dubaj <odubaj@redhat.com> - 42.2.16-1
+- rebased to version 42.2.16
+
+* Fri Jul 24 2020 Ondrej Dubaj <odubaj@redhat.com> - 42.2.15-1
+- rebased to version 42.2.15
+
+* Fri Jul 24 2020 Ondrej Dubaj <odubaj@redhat.com> - 42.2.12-3
+- fixed javadoc build problem + added missing dependencies
+- remove SSPIClient for windows API
 - fixed XXE vulnerability (CVE-2020-13692)

+* Sat Jul 11 2020 Jiri Vanek <jvanek@redhat.com> - 42.2.12-2
+- Rebuilt for JDK-11, see https://fedoraproject.org/wiki/Changes/Java11
+
+* Wed May 13 2020 Ondrej Dubaj <odubaj@redhat.com> - 42.2.12-1
+- new upstream release + skip javadoc due to jdk-11
+
+* Mon Mar 16 2020 Ondrej Dubaj <odubaj@redhat.com> - 42.2.11-1
+- new upstream release
+
+* Mon Mar 02 2020 Ondrej Dubaj <odubaj@redhat.com> - 42.3.0-1
+- new upstream release (rhbz#1800440)
+
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 42.2.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Dec 13 2019 Ondrej Dubaj <odubaj@redhat.com> - 42.2.9-1
+- new upstream release (rhbz#1782277)
+
+* Fri Sep 20 2019 Pavel Raiskup <praiskup@redhat.com> - 42.2.8-1
+- new upstream release (rhbz#1750766)
+
+* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 42.2.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Tue Jun 25 2019 Jakub Janco <jjanco@redhat.com> - 42.2.6-1
+- new version
+
+* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 42.2.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Nov 21 2018 Pavel Raiskup <praiskup@redhat.com> - 42.2.5-1
+- new upstream release
+
+* Fri Aug 03 2018 Pavel Raiskup <praiskup@redhat.com> - 42.2.4-1
+- new upstream release (rhbz#1601193)
+
 * Fri Jul 13 2018 Pavel Raiskup <praiskup@redhat.com> - 42.2.3-1
 - new upstream release (rhbz#1600759)

-* Wed May 30 2018 Mikolaj Izdebski <mizdebsk@redhat.com> - 42.2.2-2
+* Wed May 30 2018 Mikolaj Izdebski <mizdebsk@redhat.com> - 42.2.2-4
 - Remove and obsolete parent-poms subpackage

-* Fri Apr 20 2018 Pavel Raiskup <praiskup@redhat.com> - 42.2.2-2
+* Fri Apr 20 2018 Pavel Raiskup <praiskup@redhat.com> - 42.2.2-3
 - provide postgresql.jar, as that's the upstream's artifactId

-* Fri Apr 13 2018 Pavel Raiskup <praiskup@redhat.com> - 42.2.2-1
- rebase to latest upstream release
+* Fri Apr 13 2018 Pavel Raiskup <praiskup@redhat.com> - 42.2.2-2
+- BR postgresql-test-rpm-macros

-* Fri Apr 13 2018 Pavel Raiskup <praiskup@redhat.com> - 42.2.0-1
+* Fri Mar 16 2018 Pavel Raiskup <praiskup@redhat.com> - 42.2.2-1
+- new upstream release
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 42.2.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Fri Jan 26 2018 Pavel Raiskup <praiskup@redhat.com> - 42.2.1-1
+- new upstream release
+
+* Fri Jan 19 2018 Pavel Raiskup <praiskup@redhat.com> - 42.2.0-1
 - rebase to the latest upstream release
 - nicer github source urls
 - sync with upstream spec
 - use new postgresql testing macros (rawhide only)
- depend on postgresql-test-rpm-macros

 * Wed Aug 23 2017 Pavel Raiskup <praiskup@redhat.com> - 42.1.4-1
 - rebase to latest upstream release