From efdfb1922471701ac397de88d63b198260b770bb Mon Sep 17 00:00:00 2001 From: Filip Janus Date: Tue, 13 Feb 2024 20:50:58 +0100 Subject: [PATCH] Fix CVE-2024-0985 Resolves: RHEL-24956 --- postgresql-CVE-2024-0985.patch | 59 ++++++++++++++++++++++++++++++++++ postgresql.spec | 10 ++++-- 2 files changed, 67 insertions(+), 2 deletions(-) create mode 100644 postgresql-CVE-2024-0985.patch diff --git a/postgresql-CVE-2024-0985.patch b/postgresql-CVE-2024-0985.patch new file mode 100644 index 0000000..9b801e3 --- /dev/null +++ b/postgresql-CVE-2024-0985.patch @@ -0,0 +1,59 @@ +Backport of the upstream commit: +https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=2699fc035a75d0774c1f013e9320882287f78adb + +Fix CVE-2023-5869 + +diff -ur postgresql-10.23/src/backend/commands/matview.c postgresql-10.23_patch/src/backend/commands/matview.c +--- postgresql-10.23/src/backend/commands/matview.c 2022-11-07 22:51:10.000000000 +0100 ++++ postgresql-10.23_patch/src/backend/commands/matview.c 2024-02-12 21:22:57.000000000 +0100 +@@ -646,14 +646,35 @@ + errdetail("Row: %s", + SPI_getvalue(SPI_tuptable->vals[0], SPI_tuptable->tupdesc, 1)))); + } +- ++ /* ++ * Create the temporary "diff" table. ++ * ++ * Temporarily switch out of the SECURITY_RESTRICTED_OPERATION context, ++ * because you cannot create temp tables in SRO context. For extra ++ * paranoia, add the composite type column only after switching back to ++ * SRO context. ++ */ + SetUserIdAndSecContext(relowner, + save_sec_context | SECURITY_LOCAL_USERID_CHANGE); ++ resetStringInfo(&querybuf); ++ appendStringInfo(&querybuf, ++ "CREATE TEMP TABLE %s (tid pg_catalog.tid)", ++ diffname); ++ if (SPI_exec(querybuf.data, 0) != SPI_OK_UTILITY) ++ elog(ERROR, "SPI_exec failed: %s", querybuf.data); ++ SetUserIdAndSecContext(relowner, ++ save_sec_context | SECURITY_RESTRICTED_OPERATION); ++ resetStringInfo(&querybuf); ++ appendStringInfo(&querybuf, ++ "ALTER TABLE %s ADD COLUMN newdata %s", ++ diffname, tempname); ++ if (SPI_exec(querybuf.data, 0) != SPI_OK_UTILITY) ++ elog(ERROR, "SPI_exec failed: %s", querybuf.data); + + /* Start building the query for creating the diff table. */ + resetStringInfo(&querybuf); + appendStringInfo(&querybuf, +- "CREATE TEMP TABLE %s AS " ++ "INSERT INTO %s " + "SELECT mv.ctid AS tid, newdata.*::%s AS newdata " + "FROM %s mv FULL JOIN %s newdata ON (", + diffname, tempname, matviewname, tempname); +@@ -783,11 +804,9 @@ + "ORDER BY tid"); + + /* Create the temporary "diff" table. */ +- if (SPI_exec(querybuf.data, 0) != SPI_OK_UTILITY) ++ if (SPI_exec(querybuf.data, 0) != SPI_OK_INSERT) + elog(ERROR, "SPI_exec failed: %s", querybuf.data); + +- SetUserIdAndSecContext(relowner, +- save_sec_context | SECURITY_RESTRICTED_OPERATION); + + /* + * We have no further use for data from the "full-data" temp table, but we diff --git a/postgresql.spec b/postgresql.spec index ac2b6e0..fa720fb 100644 --- a/postgresql.spec +++ b/postgresql.spec @@ -59,7 +59,7 @@ Summary: PostgreSQL client programs Name: postgresql %global majorversion 10 Version: %{majorversion}.23 -Release: 3%{?dist} +Release: 4%{?dist} # The PostgreSQL license is very similar to other MIT licenses, but the OSI # recognizes it as an independent license, so we do as well. @@ -112,6 +112,7 @@ Patch11: postgresql-10.23-CVE-2023-2454.patch Patch12: postgresql-10.23-CVE-2023-2455.patch # Fixes CVE-2023-5869 Patch13: postgresql-array-overflow.patch +Patch14: postgresql-CVE-2024-0985.patch BuildRequires: gcc BuildRequires: perl(ExtUtils::MakeMaker) glibc-devel bison flex gawk @@ -374,6 +375,7 @@ benchmarks. %patch11 -p1 %patch12 -p1 %patch13 -p1 +%patch14 -p1 # We used to run autoconf here, but there's no longer any real need to, # since Postgres ships with a reasonably modern configure script. @@ -1178,7 +1180,11 @@ make -C postgresql-setup-%{setup_version} check %changelog -* Thu Jan 11 2024 Filip Janus - 10.23-3 +* Mon Feb 12 2024 Filip Janus - 10.23-4 +- Fix CVE-2024-0985 +- backport upstream commit + +* Fri Dec 01 2023 Dominik Rehák - 10.23-3 - Fix: CVE-2023-5869 * Wed Jul 19 2023 Dominik Rehák - 10.23-2