postgresql: add fix for CVE-2014-0067 Security Advisory

The make check command for the test suites in PostgreSQL 9.3.3 and earlier does not properly invoke initdb to specify the authentication requirements for a database cluster to be used for the tests, which allows local users to gain privileges by leveraging access to this cluster. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0067 Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Kang Kai <kai.kang@windriver.com> 2014-10-29 08:30:57 +0800
committer: Martin Jansa <Martin.Jansa@gmail.com> 2014-12-01 14:24:51 +0100
commit: 8a118e3db53730626b64f6bf7cd568f77e449a7d (patch)
tree: 05ed99162c0a904c3718772cc9d15852097ad916
parent: b675ed0eaca83e74ff62d0bf86f7003470999240 (diff)
download: meta-openembedded-8a118e3db53730626b64f6bf7cd568f77e449a7d.tar.gz
2 files changed, 76 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/postgresql/files/0007-Make-pqsignal-available-to-pg_regress-of-ECPG-and-is.patch b/meta-oe/recipes-support/postgresql/files/0007-Make-pqsignal-available-to-pg_regress-of-ECPG-and-is.patch
new file mode 100644
index 000000000..3cffc0a85
--- /dev/null
+++ b/meta-oe/recipes-support/postgresql/files/0007-Make-pqsignal-available-to-pg_regress-of-ECPG-and-is.patch
@@ -0,0 +1,75 @@
+From 0ae841a98c21c53901d5bc9a9323a8cc800364f6 Mon Sep 17 00:00:00 2001
+From: Noah Misch <noah@leadboat.com>
+Date: Sat, 14 Jun 2014 10:52:25 -0400
+Subject: [PATCH] Make pqsignal() available to pg_regress of ECPG and
+ isolation suites.
+commit 0ae841a98c21c53901d5bc9a9323a8cc800364f6 REL9_2_STABLE
+Commit 453a5d91d49e4d35054f92785d830df4067e10c1 made it available to the
+src/test/regress build of pg_regress, but all pg_regress builds need the
+same treatment.  Patch 9.2 through 8.4; in 9.3 and later, pg_regress
+gets pqsignal() via libpgport.
+Upstream-Status: Backport
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+ src/interfaces/ecpg/test/Makefile |    4 ++--
+ src/test/isolation/Makefile       |   12 +++++++-----
+ 2 files changed, 9 insertions(+), 7 deletions(-)
+diff --git a/src/interfaces/ecpg/test/Makefile b/src/interfaces/ecpg/test/Makefile
+index e9944c6..4bb9525 100644
+--- a/src/interfaces/ecpg/test/Makefile
+++ b/src/interfaces/ecpg/test/Makefile
+@@ -47,10 +47,10 @@ clean distclean maintainer-clean:
+ 
+ all: pg_regress$(X)
+ 
+-pg_regress$(X): pg_regress_ecpg.o $(top_builddir)/src/test/regress/pg_regress.o
+pg_regress$(X): pg_regress_ecpg.o $(top_builddir)/src/test/regress/pg_regress.o $(top_builddir)/src/test/regress/pqsignal.o
+        $(CC) $(CFLAGS) $(LDFLAGS) $(LDFLAGS_EX) $^ $(LIBS) -o $@
+ 
+-$(top_builddir)/src/test/regress/pg_regress.o:
+$(top_builddir)/src/test/regress/pg_regress.o $(top_builddir)/src/test/regress/pqsignal.o:
+        $(MAKE) -C $(dir $@) $(notdir $@)
+ 
+ # dependencies ensure that path changes propagate
+diff --git a/src/test/isolation/Makefile b/src/test/isolation/Makefile
+index 46ea6f0..e20ba48 100644
+--- a/src/test/isolation/Makefile
+++ b/src/test/isolation/Makefile
+@@ -15,13 +15,15 @@ OBJS =  specparse.o isolationtester.o
+ 
+ all: isolationtester$(X) pg_isolation_regress$(X)
+ 
+-submake-regress:
+pg_regress.o:
+        $(MAKE) -C $(top_builddir)/src/test/regress pg_regress.o
+-
+-pg_regress.o: | submake-regress
+        rm -f $@ && $(LN_S) $(top_builddir)/src/test/regress/pg_regress.o .
+ 
+-pg_isolation_regress$(X): isolation_main.o pg_regress.o
+pqsignal.o:
+       $(MAKE) -C $(top_builddir)/src/test/regress pqsignal.o
+       rm -f $@ && $(LN_S) $(top_builddir)/src/test/regress/pqsignal.o .
+
+pg_isolation_regress$(X): isolation_main.o pg_regress.o pqsignal.o
+        $(CC) $(CFLAGS) $^ $(LDFLAGS) $(LDFLAGS_EX) $(LIBS) -o $@
+ 
+ isolationtester$(X): $(OBJS) | submake-libpq submake-libpgport
+@@ -59,7 +61,7 @@ endif
+ # so do not clean them here
+ clean distclean:
+        rm -f isolationtester$(X) pg_isolation_regress$(X) $(OBJS) isolation_main.o
+-       rm -f pg_regress.o
+       rm -f pg_regress.o pqsignal.o
+        rm -rf $(pg_regress_clean_files)
+ 
+ maintainer-clean: distclean
+-- 
+1.7.5.4
diff --git a/meta-oe/recipes-support/postgresql/postgresql.inc b/meta-oe/recipes-support/postgresql/postgresql.inc
index 4a62eb68d..ce3120507 100644
--- a/meta-oe/recipes-support/postgresql/postgresql.inc
+++ b/meta-oe/recipes-support/postgresql/postgresql.inc
@@ -36,6 +36,7 @@ SRC_URI = "http://ftp.postgresql.org/pub/source/v${PV}/${BP}.tar.bz2 \
           file://0004-Prevent-privilege-escalation-in-explicit-calls-to-PL.patch \
           file://0005-Avoid-repeated-name-lookups-during-table-and-index-D.patch \
           file://0006-Fix-handling-of-wide-datetime-input-output.patch \
+           file://0007-Make-pqsignal-available-to-pg_regress-of-ECPG-and-is.patch \
          "
 LEAD_SONAME = "libpq.so"
author	Kang Kai <kai.kang@windriver.com>	2014-10-29 08:30:57 +0800
committer	Martin Jansa <Martin.Jansa@gmail.com>	2014-12-01 14:24:51 +0100
commit	8a118e3db53730626b64f6bf7cd568f77e449a7d (patch)
tree	05ed99162c0a904c3718772cc9d15852097ad916
parent	b675ed0eaca83e74ff62d0bf86f7003470999240 (diff)
download	meta-openembedded-8a118e3db53730626b64f6bf7cd568f77e449a7d.tar.gz

diff --git a/meta-oe/recipes-support/postgresql/files/0007-Make-pqsignal-available-to-pg_regress-of-ECPG-and-is.patch b/meta-oe/recipes-support/postgresql/files/0007-Make-pqsignal-available-to-pg_regress-of-ECPG-and-is.patch new file mode 100644 index 000000000..3cffc0a85 --- /dev/null +++ b/meta-oe/recipes-support/postgresql/files/0007-Make-pqsignal-available-to-pg_regress-of-ECPG-and-is.patch
@@ -0,0 +1,75 @@
		1	From 0ae841a98c21c53901d5bc9a9323a8cc800364f6 Mon Sep 17 00:00:00 2001
		2	From: Noah Misch <noah@leadboat.com>
		3	Date: Sat, 14 Jun 2014 10:52:25 -0400
		4	Subject: [PATCH] Make pqsignal() available to pg_regress of ECPG and
		5	isolation suites.
		6
		7	commit 0ae841a98c21c53901d5bc9a9323a8cc800364f6 REL9_2_STABLE
		8
		9	Commit 453a5d91d49e4d35054f92785d830df4067e10c1 made it available to the
		10	src/test/regress build of pg_regress, but all pg_regress builds need the
		11	same treatment. Patch 9.2 through 8.4; in 9.3 and later, pg_regress
		12	gets pqsignal() via libpgport.
		13
		14
		15	Upstream-Status: Backport
		16
		17	Signed-off-by: Kai Kang <kai.kang@windriver.com>
		18	---
		19	src/interfaces/ecpg/test/Makefile \| 4 ++--
		20	src/test/isolation/Makefile \| 12 +++++++-----
		21	2 files changed, 9 insertions(+), 7 deletions(-)
		22
		23	diff --git a/src/interfaces/ecpg/test/Makefile b/src/interfaces/ecpg/test/Makefile
		24	index e9944c6..4bb9525 100644
		25	--- a/src/interfaces/ecpg/test/Makefile
		26	+++ b/src/interfaces/ecpg/test/Makefile
		27	@@ -47,10 +47,10 @@ clean distclean maintainer-clean:
		28
		29	all: pg_regress$(X)
		30
		31	-pg_regress$(X): pg_regress_ecpg.o $(top_builddir)/src/test/regress/pg_regress.o
		32	+pg_regress$(X): pg_regress_ecpg.o $(top_builddir)/src/test/regress/pg_regress.o $(top_builddir)/src/test/regress/pqsignal.o
		33	$(CC) $(CFLAGS) $(LDFLAGS) $(LDFLAGS_EX) $^ $(LIBS) -o $@
		34
		35	-$(top_builddir)/src/test/regress/pg_regress.o:
		36	+$(top_builddir)/src/test/regress/pg_regress.o $(top_builddir)/src/test/regress/pqsignal.o:
		37	$(MAKE) -C $(dir $@) $(notdir $@)
		38
		39	# dependencies ensure that path changes propagate
		40	diff --git a/src/test/isolation/Makefile b/src/test/isolation/Makefile
		41	index 46ea6f0..e20ba48 100644
		42	--- a/src/test/isolation/Makefile
		43	+++ b/src/test/isolation/Makefile
		44	@@ -15,13 +15,15 @@ OBJS = specparse.o isolationtester.o
		45
		46	all: isolationtester$(X) pg_isolation_regress$(X)
		47
		48	-submake-regress:
		49	+pg_regress.o:
		50	$(MAKE) -C $(top_builddir)/src/test/regress pg_regress.o
		51	-
		52	-pg_regress.o: \| submake-regress
		53	rm -f $@ && $(LN_S) $(top_builddir)/src/test/regress/pg_regress.o .
		54
		55	-pg_isolation_regress$(X): isolation_main.o pg_regress.o
		56	+pqsignal.o:
		57	+ $(MAKE) -C $(top_builddir)/src/test/regress pqsignal.o
		58	+ rm -f $@ && $(LN_S) $(top_builddir)/src/test/regress/pqsignal.o .
		59	+
		60	+pg_isolation_regress$(X): isolation_main.o pg_regress.o pqsignal.o
		61	$(CC) $(CFLAGS) $^ $(LDFLAGS) $(LDFLAGS_EX) $(LIBS) -o $@
		62
		63	isolationtester$(X): $(OBJS) \| submake-libpq submake-libpgport
		64	@@ -59,7 +61,7 @@ endif
		65	# so do not clean them here
		66	clean distclean:
		67	rm -f isolationtester$(X) pg_isolation_regress$(X) $(OBJS) isolation_main.o
		68	- rm -f pg_regress.o
		69	+ rm -f pg_regress.o pqsignal.o
		70	rm -rf $(pg_regress_clean_files)
		71
		72	maintainer-clean: distclean
		73	--
		74	1.7.5.4
		75


diff --git a/meta-oe/recipes-support/postgresql/postgresql.inc b/meta-oe/recipes-support/postgresql/postgresql.inc index 4a62eb68d..ce3120507 100644 --- a/meta-oe/recipes-support/postgresql/postgresql.inc +++ b/meta-oe/recipes-support/postgresql/postgresql.inc
@@ -36,6 +36,7 @@ SRC_URI = "http://ftp.postgresql.org/pub/source/v${PV}/${BP}.tar.bz2 \
36	file://0004-Prevent-privilege-escalation-in-explicit-calls-to-PL.patch \	36	file://0004-Prevent-privilege-escalation-in-explicit-calls-to-PL.patch \
37	file://0005-Avoid-repeated-name-lookups-during-table-and-index-D.patch \	37	file://0005-Avoid-repeated-name-lookups-during-table-and-index-D.patch \
38	file://0006-Fix-handling-of-wide-datetime-input-output.patch \	38	file://0006-Fix-handling-of-wide-datetime-input-output.patch \
		39	file://0007-Make-pqsignal-available-to-pg_regress-of-ECPG-and-is.patch \
39	"	40	"
40		41
41	LEAD_SONAME = "libpq.so"	42	LEAD_SONAME = "libpq.so"