summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorZhixiong Chi <zhixiong.chi@windriver.com>2016-03-08 13:43:20 +0800
committerArmin Kuster <akuster808@gmail.com>2016-04-17 13:25:33 -0700
commitfb3ef4d50280d17b588c966dd01fb543450a6dd6 (patch)
treed8e8b0d06ceda8551cfe4dfbb6c821efff639055
parentfe343008937b81c54a8eb67685b755bc407f3fe1 (diff)
downloadmeta-openembedded-fb3ef4d50280d17b588c966dd01fb543450a6dd6.tar.gz
postgresql: Security Advisory-postgresql-CVE-2016-0766
add CVE-2016-0766 patch for avoiding attackers to gain privileges via unspecified vectors. Patch comes from: http://git.postgresql.org/gitweb/?p=postgresql.git;a=summary commit f4aa3a18a20d51575562520754aa376b3b08b2d0 Signed-off-by: Zhixiong Chi <Zhixiong.Chi@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat
-rw-r--r--meta-oe/recipes-support/postgresql/files/postgresql-CVE-2016-0766.patch35
-rw-r--r--meta-oe/recipes-support/postgresql/postgresql.inc1
2 files changed, 36 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/postgresql/files/postgresql-CVE-2016-0766.patch b/meta-oe/recipes-support/postgresql/files/postgresql-CVE-2016-0766.patch
new file mode 100644
index 000000000..df89eb0a1
--- /dev/null
+++ b/meta-oe/recipes-support/postgresql/files/postgresql-CVE-2016-0766.patch
@@ -0,0 +1,35 @@
1From f4aa3a18a20d51575562520754aa376b3b08b2d0 Mon Sep 17 00:00:00 2001
2From: Noah Misch <noah@leadboat.com>
3Date: Fri, 5 Feb 2016 20:22:51 -0500
4Subject: [PATCH] Force certain "pljava" custom GUCs to be PGC_SUSET.
5
6Future PL/Java versions will close CVE-2016-0766 by making these GUCs
7PGC_SUSET. This PostgreSQL change independently mitigates that PL/Java
8vulnerability, helping sites that update PostgreSQL more frequently than
9PL/Java. Back-patch to 9.1 (all supported versions).
10
11Upstream-Status: Backport
12
13Signed-off-by: Noah Misch <noah@leadboat.com>
14Index: postgresql-9.4.4/src/backend/utils/misc/guc.c
15===================================================================
16--- postgresql-9.4.4.orig/src/backend/utils/misc/guc.c 2015-06-10 03:29:38.000000000 +0800
17+++ postgresql-9.4.4/src/backend/utils/misc/guc.c 2016-03-04 15:58:26.459266951 +0800
18@@ -7072,6 +7072,17 @@
19 !process_shared_preload_libraries_in_progress)
20 elog(FATAL, "cannot create PGC_POSTMASTER variables after startup");
21
22+ /*
23+ * Before pljava commit 398f3b876ed402bdaec8bc804f29e2be95c75139
24+ * (2015-12-15), two of that module's PGC_USERSET variables facilitated
25+ * trivial escalation to superuser privileges. Restrict the variables to
26+ * protect sites that have yet to upgrade pljava.
27+ */
28+ if (context == PGC_USERSET &&
29+ (strcmp(name, "pljava.classpath") == 0 ||
30+ strcmp(name, "pljava.vmoptions") == 0))
31+ context = PGC_SUSET;
32+
33 gen = (struct config_generic *) guc_malloc(ERROR, sz);
34 memset(gen, 0, sz);
35
diff --git a/meta-oe/recipes-support/postgresql/postgresql.inc b/meta-oe/recipes-support/postgresql/postgresql.inc
index dbc02a013..06e601fa6 100644
--- a/meta-oe/recipes-support/postgresql/postgresql.inc
+++ b/meta-oe/recipes-support/postgresql/postgresql.inc
@@ -31,6 +31,7 @@ SRC_URI = "http://ftp.postgresql.org/pub/source/v${PV}/${BP}.tar.bz2 \
31 file://postgresql-setup \ 31 file://postgresql-setup \
32 file://postgresql.service \ 32 file://postgresql.service \
33 file://0001-Use-pkg-config-for-libxml2-detection.patch \ 33 file://0001-Use-pkg-config-for-libxml2-detection.patch \
34 file://postgresql-CVE-2016-0766.patch \
34" 35"
35 36
36LEAD_SONAME = "libpq.so" 37LEAD_SONAME = "libpq.so"
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-04-28 10:05:18 +0000