diff options
| author | Zhixiong Chi <zhixiong.chi@windriver.com> | 2016-03-08 13:43:20 +0800 |
|---|---|---|
| committer | Martin Jansa <Martin.Jansa@gmail.com> | 2016-03-14 12:15:37 +0100 |
| commit | 21f72b1fe09ca919316f8ed8545b9bf88aa83b29 (patch) | |
| tree | c2a8da556e8e0da3c177fb7813d77888751ccc18 /meta-oe | |
| parent | 830607415dd63ca5244ab8e51f402e046b03ca85 (diff) | |
| download | meta-openembedded-21f72b1fe09ca919316f8ed8545b9bf88aa83b29.tar.gz | |
postgresql: Security Advisory-postgresql-CVE-2016-0766
add CVE-2016-0766 patch for avoiding attackers to gain privileges
via unspecified vectors.
Patch comes from:
http://git.postgresql.org/gitweb/?p=postgresql.git;a=summary
commit f4aa3a18a20d51575562520754aa376b3b08b2d0
Signed-off-by: Zhixiong Chi <Zhixiong.Chi@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Diffstat (limited to 'meta-oe')
| -rw-r--r-- | meta-oe/recipes-support/postgresql/files/postgresql-CVE-2016-0766.patch | 35 | ||||
| -rw-r--r-- | meta-oe/recipes-support/postgresql/postgresql.inc | 1 |
2 files changed, 36 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/postgresql/files/postgresql-CVE-2016-0766.patch b/meta-oe/recipes-support/postgresql/files/postgresql-CVE-2016-0766.patch new file mode 100644 index 000000000..df89eb0a1 --- /dev/null +++ b/meta-oe/recipes-support/postgresql/files/postgresql-CVE-2016-0766.patch | |||
| @@ -0,0 +1,35 @@ | |||
| 1 | From f4aa3a18a20d51575562520754aa376b3b08b2d0 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Noah Misch <noah@leadboat.com> | ||
| 3 | Date: Fri, 5 Feb 2016 20:22:51 -0500 | ||
| 4 | Subject: [PATCH] Force certain "pljava" custom GUCs to be PGC_SUSET. | ||
| 5 | |||
| 6 | Future PL/Java versions will close CVE-2016-0766 by making these GUCs | ||
| 7 | PGC_SUSET. This PostgreSQL change independently mitigates that PL/Java | ||
| 8 | vulnerability, helping sites that update PostgreSQL more frequently than | ||
| 9 | PL/Java. Back-patch to 9.1 (all supported versions). | ||
| 10 | |||
| 11 | Upstream-Status: Backport | ||
| 12 | |||
| 13 | Signed-off-by: Noah Misch <noah@leadboat.com> | ||
| 14 | Index: postgresql-9.4.4/src/backend/utils/misc/guc.c | ||
| 15 | =================================================================== | ||
| 16 | --- postgresql-9.4.4.orig/src/backend/utils/misc/guc.c 2015-06-10 03:29:38.000000000 +0800 | ||
| 17 | +++ postgresql-9.4.4/src/backend/utils/misc/guc.c 2016-03-04 15:58:26.459266951 +0800 | ||
| 18 | @@ -7072,6 +7072,17 @@ | ||
| 19 | !process_shared_preload_libraries_in_progress) | ||
| 20 | elog(FATAL, "cannot create PGC_POSTMASTER variables after startup"); | ||
| 21 | |||
| 22 | + /* | ||
| 23 | + * Before pljava commit 398f3b876ed402bdaec8bc804f29e2be95c75139 | ||
| 24 | + * (2015-12-15), two of that module's PGC_USERSET variables facilitated | ||
| 25 | + * trivial escalation to superuser privileges. Restrict the variables to | ||
| 26 | + * protect sites that have yet to upgrade pljava. | ||
| 27 | + */ | ||
| 28 | + if (context == PGC_USERSET && | ||
| 29 | + (strcmp(name, "pljava.classpath") == 0 || | ||
| 30 | + strcmp(name, "pljava.vmoptions") == 0)) | ||
| 31 | + context = PGC_SUSET; | ||
| 32 | + | ||
| 33 | gen = (struct config_generic *) guc_malloc(ERROR, sz); | ||
| 34 | memset(gen, 0, sz); | ||
| 35 | |||
diff --git a/meta-oe/recipes-support/postgresql/postgresql.inc b/meta-oe/recipes-support/postgresql/postgresql.inc index dbc02a013..06e601fa6 100644 --- a/meta-oe/recipes-support/postgresql/postgresql.inc +++ b/meta-oe/recipes-support/postgresql/postgresql.inc | |||
| @@ -31,6 +31,7 @@ SRC_URI = "http://ftp.postgresql.org/pub/source/v${PV}/${BP}.tar.bz2 \ | |||
| 31 | file://postgresql-setup \ | 31 | file://postgresql-setup \ |
| 32 | file://postgresql.service \ | 32 | file://postgresql.service \ |
| 33 | file://0001-Use-pkg-config-for-libxml2-detection.patch \ | 33 | file://0001-Use-pkg-config-for-libxml2-detection.patch \ |
| 34 | file://postgresql-CVE-2016-0766.patch \ | ||
| 34 | " | 35 | " |
| 35 | 36 | ||
| 36 | LEAD_SONAME = "libpq.so" | 37 | LEAD_SONAME = "libpq.so" |