1 files changed, 116 insertions, 0 deletions
diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch
new file mode 100644
index 000000000..58bf81062
--- /dev/null
+++ b/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch
@@ -0,0 +1,116 @@
+From 24c2b9e42edb6d2f4ef2cead3b0aa1d6196adfce Mon Sep 17 00:00:00 2001
+From: Tom Lane <tgl@sss.pgh.pa.us>
+Date: Mon, 8 Nov 2021 11:01:43 -0500
+Subject: [PATCH 2/2] Reject extraneous data after SSL or GSS encryption
+ handshake.
+The server collects up to a bufferload of data whenever it reads data
+from the client socket.  When SSL or GSS encryption is requested
+during startup, any additional data received with the initial
+request message remained in the buffer, and would be treated as
+already-decrypted data once the encryption handshake completed.
+Thus, a man-in-the-middle with the ability to inject data into the 
+TCP connection could stuff some cleartext data into the start of
+a supposedly encryption-protected database session.
+This could be abused to send faked SQL commands to the server,
+although that would only work if the server did not demand any 
+authentication data.  (However, a server relying on SSL certificate
+authentication might well not do so.)
+To fix, throw a protocol-violation error if the internal buffer
+is not empty after the encryption handshake.
+Our thanks to Jacob Champion for reporting this problem.
+Security: CVE-2021-23214
+Upstream-Status: Backport[https://github.com/postgres/postgres/commit/28e24125541545483093819efae9bca603441951]
+CVE: CVE-2021-23214
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/backend/libpq/pqcomm.c          | 11 +++++++++++
+ src/backend/postmaster/postmaster.c | 23 ++++++++++++++++++++++-
+ src/include/libpq/libpq.h           |  1 +
+ 3 files changed, 34 insertions(+), 1 deletion(-)
+diff --git a/src/backend/libpq/pqcomm.c b/src/backend/libpq/pqcomm.c
+index ee2cd86..4dd1c02 100644
+--- a/src/backend/libpq/pqcomm.c
+++ b/src/backend/libpq/pqcomm.c
+@@ -1183,6 +1183,17 @@ pq_getstring(StringInfo s)
+        }
+ }
+ 
+/* -------------------------------
+ *             pq_buffer_has_data              - is any buffered data available to read?
+ *
+ * This will *not* attempt to read more data.
+ * --------------------------------
+ */
+bool
+pq_buffer_has_data(void)
+{
+       return (PqRecvPointer < PqRecvLength);
+}
+ 
+ /* --------------------------------
+  *             pq_startmsgread - begin reading a message from the client.
+diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c
+index 5775fc0..1fcc3f8 100644
+--- a/src/backend/postmaster/postmaster.c
+++ b/src/backend/postmaster/postmaster.c
+@@ -2049,6 +2049,17 @@ retry1:
+                        return STATUS_ERROR;
+ #endif
+ 
+               /*
+               * At this point we should have no data already buffered.  If we do,
+               * it was received before we performed the SSL handshake, so it wasn't
+               * encrypted and indeed may have been injected by a man-in-the-middle.
+               * We report this case to the client.
+               */
+               if (pq_buffer_has_data())
+                       ereport(FATAL,
+                               (errcode(ERRCODE_PROTOCOL_VIOLATION),
+                               errmsg("received unencrypted data after SSL request"),
+                               errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack.")));
+                /*
+                 * regular startup packet, cancel, etc packet should follow, but not
+                 * another SSL negotiation request, and a GSS request should only
+@@ -2080,7 +2091,17 @@ retry1:
+                if (GSSok == 'G' && secure_open_gssapi(port) == -1)
+                        return STATUS_ERROR;
+ #endif
+-
+               /*
+               * At this point we should have no data already buffered.  If we do,
+               * it was received before we performed the GSS handshake, so it wasn't
+               * encrypted and indeed may have been injected by a man-in-the-middle.
+               * We report this case to the client.
+               */
+               if (pq_buffer_has_data())
+                       ereport(FATAL,
+                               (errcode(ERRCODE_PROTOCOL_VIOLATION),
+                               errmsg("received unencrypted data after GSSAPI encryption request"),
+                               errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack.")));
+                /*
+                 * regular startup packet, cancel, etc packet should follow, but not
+                 * another GSS negotiation request, and an SSL request should only
+diff --git a/src/include/libpq/libpq.h b/src/include/libpq/libpq.h
+index b115247..9969692 100644
+--- a/src/include/libpq/libpq.h
+++ b/src/include/libpq/libpq.h
+@@ -73,6 +73,7 @@ extern int    pq_getbyte(void);
+ extern int     pq_peekbyte(void);
+ extern int     pq_getbyte_if_available(unsigned char *c);
+ extern int     pq_putbytes(const char *s, size_t len);
+extern bool pq_buffer_has_data(void);
+ 
+ /*
+  * prototypes for functions in be-secure.c
+-- 
+2.17.1

diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch new file mode 100644 index 000000000..58bf81062 --- /dev/null +++ b/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch
@@ -0,0 +1,116 @@
	1	From 24c2b9e42edb6d2f4ef2cead3b0aa1d6196adfce Mon Sep 17 00:00:00 2001
	2	From: Tom Lane <tgl@sss.pgh.pa.us>
	3	Date: Mon, 8 Nov 2021 11:01:43 -0500
	4	Subject: [PATCH 2/2] Reject extraneous data after SSL or GSS encryption
	5	handshake.
	6
	7	The server collects up to a bufferload of data whenever it reads data
	8	from the client socket. When SSL or GSS encryption is requested
	9	during startup, any additional data received with the initial
	10	request message remained in the buffer, and would be treated as
	11	already-decrypted data once the encryption handshake completed.
	12	Thus, a man-in-the-middle with the ability to inject data into the
	13	TCP connection could stuff some cleartext data into the start of
	14	a supposedly encryption-protected database session.
	15
	16	This could be abused to send faked SQL commands to the server,
	17	although that would only work if the server did not demand any
	18	authentication data. (However, a server relying on SSL certificate
	19	authentication might well not do so.)
	20
	21	To fix, throw a protocol-violation error if the internal buffer
	22	is not empty after the encryption handshake.
	23
	24	Our thanks to Jacob Champion for reporting this problem.
	25
	26	Security: CVE-2021-23214
	27
	28	Upstream-Status: Backport[https://github.com/postgres/postgres/commit/28e24125541545483093819efae9bca603441951]
	29	CVE: CVE-2021-23214
	30
	31	Signed-off-by: Changqing Li <changqing.li@windriver.com>
	32
	33	---
	34	src/backend/libpq/pqcomm.c \| 11 +++++++++++
	35	src/backend/postmaster/postmaster.c \| 23 ++++++++++++++++++++++-
	36	src/include/libpq/libpq.h \| 1 +
	37	3 files changed, 34 insertions(+), 1 deletion(-)
	38
	39	diff --git a/src/backend/libpq/pqcomm.c b/src/backend/libpq/pqcomm.c
	40	index ee2cd86..4dd1c02 100644
	41	--- a/src/backend/libpq/pqcomm.c
	42	+++ b/src/backend/libpq/pqcomm.c
	43	@@ -1183,6 +1183,17 @@ pq_getstring(StringInfo s)
	44	}
	45	}
	46
	47	+/* -------------------------------
	48	+ * pq_buffer_has_data - is any buffered data available to read?
	49	+ *
	50	+ * This will not attempt to read more data.
	51	+ * --------------------------------
	52	+ */
	53	+bool
	54	+pq_buffer_has_data(void)
	55	+{
	56	+ return (PqRecvPointer < PqRecvLength);
	57	+}
	58
	59	/* --------------------------------
	60	* pq_startmsgread - begin reading a message from the client.
	61	diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c
	62	index 5775fc0..1fcc3f8 100644
	63	--- a/src/backend/postmaster/postmaster.c
	64	+++ b/src/backend/postmaster/postmaster.c
	65	@@ -2049,6 +2049,17 @@ retry1:
	66	return STATUS_ERROR;
	67	#endif
	68
	69	+ /*
	70	+ * At this point we should have no data already buffered. If we do,
	71	+ * it was received before we performed the SSL handshake, so it wasn't
	72	+ * encrypted and indeed may have been injected by a man-in-the-middle.
	73	+ * We report this case to the client.
	74	+ */
	75	+ if (pq_buffer_has_data())
	76	+ ereport(FATAL,
	77	+ (errcode(ERRCODE_PROTOCOL_VIOLATION),
	78	+ errmsg("received unencrypted data after SSL request"),
	79	+ errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack.")));
	80	/*
	81	* regular startup packet, cancel, etc packet should follow, but not
	82	* another SSL negotiation request, and a GSS request should only
	83	@@ -2080,7 +2091,17 @@ retry1:
	84	if (GSSok == 'G' && secure_open_gssapi(port) == -1)
	85	return STATUS_ERROR;
	86	#endif
	87	-
	88	+ /*
	89	+ * At this point we should have no data already buffered. If we do,
	90	+ * it was received before we performed the GSS handshake, so it wasn't
	91	+ * encrypted and indeed may have been injected by a man-in-the-middle.
	92	+ * We report this case to the client.
	93	+ */
	94	+ if (pq_buffer_has_data())
	95	+ ereport(FATAL,
	96	+ (errcode(ERRCODE_PROTOCOL_VIOLATION),
	97	+ errmsg("received unencrypted data after GSSAPI encryption request"),
	98	+ errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack.")));
	99	/*
	100	* regular startup packet, cancel, etc packet should follow, but not
	101	* another GSS negotiation request, and an SSL request should only
	102	diff --git a/src/include/libpq/libpq.h b/src/include/libpq/libpq.h
	103	index b115247..9969692 100644
	104	--- a/src/include/libpq/libpq.h
	105	+++ b/src/include/libpq/libpq.h
	106	@@ -73,6 +73,7 @@ extern int pq_getbyte(void);
	107	extern int pq_peekbyte(void);
	108	extern int pq_getbyte_if_available(unsigned char *c);
	109	extern int pq_putbytes(const char *s, size_t len);
	110	+extern bool pq_buffer_has_data(void);
	111
	112	/*
	113	* prototypes for functions in be-secure.c
	114	--
	115	2.17.1
	116