postgresql: Update to 13.5

This is a security and bugfix release. With this update, the backported patches for CVE-2021-2314 and CVE-2021-23222 are no longer needed. Full release notes are available at: https://www.postgresql.org/docs/release/13.5/ Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Robert Joslyn <robert.joslyn@redrectangle.org> 2022-01-15 13:33:51 -0800
committer: Armin Kuster <akuster808@gmail.com> 2022-01-30 15:13:01 -0800
commit: 6704d6d3d7549c8170d050d36ee4a3b345cf6aa6 (patch)
tree: 2331e32fc707cad2f6180b4d130600228ac0c08c /meta-oe
parent: 9b20f34ca909b8fae8f9c3e33be0959958e1d678 (diff)
download: meta-openembedded-6704d6d3d7549c8170d050d36ee4a3b345cf6aa6.tar.gz
5 files changed, 8 insertions, 255 deletions
diff --git a/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch b/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch
index 0dc6ece6da..5c65e6185f 100644
--- a/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch
+++ b/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch
@@ -1,4 +1,4 @@
-From b06a228a5fd1589fc9bed654b3288b321fc21aa1 Mon Sep 17 00:00:00 2001
+From 0b60fe3c39b2f62f9867d955da82d9d20c42d028 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Sun, 20 Nov 2016 15:04:52 +0000
 Subject: [PATCH] Add support for RISC-V.
@@ -9,9 +9,11 @@ extending the existing aarch64 macro works.
 src/include/storage/s_lock.h | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
+diff --git a/src/include/storage/s_lock.h b/src/include/storage/s_lock.h
+index 6b368a5..f7d3387 100644
 --- a/src/include/storage/s_lock.h
 +++ b/src/include/storage/s_lock.h
-@@ -316,11 +316,12 @@ tas(volatile slock_t *lock)
+@@ -317,11 +317,12 @@ tas(volatile slock_t *lock)
 
 /*
  * On ARM and ARM64, we use __sync_lock_test_and_set(int *, int) if available.
@@ -25,7 +27,7 @@ extending the existing aarch64 macro works.
 #ifdef HAVE_GCC__SYNC_INT32_TAS
 #define HAS_TEST_AND_SET
 
-@@ -337,7 +338,7 @@ tas(volatile slock_t *lock)
+@@ -338,7 +339,7 @@ tas(volatile slock_t *lock)
 #define S_UNLOCK(lock) __sync_lock_release(lock)
 
 #endif  /* HAVE_GCC__SYNC_INT32_TAS */
@@ -33,4 +35,4 @@ extending the existing aarch64 macro works.
 +#endif  /* __arm__ || __arm || __aarch64__ || __aarch64 || __riscv */
 
 
- /* S/390 and S/390x Linux (32- and 64-bit zSeries) */
+ /*
diff --git a/meta-oe/recipes-dbs/postgresql/files/0001-configure.in-bypass-autoconf-2.69-version-check.patch b/meta-oe/recipes-dbs/postgresql/files/0001-configure.in-bypass-autoconf-2.69-version-check.patch
index db9769f82e..17ba04b664 100644
--- a/meta-oe/recipes-dbs/postgresql/files/0001-configure.in-bypass-autoconf-2.69-version-check.patch
+++ b/meta-oe/recipes-dbs/postgresql/files/0001-configure.in-bypass-autoconf-2.69-version-check.patch
@@ -18,7 +18,7 @@ index fb14dcc..a2b4a4f 100644
 +++ b/configure.in
 @@ -19,10 +19,6 @@ m4_pattern_forbid(^PGAC_)dnl to catch undefined macros
 
- AC_INIT([PostgreSQL], [13.4], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/])
+ AC_INIT([PostgreSQL], [13.5], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/])
 
 -m4_if(m4_defn([m4_PACKAGE_VERSION]), [2.69], [], [m4_fatal([Autoconf version 2.69 is required.
 -Untested combinations of 'autoconf' and PostgreSQL versions are not
diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch
deleted file mode 100644
index 58bf810626..0000000000
--- a/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-From 24c2b9e42edb6d2f4ef2cead3b0aa1d6196adfce Mon Sep 17 00:00:00 2001
-From: Tom Lane <tgl@sss.pgh.pa.us>
-Date: Mon, 8 Nov 2021 11:01:43 -0500
-Subject: [PATCH 2/2] Reject extraneous data after SSL or GSS encryption
- handshake.
-The server collects up to a bufferload of data whenever it reads data
-from the client socket.  When SSL or GSS encryption is requested
-during startup, any additional data received with the initial
-request message remained in the buffer, and would be treated as
-already-decrypted data once the encryption handshake completed.
-Thus, a man-in-the-middle with the ability to inject data into the 
-TCP connection could stuff some cleartext data into the start of
-a supposedly encryption-protected database session.
-This could be abused to send faked SQL commands to the server,
-although that would only work if the server did not demand any 
-authentication data.  (However, a server relying on SSL certificate
-authentication might well not do so.)
-To fix, throw a protocol-violation error if the internal buffer
-is not empty after the encryption handshake.
-Our thanks to Jacob Champion for reporting this problem.
-Security: CVE-2021-23214
-Upstream-Status: Backport[https://github.com/postgres/postgres/commit/28e24125541545483093819efae9bca603441951]
-CVE: CVE-2021-23214
-Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
- src/backend/libpq/pqcomm.c          | 11 +++++++++++
- src/backend/postmaster/postmaster.c | 23 ++++++++++++++++++++++-
- src/include/libpq/libpq.h           |  1 +
- 3 files changed, 34 insertions(+), 1 deletion(-)
-diff --git a/src/backend/libpq/pqcomm.c b/src/backend/libpq/pqcomm.c
-index ee2cd86..4dd1c02 100644
--- a/src/backend/libpq/pqcomm.c
-+++ b/src/backend/libpq/pqcomm.c
-@@ -1183,6 +1183,17 @@ pq_getstring(StringInfo s)
-        }
- }
- 
-+/* -------------------------------
-+ *             pq_buffer_has_data              - is any buffered data available to read?
-+ *
-+ * This will *not* attempt to read more data.
-+ * --------------------------------
-+ */
-+bool
-+pq_buffer_has_data(void)
-+{
-+       return (PqRecvPointer < PqRecvLength);
-+}
- 
- /* --------------------------------
-  *             pq_startmsgread - begin reading a message from the client.
-diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c
-index 5775fc0..1fcc3f8 100644
--- a/src/backend/postmaster/postmaster.c
-+++ b/src/backend/postmaster/postmaster.c
-@@ -2049,6 +2049,17 @@ retry1:
-                        return STATUS_ERROR;
- #endif
- 
-+               /*
-+               * At this point we should have no data already buffered.  If we do,
-+               * it was received before we performed the SSL handshake, so it wasn't
-+               * encrypted and indeed may have been injected by a man-in-the-middle.
-+               * We report this case to the client.
-+               */
-+               if (pq_buffer_has_data())
-+                       ereport(FATAL,
-+                               (errcode(ERRCODE_PROTOCOL_VIOLATION),
-+                               errmsg("received unencrypted data after SSL request"),
-+                               errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack.")));
-                /*
-                 * regular startup packet, cancel, etc packet should follow, but not
-                 * another SSL negotiation request, and a GSS request should only
-@@ -2080,7 +2091,17 @@ retry1:
-                if (GSSok == 'G' && secure_open_gssapi(port) == -1)
-                        return STATUS_ERROR;
- #endif
-
-+               /*
-+               * At this point we should have no data already buffered.  If we do,
-+               * it was received before we performed the GSS handshake, so it wasn't
-+               * encrypted and indeed may have been injected by a man-in-the-middle.
-+               * We report this case to the client.
-+               */
-+               if (pq_buffer_has_data())
-+                       ereport(FATAL,
-+                               (errcode(ERRCODE_PROTOCOL_VIOLATION),
-+                               errmsg("received unencrypted data after GSSAPI encryption request"),
-+                               errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack.")));
-                /*
-                 * regular startup packet, cancel, etc packet should follow, but not
-                 * another GSS negotiation request, and an SSL request should only
-diff --git a/src/include/libpq/libpq.h b/src/include/libpq/libpq.h
-index b115247..9969692 100644
--- a/src/include/libpq/libpq.h
-+++ b/src/include/libpq/libpq.h
-@@ -73,6 +73,7 @@ extern int    pq_getbyte(void);
- extern int     pq_peekbyte(void);
- extern int     pq_getbyte_if_available(unsigned char *c);
- extern int     pq_putbytes(const char *s, size_t len);
-+extern bool pq_buffer_has_data(void);
- 
- /*
-  * prototypes for functions in be-secure.c
-- 
-2.17.1
diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23222.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23222.patch
deleted file mode 100644
index 42b78539b4..0000000000
--- a/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23222.patch
+++ /dev/null
@@ -1,131 +0,0 @@
-From 79125ead2a6a234086844bb42f06d49603fe6ca0 Mon Sep 17 00:00:00 2001
-From: Tom Lane <tgl@sss.pgh.pa.us>
-Date: Mon, 8 Nov 2021 11:14:56 -0500
-Subject: [PATCH 1/2] libpq: reject extraneous data after SSL or GSS encryption
- handshake.
-libpq collects up to a bufferload of data whenever it reads data from
-the socket.  When SSL or GSS encryption is requested during startup,
-any additional data received with the server's yes-or-no reply
-remained in the buffer, and would be treated as already-decrypted data
-once the encryption handshake completed.  Thus, a man-in-the-middle
-with the ability to inject data into the TCP connection could stuff
-some cleartext data into the start of a supposedly encryption-protected
-database session.
-This could probably be abused to inject faked responses to the
-client's first few queries, although other details of libpq's behavior
-make that harder than it sounds.  A different line of attack is to
-exfiltrate the client's password, or other sensitive data that might
-be sent early in the session.  That has been shown to be possible with
-a server vulnerable to CVE-2021-23214.
-To fix, throw a protocol-violation error if the internal buffer
-is not empty after the encryption handshake.
-Our thanks to Jacob Champion for reporting this problem.
-Security: CVE-2021-23222
-Upstream-Status: Backport[https://github.com/postgres/postgres/commit/160c0258802d10b0600d7671b1bbea55d8e17d45]
-CVE: CVE-2021-23222
-Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
- doc/src/sgml/protocol.sgml        | 28 ++++++++++++++++++++++++++++
- src/interfaces/libpq/fe-connect.c | 26 ++++++++++++++++++++++++++
- 2 files changed, 54 insertions(+)
-diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
-index e26619e1b5..b692648fca 100644
--- a/doc/src/sgml/protocol.sgml
-+++ b/doc/src/sgml/protocol.sgml
-@@ -1471,6 +1471,20 @@ SELCT 1/0;<!-- this typo is intentional -->
-     and proceed without requesting <acronym>SSL</acronym>.
-    </para>
- 
-+   <para>
-+    When <acronym>SSL</acronym> encryption can be performed, the server
-+    is expected to send only the single <literal>S</literal> byte and then
-+    wait for the frontend to initiate an <acronym>SSL</acronym> handshake.
-+    If additional bytes are available to read at this point, it likely
-+    means that a man-in-the-middle is attempting to perform a
-+    buffer-stuffing attack
-+    (<ulink url="https://www.postgresql.org/support/security/CVE-2021-23222/">CVE-2021-23222</ulink>).
-+    Frontends should be coded either to read exactly one byte from the
-+    socket before turning the socket over to their SSL library, or to
-+    treat it as a protocol violation if they find they have read additional
-+    bytes.
-+   </para>
-+
-    <para>
-     An initial SSLRequest can also be used in a connection that is being
-     opened to send a CancelRequest message.
-@@ -1532,6 +1546,20 @@ SELCT 1/0;<!-- this typo is intentional -->
-     encryption.
-    </para>
- 
-+   <para>
-+    When <acronym>GSSAPI</acronym> encryption can be performed, the server
-+    is expected to send only the single <literal>G</literal> byte and then
-+    wait for the frontend to initiate a <acronym>GSSAPI</acronym> handshake.
-+    If additional bytes are available to read at this point, it likely
-+    means that a man-in-the-middle is attempting to perform a
-+    buffer-stuffing attack
-+    (<ulink url="https://www.postgresql.org/support/security/CVE-2021-23222/">CVE-2021-23222</ulink>).
-+    Frontends should be coded either to read exactly one byte from the
-+    socket before turning the socket over to their GSSAPI library, or to
-+    treat it as a protocol violation if they find they have read additional
-+    bytes.
-+   </para>
-+
-    <para>
-     An initial GSSENCRequest can also be used in a connection that is being
-     opened to send a CancelRequest message.
-diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
-index f80f4e98d8..57aee95183 100644
--- a/src/interfaces/libpq/fe-connect.c
-+++ b/src/interfaces/libpq/fe-connect.c
-@@ -3076,6 +3076,19 @@ keep_going:                                              /* We will come back to here until there is
-                                pollres = pqsecure_open_client(conn);
-                                if (pollres == PGRES_POLLING_OK)
-                                {
-+                                       /*
-+                                        * At this point we should have no data already buffered.
-+                                        * If we do, it was received before we performed the SSL
-+                                        * handshake, so it wasn't encrypted and indeed may have
-+                                        * been injected by a man-in-the-middle.
-+                                        */
-+                                       if (conn->inCursor != conn->inEnd)
-+                                       {
-+                                               appendPQExpBufferStr(&conn->errorMessage,
-+                                                                                        libpq_gettext("received unencrypted data after SSL response\n"));
-+                                               goto error_return;
-+                                       }
-+
-                                        /* SSL handshake done, ready to send startup packet */
-                                        conn->status = CONNECTION_MADE;
-                                        return PGRES_POLLING_WRITING;
-@@ -3175,6 +3188,19 @@ keep_going:                                              /* We will come back to here until there is
-                                pollres = pqsecure_open_gss(conn);
-                                if (pollres == PGRES_POLLING_OK)
-                                {
-+                                       /*
-+                                        * At this point we should have no data already buffered.
-+                                        * If we do, it was received before we performed the GSS
-+                                        * handshake, so it wasn't encrypted and indeed may have
-+                                        * been injected by a man-in-the-middle.
-+                                        */
-+                                       if (conn->inCursor != conn->inEnd)
-+                                       {
-+                                               appendPQExpBufferStr(&conn->errorMessage,
-+                                                                                        libpq_gettext("received unencrypted data after GSSAPI encryption response\n"));
-+                                               goto error_return;
-+                                       }
-+
-                                        /* All set for startup packet */
-                                        conn->status = CONNECTION_MADE;
-                                        return PGRES_POLLING_WRITING;
-- 
-2.17.1
diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_13.4.bb b/meta-oe/recipes-dbs/postgresql/postgresql_13.5.bb
index 2ed0fa49bb..81193e30e5 100644
--- a/meta-oe/recipes-dbs/postgresql/postgresql_13.4.bb
+++ b/meta-oe/recipes-dbs/postgresql/postgresql_13.5.bb
@@ -7,8 +7,6 @@ SRC_URI += "\
   file://0001-Add-support-for-RISC-V.patch \
   file://0001-Improve-reproducibility.patch \
   file://0001-configure.in-bypass-autoconf-2.69-version-check.patch \
-   file://CVE-2021-23214.patch \
-   file://CVE-2021-23222.patch \
 "
-SRC_URI[sha256sum] = "ea93e10390245f1ce461a54eb5f99a48d8cabd3a08ce4d652ec2169a357bc0cd"
+SRC_URI[sha256sum] = "9b81067a55edbaabc418aacef457dd8477642827499560b00615a6ea6c13f6b3"
author	Robert Joslyn <robert.joslyn@redrectangle.org>	2022-01-15 13:33:51 -0800
committer	Armin Kuster <akuster808@gmail.com>	2022-01-30 15:13:01 -0800
commit	6704d6d3d7549c8170d050d36ee4a3b345cf6aa6 (patch)
tree	2331e32fc707cad2f6180b4d130600228ac0c08c /meta-oe
parent	9b20f34ca909b8fae8f9c3e33be0959958e1d678 (diff)
download	meta-openembedded-6704d6d3d7549c8170d050d36ee4a3b345cf6aa6.tar.gz

diff --git a/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch b/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch index 0dc6ece6da..5c65e6185f 100644 --- a/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch +++ b/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch
@@ -1,4 +1,4 @@
1	From b06a228a5fd1589fc9bed654b3288b321fc21aa1 Mon Sep 17 00:00:00 2001	1	From 0b60fe3c39b2f62f9867d955da82d9d20c42d028 Mon Sep 17 00:00:00 2001
2	From: "Richard W.M. Jones" <rjones@redhat.com>	2	From: "Richard W.M. Jones" <rjones@redhat.com>
3	Date: Sun, 20 Nov 2016 15:04:52 +0000	3	Date: Sun, 20 Nov 2016 15:04:52 +0000
4	Subject: [PATCH] Add support for RISC-V.	4	Subject: [PATCH] Add support for RISC-V.
@@ -9,9 +9,11 @@ extending the existing aarch64 macro works.
9	src/include/storage/s_lock.h \| 5 +++--	9	src/include/storage/s_lock.h \| 5 +++--
10	1 file changed, 3 insertions(+), 2 deletions(-)	10	1 file changed, 3 insertions(+), 2 deletions(-)
11		11
		12	diff --git a/src/include/storage/s_lock.h b/src/include/storage/s_lock.h
		13	index 6b368a5..f7d3387 100644
12	--- a/src/include/storage/s_lock.h	14	--- a/src/include/storage/s_lock.h
13	+++ b/src/include/storage/s_lock.h	15	+++ b/src/include/storage/s_lock.h
14	@@ -316,11 +316,12 @@ tas(volatile slock_t *lock)	16	@@ -317,11 +317,12 @@ tas(volatile slock_t *lock)
15		17
16	/*	18	/*
17	* On ARM and ARM64, we use __sync_lock_test_and_set(int *, int) if available.	19	* On ARM and ARM64, we use __sync_lock_test_and_set(int *, int) if available.
@@ -25,7 +27,7 @@ extending the existing aarch64 macro works.
25	#ifdef HAVE_GCC__SYNC_INT32_TAS	27	#ifdef HAVE_GCC__SYNC_INT32_TAS
26	#define HAS_TEST_AND_SET	28	#define HAS_TEST_AND_SET
27		29
28	@@ -337,7 +338,7 @@ tas(volatile slock_t *lock)	30	@@ -338,7 +339,7 @@ tas(volatile slock_t *lock)
29	#define S_UNLOCK(lock) __sync_lock_release(lock)	31	#define S_UNLOCK(lock) __sync_lock_release(lock)
30		32
31	#endif /* HAVE_GCC__SYNC_INT32_TAS */	33	#endif /* HAVE_GCC__SYNC_INT32_TAS */
@@ -33,4 +35,4 @@ extending the existing aarch64 macro works.
33	+#endif /* __arm__ \|\| __arm \|\| __aarch64__ \|\| __aarch64 \|\| __riscv */	35	+#endif /* __arm__ \|\| __arm \|\| __aarch64__ \|\| __aarch64 \|\| __riscv */
34		36
35		37
36	/* S/390 and S/390x Linux (32- and 64-bit zSeries) */	38	/*


diff --git a/meta-oe/recipes-dbs/postgresql/files/0001-configure.in-bypass-autoconf-2.69-version-check.patch b/meta-oe/recipes-dbs/postgresql/files/0001-configure.in-bypass-autoconf-2.69-version-check.patch index db9769f82e..17ba04b664 100644 --- a/meta-oe/recipes-dbs/postgresql/files/0001-configure.in-bypass-autoconf-2.69-version-check.patch +++ b/meta-oe/recipes-dbs/postgresql/files/0001-configure.in-bypass-autoconf-2.69-version-check.patch
@@ -18,7 +18,7 @@ index fb14dcc..a2b4a4f 100644
18	+++ b/configure.in	18	+++ b/configure.in
19	@@ -19,10 +19,6 @@ m4_pattern_forbid(^PGAC_)dnl to catch undefined macros	19	@@ -19,10 +19,6 @@ m4_pattern_forbid(^PGAC_)dnl to catch undefined macros
20		20
21	AC_INIT([PostgreSQL], [13.4], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/])	21	AC_INIT([PostgreSQL], [13.5], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/])
22		22
23	-m4_if(m4_defn([m4_PACKAGE_VERSION]), [2.69], [], [m4_fatal([Autoconf version 2.69 is required.	23	-m4_if(m4_defn([m4_PACKAGE_VERSION]), [2.69], [], [m4_fatal([Autoconf version 2.69 is required.
24	-Untested combinations of 'autoconf' and PostgreSQL versions are not	24	-Untested combinations of 'autoconf' and PostgreSQL versions are not


diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch deleted file mode 100644 index 58bf810626..0000000000 --- a/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch +++ /dev/null
@@ -1,116 +0,0 @@
1	From 24c2b9e42edb6d2f4ef2cead3b0aa1d6196adfce Mon Sep 17 00:00:00 2001
2	From: Tom Lane <tgl@sss.pgh.pa.us>
3	Date: Mon, 8 Nov 2021 11:01:43 -0500
4	Subject: [PATCH 2/2] Reject extraneous data after SSL or GSS encryption
5	handshake.
6
7	The server collects up to a bufferload of data whenever it reads data
8	from the client socket. When SSL or GSS encryption is requested
9	during startup, any additional data received with the initial
10	request message remained in the buffer, and would be treated as
11	already-decrypted data once the encryption handshake completed.
12	Thus, a man-in-the-middle with the ability to inject data into the
13	TCP connection could stuff some cleartext data into the start of
14	a supposedly encryption-protected database session.
15
16	This could be abused to send faked SQL commands to the server,
17	although that would only work if the server did not demand any
18	authentication data. (However, a server relying on SSL certificate
19	authentication might well not do so.)
20
21	To fix, throw a protocol-violation error if the internal buffer
22	is not empty after the encryption handshake.
23
24	Our thanks to Jacob Champion for reporting this problem.
25
26	Security: CVE-2021-23214
27
28	Upstream-Status: Backport[https://github.com/postgres/postgres/commit/28e24125541545483093819efae9bca603441951]
29	CVE: CVE-2021-23214
30
31	Signed-off-by: Changqing Li <changqing.li@windriver.com>
32
33	---
34	src/backend/libpq/pqcomm.c \| 11 +++++++++++
35	src/backend/postmaster/postmaster.c \| 23 ++++++++++++++++++++++-
36	src/include/libpq/libpq.h \| 1 +
37	3 files changed, 34 insertions(+), 1 deletion(-)
38
39	diff --git a/src/backend/libpq/pqcomm.c b/src/backend/libpq/pqcomm.c
40	index ee2cd86..4dd1c02 100644
41	--- a/src/backend/libpq/pqcomm.c
42	+++ b/src/backend/libpq/pqcomm.c
43	@@ -1183,6 +1183,17 @@ pq_getstring(StringInfo s)
44	}
45	}
46
47	+/* -------------------------------
48	+ * pq_buffer_has_data - is any buffered data available to read?
49	+ *
50	+ * This will not attempt to read more data.
51	+ * --------------------------------
52	+ */
53	+bool
54	+pq_buffer_has_data(void)
55	+{
56	+ return (PqRecvPointer < PqRecvLength);
57	+}
58
59	/* --------------------------------
60	* pq_startmsgread - begin reading a message from the client.
61	diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c
62	index 5775fc0..1fcc3f8 100644
63	--- a/src/backend/postmaster/postmaster.c
64	+++ b/src/backend/postmaster/postmaster.c
65	@@ -2049,6 +2049,17 @@ retry1:
66	return STATUS_ERROR;
67	#endif
68
69	+ /*
70	+ * At this point we should have no data already buffered. If we do,
71	+ * it was received before we performed the SSL handshake, so it wasn't
72	+ * encrypted and indeed may have been injected by a man-in-the-middle.
73	+ * We report this case to the client.
74	+ */
75	+ if (pq_buffer_has_data())
76	+ ereport(FATAL,
77	+ (errcode(ERRCODE_PROTOCOL_VIOLATION),
78	+ errmsg("received unencrypted data after SSL request"),
79	+ errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack.")));
80	/*
81	* regular startup packet, cancel, etc packet should follow, but not
82	* another SSL negotiation request, and a GSS request should only
83	@@ -2080,7 +2091,17 @@ retry1:
84	if (GSSok == 'G' && secure_open_gssapi(port) == -1)
85	return STATUS_ERROR;
86	#endif
87	-
88	+ /*
89	+ * At this point we should have no data already buffered. If we do,
90	+ * it was received before we performed the GSS handshake, so it wasn't
91	+ * encrypted and indeed may have been injected by a man-in-the-middle.
92	+ * We report this case to the client.
93	+ */
94	+ if (pq_buffer_has_data())
95	+ ereport(FATAL,
96	+ (errcode(ERRCODE_PROTOCOL_VIOLATION),
97	+ errmsg("received unencrypted data after GSSAPI encryption request"),
98	+ errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack.")));
99	/*
100	* regular startup packet, cancel, etc packet should follow, but not
101	* another GSS negotiation request, and an SSL request should only
102	diff --git a/src/include/libpq/libpq.h b/src/include/libpq/libpq.h
103	index b115247..9969692 100644
104	--- a/src/include/libpq/libpq.h
105	+++ b/src/include/libpq/libpq.h
106	@@ -73,6 +73,7 @@ extern int pq_getbyte(void);
107	extern int pq_peekbyte(void);
108	extern int pq_getbyte_if_available(unsigned char *c);
109	extern int pq_putbytes(const char *s, size_t len);
110	+extern bool pq_buffer_has_data(void);
111
112	/*
113	* prototypes for functions in be-secure.c
114	--
115	2.17.1
116


diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23222.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23222.patch deleted file mode 100644 index 42b78539b4..0000000000 --- a/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23222.patch +++ /dev/null
@@ -1,131 +0,0 @@
1	From 79125ead2a6a234086844bb42f06d49603fe6ca0 Mon Sep 17 00:00:00 2001
2	From: Tom Lane <tgl@sss.pgh.pa.us>
3	Date: Mon, 8 Nov 2021 11:14:56 -0500
4	Subject: [PATCH 1/2] libpq: reject extraneous data after SSL or GSS encryption
5	handshake.
6
7	libpq collects up to a bufferload of data whenever it reads data from
8	the socket. When SSL or GSS encryption is requested during startup,
9	any additional data received with the server's yes-or-no reply
10	remained in the buffer, and would be treated as already-decrypted data
11	once the encryption handshake completed. Thus, a man-in-the-middle
12	with the ability to inject data into the TCP connection could stuff
13	some cleartext data into the start of a supposedly encryption-protected
14	database session.
15
16	This could probably be abused to inject faked responses to the
17	client's first few queries, although other details of libpq's behavior
18	make that harder than it sounds. A different line of attack is to
19	exfiltrate the client's password, or other sensitive data that might
20	be sent early in the session. That has been shown to be possible with
21	a server vulnerable to CVE-2021-23214.
22
23	To fix, throw a protocol-violation error if the internal buffer
24	is not empty after the encryption handshake.
25
26	Our thanks to Jacob Champion for reporting this problem.
27
28	Security: CVE-2021-23222
29
30	Upstream-Status: Backport[https://github.com/postgres/postgres/commit/160c0258802d10b0600d7671b1bbea55d8e17d45]
31	CVE: CVE-2021-23222
32
33	Signed-off-by: Changqing Li <changqing.li@windriver.com>
34	---
35	doc/src/sgml/protocol.sgml \| 28 ++++++++++++++++++++++++++++
36	src/interfaces/libpq/fe-connect.c \| 26 ++++++++++++++++++++++++++
37	2 files changed, 54 insertions(+)
38
39	diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
40	index e26619e1b5..b692648fca 100644
41	--- a/doc/src/sgml/protocol.sgml
42	+++ b/doc/src/sgml/protocol.sgml
43	@@ -1471,6 +1471,20 @@ SELCT 1/0;<!-- this typo is intentional -->
44	and proceed without requesting <acronym>SSL</acronym>.
45	</para>
46
47	+ <para>
48	+ When <acronym>SSL</acronym> encryption can be performed, the server
49	+ is expected to send only the single <literal>S</literal> byte and then
50	+ wait for the frontend to initiate an <acronym>SSL</acronym> handshake.
51	+ If additional bytes are available to read at this point, it likely
52	+ means that a man-in-the-middle is attempting to perform a
53	+ buffer-stuffing attack
54	+ (<ulink url="https://www.postgresql.org/support/security/CVE-2021-23222/">CVE-2021-23222</ulink>).
55	+ Frontends should be coded either to read exactly one byte from the
56	+ socket before turning the socket over to their SSL library, or to
57	+ treat it as a protocol violation if they find they have read additional
58	+ bytes.
59	+ </para>
60	+
61	<para>
62	An initial SSLRequest can also be used in a connection that is being
63	opened to send a CancelRequest message.
64	@@ -1532,6 +1546,20 @@ SELCT 1/0;<!-- this typo is intentional -->
65	encryption.
66	</para>
67
68	+ <para>
69	+ When <acronym>GSSAPI</acronym> encryption can be performed, the server
70	+ is expected to send only the single <literal>G</literal> byte and then
71	+ wait for the frontend to initiate a <acronym>GSSAPI</acronym> handshake.
72	+ If additional bytes are available to read at this point, it likely
73	+ means that a man-in-the-middle is attempting to perform a
74	+ buffer-stuffing attack
75	+ (<ulink url="https://www.postgresql.org/support/security/CVE-2021-23222/">CVE-2021-23222</ulink>).
76	+ Frontends should be coded either to read exactly one byte from the
77	+ socket before turning the socket over to their GSSAPI library, or to
78	+ treat it as a protocol violation if they find they have read additional
79	+ bytes.
80	+ </para>
81	+
82	<para>
83	An initial GSSENCRequest can also be used in a connection that is being
84	opened to send a CancelRequest message.
85	diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
86	index f80f4e98d8..57aee95183 100644
87	--- a/src/interfaces/libpq/fe-connect.c
88	+++ b/src/interfaces/libpq/fe-connect.c
89	@@ -3076,6 +3076,19 @@ keep_going: /* We will come back to here until there is
90	pollres = pqsecure_open_client(conn);
91	if (pollres == PGRES_POLLING_OK)
92	{
93	+ /*
94	+ * At this point we should have no data already buffered.
95	+ * If we do, it was received before we performed the SSL
96	+ * handshake, so it wasn't encrypted and indeed may have
97	+ * been injected by a man-in-the-middle.
98	+ */
99	+ if (conn->inCursor != conn->inEnd)
100	+ {
101	+ appendPQExpBufferStr(&conn->errorMessage,
102	+ libpq_gettext("received unencrypted data after SSL response\n"));
103	+ goto error_return;
104	+ }
105	+
106	/* SSL handshake done, ready to send startup packet */
107	conn->status = CONNECTION_MADE;
108	return PGRES_POLLING_WRITING;
109	@@ -3175,6 +3188,19 @@ keep_going: /* We will come back to here until there is
110	pollres = pqsecure_open_gss(conn);
111	if (pollres == PGRES_POLLING_OK)
112	{
113	+ /*
114	+ * At this point we should have no data already buffered.
115	+ * If we do, it was received before we performed the GSS
116	+ * handshake, so it wasn't encrypted and indeed may have
117	+ * been injected by a man-in-the-middle.
118	+ */
119	+ if (conn->inCursor != conn->inEnd)
120	+ {
121	+ appendPQExpBufferStr(&conn->errorMessage,
122	+ libpq_gettext("received unencrypted data after GSSAPI encryption response\n"));
123	+ goto error_return;
124	+ }
125	+
126	/* All set for startup packet */
127	conn->status = CONNECTION_MADE;
128	return PGRES_POLLING_WRITING;
129	--
130	2.17.1
131


diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_13.4.bb b/meta-oe/recipes-dbs/postgresql/postgresql_13.5.bb index 2ed0fa49bb..81193e30e5 100644 --- a/meta-oe/recipes-dbs/postgresql/postgresql_13.4.bb +++ b/meta-oe/recipes-dbs/postgresql/postgresql_13.5.bb
@@ -7,8 +7,6 @@ SRC_URI += "\
7	file://0001-Add-support-for-RISC-V.patch \	7	file://0001-Add-support-for-RISC-V.patch \
8	file://0001-Improve-reproducibility.patch \	8	file://0001-Improve-reproducibility.patch \
9	file://0001-configure.in-bypass-autoconf-2.69-version-check.patch \	9	file://0001-configure.in-bypass-autoconf-2.69-version-check.patch \
10	file://CVE-2021-23214.patch \
11	file://CVE-2021-23222.patch \
12	"	10	"
13		11
14	SRC_URI[sha256sum] = "ea93e10390245f1ce461a54eb5f99a48d8cabd3a08ce4d652ec2169a357bc0cd"	12	SRC_URI[sha256sum] = "9b81067a55edbaabc418aacef457dd8477642827499560b00615a6ea6c13f6b3"