summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--meta-oe/recipes-dbs/postgresql/files/CVE-2023-5868.patch125
-rw-r--r--meta-oe/recipes-dbs/postgresql/files/CVE-2023-5869.patch294
-rw-r--r--meta-oe/recipes-dbs/postgresql/files/CVE-2023-5870.patch108
-rw-r--r--meta-oe/recipes-dbs/postgresql/postgresql_14.9.bb3
4 files changed, 530 insertions, 0 deletions
diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2023-5868.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2023-5868.patch
new file mode 100644
index 0000000000..50953f49b2
--- /dev/null
+++ b/meta-oe/recipes-dbs/postgresql/files/CVE-2023-5868.patch
@@ -0,0 +1,125 @@
1From 3b0776fde56763c549df35ce9750f3399bc710b2 Mon Sep 17 00:00:00 2001
2From: Tom Lane <tgl@sss.pgh.pa.us>
3Date: Tue, 21 Nov 2023 11:37:27 +0000
4Subject: [PATCH] Compute aggregate argument types correctly in
5
6 transformAggregateCall().
7
8transformAggregateCall() captures the datatypes of the aggregate's
9arguments immediately to construct the Aggref.aggargtypes list.
10This seems reasonable because the arguments have already been
11transformed --- but there is an edge case where they haven't been.
12Specifically, if we have an unknown-type literal in an ANY argument
13position, nothing will have been done with it earlier. But if we
14also have DISTINCT, then addTargetToGroupList() converts the literal
15to "text" type, resulting in the aggargtypes list not matching the
16actual runtime type of the argument. The end result is that the
17aggregate tries to interpret a "text" value as being of type
18"unknown", that is a zero-terminated C string. If the text value
19contains no zero bytes, this could result in disclosure of server
20memory following the text literal value.
21
22To fix, move the collection of the aggargtypes list to the end
23of transformAggregateCall(), after DISTINCT has been handled.
24This requires slightly more code, but not a great deal.
25
26Our thanks to Jingzhou Fu for reporting this problem.
27
28Security: CVE-2023-5868
29
30CVE: CVE-2023-5868
31Upstream-Status: Backport [https://github.com/postgres/postgres/commit/3b0776fde56763c549df35ce9750f3399bc710b2]
32
33Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
34
35---
36 src/backend/parser/parse_agg.c | 35 +++++++++++++++++++----------
37 src/test/regress/expected/jsonb.out | 7 ++++++
38 src/test/regress/sql/jsonb.sql | 3 +++
39 3 files changed, 33 insertions(+), 12 deletions(-)
40
41diff --git a/src/backend/parser/parse_agg.c b/src/backend/parser/parse_agg.c
42index 828cd99..90cf150 100644
43--- a/src/backend/parser/parse_agg.c
44+++ b/src/backend/parser/parse_agg.c
45@@ -110,18 +110,6 @@ transformAggregateCall(ParseState *pstate, Aggref *agg,
46 int save_next_resno;
47 ListCell *lc;
48
49- /*
50- * Before separating the args into direct and aggregated args, make a list
51- * of their data type OIDs for use later.
52- */
53- foreach(lc, args)
54- {
55- Expr *arg = (Expr *) lfirst(lc);
56-
57- argtypes = lappend_oid(argtypes, exprType((Node *) arg));
58- }
59- agg->aggargtypes = argtypes;
60-
61 if (AGGKIND_IS_ORDERED_SET(agg->aggkind))
62 {
63 /*
64@@ -233,6 +221,29 @@ transformAggregateCall(ParseState *pstate, Aggref *agg,
65 agg->aggorder = torder;
66 agg->aggdistinct = tdistinct;
67
68+ /*
69+ * Now build the aggargtypes list with the type OIDs of the direct and
70+ * aggregated args, ignoring any resjunk entries that might have been
71+ * added by ORDER BY/DISTINCT processing. We can't do this earlier
72+ * because said processing can modify some args' data types, in particular
73+ * by resolving previously-unresolved "unknown" literals.
74+ */
75+ foreach(lc, agg->aggdirectargs)
76+ {
77+ Expr *arg = (Expr *) lfirst(lc);
78+
79+ argtypes = lappend_oid(argtypes, exprType((Node *) arg));
80+ }
81+ foreach(lc, tlist)
82+ {
83+ TargetEntry *tle = (TargetEntry *) lfirst(lc);
84+
85+ if (tle->resjunk)
86+ continue; /* ignore junk */
87+ argtypes = lappend_oid(argtypes, exprType((Node *) tle->expr));
88+ }
89+ agg->aggargtypes = argtypes;
90+
91 check_agglevels_and_constraints(pstate, (Node *) agg);
92 }
93
94diff --git a/src/test/regress/expected/jsonb.out b/src/test/regress/expected/jsonb.out
95index bec355d..eb7f410 100644
96--- a/src/test/regress/expected/jsonb.out
97+++ b/src/test/regress/expected/jsonb.out
98@@ -1558,6 +1558,13 @@ SELECT jsonb_object_agg(name, type) FROM foo;
99 INSERT INTO foo VALUES (999999, NULL, 'bar');
100 SELECT jsonb_object_agg(name, type) FROM foo;
101 ERROR: field name must not be null
102+-- edge case for parser
103+SELECT jsonb_object_agg(DISTINCT 'a', 'abc');
104+ jsonb_object_agg
105+------------------
106+ {"a": "abc"}
107+(1 row)
108+
109 -- jsonb_object
110 -- empty object, one dimension
111 SELECT jsonb_object('{}');
112diff --git a/src/test/regress/sql/jsonb.sql b/src/test/regress/sql/jsonb.sql
113index f8d5960..040e1ba 100644
114--- a/src/test/regress/sql/jsonb.sql
115+++ b/src/test/regress/sql/jsonb.sql
116@@ -397,6 +397,9 @@ SELECT jsonb_object_agg(name, type) FROM foo;
117 INSERT INTO foo VALUES (999999, NULL, 'bar');
118 SELECT jsonb_object_agg(name, type) FROM foo;
119
120+-- edge case for parser
121+SELECT jsonb_object_agg(DISTINCT 'a', 'abc');
122+
123 -- jsonb_object
124
125 -- empty object, one dimension
diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2023-5869.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2023-5869.patch
new file mode 100644
index 0000000000..cef2ab2253
--- /dev/null
+++ b/meta-oe/recipes-dbs/postgresql/files/CVE-2023-5869.patch
@@ -0,0 +1,294 @@
1From 18b585155a891784ca8985f595ebc0dde94e0d43 Mon Sep 17 00:00:00 2001
2From: Tom Lane <tgl@sss.pgh.pa.us>
3Date: Tue, 21 Nov 2023 11:43:00 +0000
4Subject: [PATCH] Detect integer overflow while computing new array dimensions.
5
6array_set_element() and related functions allow an array to be
7enlarged by assigning to subscripts outside the current array bounds.
8While these places were careful to check that the new bounds are
9allowable, they neglected to consider the risk of integer overflow
10in computing the new bounds. In edge cases, we could compute new
11bounds that are invalid but get past the subsequent checks,
12allowing bad things to happen. Memory stomps that are potentially
13exploitable for arbitrary code execution are possible, and so is
14disclosure of server memory.
15
16To fix, perform the hazardous computations using overflow-detecting
17arithmetic routines, which fortunately exist in all still-supported
18branches.
19
20The test cases added for this generate (after patching) errors that
21mention the value of MaxArraySize, which is platform-dependent.
22Rather than introduce multiple expected-files, use psql's VERBOSITY
23parameter to suppress the printing of the message text. v11 psql
24lacks that parameter, so omit the tests in that branch.
25
26Our thanks to Pedro Gallegos for reporting this problem.
27
28Security: CVE-2023-5869
29
30CVE: CVE-2023-5869
31Upstream-Status: Backport [https://github.com/postgres/postgres/commit/18b585155a891784ca8985f595ebc0dde94e0d43]
32
33Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
34
35---
36 src/backend/utils/adt/arrayfuncs.c | 85 ++++++++++++++++++++++------
37 src/backend/utils/adt/arrayutils.c | 6 --
38 src/include/utils/array.h | 7 +++
39 src/test/regress/expected/arrays.out | 17 ++++++
40 src/test/regress/sql/arrays.sql | 19 +++++++
41 5 files changed, 110 insertions(+), 24 deletions(-)
42
43diff --git a/src/backend/utils/adt/arrayfuncs.c b/src/backend/utils/adt/arrayfuncs.c
44index 949737d..0071f7d 100644
45--- a/src/backend/utils/adt/arrayfuncs.c
46+++ b/src/backend/utils/adt/arrayfuncs.c
47@@ -19,6 +19,7 @@
48
49 #include "access/htup_details.h"
50 #include "catalog/pg_type.h"
51+#include "common/int.h"
52 #include "funcapi.h"
53 #include "libpq/pqformat.h"
54 #include "nodes/nodeFuncs.h"
55@@ -2334,22 +2335,38 @@ array_set_element(Datum arraydatum,
56 addedbefore = addedafter = 0;
57
58 /*
59- * Check subscripts
60+ * Check subscripts. We assume the existing subscripts passed
61+ * ArrayCheckBounds, so that dim[i] + lb[i] can be computed without
62+ * overflow. But we must beware of other overflows in our calculations of
63+ * new dim[] values.
64 */
65 if (ndim == 1)
66 {
67 if (indx[0] < lb[0])
68 {
69- addedbefore = lb[0] - indx[0];
70- dim[0] += addedbefore;
71+ /* addedbefore = lb[0] - indx[0]; */
72+ /* dim[0] += addedbefore; */
73+ if (pg_sub_s32_overflow(lb[0], indx[0], &addedbefore) ||
74+ pg_add_s32_overflow(dim[0], addedbefore, &dim[0]))
75+ ereport(ERROR,
76+ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
77+ errmsg("array size exceeds the maximum allowed (%d)",
78+ (int) MaxArraySize)));
79 lb[0] = indx[0];
80 if (addedbefore > 1)
81 newhasnulls = true; /* will insert nulls */
82 }
83 if (indx[0] >= (dim[0] + lb[0]))
84 {
85- addedafter = indx[0] - (dim[0] + lb[0]) + 1;
86- dim[0] += addedafter;
87+ /* addedafter = indx[0] - (dim[0] + lb[0]) + 1; */
88+ /* dim[0] += addedafter; */
89+ if (pg_sub_s32_overflow(indx[0], dim[0] + lb[0], &addedafter) ||
90+ pg_add_s32_overflow(addedafter, 1, &addedafter) ||
91+ pg_add_s32_overflow(dim[0], addedafter, &dim[0]))
92+ ereport(ERROR,
93+ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
94+ errmsg("array size exceeds the maximum allowed (%d)",
95+ (int) MaxArraySize)));
96 if (addedafter > 1)
97 newhasnulls = true; /* will insert nulls */
98 }
99@@ -2595,14 +2612,23 @@ array_set_element_expanded(Datum arraydatum,
100 addedbefore = addedafter = 0;
101
102 /*
103- * Check subscripts (this logic matches original array_set_element)
104+ * Check subscripts (this logic must match array_set_element). We assume
105+ * the existing subscripts passed ArrayCheckBounds, so that dim[i] + lb[i]
106+ * can be computed without overflow. But we must beware of other
107+ * overflows in our calculations of new dim[] values.
108 */
109 if (ndim == 1)
110 {
111 if (indx[0] < lb[0])
112 {
113- addedbefore = lb[0] - indx[0];
114- dim[0] += addedbefore;
115+ /* addedbefore = lb[0] - indx[0]; */
116+ /* dim[0] += addedbefore; */
117+ if (pg_sub_s32_overflow(lb[0], indx[0], &addedbefore) ||
118+ pg_add_s32_overflow(dim[0], addedbefore, &dim[0]))
119+ ereport(ERROR,
120+ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
121+ errmsg("array size exceeds the maximum allowed (%d)",
122+ (int) MaxArraySize)));
123 lb[0] = indx[0];
124 dimschanged = true;
125 if (addedbefore > 1)
126@@ -2610,8 +2636,15 @@ array_set_element_expanded(Datum arraydatum,
127 }
128 if (indx[0] >= (dim[0] + lb[0]))
129 {
130- addedafter = indx[0] - (dim[0] + lb[0]) + 1;
131- dim[0] += addedafter;
132+ /* addedafter = indx[0] - (dim[0] + lb[0]) + 1; */
133+ /* dim[0] += addedafter; */
134+ if (pg_sub_s32_overflow(indx[0], dim[0] + lb[0], &addedafter) ||
135+ pg_add_s32_overflow(addedafter, 1, &addedafter) ||
136+ pg_add_s32_overflow(dim[0], addedafter, &dim[0]))
137+ ereport(ERROR,
138+ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
139+ errmsg("array size exceeds the maximum allowed (%d)",
140+ (int) MaxArraySize)));
141 dimschanged = true;
142 if (addedafter > 1)
143 newhasnulls = true; /* will insert nulls */
144@@ -2894,7 +2927,10 @@ array_set_slice(Datum arraydatum,
145 addedbefore = addedafter = 0;
146
147 /*
148- * Check subscripts
149+ * Check subscripts. We assume the existing subscripts passed
150+ * ArrayCheckBounds, so that dim[i] + lb[i] can be computed without
151+ * overflow. But we must beware of other overflows in our calculations of
152+ * new dim[] values.
153 */
154 if (ndim == 1)
155 {
156@@ -2909,18 +2945,31 @@ array_set_slice(Datum arraydatum,
157 errmsg("upper bound cannot be less than lower bound")));
158 if (lowerIndx[0] < lb[0])
159 {
160- if (upperIndx[0] < lb[0] - 1)
161- newhasnulls = true; /* will insert nulls */
162- addedbefore = lb[0] - lowerIndx[0];
163- dim[0] += addedbefore;
164+ /* addedbefore = lb[0] - lowerIndx[0]; */
165+ /* dim[0] += addedbefore; */
166+ if (pg_sub_s32_overflow(lb[0], lowerIndx[0], &addedbefore) ||
167+ pg_add_s32_overflow(dim[0], addedbefore, &dim[0]))
168+ ereport(ERROR,
169+ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
170+ errmsg("array size exceeds the maximum allowed (%d)",
171+ (int) MaxArraySize)));
172 lb[0] = lowerIndx[0];
173+ if (addedbefore > 1)
174+ newhasnulls = true; /* will insert nulls */
175 }
176 if (upperIndx[0] >= (dim[0] + lb[0]))
177 {
178- if (lowerIndx[0] > (dim[0] + lb[0]))
179+ /* addedafter = upperIndx[0] - (dim[0] + lb[0]) + 1; */
180+ /* dim[0] += addedafter; */
181+ if (pg_sub_s32_overflow(upperIndx[0], dim[0] + lb[0], &addedafter) ||
182+ pg_add_s32_overflow(addedafter, 1, &addedafter) ||
183+ pg_add_s32_overflow(dim[0], addedafter, &dim[0]))
184+ ereport(ERROR,
185+ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
186+ errmsg("array size exceeds the maximum allowed (%d)",
187+ (int) MaxArraySize)));
188+ if (addedafter > 1)
189 newhasnulls = true; /* will insert nulls */
190- addedafter = upperIndx[0] - (dim[0] + lb[0]) + 1;
191- dim[0] += addedafter;
192 }
193 }
194 else
195diff --git a/src/backend/utils/adt/arrayutils.c b/src/backend/utils/adt/arrayutils.c
196index 6988edd..fdaf712 100644
197--- a/src/backend/utils/adt/arrayutils.c
198+++ b/src/backend/utils/adt/arrayutils.c
199@@ -64,10 +64,6 @@ ArrayGetOffset0(int n, const int *tup, const int *scale)
200 * This must do overflow checking, since it is used to validate that a user
201 * dimensionality request doesn't overflow what we can handle.
202 *
203- * We limit array sizes to at most about a quarter billion elements,
204- * so that it's not necessary to check for overflow in quite so many
205- * places --- for instance when palloc'ing Datum arrays.
206- *
207 * The multiplication overflow check only works on machines that have int64
208 * arithmetic, but that is nearly all platforms these days, and doing check
209 * divides for those that don't seems way too expensive.
210@@ -78,8 +74,6 @@ ArrayGetNItems(int ndim, const int *dims)
211 int32 ret;
212 int i;
213
214-#define MaxArraySize ((Size) (MaxAllocSize / sizeof(Datum)))
215-
216 if (ndim <= 0)
217 return 0;
218 ret = 1;
219diff --git a/src/include/utils/array.h b/src/include/utils/array.h
220index 4ae6c3b..0d6db51 100644
221--- a/src/include/utils/array.h
222+++ b/src/include/utils/array.h
223@@ -74,6 +74,13 @@ struct ExprContext;
224 */
225 #define MAXDIM 6
226
227+/*
228+ * Maximum number of elements in an array. We limit this to at most about a
229+ * quarter billion elements, so that it's not necessary to check for overflow
230+ * in quite so many places --- for instance when palloc'ing Datum arrays.
231+ */
232+#define MaxArraySize ((Size) (MaxAllocSize / sizeof(Datum)))
233+
234 /*
235 * Arrays are varlena objects, so must meet the varlena convention that
236 * the first int32 of the object contains the total object size in bytes.
237diff --git a/src/test/regress/expected/arrays.out b/src/test/regress/expected/arrays.out
238index 4923cf3..7f9b693 100644
239--- a/src/test/regress/expected/arrays.out
240+++ b/src/test/regress/expected/arrays.out
241@@ -1380,6 +1380,23 @@ insert into arr_pk_tbl(pk, f1[1:2]) values (1, '{6,7,8}') on conflict (pk)
242 -- then you didn't get an indexscan plan, and something is busted.
243 reset enable_seqscan;
244 reset enable_bitmapscan;
245+-- test subscript overflow detection
246+-- The normal error message includes a platform-dependent limit,
247+-- so suppress it to avoid needing multiple expected-files.
248+\set VERBOSITY sqlstate
249+insert into arr_pk_tbl values(10, '[-2147483648:-2147483647]={1,2}');
250+update arr_pk_tbl set f1[2147483647] = 42 where pk = 10;
251+ERROR: 54000
252+update arr_pk_tbl set f1[2147483646:2147483647] = array[4,2] where pk = 10;
253+ERROR: 54000
254+-- also exercise the expanded-array case
255+do $$ declare a int[];
256+begin
257+ a := '[-2147483648:-2147483647]={1,2}'::int[];
258+ a[2147483647] := 42;
259+end $$;
260+ERROR: 54000
261+\set VERBOSITY default
262 -- test [not] (like|ilike) (any|all) (...)
263 select 'foo' like any (array['%a', '%o']); -- t
264 ?column?
265diff --git a/src/test/regress/sql/arrays.sql b/src/test/regress/sql/arrays.sql
266index 5eedc4c..3ad8bdf 100644
267--- a/src/test/regress/sql/arrays.sql
268+++ b/src/test/regress/sql/arrays.sql
269@@ -415,6 +415,25 @@ insert into arr_pk_tbl(pk, f1[1:2]) values (1, '{6,7,8}') on conflict (pk)
270 reset enable_seqscan;
271 reset enable_bitmapscan;
272
273+-- test subscript overflow detection
274+
275+-- The normal error message includes a platform-dependent limit,
276+-- so suppress it to avoid needing multiple expected-files.
277+\set VERBOSITY sqlstate
278+
279+insert into arr_pk_tbl values(10, '[-2147483648:-2147483647]={1,2}');
280+update arr_pk_tbl set f1[2147483647] = 42 where pk = 10;
281+update arr_pk_tbl set f1[2147483646:2147483647] = array[4,2] where pk = 10;
282+
283+-- also exercise the expanded-array case
284+do $$ declare a int[];
285+begin
286+ a := '[-2147483648:-2147483647]={1,2}'::int[];
287+ a[2147483647] := 42;
288+end $$;
289+
290+\set VERBOSITY default
291+
292 -- test [not] (like|ilike) (any|all) (...)
293 select 'foo' like any (array['%a', '%o']); -- t
294 select 'foo' like any (array['%a', '%b']); -- f
diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2023-5870.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2023-5870.patch
new file mode 100644
index 0000000000..b1a16e4660
--- /dev/null
+++ b/meta-oe/recipes-dbs/postgresql/files/CVE-2023-5870.patch
@@ -0,0 +1,108 @@
1From 3a9b18b3095366cd0c4305441d426d04572d88c1 Mon Sep 17 00:00:00 2001
2From: Noah Misch <noah@leadboat.com>
3Date: Tue, 21 Nov 2023 11:49:50 +0000
4Subject: [PATCH] Ban role pg_signal_backend from more superuser backend types.
5
6Documentation says it cannot signal "a backend owned by a superuser".
7On the contrary, it could signal background workers, including the
8logical replication launcher. It could signal autovacuum workers and
9the autovacuum launcher. Block all that. Signaling autovacuum workers
10and those two launchers doesn't stall progress beyond what one could
11achieve other ways. If a cluster uses a non-core extension with a
12background worker that does not auto-restart, this could create a denial
13of service with respect to that background worker. A background worker
14with bugs in its code for responding to terminations or cancellations
15could experience those bugs at a time the pg_signal_backend member
16chooses. Back-patch to v11 (all supported versions).
17
18Reviewed by Jelte Fennema-Nio. Reported by Hemanth Sandrana and
19Mahendrakar Srinivasarao.
20
21Security: CVE-2023-5870
22
23CVE: CVE-2023-5870
24Upstream-Status: Backport [https://github.com/postgres/postgres/commit/3a9b18b3095366cd0c4305441d426d04572d88c1]
25
26Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
27
28---
29 src/backend/storage/ipc/signalfuncs.c | 9 +++++++--
30 src/test/regress/expected/privileges.out | 18 ++++++++++++++++++
31 src/test/regress/sql/privileges.sql | 15 +++++++++++++++
32 3 files changed, 40 insertions(+), 2 deletions(-)
33
34diff --git a/src/backend/storage/ipc/signalfuncs.c b/src/backend/storage/ipc/signalfuncs.c
35index de69d60..b6ff412 100644
36--- a/src/backend/storage/ipc/signalfuncs.c
37+++ b/src/backend/storage/ipc/signalfuncs.c
38@@ -69,8 +69,13 @@ pg_signal_backend(int pid, int sig)
39 return SIGNAL_BACKEND_ERROR;
40 }
41
42- /* Only allow superusers to signal superuser-owned backends. */
43- if (superuser_arg(proc->roleId) && !superuser())
44+ /*
45+ * Only allow superusers to signal superuser-owned backends. Any process
46+ * not advertising a role might have the importance of a superuser-owned
47+ * backend, so treat it that way.
48+ */
49+ if ((!OidIsValid(proc->roleId) || superuser_arg(proc->roleId)) &&
50+ !superuser())
51 return SIGNAL_BACKEND_NOSUPERUSER;
52
53 /* Users can signal backends they have role membership in. */
54diff --git a/src/test/regress/expected/privileges.out b/src/test/regress/expected/privileges.out
55index b3c3b25..90e70f9 100644
56--- a/src/test/regress/expected/privileges.out
57+++ b/src/test/regress/expected/privileges.out
58@@ -1846,6 +1846,24 @@ SELECT * FROM pg_largeobject LIMIT 0;
59 SET SESSION AUTHORIZATION regress_priv_user1;
60 SELECT * FROM pg_largeobject LIMIT 0; -- to be denied
61 ERROR: permission denied for table pg_largeobject
62+-- pg_signal_backend can't signal superusers
63+RESET SESSION AUTHORIZATION;
64+BEGIN;
65+CREATE OR REPLACE FUNCTION terminate_nothrow(pid int) RETURNS bool
66+ LANGUAGE plpgsql SECURITY DEFINER SET client_min_messages = error AS $$
67+BEGIN
68+ RETURN pg_terminate_backend($1);
69+EXCEPTION WHEN OTHERS THEN
70+ RETURN false;
71+END$$;
72+ALTER FUNCTION terminate_nothrow OWNER TO pg_signal_backend;
73+SELECT backend_type FROM pg_stat_activity
74+WHERE CASE WHEN COALESCE(usesysid, 10) = 10 THEN terminate_nothrow(pid) END;
75+ backend_type
76+--------------
77+(0 rows)
78+
79+ROLLBACK;
80 -- test pg_database_owner
81 RESET SESSION AUTHORIZATION;
82 GRANT pg_database_owner TO regress_priv_user1;
83diff --git a/src/test/regress/sql/privileges.sql b/src/test/regress/sql/privileges.sql
84index af05f95..f96143e 100644
85--- a/src/test/regress/sql/privileges.sql
86+++ b/src/test/regress/sql/privileges.sql
87@@ -1133,6 +1133,21 @@ SELECT * FROM pg_largeobject LIMIT 0;
88 SET SESSION AUTHORIZATION regress_priv_user1;
89 SELECT * FROM pg_largeobject LIMIT 0; -- to be denied
90
91+-- pg_signal_backend can't signal superusers
92+RESET SESSION AUTHORIZATION;
93+BEGIN;
94+CREATE OR REPLACE FUNCTION terminate_nothrow(pid int) RETURNS bool
95+ LANGUAGE plpgsql SECURITY DEFINER SET client_min_messages = error AS $$
96+BEGIN
97+ RETURN pg_terminate_backend($1);
98+EXCEPTION WHEN OTHERS THEN
99+ RETURN false;
100+END$$;
101+ALTER FUNCTION terminate_nothrow OWNER TO pg_signal_backend;
102+SELECT backend_type FROM pg_stat_activity
103+WHERE CASE WHEN COALESCE(usesysid, 10) = 10 THEN terminate_nothrow(pid) END;
104+ROLLBACK;
105+
106 -- test pg_database_owner
107 RESET SESSION AUTHORIZATION;
108 GRANT pg_database_owner TO regress_priv_user1;
diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_14.9.bb b/meta-oe/recipes-dbs/postgresql/postgresql_14.9.bb
index f779ea7abd..a879de20cc 100644
--- a/meta-oe/recipes-dbs/postgresql/postgresql_14.9.bb
+++ b/meta-oe/recipes-dbs/postgresql/postgresql_14.9.bb
@@ -9,6 +9,9 @@ SRC_URI += "\
9 file://0001-configure.ac-bypass-autoconf-2.69-version-check.patch \ 9 file://0001-configure.ac-bypass-autoconf-2.69-version-check.patch \
10 file://0001-config_info.c-not-expose-build-info.patch \ 10 file://0001-config_info.c-not-expose-build-info.patch \
11 file://0001-postgresql-fix-ptest-failure-of-sysviews.patch \ 11 file://0001-postgresql-fix-ptest-failure-of-sysviews.patch \
12 file://CVE-2023-5868.patch \
13 file://CVE-2023-5869.patch \
14 file://CVE-2023-5870.patch \
12" 15"
13 16
14SRC_URI[sha256sum] = "b1fe3ba9b1a7f3a9637dd1656dfdad2889016073fd4d35f13b50143cbbb6a8ef" 17SRC_URI[sha256sum] = "b1fe3ba9b1a7f3a9637dd1656dfdad2889016073fd4d35f13b50143cbbb6a8ef"
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2026-05-26 10:14:41 +0000