packages/postgresql-jdbc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2022-41946

Browse Source 
(cherry picked from commit a82447fb82c85c4d7e36d1433becfbeb8db15350)
This commit is contained in:
starlet-dx 2023-06-16 14:06:33 +08:00 committed by openeuler-sync-bot
parent bd855538f4
commit b0f7ee6005
2 changed files with 45 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
CVE-2022-41946.patch Normal file
View File

@ -0,0 +1,39 @@
From 2c22de4fc6e4a097ace36eec8b03535b5e2486fe Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Fri, 16 Jun 2023 14:00:11 +0800
Subject: [PATCH 1/1] Merge pull request from GHSA-562r-vg33-8x8h
* Fix: createTempFile vulnerability on unix like systems where temporary files can be read by other users on the system
* Update site with change logs and new version information
Origin:
https://github.com/pgjdbc/pgjdbc/commit/9008dc9aade6dbfe4efafcd6872ebc55f4699cf5
---
src/main/java/org/postgresql/util/StreamWrapper.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/postgresql/util/StreamWrapper.java b/src/main/java/org/postgresql/util/StreamWrapper.java
index c4027ce..49f0b5d 100644
--- a/src/main/java/org/postgresql/util/StreamWrapper.java
+++ b/src/main/java/org/postgresql/util/StreamWrapper.java
@@ -17,6 +17,7 @@ import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
+import java.nio.file.Files;
/**
* Wrapper around a length-limited InputStream.
@@ -51,7 +52,7 @@ public class StreamWrapper {
if (memoryLength == -1) {
final int diskLength;
- final File tempFile = File.createTempFile(TEMP_FILE_PREFIX, null);
+ final File tempFile = Files.createTempFile(TEMP_FILE_PREFIX, null).toFile();
FileOutputStream diskOutputStream = new FileOutputStream(tempFile);
diskOutputStream.write(rawData);
try {
--
2.30.0

7
postgresql-jdbc.spec
View File

@ -1,11 +1,12 @@
Name: postgresql-jdbc Name: postgresql-jdbc
Summary: Postgresql JDBC Driver Summary: Postgresql JDBC Driver
Version: 42.4.1 Version: 42.4.1
Release: 1 Release: 2
License: BSD License: BSD
URL: http://jdbc.postgresql.org/ URL: http://jdbc.postgresql.org/
Source0: https://repo1.maven.org/maven2/org/postgresql/postgresql/%{version}/postgresql-%{version}-jdbc-src.tar.gz Source0: https://repo1.maven.org/maven2/org/postgresql/postgresql/%{version}/postgresql-%{version}-jdbc-src.tar.gz
Patch0: CVE-2022-41946.patch
BuildRequires: maven-local java-comment-preprocessor properties-maven-plugin classloader-leak-test-framework BuildRequires: maven-local java-comment-preprocessor properties-maven-plugin classloader-leak-test-framework
BuildRequires: maven-enforcer-plugin maven-plugin-bundle maven-plugin-build-helper java-devel >= 1.8 BuildRequires: maven-enforcer-plugin maven-plugin-bundle maven-plugin-build-helper java-devel >= 1.8
@ -38,6 +39,7 @@ This package contains the API Documentation for %{name}.
%prep %prep
%setup -c -q %setup -c -q
mv postgresql-%{version}-jdbc-src/* . mv postgresql-%{version}-jdbc-src/* .
%patch0 -p1
find -type f \( -name "*.jar" -or -name "*.class" \) | xargs rm -f find -type f \( -name "*.jar" -or -name "*.class" \) | xargs rm -f
%pom_xpath_remove "pom:plugin[pom:artifactId = 'maven-shade-plugin']" %pom_xpath_remove "pom:plugin[pom:artifactId = 'maven-shade-plugin']"
%mvn_file org.postgresql:postgresql %{name}/postgresql %{name} postgresql %mvn_file org.postgresql:postgresql %{name}/postgresql %{name} postgresql
@ -78,6 +80,9 @@ find %{_buildrootdir} -name "%{name}.xml" | xargs sed -i '/pgjdbc-aggregate.pom<
%doc README.md %doc README.md
%changelog %changelog
* Fri Jun 16 2023 yaoxin <yao_xin001@hoperun.com> - 42.4.1-2
- Fix CVE-2022-41946
* Tue Aug 09 2022 yaoxin <yaoxin30@h-partners.com> - 42.4.1-1 * Tue Aug 09 2022 yaoxin <yaoxin30@h-partners.com> - 42.4.1-1
- Update to 42.4.1 to fix CVE-2022-31197 - Update to 42.4.1 to fix CVE-2022-31197