postgresql-jdbc/CVE-2022-41946.patch

From 2c22de4fc6e4a097ace36eec8b03535b5e2486fe Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Fri, 16 Jun 2023 14:00:11 +0800
Subject: [PATCH 1/1] Merge pull request from GHSA-562r-vg33-8x8h

* Fix: createTempFile vulnerability on unix like systems where temporary files can be read by other users on the system

* Update site with change logs and new version information

Origin:
https://github.com/pgjdbc/pgjdbc/commit/9008dc9aade6dbfe4efafcd6872ebc55f4699cf5
---
 src/main/java/org/postgresql/util/StreamWrapper.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/postgresql/util/StreamWrapper.java b/src/main/java/org/postgresql/util/StreamWrapper.java
index c4027ce..49f0b5d 100644
--- a/src/main/java/org/postgresql/util/StreamWrapper.java
+++ b/src/main/java/org/postgresql/util/StreamWrapper.java
@@ -17,6 +17,7 @@ import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.nio.file.Files;
 
 /**
  * Wrapper around a length-limited InputStream.
@@ -51,7 +52,7 @@ public class StreamWrapper {
 
       if (memoryLength == -1) {
         final int diskLength;
-        final File tempFile = File.createTempFile(TEMP_FILE_PREFIX, null);
+        final File tempFile = Files.createTempFile(TEMP_FILE_PREFIX, null).toFile();
         FileOutputStream diskOutputStream = new FileOutputStream(tempFile);
         diskOutputStream.write(rawData);
         try {
-- 
2.30.0