packages/postgresql
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

13.12

Browse Source
This commit is contained in:
root 2023-08-11 01:52:20 +08:00
parent b1def38479
commit af018a44a4
11 changed files with 192 additions and 257 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

108
CVE-2021-23214.patch
View File

@ -1,108 +0,0 @@
From e92ed93e8eb76ee0701b42d4f0ce94e6af3fc741 Mon Sep 17 00:00:00 2001
From: Tom Lane <tgl@sss.pgh.pa.us>
Date: Mon, 8 Nov 2021 11:01:43 -0500
Subject: [PATCH] Reject extraneous data after SSL or GSS encryption handshake.
The server collects up to a bufferload of data whenever it reads data
from the client socket. When SSL or GSS encryption is requested
during startup, any additional data received with the initial
request message remained in the buffer, and would be treated as
already-decrypted data once the encryption handshake completed.
Thus, a man-in-the-middle with the ability to inject data into the
TCP connection could stuff some cleartext data into the start of
a supposedly encryption-protected database session.
This could be abused to send faked SQL commands to the server,
although that would only work if the server did not demand any
authentication data. (However, a server relying on SSL certificate
authentication might well not do so.)
To fix, throw a protocol-violation error if the internal buffer
is not empty after the encryption handshake.
Our thanks to Jacob Champion for reporting this problem.
Security: CVE-2021-23214
---
src/backend/libpq/pqcomm.c | 12 ++++++++++++
src/backend/postmaster/postmaster.c | 24 ++++++++++++++++++++++++
src/include/libpq/libpq.h | 1 +
3 files changed, 37 insertions(+)
diff --git a/src/backend/libpq/pqcomm.c b/src/backend/libpq/pqcomm.c
index ee2cd86866da..93f2e0b81d32 100644
--- a/src/backend/libpq/pqcomm.c
+++ b/src/backend/libpq/pqcomm.c
@@ -1183,6 +1183,18 @@ pq_getstring(StringInfo s)
}
}
+/* --------------------------------
+ * pq_buffer_has_data - is any buffered data available to read?
+ *
+ * This will *not* attempt to read more data.
+ * --------------------------------
+ */
+bool
+pq_buffer_has_data(void)
+{
+ return (PqRecvPointer < PqRecvLength);
+}
+
/* --------------------------------
* pq_startmsgread - begin reading a message from the client.
diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c
index 5775fc0c0910..1e0936e5b482 100644
--- a/src/backend/postmaster/postmaster.c
+++ b/src/backend/postmaster/postmaster.c
@@ -2049,6 +2049,18 @@ ProcessStartupPacket(Port *port, bool ssl_done, bool gss_done)
return STATUS_ERROR;
#endif
+ /*
+ * At this point we should have no data already buffered. If we do,
+ * it was received before we performed the SSL handshake, so it wasn't
+ * encrypted and indeed may have been injected by a man-in-the-middle.
+ * We report this case to the client.
+ */
+ if (pq_buffer_has_data())
+ ereport(FATAL,
+ (errcode(ERRCODE_PROTOCOL_VIOLATION),
+ errmsg("received unencrypted data after SSL request"),
+ errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack.")));
+
/*
* regular startup packet, cancel, etc packet should follow, but not
* another SSL negotiation request, and a GSS request should only
@@ -2081,6 +2093,18 @@ ProcessStartupPacket(Port *port, bool ssl_done, bool gss_done)
return STATUS_ERROR;
#endif
+ /*
+ * At this point we should have no data already buffered. If we do,
+ * it was received before we performed the GSS handshake, so it wasn't
+ * encrypted and indeed may have been injected by a man-in-the-middle.
+ * We report this case to the client.
+ */
+ if (pq_buffer_has_data())
+ ereport(FATAL,
+ (errcode(ERRCODE_PROTOCOL_VIOLATION),
+ errmsg("received unencrypted data after GSSAPI encryption request"),
+ errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack.")));
+
/*
* regular startup packet, cancel, etc packet should follow, but not
* another GSS negotiation request, and an SSL request should only
diff --git a/src/include/libpq/libpq.h b/src/include/libpq/libpq.h
index b1152475ace5..54c5fa779773 100644
--- a/src/include/libpq/libpq.h
+++ b/src/include/libpq/libpq.h
@@ -72,6 +72,7 @@ extern int pq_getmessage(StringInfo s, int maxlen);
extern int pq_getbyte(void);
extern int pq_peekbyte(void);
extern int pq_getbyte_if_available(unsigned char *c);
+extern bool pq_buffer_has_data(void);
extern int pq_putbytes(const char *s, size_t len);
/*

123
CVE-2021-23222.patch
View File

@ -1,123 +0,0 @@
From 844b3169204c28cd086c1b4fae4a2cbdd0540640 Mon Sep 17 00:00:00 2001
From: Tom Lane <tgl@sss.pgh.pa.us>
Date: Mon, 8 Nov 2021 11:14:56 -0500
Subject: [PATCH] libpq: reject extraneous data after SSL or GSS encryption
handshake.
libpq collects up to a bufferload of data whenever it reads data from
the socket. When SSL or GSS encryption is requested during startup,
any additional data received with the server's yes-or-no reply
remained in the buffer, and would be treated as already-decrypted data
once the encryption handshake completed. Thus, a man-in-the-middle
with the ability to inject data into the TCP connection could stuff
some cleartext data into the start of a supposedly encryption-protected
database session.
This could probably be abused to inject faked responses to the
client's first few queries, although other details of libpq's behavior
make that harder than it sounds. A different line of attack is to
exfiltrate the client's password, or other sensitive data that might
be sent early in the session. That has been shown to be possible with
a server vulnerable to CVE-2021-23214.
To fix, throw a protocol-violation error if the internal buffer
is not empty after the encryption handshake.
Our thanks to Jacob Champion for reporting this problem.
Security: CVE-2021-23222
---
doc/src/sgml/protocol.sgml | 28 ++++++++++++++++++++++++++++
src/interfaces/libpq/fe-connect.c | 26 ++++++++++++++++++++++++++
2 files changed, 54 insertions(+)
diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
index e26619e1b53d..b692648fca47 100644
--- a/doc/src/sgml/protocol.sgml
+++ b/doc/src/sgml/protocol.sgml
@@ -1471,6 +1471,20 @@ SELCT 1/0;<!-- this typo is intentional -->
and proceed without requesting <acronym>SSL</acronym>.
</para>
+ <para>
+ When <acronym>SSL</acronym> encryption can be performed, the server
+ is expected to send only the single <literal>S</literal> byte and then
+ wait for the frontend to initiate an <acronym>SSL</acronym> handshake.
+ If additional bytes are available to read at this point, it likely
+ means that a man-in-the-middle is attempting to perform a
+ buffer-stuffing attack
+ (<ulink url="https://www.postgresql.org/support/security/CVE-2021-23222/">CVE-2021-23222</ulink>).
+ Frontends should be coded either to read exactly one byte from the
+ socket before turning the socket over to their SSL library, or to
+ treat it as a protocol violation if they find they have read additional
+ bytes.
+ </para>
+
<para>
An initial SSLRequest can also be used in a connection that is being
opened to send a CancelRequest message.
@@ -1532,6 +1546,20 @@ SELCT 1/0;<!-- this typo is intentional -->
encryption.
</para>
+ <para>
+ When <acronym>GSSAPI</acronym> encryption can be performed, the server
+ is expected to send only the single <literal>G</literal> byte and then
+ wait for the frontend to initiate a <acronym>GSSAPI</acronym> handshake.
+ If additional bytes are available to read at this point, it likely
+ means that a man-in-the-middle is attempting to perform a
+ buffer-stuffing attack
+ (<ulink url="https://www.postgresql.org/support/security/CVE-2021-23222/">CVE-2021-23222</ulink>).
+ Frontends should be coded either to read exactly one byte from the
+ socket before turning the socket over to their GSSAPI library, or to
+ treat it as a protocol violation if they find they have read additional
+ bytes.
+ </para>
+
<para>
An initial GSSENCRequest can also be used in a connection that is being
opened to send a CancelRequest message.
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index f80f4e98d8e0..57aee9518308 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -3076,6 +3076,19 @@ PQconnectPoll(PGconn *conn)
pollres = pqsecure_open_client(conn);
if (pollres == PGRES_POLLING_OK)
{
+ /*
+ * At this point we should have no data already buffered.
+ * If we do, it was received before we performed the SSL
+ * handshake, so it wasn't encrypted and indeed may have
+ * been injected by a man-in-the-middle.
+ */
+ if (conn->inCursor != conn->inEnd)
+ {
+ appendPQExpBufferStr(&conn->errorMessage,
+ libpq_gettext("received unencrypted data after SSL response\n"));
+ goto error_return;
+ }
+
/* SSL handshake done, ready to send startup packet */
conn->status = CONNECTION_MADE;
return PGRES_POLLING_WRITING;
@@ -3175,6 +3188,19 @@ PQconnectPoll(PGconn *conn)
pollres = pqsecure_open_gss(conn);
if (pollres == PGRES_POLLING_OK)
{
+ /*
+ * At this point we should have no data already buffered.
+ * If we do, it was received before we performed the GSS
+ * handshake, so it wasn't encrypted and indeed may have
+ * been injected by a man-in-the-middle.
+ */
+ if (conn->inCursor != conn->inEnd)
+ {
+ appendPQExpBufferStr(&conn->errorMessage,
+ libpq_gettext("received unencrypted data after GSSAPI encryption response\n"));
+ goto error_return;
+ }
+
/* All set for startup packet */
conn->status = CONNECTION_MADE;
return PGRES_POLLING_WRITING;

BIN
postgresql-13.3.tar.bz2 → postgresql-12.16.tar.bz2
View File

Binary file not shown.

1
postgresql-12.16.tar.bz2.sha256 Normal file
View File

@ -0,0 +1 @@
c5f1fff7a0f93e1ec3746417b0594290ece617b4995ed95b8d527af0ba0e38f3 postgresql-12.16.tar.bz2

1
postgresql-12.7.tar.bz2.sha256
View File

@ -1 +0,0 @@
8490741f47c88edc8b6624af009ce19fda4dc9b31c4469ce2551d84075d5d995 postgresql-12.7.tar.bz2

BIN
postgresql-13.3-US.pdf → postgresql-13.12-US.pdf
View File

Binary file not shown.

BIN
postgresql-12.7.tar.bz2 → postgresql-13.12.tar.bz2
View File

Binary file not shown.

1
postgresql-13.12.tar.bz2.sha256 Normal file
View File

@ -0,0 +1 @@
0da1edcee3514b7bc7ba6dbaf0c00499e8ac1590668e8789c50253a6249f218b postgresql-13.12.tar.bz2

1
postgresql-13.3.tar.bz2.sha256
View File

@ -1 +0,0 @@
3cd9454fa8c7a6255b6743b767700925ead1b9ab0d7a0f9dcb1151010f8eb4a1 postgresql-13.3.tar.bz2

102
postgresql-pgcrypto-openssl3-tests.patch Normal file
View File

@ -0,0 +1,102 @@
diff -ur postgresql-13.4/contrib/pgcrypto/expected/pgp-decrypt.out postgresql-13.4.patched/contrib/pgcrypto/expected/pgp-decrypt.out
--- postgresql-13.4/contrib/pgcrypto/expected/pgp-decrypt.out 2021-08-09 16:49:05.000000000 -0400
+++ postgresql-13.4.patched/contrib/pgcrypto/expected/pgp-decrypt.out 2021-09-01 08:16:48.138600886 -0400
@@ -4,20 +4,6 @@
-- Checking ciphers
select pgp_sym_decrypt(dearmor('
-----BEGIN PGP MESSAGE-----
-Comment: dat1.blowfish.sha1.mdc.s2k3.z0
-
-jA0EBAMCfFNwxnvodX9g0jwB4n4s26/g5VmKzVab1bX1SmwY7gvgvlWdF3jKisvS
-yA6Ce1QTMK3KdL2MPfamsTUSAML8huCJMwYQFfE=
-=JcP+
------END PGP MESSAGE-----
-'), 'foobar');
- pgp_sym_decrypt
------------------
- Secret message.
-(1 row)
-
-select pgp_sym_decrypt(dearmor('
------BEGIN PGP MESSAGE-----
Comment: dat1.aes.sha1.mdc.s2k3.z0
jA0EBwMCci97v0Q6Z0Zg0kQBsVf5Oe3iC+FBzUmuMV9KxmAyOMyjCc/5i8f1Eest
diff -ur postgresql-13.4/contrib/pgcrypto/expected/pgp-pubkey-decrypt.out postgresql-13.4.patched/contrib/pgcrypto/expected/pgp-pubkey-decrypt.out
--- postgresql-13.4/contrib/pgcrypto/expected/pgp-pubkey-decrypt.out 2021-08-09 16:49:05.000000000 -0400
+++ postgresql-13.4.patched/contrib/pgcrypto/expected/pgp-pubkey-decrypt.out 2021-09-01 08:05:27.750172653 -0400
@@ -594,13 +594,6 @@
(1 row)
select pgp_pub_decrypt(dearmor(data), dearmor(seckey))
-from keytbl, encdata where keytbl.id=2 and encdata.id=2;
- pgp_pub_decrypt
------------------
- Secret msg
-(1 row)
-
-select pgp_pub_decrypt(dearmor(data), dearmor(seckey))
from keytbl, encdata where keytbl.id=3 and encdata.id=3;
pgp_pub_decrypt
-----------------
diff -ur postgresql-13.4/contrib/pgcrypto/Makefile postgresql-13.4.patched/contrib/pgcrypto/Makefile
--- postgresql-13.4/contrib/pgcrypto/Makefile 2021-08-09 16:49:05.000000000 -0400
+++ postgresql-13.4.patched/contrib/pgcrypto/Makefile 2021-09-01 08:26:47.207164873 -0400
@@ -5,7 +5,7 @@
INT_TESTS = sha2
OSSL_SRCS = openssl.c pgp-mpi-openssl.c
-OSSL_TESTS = sha2 des 3des cast5
+OSSL_TESTS = sha2
ZLIB_TST = pgp-compression
ZLIB_OFF_TST = pgp-zlib-DISABLED
@@ -49,12 +49,13 @@
pgcrypto--1.0--1.1.sql
PGFILEDESC = "pgcrypto - cryptographic functions"
-REGRESS = init md5 sha1 hmac-md5 hmac-sha1 blowfish rijndael \
+REGRESS = init md5 sha1 hmac-md5 hmac-sha1 rijndael \
$(CF_TESTS) \
- crypt-des crypt-md5 crypt-blowfish crypt-xdes \
+ crypt-md5 \
pgp-armor pgp-decrypt pgp-encrypt $(CF_PGP_TESTS) \
pgp-pubkey-decrypt pgp-pubkey-encrypt pgp-info
+#REGRESS = init pgp-pubkey-decrypt pgp-decrypt \
EXTRA_CLEAN = gen-rtab
ifdef USE_PGXS
diff -ur postgresql-13.4/contrib/pgcrypto/sql/pgp-decrypt.sql postgresql-13.4.patched/contrib/pgcrypto/sql/pgp-decrypt.sql
--- postgresql-13.4/contrib/pgcrypto/sql/pgp-decrypt.sql 2021-08-09 16:49:05.000000000 -0400
+++ postgresql-13.4.patched/contrib/pgcrypto/sql/pgp-decrypt.sql 2021-09-01 08:16:12.525212175 -0400
@@ -5,16 +5,6 @@
-- Checking ciphers
select pgp_sym_decrypt(dearmor('
-----BEGIN PGP MESSAGE-----
-Comment: dat1.blowfish.sha1.mdc.s2k3.z0
-
-jA0EBAMCfFNwxnvodX9g0jwB4n4s26/g5VmKzVab1bX1SmwY7gvgvlWdF3jKisvS
-yA6Ce1QTMK3KdL2MPfamsTUSAML8huCJMwYQFfE=
-=JcP+
------END PGP MESSAGE-----
-'), 'foobar');
-
-select pgp_sym_decrypt(dearmor('
------BEGIN PGP MESSAGE-----
Comment: dat1.aes.sha1.mdc.s2k3.z0
jA0EBwMCci97v0Q6Z0Zg0kQBsVf5Oe3iC+FBzUmuMV9KxmAyOMyjCc/5i8f1Eest
diff -ur postgresql-13.4/contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql postgresql-13.4.patched/contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql
--- postgresql-13.4/contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql 2021-08-09 16:49:05.000000000 -0400
+++ postgresql-13.4.patched/contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql 2021-09-01 08:06:18.963732342 -0400
@@ -606,9 +606,6 @@
from keytbl, encdata where keytbl.id=1 and encdata.id=1;
select pgp_pub_decrypt(dearmor(data), dearmor(seckey))
-from keytbl, encdata where keytbl.id=2 and encdata.id=2;
-
-select pgp_pub_decrypt(dearmor(data), dearmor(seckey))
from keytbl, encdata where keytbl.id=3 and encdata.id=3;
select pgp_pub_decrypt(dearmor(data), dearmor(seckey))

112
postgresql.spec
View File

@ -1,6 +1,6 @@
%{!?beta:%global beta 0}
%{!?test:%global test 1}
%ifarch riscv64
%ifarch riscv64 loongarch64
# Fail to pass tests on riscv64
%{!?llvmjit:%global llvmjit 0}
%else
@ -35,8 +35,8 @@
Summary: PostgreSQL client programs
Name: postgresql
%global majorversion 13
Version: %{majorversion}.3
Release: 7
Version: %{majorversion}.12
Release: 1
# The PostgreSQL license is very similar to other MIT licenses, but the OSI
# recognizes it as an independent license, so we do as well.
@ -44,7 +44,7 @@ License: PostgreSQL
Url: http://www.postgresql.org/
%global prevmajorversion 12
%global prevversion %{prevmajorversion}.7
%global prevversion %{prevmajorversion}.16
%global prev_prefix %{_libdir}/pgsql/postgresql-%{prevmajorversion}
%global precise_version %{?epoch:%epoch:}%version-%release
@ -80,10 +80,10 @@ Patch8: postgresql-external-libpq.patch
Patch9: postgresql-server-pg_config.patch
Patch10: postgresql-no-libecpg.patch
Patch11: postgresql-datalayout-mismatch-on-s390.patch
Patch12: CVE-2021-23214.patch
Patch13: CVE-2021-23222.patch
Patch14: postgresql-subtransaction-test.patch
Patch15: postgresql-13.3-sw.patch
Patch17: postgresql-pgcrypto-openssl3-tests.patch
BuildRequires: gcc
BuildRequires: perl(ExtUtils::MakeMaker) glibc-devel bison flex gawk
@ -163,6 +163,36 @@ PostgreSQL server, or on a remote machine that accesses a PostgreSQL server
over a network connection. The PostgreSQL server can be found in the
postgresql-server sub-package.
%if ! %external_libpq
%package private-libs
Summary: The shared libraries required only for this build of PostgreSQL server
Group: Applications/Databases
# for /sbin/ldconfig
Requires(post): glibc
Requires(postun): glibc
%description private-libs
The postgresql-private-libs package provides the shared libraries for this
build of PostgreSQL server and plugins build with this version of server.
For shared libraries used by client packages that need to connect to a
PostgreSQL server, install libpq package instead.
%package private-devel
Summary: PostgreSQL development header files for this build of PostgreSQL server
Group: Development/Libraries
Requires: %{name}-private-libs%{?_isa} = %precise_version
# Conflict is desired here, a user must pick one or another
Conflicts: libpq-devel
%description private-devel
The postgresql-private-devel package contains the header files and libraries
needed to compile C or C++ applications which will directly interact
with a PostgreSQL database management server.
You need to install this package if you want to develop applications which
will interact with a PostgreSQL server.
%endif
%package server
Summary: The programs needed to create and run a PostgreSQL server
@ -345,23 +375,21 @@ goal of accelerating analytics queries.
%endif
)
%setup -q -a 12 -n postgresql-%{version}
%patch1 -p1
%patch2 -p1
%patch5 -p1
%patch6 -p1
%patch -P 1 -p1
%patch -P 2 -p1
%patch -P 5 -p1
%patch -P 6 -p1
%if %external_libpq
%patch8 -p1
%patch -P 8 -p1
%else
%patch10 -p1
%patch -P 10 -p1
%endif
%patch9 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch -P 9 -p1
%patch -P 11 -p1
%ifarch sw_64
%patch15 -p1
%patch -P 15 -p1
%endif
%patch -P 17 -p1
# We used to run autoconf here, but there's no longer any real need to,
# since Postgres ships with a reasonably modern configure script.
@ -428,7 +456,7 @@ export CFLAGS
# since that's still considered the default plpython version.
common_configure_options='
--disable-rpath
%ifarch riscv64
%ifarch riscv64 loongarch64
--disable-spinlocks
%endif
%if %beta
@ -620,7 +648,7 @@ upgrade_configure ()
--host=%{_host} \
--prefix=%prev_prefix \
--disable-rpath \
%ifarch riscv64
%ifarch riscv64 loongarch64
--disable-spinlocks \
%endif
%if %beta
@ -690,6 +718,16 @@ make DESTDIR=$RPM_BUILD_ROOT install-world
# We ship pg_config through libpq-devel
mv $RPM_BUILD_ROOT/%_mandir/man1/pg_{,server_}config.1
%if %external_libpq
rm $RPM_BUILD_ROOT/%_includedir/pg_config*.h
rm $RPM_BUILD_ROOT/%_includedir/libpq/libpq-fs.h
rm $RPM_BUILD_ROOT/%_includedir/postgres_ext.h
rm -r $RPM_BUILD_ROOT/%_includedir/pgsql/internal/
%else
ln -s pg_server_config $RPM_BUILD_ROOT/%_bindir/pg_config
rm $RPM_BUILD_ROOT/%{_libdir}/libpq.a
%endif
%if %plpython3
mv src/Makefile.global src/Makefile.global.save
@ -1163,14 +1201,29 @@ make -C postgresql-setup-%{setup_version} check
%dir %{_includedir}/pgsql
%{_includedir}/pgsql/server
%{_libdir}/pgsql/pgxs/
%{_includedir}/*
%{_libdir}/{pgsql/pgxs/,pkgconfig/*.pc}
%{_libdir}/{libecpg,libecpg_compat,libpgtypes,libpq}.so*
%{_libdir}/libpq.a
%{_mandir}/man1/pg_server_config.*
%{_mandir}/man3/SPI_*
%{macrosdir}/macros.%name
%if ! %external_libpq
%files private-libs
%{_libdir}/libpq.so.*
%endif
%if ! %external_libpq
%files private-devel
%{_bindir}/pg_config
%{_includedir}/libpq-events.h
%{_includedir}/libpq-fe.h
%{_includedir}/postgres_ext.h
%{_includedir}/pgsql/internal/*.h
%{_includedir}/pgsql/internal/libpq/pqcomm.h
%{_includedir}/libpq/*.h
%{_libdir}/pkgconfig/*.pc
%{_libdir}/libpq.so
%{_includedir}/pg_config*.h
%endif
%files test-rpm-macros
%{_datadir}/postgresql-setup/postgresql_pkg_tests.sh
@ -1248,6 +1301,17 @@ make -C postgresql-setup-%{setup_version} check
%changelog
* Fri Aug 11 2023 Funda Wang <fundawang@yeah.net> - 13.12-1
- New version 13.12
* Fri Jun 9 2023 dillon chen <dillon.chen@gmail.com> - 13.3-8
- Fix build error for loongarch64
- Fix issue: confilct between libpq-devel and postgresql-devel
- guess init spec from redhat
- change redhat spec:rm private package and add files to server-devel
- so add delete lines to Fix issue
- Next: write oe libpq and postgresql spec by myself
* Tue Oct 25 2022 wuzx<wuzx1226@qq.com> - 13.3-7
- Add sw64 architecture