diff --git a/SOURCES/postgresql-libpq-crypto-no-callback-stomping-v2.patch b/SOURCES/postgresql-libpq-crypto-no-callback-stomping-v2.patch
new file mode 100644
index 0000000..f2933bb
--- /dev/null
+++ b/SOURCES/postgresql-libpq-crypto-no-callback-stomping-v2.patch
@@ -0,0 +1,52 @@
+Do not attempt to manage OpenSSL locking callbacks in libpq
+
+A deadlock occurs when connecting to Postgresql using SSL with postgresql-libs in
+a multi-threaded environment with other threads performing SSL independently.
+
+This issue has been causing Module Build Service (https://pagure.io/fm-orchestrator)
+outages, which is deployed on RHEL 7.4 but with the latest postgresql-libs package installed.
+
+You can find a reproducer script and a more in-depth description of the issue here:
+https://postgrespro.com/list/thread-id/1861629
+
+The upstream patch that resolves this issue is here:
+https://commitfest.postgresql.org/4/140/
+
+RHBZ: #1755154
+
+diff -ur postgresql-9.2.24/src/interfaces/libpq/fe-secure.c postgresql-patch/src/interfaces/libpq/fe-secure.c
+--- postgresql-9.2.24/src/interfaces/libpq/fe-secure.c 2017-11-06 23:17:39.000000000 +0100
++++ postgresql-patch/src/interfaces/libpq/fe-secure.c 2019-10-29 15:25:28.448918186 +0100
+@@ -941,9 +941,12 @@
+
+ if (ssl_open_connections++ == 0)
+ {
+- /* These are only required for threaded libcrypto applications */
+- CRYPTO_set_id_callback(pq_threadidcallback);
+- CRYPTO_set_locking_callback(pq_lockingcallback);
++ /* These are only required for threaded libcrypto applications, but
++ * make sure we don't stomp on them if they're already set. */
++ if (CRYPTO_get_id_callback() == NULL)
++ CRYPTO_set_id_callback(pq_threadidcallback);
++ if (CRYPTO_get_locking_callback() == NULL)
++ CRYPTO_set_locking_callback(pq_lockingcallback);
+ }
+ }
+ #endif /* HAVE_CRYPTO_LOCK */
+@@ -997,10 +1000,13 @@
+
+ if (pq_init_crypto_lib && ssl_open_connections == 0)
+ {
+- /* No connections left, unregister libcrypto callbacks */
+- CRYPTO_set_locking_callback(NULL);
+- CRYPTO_set_id_callback(NULL);
+
++ /* No connections left, unregister libcrypto callbacks, if no one
++ * registered different ones in the meantime. */
++ if (CRYPTO_get_id_callback() == pq_threadidcallback)
++ CRYPTO_set_id_callback(NULL);
++ if (CRYPTO_get_locking_callback() == pq_lockingcallback)
++ CRYPTO_set_locking_callback(NULL);
+ /*
+ * We don't free the lock array. If we get another connection in
+ * this process, we will just re-use them with the existing mutexes.
diff --git a/SPECS/postgresql.spec b/SPECS/postgresql.spec
index 1c12079..121b4a8 100644
--- a/SPECS/postgresql.spec
+++ b/SPECS/postgresql.spec
@@ -63,7 +63,7 @@ Summary: PostgreSQL client programs
 Name: postgresql
 %global majorversion 9.2
 Version: 9.2.24
-Release: 1%{?dist}
+Release: 2%{?dist}
 # The PostgreSQL license is very similar to other MIT licenses, but the OSI
 # recognizes it as an independent license, so we do as well.
@@ -135,6 +135,9 @@ Patch13: postgresql-9.2.4-upgrade-and-perm-problems.patch
 # Upstream commit: 243de06be96d6001d01f2ec7c4573aad8b657195
 Patch14: postgresql-CVE-2018-10915.patch
+# Check if callback is already set
+Patch15: postgresql-libpq-crypto-no-callback-stomping-v2.patch
+
 BuildRequires: perl(ExtUtils::MakeMaker) glibc-devel bison flex gawk help2man
 BuildRequires: perl(ExtUtils::Embed), perl-devel
 BuildRequires: readline-devel zlib-devel
@@ -373,6 +376,7 @@ benchmarks.
 %patch8 -p1
 %patch13 -p1
 %patch14 -p1
+%patch15 -p1
 # We used to run autoconf here, but there's no longer any real need to,
 # since Postgres ships with a reasonably modern configure script.
@@ -1170,6 +1174,10 @@ fi
 %endif
 %changelog
+* Tue Nov 5 2019 Filip Januš 9.2.24-2
+- Check if callback is already set
+ Resolves: #1755154
+
 * Tue Aug 14 2018 Pavel Raiskup - 9.2.24-1
 - update to the latest 9.2 release
 - fix CVE-2018-10915
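Review bot: The `CRYPTO_get_*_callback() == NULL` test followed by `CRYPTO_set_*_callback()` in the first fe-secure.c hunk (-941,9 +941,12) is a check-then-set that nothing visible here makes atomic against other libraries in the same process, so two initialisers can still both observe NULL and the later registration wins. The teardown hunk (-997,10 +1000,13) has the mirror-image gap: when libpq's own callbacks are the installed ones it clears them as soon as its last connection closes, even though another OpenSSL user that found them already set may be relying on them, which would leave libcrypto running without locking. Neither gap looks fixable from inside libpq with this callback API, so I would document the limitation at the registration site, e.g. `/* Not atomic w.r.t. other libcrypto users: applications that use OpenSSL outside libpq should install their own callbacks before opening the first connection. */`. Both enclosing functions begin and end outside the hunks, so any locking they take around these lines is not visible here.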