diff --git a/SOURCES/postgresql-CVE-2023-5869.patch b/SOURCES/postgresql-CVE-2023-5869.patch new file mode 100644 index 0000000..343de03 --- /dev/null +++ b/SOURCES/postgresql-CVE-2023-5869.patch @@ -0,0 +1,615 @@ +This patch was created based on upstream commit: +https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=18b585155a891784ca8985f595ebc0dde94e0d43 + +The upstream regression test is not applicable for PG9.2 + +int.h source file comes from: +https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/include/common/int.h;h=487124473d25b206a985a9742f39b348f50a5324 + +diff -urN -x '*cscope*' postgresql-9.2.24/src/backend/utils/adt/arrayfuncs.c postgresql-final/src/backend/utils/adt/arrayfuncs.c +--- postgresql-9.2.24/src/backend/utils/adt/arrayfuncs.c 2017-11-06 23:17:39.000000000 +0100 ++++ postgresql-final/src/backend/utils/adt/arrayfuncs.c 2023-11-21 15:20:49.000000000 +0100 +@@ -24,7 +24,7 @@ + #include "utils/lsyscache.h" + #include "utils/memutils.h" + #include "utils/typcache.h" +- ++#include "common/int.h" + + /* + * GUC parameter +@@ -2138,22 +2138,38 @@ + addedbefore = addedafter = 0; + + /* +- * Check subscripts ++ * Check subscripts. We assume the existing subscripts passed ++ * ArrayCheckBounds, so that dim[i] + lb[i] can be computed without ++ * overflow. But we must beware of other overflows in our calculations of ++ * new dim[] values. + */ + if (ndim == 1) + { + if (indx[0] < lb[0]) + { +- addedbefore = lb[0] - indx[0]; +- dim[0] += addedbefore; ++ // addedbefore = lb[0] - indx[0]; ++ // dim[0] += addedbefore; ++ if (pg_sub_s32_overflow(lb[0], indx[0], &addedbefore) || ++ pg_add_s32_overflow(dim[0], addedbefore, &dim[0])) ++ ereport(ERROR, ++ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), ++ errmsg("array size exceeds the maximum allowed (%d)", ++ (int) MaxArraySize))); + lb[0] = indx[0]; + if (addedbefore > 1) + newhasnulls = true; /* will insert nulls */ + } + if (indx[0] >= (dim[0] + lb[0])) + { +- addedafter = indx[0] - (dim[0] + lb[0]) + 1; +- dim[0] += addedafter; ++ // addedafter = indx[0] - (dim[0] + lb[0]) + 1; ++ // dim[0] += addedafter; ++ if (pg_sub_s32_overflow(indx[0], dim[0] + lb[0], &addedafter) || ++ pg_add_s32_overflow(addedafter, 1, &addedafter) || ++ pg_add_s32_overflow(dim[0], addedafter, &dim[0])) ++ ereport(ERROR, ++ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), ++ errmsg("array size exceeds the maximum allowed (%d)", ++ (int) MaxArraySize))); + if (addedafter > 1) + newhasnulls = true; /* will insert nulls */ + } +@@ -2435,18 +2451,31 @@ + errmsg("upper bound cannot be less than lower bound"))); + if (lowerIndx[0] < lb[0]) + { +- if (upperIndx[0] < lb[0] - 1) +- newhasnulls = true; /* will insert nulls */ +- addedbefore = lb[0] - lowerIndx[0]; +- dim[0] += addedbefore; ++ // addedbefore = lb[0] - lowerIndx[0]; ++ // dim[0] += addedbefore; ++ if (pg_sub_s32_overflow(lb[0], lowerIndx[0], &addedbefore) || ++ pg_add_s32_overflow(dim[0], addedbefore, &dim[0])) ++ ereport(ERROR, ++ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), ++ errmsg("array size exceeds the maximum allowed (%d)", ++ (int) MaxArraySize))); + lb[0] = lowerIndx[0]; ++ if (addedbefore > 1) ++ newhasnulls = true; /* will insert nulls */ + } + if (upperIndx[0] >= (dim[0] + lb[0])) + { +- if (lowerIndx[0] > (dim[0] + lb[0])) ++ if (pg_sub_s32_overflow(upperIndx[0], dim[0] + lb[0], &addedafter) || ++ pg_add_s32_overflow(addedafter, 1, &addedafter) || ++ pg_add_s32_overflow(dim[0], addedafter, &dim[0])) ++ ereport(ERROR, ++ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED), ++ errmsg("array size exceeds the maximum allowed (%d)", ++ (int) MaxArraySize))); ++ if (addedafter > 1) + newhasnulls = true; /* will insert nulls */ +- addedafter = upperIndx[0] - (dim[0] + lb[0]) + 1; +- dim[0] += addedafter; ++ // addedafter = upperIndx[0] - (dim[0] + lb[0]) + 1; ++ // dim[0] += addedafter; + } + } + else +diff -urN -x '*cscope*' postgresql-9.2.24/src/backend/utils/adt/arrayutils.c postgresql-final/src/backend/utils/adt/arrayutils.c +--- postgresql-9.2.24/src/backend/utils/adt/arrayutils.c 2017-11-06 23:17:39.000000000 +0100 ++++ postgresql-final/src/backend/utils/adt/arrayutils.c 2023-11-21 15:19:25.000000000 +0100 +@@ -63,10 +63,6 @@ + * This must do overflow checking, since it is used to validate that a user + * dimensionality request doesn't overflow what we can handle. + * +- * We limit array sizes to at most about a quarter billion elements, +- * so that it's not necessary to check for overflow in quite so many +- * places --- for instance when palloc'ing Datum arrays. +- * + * The multiplication overflow check only works on machines that have int64 + * arithmetic, but that is nearly all platforms these days, and doing check + * divides for those that don't seems way too expensive. +@@ -77,7 +73,6 @@ + int32 ret; + int i; + +-#define MaxArraySize ((Size) (MaxAllocSize / sizeof(Datum))) + + if (ndim <= 0) + return 0; +diff -urN -x '*cscope*' postgresql-9.2.24/src/include/c.h postgresql-final/src/include/c.h +--- postgresql-9.2.24/src/include/c.h 2017-11-06 23:17:39.000000000 +0100 ++++ postgresql-final/src/include/c.h 2023-11-21 15:19:25.000000000 +0100 +@@ -215,6 +215,23 @@ + */ + + /* ++ * stdint.h limits aren't guaranteed to be present and aren't guaranteed to ++ * have compatible types with our fixed width types. So just define our own. ++ */ ++#define PG_INT8_MIN (-0x7F-1) ++#define PG_INT8_MAX (0x7F) ++#define PG_UINT8_MAX (0xFF) ++#define PG_INT16_MIN (-0x7FFF-1) ++#define PG_INT16_MAX (0x7FFF) ++#define PG_UINT16_MAX (0xFFFF) ++#define PG_INT32_MIN (-0x7FFFFFFF-1) ++#define PG_INT32_MAX (0x7FFFFFFF) ++#define PG_UINT32_MAX (0xFFFFFFFFU) ++#define PG_INT64_MIN (-INT64CONST(0x7FFFFFFFFFFFFFFF) - 1) ++#define PG_INT64_MAX INT64CONST(0x7FFFFFFFFFFFFFFF) ++#define PG_UINT64_MAX UINT64CONST(0xFFFFFFFFFFFFFFFF) ++ ++/* + * Pointer + * Variable holding address of any memory resident object. + * +diff -urN -x '*cscope*' postgresql-9.2.24/src/include/common/int.h postgresql-final/src/include/common/int.h +--- postgresql-9.2.24/src/include/common/int.h 1970-01-01 01:00:00.000000000 +0100 ++++ postgresql-final/src/include/common/int.h 2023-11-21 15:19:25.000000000 +0100 +@@ -0,0 +1,441 @@ ++/*------------------------------------------------------------------------- ++ * ++ * int.h ++ * Routines to perform integer math, while checking for overflows. ++ * ++ * The routines in this file are intended to be well defined C, without ++ * relying on compiler flags like -fwrapv. ++ * ++ * To reduce the overhead of these routines try to use compiler intrinsics ++ * where available. That's not that important for the 16, 32 bit cases, but ++ * the 64 bit cases can be considerably faster with intrinsics. In case no ++ * intrinsics are available 128 bit math is used where available. ++ * ++ * Copyright (c) 2017-2023, PostgreSQL Global Development Group ++ * ++ * src/include/common/int.h ++ * ++ *------------------------------------------------------------------------- ++ */ ++#ifndef COMMON_INT_H ++#define COMMON_INT_H ++ ++ ++/*--------- ++ * The following guidelines apply to all the routines: ++ * - If a + b overflows, return true, otherwise store the result of a + b ++ * into *result. The content of *result is implementation defined in case of ++ * overflow. ++ * - If a - b overflows, return true, otherwise store the result of a - b ++ * into *result. The content of *result is implementation defined in case of ++ * overflow. ++ * - If a * b overflows, return true, otherwise store the result of a * b ++ * into *result. The content of *result is implementation defined in case of ++ * overflow. ++ *--------- ++ */ ++ ++/*------------------------------------------------------------------------ ++ * Overflow routines for signed integers ++ *------------------------------------------------------------------------ ++ */ ++ ++/* ++ * INT16 ++ */ ++static inline bool ++pg_add_s16_overflow(int16 a, int16 b, int16 *result) ++{ ++#if defined(HAVE__BUILTIN_OP_OVERFLOW) ++ return __builtin_add_overflow(a, b, result); ++#else ++ int32 res = (int32) a + (int32) b; ++ ++ if (res > PG_INT16_MAX || res < PG_INT16_MIN) ++ { ++ *result = 0x5EED; /* to avoid spurious warnings */ ++ return true; ++ } ++ *result = (int16) res; ++ return false; ++#endif ++} ++ ++static inline bool ++pg_sub_s16_overflow(int16 a, int16 b, int16 *result) ++{ ++#if defined(HAVE__BUILTIN_OP_OVERFLOW) ++ return __builtin_sub_overflow(a, b, result); ++#else ++ int32 res = (int32) a - (int32) b; ++ ++ if (res > PG_INT16_MAX || res < PG_INT16_MIN) ++ { ++ *result = 0x5EED; /* to avoid spurious warnings */ ++ return true; ++ } ++ *result = (int16) res; ++ return false; ++#endif ++} ++ ++static inline bool ++pg_mul_s16_overflow(int16 a, int16 b, int16 *result) ++{ ++#if defined(HAVE__BUILTIN_OP_OVERFLOW) ++ return __builtin_mul_overflow(a, b, result); ++#else ++ int32 res = (int32) a * (int32) b; ++ ++ if (res > PG_INT16_MAX || res < PG_INT16_MIN) ++ { ++ *result = 0x5EED; /* to avoid spurious warnings */ ++ return true; ++ } ++ *result = (int16) res; ++ return false; ++#endif ++} ++ ++/* ++ * INT32 ++ */ ++static inline bool ++pg_add_s32_overflow(int32 a, int32 b, int32 *result) ++{ ++#if defined(HAVE__BUILTIN_OP_OVERFLOW) ++ return __builtin_add_overflow(a, b, result); ++#else ++ int64 res = (int64) a + (int64) b; ++ ++ if (res > PG_INT32_MAX || res < PG_INT32_MIN) ++ { ++ *result = 0x5EED; /* to avoid spurious warnings */ ++ return true; ++ } ++ *result = (int32) res; ++ return false; ++#endif ++} ++ ++static inline bool ++pg_sub_s32_overflow(int32 a, int32 b, int32 *result) ++{ ++#if defined(HAVE__BUILTIN_OP_OVERFLOW) ++ return __builtin_sub_overflow(a, b, result); ++#else ++ int64 res = (int64) a - (int64) b; ++ ++ if (res > PG_INT32_MAX || res < PG_INT32_MIN) ++ { ++ *result = 0x5EED; /* to avoid spurious warnings */ ++ return true; ++ } ++ *result = (int32) res; ++ return false; ++#endif ++} ++ ++static inline bool ++pg_mul_s32_overflow(int32 a, int32 b, int32 *result) ++{ ++#if defined(HAVE__BUILTIN_OP_OVERFLOW) ++ return __builtin_mul_overflow(a, b, result); ++#else ++ int64 res = (int64) a * (int64) b; ++ ++ if (res > PG_INT32_MAX || res < PG_INT32_MIN) ++ { ++ *result = 0x5EED; /* to avoid spurious warnings */ ++ return true; ++ } ++ *result = (int32) res; ++ return false; ++#endif ++} ++ ++/* ++ * INT64 ++ */ ++static inline bool ++pg_add_s64_overflow(int64 a, int64 b, int64 *result) ++{ ++#if defined(HAVE__BUILTIN_OP_OVERFLOW) ++ return __builtin_add_overflow(a, b, result); ++#elif defined(HAVE_INT128) ++ int128 res = (int128) a + (int128) b; ++ ++ if (res > PG_INT64_MAX || res < PG_INT64_MIN) ++ { ++ *result = 0x5EED; /* to avoid spurious warnings */ ++ return true; ++ } ++ *result = (int64) res; ++ return false; ++#else ++ if ((a > 0 && b > 0 && a > PG_INT64_MAX - b) || ++ (a < 0 && b < 0 && a < PG_INT64_MIN - b)) ++ { ++ *result = 0x5EED; /* to avoid spurious warnings */ ++ return true; ++ } ++ *result = a + b; ++ return false; ++#endif ++} ++ ++static inline bool ++pg_sub_s64_overflow(int64 a, int64 b, int64 *result) ++{ ++#if defined(HAVE__BUILTIN_OP_OVERFLOW) ++ return __builtin_sub_overflow(a, b, result); ++#elif defined(HAVE_INT128) ++ int128 res = (int128) a - (int128) b; ++ ++ if (res > PG_INT64_MAX || res < PG_INT64_MIN) ++ { ++ *result = 0x5EED; /* to avoid spurious warnings */ ++ return true; ++ } ++ *result = (int64) res; ++ return false; ++#else ++ /* ++ * Note: overflow is also possible when a == 0 and b < 0 (specifically, ++ * when b == PG_INT64_MIN). ++ */ ++ if ((a < 0 && b > 0 && a < PG_INT64_MIN + b) || ++ (a >= 0 && b < 0 && a > PG_INT64_MAX + b)) ++ { ++ *result = 0x5EED; /* to avoid spurious warnings */ ++ return true; ++ } ++ *result = a - b; ++ return false; ++#endif ++} ++ ++static inline bool ++pg_mul_s64_overflow(int64 a, int64 b, int64 *result) ++{ ++#if defined(HAVE__BUILTIN_OP_OVERFLOW) ++ return __builtin_mul_overflow(a, b, result); ++#elif defined(HAVE_INT128) ++ int128 res = (int128) a * (int128) b; ++ ++ if (res > PG_INT64_MAX || res < PG_INT64_MIN) ++ { ++ *result = 0x5EED; /* to avoid spurious warnings */ ++ return true; ++ } ++ *result = (int64) res; ++ return false; ++#else ++ /* ++ * Overflow can only happen if at least one value is outside the range ++ * sqrt(min)..sqrt(max) so check that first as the division can be quite a ++ * bit more expensive than the multiplication. ++ * ++ * Multiplying by 0 or 1 can't overflow of course and checking for 0 ++ * separately avoids any risk of dividing by 0. Be careful about dividing ++ * INT_MIN by -1 also, note reversing the a and b to ensure we're always ++ * dividing it by a positive value. ++ * ++ */ ++ if ((a > PG_INT32_MAX || a < PG_INT32_MIN || ++ b > PG_INT32_MAX || b < PG_INT32_MIN) && ++ a != 0 && a != 1 && b != 0 && b != 1 && ++ ((a > 0 && b > 0 && a > PG_INT64_MAX / b) || ++ (a > 0 && b < 0 && b < PG_INT64_MIN / a) || ++ (a < 0 && b > 0 && a < PG_INT64_MIN / b) || ++ (a < 0 && b < 0 && a < PG_INT64_MAX / b))) ++ { ++ *result = 0x5EED; /* to avoid spurious warnings */ ++ return true; ++ } ++ *result = a * b; ++ return false; ++#endif ++} ++ ++/*------------------------------------------------------------------------ ++ * Overflow routines for unsigned integers ++ *------------------------------------------------------------------------ ++ */ ++ ++/* ++ * UINT16 ++ */ ++static inline bool ++pg_add_u16_overflow(uint16 a, uint16 b, uint16 *result) ++{ ++#if defined(HAVE__BUILTIN_OP_OVERFLOW) ++ return __builtin_add_overflow(a, b, result); ++#else ++ uint16 res = a + b; ++ ++ if (res < a) ++ { ++ *result = 0x5EED; /* to avoid spurious warnings */ ++ return true; ++ } ++ *result = res; ++ return false; ++#endif ++} ++ ++static inline bool ++pg_sub_u16_overflow(uint16 a, uint16 b, uint16 *result) ++{ ++#if defined(HAVE__BUILTIN_OP_OVERFLOW) ++ return __builtin_sub_overflow(a, b, result); ++#else ++ if (b > a) ++ { ++ *result = 0x5EED; /* to avoid spurious warnings */ ++ return true; ++ } ++ *result = a - b; ++ return false; ++#endif ++} ++ ++static inline bool ++pg_mul_u16_overflow(uint16 a, uint16 b, uint16 *result) ++{ ++#if defined(HAVE__BUILTIN_OP_OVERFLOW) ++ return __builtin_mul_overflow(a, b, result); ++#else ++ uint32 res = (uint32) a * (uint32) b; ++ ++ if (res > PG_UINT16_MAX) ++ { ++ *result = 0x5EED; /* to avoid spurious warnings */ ++ return true; ++ } ++ *result = (uint16) res; ++ return false; ++#endif ++} ++ ++/* ++ * INT32 ++ */ ++static inline bool ++pg_add_u32_overflow(uint32 a, uint32 b, uint32 *result) ++{ ++#if defined(HAVE__BUILTIN_OP_OVERFLOW) ++ return __builtin_add_overflow(a, b, result); ++#else ++ uint32 res = a + b; ++ ++ if (res < a) ++ { ++ *result = 0x5EED; /* to avoid spurious warnings */ ++ return true; ++ } ++ *result = res; ++ return false; ++#endif ++} ++ ++static inline bool ++pg_sub_u32_overflow(uint32 a, uint32 b, uint32 *result) ++{ ++#if defined(HAVE__BUILTIN_OP_OVERFLOW) ++ return __builtin_sub_overflow(a, b, result); ++#else ++ if (b > a) ++ { ++ *result = 0x5EED; /* to avoid spurious warnings */ ++ return true; ++ } ++ *result = a - b; ++ return false; ++#endif ++} ++ ++static inline bool ++pg_mul_u32_overflow(uint32 a, uint32 b, uint32 *result) ++{ ++#if defined(HAVE__BUILTIN_OP_OVERFLOW) ++ return __builtin_mul_overflow(a, b, result); ++#else ++ uint64 res = (uint64) a * (uint64) b; ++ ++ if (res > PG_UINT32_MAX) ++ { ++ *result = 0x5EED; /* to avoid spurious warnings */ ++ return true; ++ } ++ *result = (uint32) res; ++ return false; ++#endif ++} ++ ++/* ++ * UINT64 ++ */ ++static inline bool ++pg_add_u64_overflow(uint64 a, uint64 b, uint64 *result) ++{ ++#if defined(HAVE__BUILTIN_OP_OVERFLOW) ++ return __builtin_add_overflow(a, b, result); ++#else ++ uint64 res = a + b; ++ ++ if (res < a) ++ { ++ *result = 0x5EED; /* to avoid spurious warnings */ ++ return true; ++ } ++ *result = res; ++ return false; ++#endif ++} ++ ++static inline bool ++pg_sub_u64_overflow(uint64 a, uint64 b, uint64 *result) ++{ ++#if defined(HAVE__BUILTIN_OP_OVERFLOW) ++ return __builtin_sub_overflow(a, b, result); ++#else ++ if (b > a) ++ { ++ *result = 0x5EED; /* to avoid spurious warnings */ ++ return true; ++ } ++ *result = a - b; ++ return false; ++#endif ++} ++ ++static inline bool ++pg_mul_u64_overflow(uint64 a, uint64 b, uint64 *result) ++{ ++#if defined(HAVE__BUILTIN_OP_OVERFLOW) ++ return __builtin_mul_overflow(a, b, result); ++#elif defined(HAVE_INT128) ++ uint128 res = (uint128) a * (uint128) b; ++ ++ if (res > PG_UINT64_MAX) ++ { ++ *result = 0x5EED; /* to avoid spurious warnings */ ++ return true; ++ } ++ *result = (uint64) res; ++ return false; ++#else ++ uint64 res = a * b; ++ ++ if (a != 0 && b != res / a) ++ { ++ *result = 0x5EED; /* to avoid spurious warnings */ ++ return true; ++ } ++ *result = res; ++ return false; ++#endif ++} ++ ++#endif /* COMMON_INT_H */ +diff -urN -x '*cscope*' postgresql-9.2.24/src/include/utils/array.h postgresql-final/src/include/utils/array.h +--- postgresql-9.2.24/src/include/utils/array.h 2017-11-06 23:17:39.000000000 +0100 ++++ postgresql-final/src/include/utils/array.h 2023-11-21 15:19:25.000000000 +0100 +@@ -59,6 +59,14 @@ + #include "fmgr.h" + + /* ++* Maximum number of elements in an array. We limit this to at most about a ++* quarter billion elements, so that it's not necessary to check for overflow ++* in quite so many places --- for instance when palloc'ing Datum arrays. ++*/ ++#define MaxArraySize ((Size) (MaxAllocSize / sizeof(Datum))) ++ ++ ++/* + * Arrays are varlena objects, so must meet the varlena convention that + * the first int32 of the object contains the total object size in bytes. + * Be sure to use VARSIZE() and SET_VARSIZE() to access it, though! diff --git a/SPECS/postgresql.spec b/SPECS/postgresql.spec index e1c7178..34bd520 100644 --- a/SPECS/postgresql.spec +++ b/SPECS/postgresql.spec @@ -63,7 +63,7 @@ Summary: PostgreSQL client programs Name: postgresql %global majorversion 9.2 Version: 9.2.24 -Release: 8%{?dist} +Release: 9%{?dist} # The PostgreSQL license is very similar to other MIT licenses, but the OSI # recognizes it as an independent license, so we do as well. @@ -158,11 +158,16 @@ Patch18: postgresql-9.2.24-CVE-2020-25695.patch Patch19: postgresql-9.2.24-CVE-2019-10208.patch Patch20: postgresql-CVE-2021-32027.patch -# Backport fox for: CVE-2022-1552 +# Backport fix for: CVE-2022-1552 # Upstream commit: a117cebd638dd02e5c2e791c25e43745f233111b # See: https://bugzilla.redhat.com/show_bug.cgi?id=2081126 Patch21: postgresql-CVE-2022-1552.patch +# Backport fix for: CVE-2023-5869 +# Upstream commit: 18b585155a891784ca8985f595ebc0dde94e0d43 +# BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2247169 +Patch22: postgresql-CVE-2023-5869.patch + BuildRequires: perl(ExtUtils::MakeMaker) glibc-devel bison flex gawk help2man BuildRequires: perl(ExtUtils::Embed), perl-devel BuildRequires: readline-devel zlib-devel @@ -408,6 +413,7 @@ benchmarks. %patch19 -p1 %patch20 -p1 %patch21 -p1 +%patch22 -p1 # We used to run autoconf here, but there's no longer any real need to, # since Postgres ships with a reasonably modern configure script. @@ -1205,6 +1211,9 @@ fi %endif %changelog +* Thu Nov 16 2023 Filip Janus - 9.2.24-9 +- Backport fix for CVE-2023-5869 + * Wed Jun 1 2022 Filip Januš - 9.2.24-8 - Resolves: CVE-2022-1552 - Backport upstrem fix: a117cebd638dd02e5c2e791c25e43745f233111b