postgresql: 9.4.5 -> 9.4.8

* Upgrade postgresql from 9.4.5 to 9.4.8 * Update LIC_FILES_CHKSUM as COPYRIGHT file updates * Remove two backport CVE patches Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
2026-06-13 17:39:57 +00:00 · 2016-08-05 14:38:11 +08:00
parent aff7b7ee79
commit 92c500e967
5 changed files with 14 additions and 273 deletions
@@ -1,35 +0,0 @@
 From f4aa3a18a20d51575562520754aa376b3b08b2d0 Mon Sep 17 00:00:00 2001
 From: Noah Misch <noah@leadboat.com>
 Date: Fri, 5 Feb 2016 20:22:51 -0500
 Subject: [PATCH] Force certain "pljava" custom GUCs to be PGC_SUSET.
 Future PL/Java versions will close CVE-2016-0766 by making these GUCs
 PGC_SUSET.  This PostgreSQL change independently mitigates that PL/Java
 vulnerability, helping sites that update PostgreSQL more frequently than
 PL/Java.  Back-patch to 9.1 (all supported versions).
 Upstream-Status: Backport
 Signed-off-by: Noah Misch <noah@leadboat.com>
 Index: postgresql-9.4.4/src/backend/utils/misc/guc.c
 ===================================================================
 --- postgresql-9.4.4.orig/src/backend/utils/misc/guc.c	2015-06-10 03:29:38.000000000 +0800
 +++ postgresql-9.4.4/src/backend/utils/misc/guc.c	2016-03-04 15:58:26.459266951 +0800
@@ -7072,6 +7072,17 @@
 		!process_shared_preload_libraries_in_progress)
 		elog(FATAL, "cannot create PGC_POSTMASTER variables after startup");
 +	/*
 +	 * Before pljava commit 398f3b876ed402bdaec8bc804f29e2be95c75139
 +	 * (2015-12-15), two of that module's PGC_USERSET variables facilitated
 +	 * trivial escalation to superuser privileges.  Restrict the variables to
 +	 * protect sites that have yet to upgrade pljava.
 +	 */
 +	if (context == PGC_USERSET &&
 +		(strcmp(name, "pljava.classpath") == 0 ||
 +		 strcmp(name, "pljava.vmoptions") == 0))
 +		context = PGC_SUSET;
 +
 	gen = (struct config_generic *) guc_malloc(ERROR, sz);
 	memset(gen, 0, sz);
@@ -1,222 +0,0 @@
 From 3bb3f42f3749d40b8d4de65871e8d828b18d4a45 Mon Sep 17 00:00:00 2001
 From: Tom Lane <tgl@sss.pgh.pa.us>
 Date: Mon, 8 Feb 2016 10:25:40 -0500
 Subject: [PATCH] Fix some regex issues with out-of-range characters and large
 char ranges.
 Previously, our regex code defined CHR_MAX as 0xfffffffe, which is a
 bad choice because it is outside the range of type "celt" (int32).
 Characters approaching that limit could lead to infinite loops in logic
 such as "for (c = a; c <= b; c++)" where c is of type celt but the
 range bounds are chr.  Such loops will work safely only if CHR_MAX+1
 is representable in celt, since c must advance to beyond b before the
 loop will exit.
 Fortunately, there seems no reason not to restrict CHR_MAX to 0x7ffffffe.
 It's highly unlikely that Unicode will ever assign codes that high, and
 none of our other backend encodings need characters beyond that either.
 In addition to modifying the macro, we have to explicitly enforce character
 range restrictions on the values of \u, \U, and \x escape sequences, else
 the limit is trivially bypassed.
 Also, the code for expanding case-independent character ranges in bracket
 expressions had a potential integer overflow in its calculation of the
 number of characters it could generate, which could lead to allocating too
 small a character vector and then overwriting memory.  An attacker with the
 ability to supply arbitrary regex patterns could easily cause transient DOS
 via server crashes, and the possibility for privilege escalation has not
 been ruled out.
 Quite aside from the integer-overflow problem, the range expansion code was
 unnecessarily inefficient in that it always produced a result consisting of
 individual characters, abandoning the knowledge that we had a range to
 start with.  If the input range is large, this requires excessive memory.
 Change it so that the original range is reported as-is, and then we add on
 any case-equivalent characters that are outside that range.  With this
 approach, we can bound the number of individual characters allowed without
 sacrificing much.  This patch allows at most 100000 individual characters,
 which I believe to be more than the number of case pairs existing in
 Unicode, so that the restriction will never be hit in practice.
 It's still possible for range() to take awhile given a large character code
 range, so also add statement-cancel detection to its loop.  The downstream
 function dovec() also lacked cancel detection, and could take a long time
 given a large output from range().
 Per fuzz testing by Greg Stark.  Back-patch to all supported branches.
 Security: CVE-2016-0773
 Upstream-Status: Backport
 Signed-off-by: Tom Lane <tgl@sss.pgh.pa.us>
 Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
 Index: postgresql-9.4.5/src/backend/regex/regc_lex.c
 ===================================================================
 --- postgresql-9.4.5.orig/src/backend/regex/regc_lex.c	2015-10-06 03:12:06.000000000 +0800
 +++ postgresql-9.4.5/src/backend/regex/regc_lex.c	2016-03-10 10:29:57.045784317 +0800
@@ -792,13 +792,13 @@
 			break;
 		case CHR('u'):
 			c = lexdigits(v, 16, 4, 4);
 -			if (ISERR())
 +			if (ISERR() || c < CHR_MIN || c > CHR_MAX)
 				FAILW(REG_EESCAPE);
 			RETV(PLAIN, c);
 			break;
 		case CHR('U'):
 			c = lexdigits(v, 16, 8, 8);
 -			if (ISERR())
 +			if (ISERR() || c < CHR_MIN || c > CHR_MAX)
 				FAILW(REG_EESCAPE);
 			RETV(PLAIN, c);
 			break;
@@ -816,7 +816,7 @@
 		case CHR('x'):
 			NOTE(REG_UUNPORT);
 			c = lexdigits(v, 16, 1, 255);		/* REs >255 long outside spec */
 -			if (ISERR())
 +			if (ISERR() || c < CHR_MIN || c > CHR_MAX)
 				FAILW(REG_EESCAPE);
 			RETV(PLAIN, c);
 			break;
@@ -872,6 +872,9 @@
 /*
  * lexdigits - slurp up digits and return chr value
 + *
 + * This does not account for overflow; callers should range-check the result
 + * if maxlen is large enough to make that possible.
  */
 static chr						/* chr value; errors signalled via ERR */
 lexdigits(struct vars * v,
 Index: postgresql-9.4.5/src/backend/regex/regc_locale.c
 ===================================================================
 --- postgresql-9.4.5.orig/src/backend/regex/regc_locale.c	2015-10-06 03:12:06.000000000 +0800
 +++ postgresql-9.4.5/src/backend/regex/regc_locale.c	2016-03-10 10:34:28.757781726 +0800
@@ -408,8 +408,7 @@
 	int			nchrs;
 	struct cvec *cv;
 	celt		c,
 -				lc,
 -				uc;
 +				cc;
 	if (a != b && !before(a, b))
 	{
@@ -427,24 +426,48 @@
 	/*
 	 * When case-independent, it's hard to decide when cvec ranges are usable,
 -	 * so for now at least, we won't try.  We allocate enough space for two
 -	 * case variants plus a little extra for the two title case variants.
 +	 * so for now at least, we won't try.  We use a range for the originally
 +	 * specified chrs and then add on any case-equivalents that are outside
 +	 * that range as individual chrs.
 +	 *
 +	 * To ensure sane behavior if someone specifies a very large range, limit
 +	 * the allocation size to 100000 chrs (arbitrary) and check for overrun
 +	 * inside the loop below.
 	 */
 -	nchrs = (b - a + 1) * 2 + 4;
 -
 -	cv = getcvec(v, nchrs, 0);
 +	cv = getcvec(v, nchrs, 1);
 	NOERRN();
 +	addrange(cv, a, b);
 	for (c = a; c <= b; c++)
 	{
 -		addchr(cv, c);
 -		lc = pg_wc_tolower((chr) c);
 -		if (c != lc)
 -			addchr(cv, lc);
 -		uc = pg_wc_toupper((chr) c);
 -		if (c != uc)
 -			addchr(cv, uc);
 +		cc = pg_wc_tolower((chr) c);
 +		if (cc != c &&
 +			(before(cc, a) || before(b, cc)))
 +		{
 +			if (cv->nchrs >= cv->chrspace)
 +			{
 +				ERR(REG_ETOOBIG);
 +				return NULL;
 +			}
 +			addchr(cv, cc);
 +		}
 +		cc = pg_wc_toupper((chr) c);
 +		if (cc != c &&
 +			(before(cc, a) || before(b, cc)))
 +		{
 +			if (cv->nchrs >= cv->chrspace)
 +			{
 +				ERR(REG_ETOOBIG);
 +				return NULL;
 +			}
 +			addchr(cv, cc);
 +		}
 +		if (CANCEL_REQUESTED(v->re))
 +		{
 +			ERR(REG_CANCEL);
 +			return NULL;
 +		}
 	}
 	return cv;
 Index: postgresql-9.4.5/src/backend/regex/regcomp.c
 ===================================================================
 --- postgresql-9.4.5.orig/src/backend/regex/regcomp.c	2015-10-06 03:12:06.000000000 +0800
 +++ postgresql-9.4.5/src/backend/regex/regcomp.c	2016-03-10 10:35:25.397781185 +0800
@@ -1569,6 +1569,7 @@
 	{
 		ch = *p;
 		newarc(v->nfa, PLAIN, subcolor(v->cm, ch), lp, rp);
 +		NOERR();
 	}
 	/* and the ranges */
@@ -1578,6 +1579,7 @@
 		to = *(p + 1);
 		if (from <= to)
 			subrange(v, from, to, lp, rp);
 +		NOERR();
 	}
 }
 Index: postgresql-9.4.5/src/include/regex/regcustom.h
 ===================================================================
 --- postgresql-9.4.5.orig/src/include/regex/regcustom.h	2015-10-06 03:12:06.000000000 +0800
 +++ postgresql-9.4.5/src/include/regex/regcustom.h	2016-03-10 10:37:09.989780188 +0800
@@ -65,7 +65,8 @@
 #define DIGITVAL(c) ((c)-'0')	/* turn chr digit into its value */
 #define CHRBITS 32				/* bits in a chr; must not use sizeof */
 #define CHR_MIN 0x00000000		/* smallest and largest chr; the value */
 -#define CHR_MAX 0xfffffffe		/* CHR_MAX-CHR_MIN+1 should fit in uchr */
 +#define CHR_MAX 0x7ffffffe		/* CHR_MAX-CHR_MIN+1 must fit in an int, and
 +								 * CHR_MAX+1 must fit in both chr and celt */
 /* functions operating on chr */
 #define iscalnum(x) pg_wc_isalnum(x)
 Index: postgresql-9.4.5/src/test/regress/expected/regex.out
 ===================================================================
 --- postgresql-9.4.5.orig/src/test/regress/expected/regex.out	2015-10-06 03:12:06.000000000 +0800
 +++ postgresql-9.4.5/src/test/regress/expected/regex.out	2016-03-10 10:38:28.821779436 +0800
@@ -222,3 +222,5 @@
  t
 (1 row)
 +select 'a' ~ '\x7fffffff';  -- invalid chr code
 +ERROR:  invalid regular expression: invalid escape \ sequence
 Index: postgresql-9.4.5/src/test/regress/sql/regex.sql
 ===================================================================
 --- postgresql-9.4.5.orig/src/test/regress/sql/regex.sql	2015-10-06 03:12:06.000000000 +0800
 +++ postgresql-9.4.5/src/test/regress/sql/regex.sql	2016-03-10 10:38:57.845779159 +0800
@@ -57,3 +57,4 @@
 select 'a' ~ '.. ()|\1';
 select 'a' ~ '()*\1';
 select 'a' ~ '()+\1';
 +select 'a' ~ '\x7fffffff';  -- invalid chr code
@@ -31,8 +31,6 @@ SRC_URI = "http://ftp.postgresql.org/pub/source/v${PV}/${BP}.tar.bz2 \
    file://postgresql-setup \
    file://postgresql.service \
    file://0001-Use-pkg-config-for-libxml2-detection.patch \
    file://postgresql-CVE-2016-0766.patch \
    file://postgresql-CVE-2016-0773.patch \
 "
 LEAD_SONAME = "libpq.so"
@@ -1,14 +0,0 @@
 require postgresql.inc
 LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=7d847a9b446ddfe187acfac664189672"
 PR = "${INC_PR}.0"
 SRC_URI += "\
    file://remove.autoconf.version.check.patch \
    file://not-check-libperl.patch \
 "
 SRC_URI[md5sum] = "8b2e3472a8dc786649b4d02d02e039a0"
 SRC_URI[sha256sum] = "b87c50c66b6ea42a9712b5f6284794fabad0616e6ae420cf0f10523be6d94a39"
@@ -0,0 +1,14 @@
 require postgresql.inc
 LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=3a9c1120056a102a8c8c4013cd828dce"
 PR = "${INC_PR}.0"
 SRC_URI += "\
    file://remove.autoconf.version.check.patch \
    file://not-check-libperl.patch \
 "
 SRC_URI[md5sum] = "a1a2e8014b2b4c49fc58fe2e2fe83681"
 SRC_URI[sha256sum] = "4a10640e180e0d9adb587bc25a82dcce6bf507b033637e7fb9d4eeffa33a6b4c"