import-layers/meta-openembedded/meta-oe/recipes-support/postgresql/files/postgresql-CVE-2016-0766.patch - openbmc/openbmc - Gitiles

 From f4aa3a18a20d51575562520754aa376b3b08b2d0 Mon Sep 17 00:00:00 2001
 From: Noah Misch <noah@leadboat.com>
 Date: Fri, 5 Feb 2016 20:22:51 -0500
 Subject: [PATCH] Force certain "pljava" custom GUCs to be PGC_SUSET.

 Future PL/Java versions will close CVE-2016-0766 by making these GUCs
 PGC_SUSET.  This PostgreSQL change independently mitigates that PL/Java
 vulnerability, helping sites that update PostgreSQL more frequently than
 PL/Java.  Back-patch to 9.1 (all supported versions).

 Upstream-Status: Backport

 Signed-off-by: Noah Misch <noah@leadboat.com>
 Index: postgresql-9.4.4/src/backend/utils/misc/guc.c
 ===================================================================
 --- postgresql-9.4.4.orig/src/backend/utils/misc/guc.c	2015-06-10 03:29:38.000000000 +0800
 +++ postgresql-9.4.4/src/backend/utils/misc/guc.c	2016-03-04 15:58:26.459266951 +0800
 @@ -7072,6 +7072,17 @@
  		!process_shared_preload_libraries_in_progress)
  		elog(FATAL, "cannot create PGC_POSTMASTER variables after startup");

 +	/*
 +	 * Before pljava commit 398f3b876ed402bdaec8bc804f29e2be95c75139
 +	 * (2015-12-15), two of that module's PGC_USERSET variables facilitated
 +	 * trivial escalation to superuser privileges.  Restrict the variables to
 +	 * protect sites that have yet to upgrade pljava.
 +	 */
 +	if (context == PGC_USERSET &&
 +		(strcmp(name, "pljava.classpath") == 0 ||
 +		 strcmp(name, "pljava.vmoptions") == 0))
 +		context = PGC_SUSET;
 +
  	gen = (struct config_generic *) guc_malloc(ERROR, sz);
  	memset(gen, 0, sz);
	From f4aa3a18a20d51575562520754aa376b3b08b2d0 Mon Sep 17 00:00:00 2001
	From: Noah Misch <noah@leadboat.com>
	Date: Fri, 5 Feb 2016 20:22:51 -0500
	Subject: [PATCH] Force certain "pljava" custom GUCs to be PGC_SUSET.

	Future PL/Java versions will close CVE-2016-0766 by making these GUCs
	PGC_SUSET. This PostgreSQL change independently mitigates that PL/Java
	vulnerability, helping sites that update PostgreSQL more frequently than
	PL/Java. Back-patch to 9.1 (all supported versions).

	Upstream-Status: Backport

	Signed-off-by: Noah Misch <noah@leadboat.com>
	Index: postgresql-9.4.4/src/backend/utils/misc/guc.c
	===================================================================
	--- postgresql-9.4.4.orig/src/backend/utils/misc/guc.c 2015-06-10 03:29:38.000000000 +0800
	+++ postgresql-9.4.4/src/backend/utils/misc/guc.c 2016-03-04 15:58:26.459266951 +0800
	@@ -7072,6 +7072,17 @@
	!process_shared_preload_libraries_in_progress)
	elog(FATAL, "cannot create PGC_POSTMASTER variables after startup");

	+ /*
	+ * Before pljava commit 398f3b876ed402bdaec8bc804f29e2be95c75139
	+ * (2015-12-15), two of that module's PGC_USERSET variables facilitated
	+ * trivial escalation to superuser privileges. Restrict the variables to
	+ * protect sites that have yet to upgrade pljava.
	+ */
	+ if (context == PGC_USERSET &&
	+ (strcmp(name, "pljava.classpath") == 0 \|\|
	+ strcmp(name, "pljava.vmoptions") == 0))
	+ context = PGC_SUSET;
	+
	gen = (struct config_generic *) guc_malloc(ERROR, sz);
	memset(gen, 0, sz);