diff options
| author | Patrick Williams <patrick@stwcx.xyz> | 2016-08-17 15:04:38 -0500 |
|---|---|---|
| committer | Patrick Williams <patrick@stwcx.xyz> | 2016-08-22 16:43:32 +0000 |
| commit | b48b7b4109868a8c0ddda090992e936e821c7ea6 (patch) | |
| tree | 696be8ea782f2548c0f63bb0188f4c8d3eeed681 /import-layers/meta-openembedded/meta-oe/recipes-support/postgresql/files/postgresql-CVE-2016-0766.patch | |
| parent | d849ec78de728ef9a2d383b92ccfeabf40f8f1d0 (diff) | |
| download | talos-openbmc-b48b7b4109868a8c0ddda090992e936e821c7ea6.tar.gz talos-openbmc-b48b7b4109868a8c0ddda090992e936e821c7ea6.zip | |
Squashed 'import-layers/meta-openembedded/' content from commit 247b126
Change-Id: I40827e9ce5fba63f1cca2a0be44976ae8383b4c0
git-subtree-dir: import-layers/meta-openembedded
git-subtree-split: 247b1267bbe95719cd4877d2d3cfbaf2a2f4865a
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Diffstat (limited to 'import-layers/meta-openembedded/meta-oe/recipes-support/postgresql/files/postgresql-CVE-2016-0766.patch')
| -rw-r--r-- | import-layers/meta-openembedded/meta-oe/recipes-support/postgresql/files/postgresql-CVE-2016-0766.patch | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/import-layers/meta-openembedded/meta-oe/recipes-support/postgresql/files/postgresql-CVE-2016-0766.patch b/import-layers/meta-openembedded/meta-oe/recipes-support/postgresql/files/postgresql-CVE-2016-0766.patch new file mode 100644 index 000000000..df89eb0a1 --- /dev/null +++ b/import-layers/meta-openembedded/meta-oe/recipes-support/postgresql/files/postgresql-CVE-2016-0766.patch @@ -0,0 +1,35 @@ +From f4aa3a18a20d51575562520754aa376b3b08b2d0 Mon Sep 17 00:00:00 2001 +From: Noah Misch <noah@leadboat.com> +Date: Fri, 5 Feb 2016 20:22:51 -0500 +Subject: [PATCH] Force certain "pljava" custom GUCs to be PGC_SUSET. + +Future PL/Java versions will close CVE-2016-0766 by making these GUCs +PGC_SUSET. This PostgreSQL change independently mitigates that PL/Java +vulnerability, helping sites that update PostgreSQL more frequently than +PL/Java. Back-patch to 9.1 (all supported versions). + +Upstream-Status: Backport + +Signed-off-by: Noah Misch <noah@leadboat.com> +Index: postgresql-9.4.4/src/backend/utils/misc/guc.c +=================================================================== +--- postgresql-9.4.4.orig/src/backend/utils/misc/guc.c 2015-06-10 03:29:38.000000000 +0800 ++++ postgresql-9.4.4/src/backend/utils/misc/guc.c 2016-03-04 15:58:26.459266951 +0800 +@@ -7072,6 +7072,17 @@ + !process_shared_preload_libraries_in_progress) + elog(FATAL, "cannot create PGC_POSTMASTER variables after startup"); + ++ /* ++ * Before pljava commit 398f3b876ed402bdaec8bc804f29e2be95c75139 ++ * (2015-12-15), two of that module's PGC_USERSET variables facilitated ++ * trivial escalation to superuser privileges. Restrict the variables to ++ * protect sites that have yet to upgrade pljava. ++ */ ++ if (context == PGC_USERSET && ++ (strcmp(name, "pljava.classpath") == 0 || ++ strcmp(name, "pljava.vmoptions") == 0)) ++ context = PGC_SUSET; ++ + gen = (struct config_generic *) guc_malloc(ERROR, sz); + memset(gen, 0, sz); + |
