| Message ID | 1444330752-31507-1-git-send-email-gustavo@zacarias.com.ar |
|---|---|
| State | Accepted |
| Headers | show |
Dear Gustavo Zacarias, On 10/08/2015 07:59 PM, Gustavo Zacarias wrote: > Fixes: > > CVE-2015-5289: json or jsonb input values constructed from arbitrary > user input can crash the PostgreSQL server and cause a denial of > service. > > CVE-2015-5288: The crypt() function included with the optional pgCrypto > extension could be exploited to read a few additional bytes of memory. > No working exploit for this issue has been developed. > > sparc build fix patch upstream so drop it. > > Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> $ grep ^POSTGRESQL_VERSION package/postgresql/postgresql.mk POSTGRESQL_VERSION = 9.4.5 $ file output/target/usr/bin/postgres output/target/usr/bin/postgres: ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, with unknown capability 0x41000000 = 0xf676e75, with unknown capability 0x10000 = 0x70401, stripped Regards, Vincent.
Reviewed-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Tested-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Dear Gustavo Zacarias, On Thu, 8 Oct 2015 15:59:12 -0300, Gustavo Zacarias wrote: > Fixes: > > CVE-2015-5289: json or jsonb input values constructed from arbitrary > user input can crash the PostgreSQL server and cause a denial of > service. > > CVE-2015-5288: The crypt() function included with the optional pgCrypto > extension could be exploited to read a few additional bytes of memory. > No working exploit for this issue has been developed. > > sparc build fix patch upstream so drop it. > > Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> > --- > package/postgresql/0002-fix-sparc-compile.patch | 38 ------------------------- > package/postgresql/postgresql.hash | 4 +-- > package/postgresql/postgresql.mk | 2 +- > 3 files changed, 3 insertions(+), 41 deletions(-) > delete mode 100644 package/postgresql/0002-fix-sparc-compile.patch Applied, thanks. Thomas
diff --git a/package/postgresql/0002-fix-sparc-compile.patch b/package/postgresql/0002-fix-sparc-compile.patch deleted file mode 100644 index 9eec23a..0000000 --- a/package/postgresql/0002-fix-sparc-compile.patch +++ /dev/null @@ -1,38 +0,0 @@ -The gcc predefines for Linux are __sparc_v8__/__sparc_v7__ - -Signed-off-by: Waldemar Brodkorb <wbx@openadk.org> - -diff -Nur postgresql-9.4.4.orig/src/include/storage/s_lock.h postgresql-9.4.4/src/include/storage/s_lock.h ---- postgresql-9.4.4.orig/src/include/storage/s_lock.h 2015-06-09 21:29:38.000000000 +0200 -+++ postgresql-9.4.4/src/include/storage/s_lock.h 2015-08-09 19:57:06.000000000 +0200 -@@ -420,12 +420,12 @@ - : "=r"(_res), "+m"(*lock) - : "r"(lock) - : "memory"); --#if defined(__sparcv7) -+#if defined(__sparcv7) || defined(__sparc_v7__) - /* - * No stbar or membar available, luckily no actually produced hardware - * requires a barrier. - */ --#elif defined(__sparcv8) -+#elif defined(__sparcv8) || defined(__sparc_v8__) - /* stbar is available (and required for both PSO, RMO), membar isn't */ - __asm__ __volatile__ ("stbar \n":::"memory"); - #else -@@ -438,13 +438,13 @@ - return (int) _res; - } - --#if defined(__sparcv7) -+#if defined(__sparcv7) || defined(__sparc_v7__) - /* - * No stbar or membar available, luckily no actually produced hardware - * requires a barrier. - */ - #define S_UNLOCK(lock) (*((volatile slock_t *) (lock)) = 0) --#elif defined(__sparcv8) -+#elif defined(__sparcv8) || defined(__sparc_v8__) - /* stbar is available (and required for both PSO, RMO), membar isn't */ - #define S_UNLOCK(lock) \ - do \ diff --git a/package/postgresql/postgresql.hash b/package/postgresql/postgresql.hash index 5f415af..97bb56d 100644 --- a/package/postgresql/postgresql.hash +++ b/package/postgresql/postgresql.hash @@ -1,2 +1,2 @@ -# From https://ftp.postgresql.org/pub/source/v9.4.4/postgresql-9.4.4.tar.bz2.sha256 -sha256 538ed99688d6fdbec6fd166d1779cf4588bf2f16c52304e5ef29f904c43b0013 postgresql-9.4.4.tar.bz2 +# From https://ftp.postgresql.org/pub/source/v9.4.5/postgresql-9.4.5.tar.bz2.sha256 +sha256 b87c50c66b6ea42a9712b5f6284794fabad0616e6ae420cf0f10523be6d94a39 postgresql-9.4.5.tar.bz2 diff --git a/package/postgresql/postgresql.mk b/package/postgresql/postgresql.mk index e710e92..a42fe73 100644 --- a/package/postgresql/postgresql.mk +++ b/package/postgresql/postgresql.mk @@ -4,7 +4,7 @@ # ################################################################################ -POSTGRESQL_VERSION = 9.4.4 +POSTGRESQL_VERSION = 9.4.5 POSTGRESQL_SOURCE = postgresql-$(POSTGRESQL_VERSION).tar.bz2 POSTGRESQL_SITE = http://ftp.postgresql.org/pub/source/v$(POSTGRESQL_VERSION) POSTGRESQL_LICENSE = PostgreSQL
Fixes: CVE-2015-5289: json or jsonb input values constructed from arbitrary user input can crash the PostgreSQL server and cause a denial of service. CVE-2015-5288: The crypt() function included with the optional pgCrypto extension could be exploited to read a few additional bytes of memory. No working exploit for this issue has been developed. sparc build fix patch upstream so drop it. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> --- package/postgresql/0002-fix-sparc-compile.patch | 38 ------------------------- package/postgresql/postgresql.hash | 4 +-- package/postgresql/postgresql.mk | 2 +- 3 files changed, 3 insertions(+), 41 deletions(-) delete mode 100644 package/postgresql/0002-fix-sparc-compile.patch