Merge pull request from GHSA-562r-vg33-8x8h
* Fix: createTempFile vulnerability on unix like systems where temporary files can be read by other users on the system

* Update site with change logs and new version information
davecramer committed Nov 23, 2022
1 parent 135be5a commit 9008dc9
Showing 7 changed files with 111 additions and 25 deletions.
16 changes: 15 additions & 1 deletion CHANGELOG.md
Expand Up @@ -10,6 +10,19 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).

### Fixed

[42.5.1] (2022-11-21 15:21:59 -0500)
### Security
- security: StreamWrapper spills to disk if setText, or setBytea sends very large Strings or arrays to the server. createTempFile creates a file which can be read by other users on unix like systems (Not macos).
This has been fixed in this version fixes CVE-2022-41946 see the [security advisory](https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-562r-vg33-8x8h) for more details. Reported by [Jonathan Leitschuh](https://github.com/JLLeitschuh) This has been fixed in versions 42.5.1, 42.4.3 42.3.8, 42.2.27.jre7. Note there is no fix for 42.2.26.jre6. See the security advisory for work arounds.

### Fixed

- fix: make sure we select array_in from pg_catalog to avoid duplicate array_in functions fixes [#Issue 2548](https://github.com/pgjdbc/pgjdbc/issues/2548) [PR #2552](https://github.com/pgjdbc/pgjdbc/issues/2552)
- fix: binary decoding of bool values [PR #2640](https://github.com/pgjdbc/pgjdbc/pull/2640)
- perf: improve performance of PgResultSet getByte/getShort/getInt/getLong for float-typed columns [PR #2634](https://github.com/pgjdbc/pgjdbc/pull/2634)
- chore: fix various spelling errors [PR #2592](https://github.com/pgjdbc/pgjdbc/pull/2592)
- chore: Feature/urlparser improve URLParser [PR #2641](https://github.com/pgjdbc/pgjdbc/pull/2592)

## [42.5.0] (2022-08-23 11:20:11 -0400)
### Changed
- fix: revert change in [PR #1986](https://github.com/pgjdbc/pgjdbc/pull/1986) where float was aliased to float4 from float8.
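Review bot: the new release heading `[42.5.1] (2022-11-21 15:21:59 -0500)` is missing the `## ` prefix that `## [42.5.0]` uses, so it will not render as a version section, and it is preceded by a leftover empty `### Fixed` heading from the Unreleased block that should be dropped or moved. The security paragraph also needs a grammar pass: `This has been fixed in this version fixes CVE-2022-41946 see the ...` is two sentences run together, the version list `42.4.3 42.3.8` is missing a comma, and two links are wrong: the URLParser entry labelled `PR #2641` points at `pull/2592` (the spelling-fix PR) and `PR #2552` points at `issues/2552` rather than `pull/2552`.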
Expand Down Expand Up @@ -743,4 +756,5 @@ thrown to caller to be dealt with so no need to log at this verbosity by pgjdbc
[42.4.1]: https://github.com/pgjdbc/pgjdbc/compare/REL42.4.0...REL42.4.1
[42.4.2]: https://github.com/pgjdbc/pgjdbc/compare/REL42.4.1...REL42.4.2
[42.5.0]: https://github.com/pgjdbc/pgjdbc/compare/REL42.4.2...REL42.5.0
[Unreleased]: https://github.com/pgjdbc/pgjdbc/compare/REL42.5.0...HEAD
[42.5.0]: https://github.com/pgjdbc/pgjdbc/compare/REL42.5.0...REL42.5.1
[Unreleased]: https://github.com/pgjdbc/pgjdbc/compare/REL42.5.1...HEAD
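Review bot: the new link reference `[42.5.0]: https://github.com/pgjdbc/pgjdbc/compare/REL42.5.0...REL42.5.1` is mislabelled: its compare range is the 42.5.1 release, so it duplicates the existing `[42.5.0]` definition two lines above and leaves the new `[42.5.1]` heading with no link target. Rename it to `[42.5.1]:`.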
7 changes: 6 additions & 1 deletion contributors.json
Expand Up @@ -198,5 +198,10 @@
"Olivier Bourgain" : "olivierbourgain02@gmail.com",
"Andrei Lurie" : "alurie@users.noreply.github.com",
"Sven Diedrichsen" : "sven.diedrichsen@gmail.com",
"Sasa Vilic" : "sasavilic@gmail.com"
"Sasa Vilic" : "sasavilic@gmail.com",
"Evgeniy Devyatykh" : "devyatyh@gmail.com",
"Josh Soref" : "2119212+jsoref@users.noreply.github.com",
"Kevin222004" : "kevinpatel222004@gmail.com",
"Knut Olav Løite" : "koloite@gmail.com",
"μtkarsh" : "61664827+utkar-sh-ukla@users.noreply.github.com"
}
64 changes: 64 additions & 0 deletions docs/content/changelogs/2022-11-21-42.5.1-release.md
@@ -0,0 +1,64 @@
---
title: PostgreSQL JDBC Driver 42.5.1 Released
date: 2022-11-21 15:21:47 -0500
categories:
- new_release
version: 42.5.1
---
**Notable changes**

### Security
- security: StreamWrapper spills to disk if setText, or setBytea sends very large Strings or arrays to the server. createTempFile creates a file which can be read by other users on unix like systems (Not macos).\
This has been fixed in this version fixes CVE-2022-41946 see the [security advisory](https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-562r-vg33-8x8h) for more details.\
Reported by [Jonathan Leitschuh](https://github.com/JLLeitschuh)\
This has been fixed in versions 42.5.1, 42.4.3 42.3.8, 42.2.27.jre7.\
**Note** there is no fix for 42.2.26.jre6. See the security advisory for work arounds.

### Fixed

- fix: make sure we select array_in from pg_catalog to avoid duplicate array_in functions fixes [#Issue 2548](https://github.com/pgjdbc/pgjdbc/issues/2548) [PR #2552](https://github.com/pgjdbc/pgjdbc/issues/2552)
- fix: binary decoding of bool values [PR #2640](https://github.com/pgjdbc/pgjdbc/pull/2640)
- perf: improve performance of PgResultSet getByte/getShort/getInt/getLong for float-typed columns [PR #2634](https://github.com/pgjdbc/pgjdbc/pull/2634)
- chore: fix various spelling errors [PR #2592](https://github.com/pgjdbc/pgjdbc/pull/2592)
- chore: Feature/urlparser improve URLParser [PR #2641](https://github.com/pgjdbc/pgjdbc/pull/2592)


<!--more-->

**Commits by author**

Dave Cramer (13):
Update README.md [PR 2609](https://github.com/pgjdbc/pgjdbc/pull/2609)\
Ignore simplequery for postgresql 8.4 [PR 2614](https://github.com/pgjdbc/pgjdbc/pull/2614)\
Single commit to move newdocs into master [PR 2618](https://github.com/pgjdbc/pgjdbc/pull/2618)\
update versions [PR 2619](https://github.com/pgjdbc/pgjdbc/pull/2619)\
fix grammar, fix downloads, minor edits [PR 2626](https://github.com/pgjdbc/pgjdbc/pull/2626)\
fix: make sure we select array_in from pg_catalog to avoid duplicate array_in functions fixes #Issue 2548 [PR 2552](https://github.com/pgjdbc/pgjdbc/pull/2552)\
clarify prepared statement usage [PR 2629](https://github.com/pgjdbc/pgjdbc/pull/2629)\
fix maven coordinates [PR 2631](https://github.com/pgjdbc/pgjdbc/pull/2631)\
remove javadoc links for java 17 and above [PR 2637](https://github.com/pgjdbc/pgjdbc/pull/2637)\
revert change to PGProperty.get() to keep the API the same [PR 2644](https://github.com/pgjdbc/pgjdbc/pull/2644)\
exclude ArrayTest versions less than 9.1 [PR 2645](https://github.com/pgjdbc/pgjdbc/pull/2645)\

Evgeniy Devyatykh (1):
perf: improve performance of PgResultSet getByte/getShort/getInt/getLong for float-typed columns [PR 2634](https://github.com/pgjdbc/pgjdbc/pull/2634)

Josh Soref (1):
chore: fix various spelling errors [PR 2592](https://github.com/pgjdbc/pgjdbc/pull/2592)

Kevin222004 (1):

Knut Olav Løite (1):
fix: binary decoding of bool values [PR 2640](https://github.com/pgjdbc/pgjdbc/pull/2640)

Marek Läll (1):
Feature/urlparser improve3 pr1 [PR 2641](https://github.com/pgjdbc/pgjdbc/pull/2641)

Vladimir Sitnikov (4):
docs: clarify we ship security fixes by default for the latest 42.x and 42.2 only [PR 2586](https://github.com/pgjdbc/pgjdbc/pull/2586)

μtkarsh (1):
Optimize png files [PR 2621](https://github.com/pgjdbc/pgjdbc/pull/2621)



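Review bot: the per-author commit list does not match its own counts: `Dave Cramer (13):` lists 11 commits, `Vladimir Sitnikov (4):` lists one and `Kevin222004 (1):` lists none; either fix the counts or add the missing entries. The same copy-paste problems as in CHANGELOG.md are carried over: the `PR #2641` link points at `pull/2592`, the `PR #2552` link points at `issues/2552`, and the sentence `This has been fixed in this version fixes CVE-2022-41946 see the ...` needs splitting into two. Minor: `Feature/urlparser improve3 pr1` is the branch name rather than a description of the change.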
7 changes: 6 additions & 1 deletion docs/data/homepagedata.toml
Expand Up @@ -14,6 +14,11 @@ path = "/icons/driver-icon.svg"

# Releases Info

[[info]]
date = "21 October 2022"
url = "/changelogs/2022-11-21-42.5.1-release/"
version = "42.5.1"

[[info]]
date = "24 August 2022"
url = "/changelogs/2022-08-24-42.5.0-release/"
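Review bot: the new entry has `date = "21 October 2022"` but its `url` is `/changelogs/2022-11-21-42.5.1-release/` and the release note front matter says `date: 2022-11-21`; the month should be November. This file drives the home page release list, so the wrong date is user-visible.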
Expand All @@ -30,6 +35,6 @@ url = "/changelogs/2022-08-03-42.4.1-release/"
version = "42.4.1"

[[info]]
date = "09 JUne 2022"
date = "09 June 2022"
url = "/changelogs/2022-06-09-42.4.0-release/"
version = "42.4.0"
35 changes: 15 additions & 20 deletions docs/data/versions.toml
Expand Up @@ -2,47 +2,42 @@

[[recent]]
j_name= "Java 8"
version= "42.5.0"
version= "42.5.1"
suffix=""
description= "If you are using Java 8 or newer then you should use the JDBC 4.2 version."
url= "/download/postgresql-42.5.0.jar"
url= "/download/postgresql-42.5.1.jar"

[[recent]]
j_name= "Java 7"
version= "42.2.26"
version= "42.2.27"
suffix="jre7"
description= "If you are using Java 7 then you should use the JDBC 4.1 version."
url= "/download/postgresql-42.2.26.jre7.jar"
url= "/download/postgresql-42.2.27.jre7.jar"

[[recent]]
j_name= "Java 6"
version= "42.2.26"
version= "42.2.27"
suffix="jre6"
description= "If you are using Java 6 then you should use the JDBC 4.0 version."
url= "/download/postgresql-42.2.26.jre6.jar"
url= "/download/postgresql-42.2.27.jre6.jar"

# Past Versions

[[past]]
v_name= "Postgresql JDBC 42.4.0"
version= "42.4.0"
v_name= "Postgresql JDBC 42.5.0"
version= "42.5.0"
suffix=""
url= "/download/postgresql-42.4.0.jar"
url= "/download/postgresql-42.5.0.jar"

[[past]]
v_name= "Postgresql JDBC 42.3.6"
version= "42.3.6"
v_name= "Postgresql JDBC 42.4.2"
version= "42.4.2"
suffix=""
url= "/download/postgresql-42.3.6.jar"
url= "/download/postgresql-42.4.2.jar"

[[past]]
v_name= "Postgresql JDBC 42.3.5"
version= "42.3.5"
v_name= "Postgresql JDBC 42.3.7"
version= "42.3.7"
suffix=""
url= "/download/postgresql-42.3.5.jar"
url= "/download/postgresql-42.3.7.jar"

[[past]]
v_name= "Postgresql JDBC 42.3.4"
version= "42.3.4"
suffix=""
url= "/download/postgresql-42.3.4.jar"
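Review bot: the Java 6 entry is bumped to `version= "42.2.27"` with `url= "/download/postgresql-42.2.27.jre6.jar"`, but the changelog in this same commit states there is no fix for 42.2.26.jre6 and lists only 42.2.27.jre7 among the fixed versions; unless a 42.2.27.jre6 artifact is actually published this is a dead download link and, worse, implies Java 6 users are covered by the CVE-2022-41946 fix. Either keep the Java 6 entry at 42.2.26 or confirm the artifact exists. Separately, the past-versions list now replaces 42.3.6 and 42.3.5 with 42.4.2 and 42.3.7 while keeping 42.3.4, which looks like an accidental reshuffle rather than an intentional pruning.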
4 changes: 3 additions & 1 deletion docs/layouts/partials/home/info.html
Expand Up @@ -15,7 +15,9 @@ <h2>
Latest Releases
</h2>
<p>
pgJDBC has released v42.5.0 on 24 August, 2022. Please see the release notes below.
pgJDBC has released v42.5.1 on 21 October, 2022. This is a security release which fixes CVE-2022-41946
see <a href="https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-562r-vg33-8x8h" >Security Advisory</a>
for details
</p>
<ul role="list">
{{ range $.Site.Data.homepagedata.info }}
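Review bot: same date problem as docs/data/homepagedata.toml: `v42.5.1 on 21 October, 2022` should read 21 November, 2022 to match the 2022-11-21 release note. The added sentence also runs on without punctuation (`... fixes CVE-2022-41946 see <a ...>Security Advisory</a> for details`); put a full stop after the CVE id, capitalise `See`, and end the sentence with a period. The stray space in `<a href="..." >` is harmless but inconsistent with the rest of the template.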
3 changes: 2 additions & 1 deletion pgjdbc/src/main/java/org/postgresql/util/StreamWrapper.java
Expand Up @@ -17,6 +17,7 @@
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;

/**
* Wrapper around a length-limited InputStream.
Expand Down Expand Up @@ -51,7 +52,7 @@ public StreamWrapper(InputStream stream) throws PSQLException {

if (memoryLength == -1) {
final int diskLength;
final File tempFile = File.createTempFile(TEMP_FILE_PREFIX, null);
final File tempFile = Files.createTempFile(TEMP_FILE_PREFIX, null).toFile();
FileOutputStream diskOutputStream = new FileOutputStream(tempFile);
diskOutputStream.write(rawData);
try {
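Review bot: the replacement is the right fix: `Files.createTempFile` with no explicit attributes creates the file with owner-only permissions (`rw-------`) on POSIX file systems, whereas `File.createTempFile` created it with the process default mode, which is the readable-by-other-users window the commit message describes. Two caveats are worth a code comment here: the owner-only permissions are applied only when `java.io.tmpdir` is on a file system that supports POSIX permissions, so a tmpdir on a non-POSIX mount behaves as before; and the hunk leaves the pre-existing handling around `new FileOutputStream(tempFile)` untouched, which is opened and written (`diskOutputStream.write(rawData)`) before the `try` block, so an exception from that first write leaks the stream and leaves the temp file behind. Consider moving the open and first write inside the `try` as well. Both methods throw `IOException` on failure, so the enclosing signature is unchanged.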