[meta-oe,hardknott] postgresql: Update to 13.5

This is a security and bugfix release. With this update, the backported
patches for CVE-2021-2314 and CVE-2021-23222 are no longer needed. Full
release notes are available at:
https://www.postgresql.org/docs/release/13.5/

Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
---
 .../files/0001-Add-support-for-RISC-V.patch   |  10 +-
 ...n-bypass-autoconf-2.69-version-check.patch |   2 +-
 .../postgresql/files/CVE-2021-23214.patch     | 116 ----------------
 .../postgresql/files/CVE-2021-23222.patch     | 131 ------------------
 ...{postgresql_13.4.bb => postgresql_13.5.bb} |   4 +-
 5 files changed, 8 insertions(+), 255 deletions(-)
 delete mode 100644 meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch
 delete mode 100644 meta-oe/recipes-dbs/postgresql/files/CVE-2021-23222.patch
 rename meta-oe/recipes-dbs/postgresql/{postgresql_13.4.bb => postgresql_13.5.bb} (67%)

Robert,

On 1/15/22 1:33 PM, Robert Joslyn wrote:
> This is a security and bugfix release. With this update, the backported
> patches for CVE-2021-2314 and CVE-2021-23222 are no longer needed. Full
> release notes are available at:
> https://www.postgresql.org/docs/release/13.5/

If a patch to update master has not been sent, please do so as it
currently has the same version as hardknott.

thanks,
Armin
>
> Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
> ---
>  .../files/0001-Add-support-for-RISC-V.patch   |  10 +-
>  ...n-bypass-autoconf-2.69-version-check.patch |   2 +-
>  .../postgresql/files/CVE-2021-23214.patch     | 116 ----------------
>  .../postgresql/files/CVE-2021-23222.patch     | 131 ------------------
>  ...{postgresql_13.4.bb => postgresql_13.5.bb} |   4 +-
>  5 files changed, 8 insertions(+), 255 deletions(-)
>  delete mode 100644 meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch
>  delete mode 100644 meta-oe/recipes-dbs/postgresql/files/CVE-2021-23222.patch
>  rename meta-oe/recipes-dbs/postgresql/{postgresql_13.4.bb => postgresql_13.5.bb} (67%)
>
> diff --git a/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch b/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch
> index 0dc6ece6d..5c65e6185 100644
> --- a/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch
> +++ b/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch
> @@ -1,4 +1,4 @@
> -From b06a228a5fd1589fc9bed654b3288b321fc21aa1 Mon Sep 17 00:00:00 2001
> +From 0b60fe3c39b2f62f9867d955da82d9d20c42d028 Mon Sep 17 00:00:00 2001
>  From: "Richard W.M. Jones" <rjones@redhat.com>
>  Date: Sun, 20 Nov 2016 15:04:52 +0000
>  Subject: [PATCH] Add support for RISC-V.
> @@ -9,9 +9,11 @@ extending the existing aarch64 macro works.
>   src/include/storage/s_lock.h | 5 +++--
>   1 file changed, 3 insertions(+), 2 deletions(-)
>  
> +diff --git a/src/include/storage/s_lock.h b/src/include/storage/s_lock.h
> +index 6b368a5..f7d3387 100644
>  --- a/src/include/storage/s_lock.h
>  +++ b/src/include/storage/s_lock.h
> -@@ -316,11 +316,12 @@ tas(volatile slock_t *lock)
> +@@ -317,11 +317,12 @@ tas(volatile slock_t *lock)
>   
>   /*
>    * On ARM and ARM64, we use __sync_lock_test_and_set(int *, int) if available.
> @@ -25,7 +27,7 @@ extending the existing aarch64 macro works.
>   #ifdef HAVE_GCC__SYNC_INT32_TAS
>   #define HAS_TEST_AND_SET
>   
> -@@ -337,7 +338,7 @@ tas(volatile slock_t *lock)
> +@@ -338,7 +339,7 @@ tas(volatile slock_t *lock)
>   #define S_UNLOCK(lock) __sync_lock_release(lock)
>   
>   #endif	 /* HAVE_GCC__SYNC_INT32_TAS */
> @@ -33,4 +35,4 @@ extending the existing aarch64 macro works.
>  +#endif	 /* __arm__ || __arm || __aarch64__ || __aarch64 || __riscv */
>   
>   
> - /* S/390 and S/390x Linux (32- and 64-bit zSeries) */
> + /*
> diff --git a/meta-oe/recipes-dbs/postgresql/files/0001-configure.in-bypass-autoconf-2.69-version-check.patch b/meta-oe/recipes-dbs/postgresql/files/0001-configure.in-bypass-autoconf-2.69-version-check.patch
> index db9769f82..17ba04b66 100644
> --- a/meta-oe/recipes-dbs/postgresql/files/0001-configure.in-bypass-autoconf-2.69-version-check.patch
> +++ b/meta-oe/recipes-dbs/postgresql/files/0001-configure.in-bypass-autoconf-2.69-version-check.patch
> @@ -18,7 +18,7 @@ index fb14dcc..a2b4a4f 100644
>  +++ b/configure.in
>  @@ -19,10 +19,6 @@ m4_pattern_forbid(^PGAC_)dnl to catch undefined macros
>   
> - AC_INIT([PostgreSQL], [13.4], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/])
> + AC_INIT([PostgreSQL], [13.5], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/])
>   
>  -m4_if(m4_defn([m4_PACKAGE_VERSION]), [2.69], [], [m4_fatal([Autoconf version 2.69 is required.
>  -Untested combinations of 'autoconf' and PostgreSQL versions are not
> diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch
> deleted file mode 100644
> index 58bf81062..000000000
> --- a/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch
> +++ /dev/null
> @@ -1,116 +0,0 @@
> -From 24c2b9e42edb6d2f4ef2cead3b0aa1d6196adfce Mon Sep 17 00:00:00 2001
> -From: Tom Lane <tgl@sss.pgh.pa.us>
> -Date: Mon, 8 Nov 2021 11:01:43 -0500
> -Subject: [PATCH 2/2] Reject extraneous data after SSL or GSS encryption
> - handshake.
> -
> -The server collects up to a bufferload of data whenever it reads data
> -from the client socket.  When SSL or GSS encryption is requested
> -during startup, any additional data received with the initial
> -request message remained in the buffer, and would be treated as
> -already-decrypted data once the encryption handshake completed.
> -Thus, a man-in-the-middle with the ability to inject data into the 
> -TCP connection could stuff some cleartext data into the start of
> -a supposedly encryption-protected database session.
> -
> -This could be abused to send faked SQL commands to the server,
> -although that would only work if the server did not demand any 
> -authentication data.  (However, a server relying on SSL certificate
> -authentication might well not do so.)
> -
> -To fix, throw a protocol-violation error if the internal buffer
> -is not empty after the encryption handshake.
> -
> -Our thanks to Jacob Champion for reporting this problem.
> -
> -Security: CVE-2021-23214
> -
> -Upstream-Status: Backport[https://github.com/postgres/postgres/commit/28e24125541545483093819efae9bca603441951]
> -CVE: CVE-2021-23214
> -
> -Signed-off-by: Changqing Li <changqing.li@windriver.com>
> -
> ----
> - src/backend/libpq/pqcomm.c          | 11 +++++++++++
> - src/backend/postmaster/postmaster.c | 23 ++++++++++++++++++++++-
> - src/include/libpq/libpq.h           |  1 +
> - 3 files changed, 34 insertions(+), 1 deletion(-)
> -
> -diff --git a/src/backend/libpq/pqcomm.c b/src/backend/libpq/pqcomm.c
> -index ee2cd86..4dd1c02 100644
> ---- a/src/backend/libpq/pqcomm.c
> -+++ b/src/backend/libpq/pqcomm.c
> -@@ -1183,6 +1183,17 @@ pq_getstring(StringInfo s)
> - 	}
> - }
> - 
> -+/* -------------------------------
> -+ *             pq_buffer_has_data              - is any buffered data available to read?
> -+ *
> -+ * This will *not* attempt to read more data.
> -+ * --------------------------------
> -+ */
> -+bool
> -+pq_buffer_has_data(void)
> -+{
> -+	return (PqRecvPointer < PqRecvLength);
> -+}
> - 
> - /* --------------------------------
> -  *		pq_startmsgread - begin reading a message from the client.
> -diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c
> -index 5775fc0..1fcc3f8 100644
> ---- a/src/backend/postmaster/postmaster.c
> -+++ b/src/backend/postmaster/postmaster.c
> -@@ -2049,6 +2049,17 @@ retry1:
> - 			return STATUS_ERROR;
> - #endif
> - 
> -+		/*
> -+		* At this point we should have no data already buffered.  If we do,
> -+		* it was received before we performed the SSL handshake, so it wasn't
> -+		* encrypted and indeed may have been injected by a man-in-the-middle.
> -+		* We report this case to the client.
> -+		*/
> -+		if (pq_buffer_has_data())
> -+			ereport(FATAL,
> -+				(errcode(ERRCODE_PROTOCOL_VIOLATION),
> -+				errmsg("received unencrypted data after SSL request"),
> -+				errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack.")));
> - 		/*
> - 		 * regular startup packet, cancel, etc packet should follow, but not
> - 		 * another SSL negotiation request, and a GSS request should only
> -@@ -2080,7 +2091,17 @@ retry1:
> - 		if (GSSok == 'G' && secure_open_gssapi(port) == -1)
> - 			return STATUS_ERROR;
> - #endif
> --
> -+		/*
> -+		* At this point we should have no data already buffered.  If we do,
> -+		* it was received before we performed the GSS handshake, so it wasn't
> -+		* encrypted and indeed may have been injected by a man-in-the-middle.
> -+		* We report this case to the client.
> -+		*/
> -+		if (pq_buffer_has_data())
> -+			ereport(FATAL,
> -+				(errcode(ERRCODE_PROTOCOL_VIOLATION),
> -+				errmsg("received unencrypted data after GSSAPI encryption request"),
> -+				errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack.")));
> - 		/*
> - 		 * regular startup packet, cancel, etc packet should follow, but not
> - 		 * another GSS negotiation request, and an SSL request should only
> -diff --git a/src/include/libpq/libpq.h b/src/include/libpq/libpq.h
> -index b115247..9969692 100644
> ---- a/src/include/libpq/libpq.h
> -+++ b/src/include/libpq/libpq.h
> -@@ -73,6 +73,7 @@ extern int	pq_getbyte(void);
> - extern int	pq_peekbyte(void);
> - extern int	pq_getbyte_if_available(unsigned char *c);
> - extern int	pq_putbytes(const char *s, size_t len);
> -+extern bool pq_buffer_has_data(void);
> - 
> - /*
> -  * prototypes for functions in be-secure.c
> --- 
> -2.17.1
> -
> diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23222.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23222.patch
> deleted file mode 100644
> index 42b78539b..000000000
> --- a/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23222.patch
> +++ /dev/null
> @@ -1,131 +0,0 @@
> -From 79125ead2a6a234086844bb42f06d49603fe6ca0 Mon Sep 17 00:00:00 2001
> -From: Tom Lane <tgl@sss.pgh.pa.us>
> -Date: Mon, 8 Nov 2021 11:14:56 -0500
> -Subject: [PATCH 1/2] libpq: reject extraneous data after SSL or GSS encryption
> - handshake.
> -
> -libpq collects up to a bufferload of data whenever it reads data from
> -the socket.  When SSL or GSS encryption is requested during startup,
> -any additional data received with the server's yes-or-no reply
> -remained in the buffer, and would be treated as already-decrypted data
> -once the encryption handshake completed.  Thus, a man-in-the-middle
> -with the ability to inject data into the TCP connection could stuff
> -some cleartext data into the start of a supposedly encryption-protected
> -database session.
> -
> -This could probably be abused to inject faked responses to the
> -client's first few queries, although other details of libpq's behavior
> -make that harder than it sounds.  A different line of attack is to
> -exfiltrate the client's password, or other sensitive data that might
> -be sent early in the session.  That has been shown to be possible with
> -a server vulnerable to CVE-2021-23214.
> -
> -To fix, throw a protocol-violation error if the internal buffer
> -is not empty after the encryption handshake.
> -
> -Our thanks to Jacob Champion for reporting this problem.
> -
> -Security: CVE-2021-23222
> -
> -Upstream-Status: Backport[https://github.com/postgres/postgres/commit/160c0258802d10b0600d7671b1bbea55d8e17d45]
> -CVE: CVE-2021-23222
> -
> -Signed-off-by: Changqing Li <changqing.li@windriver.com>
> ----
> - doc/src/sgml/protocol.sgml        | 28 ++++++++++++++++++++++++++++
> - src/interfaces/libpq/fe-connect.c | 26 ++++++++++++++++++++++++++
> - 2 files changed, 54 insertions(+)
> -
> -diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
> -index e26619e1b5..b692648fca 100644
> ---- a/doc/src/sgml/protocol.sgml
> -+++ b/doc/src/sgml/protocol.sgml
> -@@ -1471,6 +1471,20 @@ SELCT 1/0;<!-- this typo is intentional -->
> -     and proceed without requesting <acronym>SSL</acronym>.
> -    </para>
> - 
> -+   <para>
> -+    When <acronym>SSL</acronym> encryption can be performed, the server
> -+    is expected to send only the single <literal>S</literal> byte and then
> -+    wait for the frontend to initiate an <acronym>SSL</acronym> handshake.
> -+    If additional bytes are available to read at this point, it likely
> -+    means that a man-in-the-middle is attempting to perform a
> -+    buffer-stuffing attack
> -+    (<ulink url="https://www.postgresql.org/support/security/CVE-2021-23222/">CVE-2021-23222</ulink>).
> -+    Frontends should be coded either to read exactly one byte from the
> -+    socket before turning the socket over to their SSL library, or to
> -+    treat it as a protocol violation if they find they have read additional
> -+    bytes.
> -+   </para>
> -+
> -    <para>
> -     An initial SSLRequest can also be used in a connection that is being
> -     opened to send a CancelRequest message.
> -@@ -1532,6 +1546,20 @@ SELCT 1/0;<!-- this typo is intentional -->
> -     encryption.
> -    </para>
> - 
> -+   <para>
> -+    When <acronym>GSSAPI</acronym> encryption can be performed, the server
> -+    is expected to send only the single <literal>G</literal> byte and then
> -+    wait for the frontend to initiate a <acronym>GSSAPI</acronym> handshake.
> -+    If additional bytes are available to read at this point, it likely
> -+    means that a man-in-the-middle is attempting to perform a
> -+    buffer-stuffing attack
> -+    (<ulink url="https://www.postgresql.org/support/security/CVE-2021-23222/">CVE-2021-23222</ulink>).
> -+    Frontends should be coded either to read exactly one byte from the
> -+    socket before turning the socket over to their GSSAPI library, or to
> -+    treat it as a protocol violation if they find they have read additional
> -+    bytes.
> -+   </para>
> -+
> -    <para>
> -     An initial GSSENCRequest can also be used in a connection that is being
> -     opened to send a CancelRequest message.
> -diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
> -index f80f4e98d8..57aee95183 100644
> ---- a/src/interfaces/libpq/fe-connect.c
> -+++ b/src/interfaces/libpq/fe-connect.c
> -@@ -3076,6 +3076,19 @@ keep_going:						/* We will come back to here until there is
> - 				pollres = pqsecure_open_client(conn);
> - 				if (pollres == PGRES_POLLING_OK)
> - 				{
> -+					/*
> -+					 * At this point we should have no data already buffered.
> -+					 * If we do, it was received before we performed the SSL
> -+					 * handshake, so it wasn't encrypted and indeed may have
> -+					 * been injected by a man-in-the-middle.
> -+					 */
> -+					if (conn->inCursor != conn->inEnd)
> -+					{
> -+						appendPQExpBufferStr(&conn->errorMessage,
> -+											 libpq_gettext("received unencrypted data after SSL response\n"));
> -+						goto error_return;
> -+					}
> -+
> - 					/* SSL handshake done, ready to send startup packet */
> - 					conn->status = CONNECTION_MADE;
> - 					return PGRES_POLLING_WRITING;
> -@@ -3175,6 +3188,19 @@ keep_going:						/* We will come back to here until there is
> - 				pollres = pqsecure_open_gss(conn);
> - 				if (pollres == PGRES_POLLING_OK)
> - 				{
> -+					/*
> -+					 * At this point we should have no data already buffered.
> -+					 * If we do, it was received before we performed the GSS
> -+					 * handshake, so it wasn't encrypted and indeed may have
> -+					 * been injected by a man-in-the-middle.
> -+					 */
> -+					if (conn->inCursor != conn->inEnd)
> -+					{
> -+						appendPQExpBufferStr(&conn->errorMessage,
> -+											 libpq_gettext("received unencrypted data after GSSAPI encryption response\n"));
> -+						goto error_return;
> -+					}
> -+
> - 					/* All set for startup packet */
> - 					conn->status = CONNECTION_MADE;
> - 					return PGRES_POLLING_WRITING;
> --- 
> -2.17.1
> -
> diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_13.4.bb b/meta-oe/recipes-dbs/postgresql/postgresql_13.5.bb
> similarity index 67%
> rename from meta-oe/recipes-dbs/postgresql/postgresql_13.4.bb
> rename to meta-oe/recipes-dbs/postgresql/postgresql_13.5.bb
> index 2ed0fa49b..81193e30e 100644
> --- a/meta-oe/recipes-dbs/postgresql/postgresql_13.4.bb
> +++ b/meta-oe/recipes-dbs/postgresql/postgresql_13.5.bb
> @@ -7,8 +7,6 @@ SRC_URI += "\
>     file://0001-Add-support-for-RISC-V.patch \
>     file://0001-Improve-reproducibility.patch \
>     file://0001-configure.in-bypass-autoconf-2.69-version-check.patch \
> -   file://CVE-2021-23214.patch \
> -   file://CVE-2021-23222.patch \
>  "
>  
> -SRC_URI[sha256sum] = "ea93e10390245f1ce461a54eb5f99a48d8cabd3a08ce4d652ec2169a357bc0cd"
> +SRC_URI[sha256sum] = "9b81067a55edbaabc418aacef457dd8477642827499560b00615a6ea6c13f6b3"
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#94874): https://lists.openembedded.org/g/openembedded-devel/message/94874
> Mute This Topic: https://lists.openembedded.org/mt/88452186/3616698
> Group Owner: openembedded-devel+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [akuster808@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

> On Jan 16, 2022, at 10:16 AM, Armin Kuster <akuster808@gmail.com> wrote:
> 
> Robert,
> 
> On 1/15/22 1:33 PM, Robert Joslyn wrote:
>> This is a security and bugfix release. With this update, the backported
>> patches for CVE-2021-2314 and CVE-2021-23222 are no longer needed. Full
>> release notes are available at:
>> https://www.postgresql.org/docs/release/13.5/
> 
> If a patch to update master has not been sent, please do so as it
> currently has the same version as hardknott.

I did send a patch for master to update to 14.1. Figured it wasn’t worth bumping master to 13.5 when a newer major version was available.

Thanks,
Robert