- Upgrade to 16.8:

* Improve behavior of libpq's quoting functions: The changes made for CVE-2025-1094 had one serious oversight: PQescapeLiteral() and PQescapeIdentifier() failed to honor their string length parameter, instead always reading to the input string's trailing null. This resulted in including unwanted text in the output, if the caller intended to truncate the string via the length parameter. With very bad luck it could cause a crash due to reading off the end of memory. In addition, modify all these quoting functions so that when invalid encoding is detected, an invalid sequence is substituted for just the first byte of the presumed character, not all of it. This reduces the risk of problems if a calling application performs additional processing on the quoted string. * Fix small memory leak in pg_createsubscriber. * https://www.postgresql.org/docs/release/16.8/ * https://www.postgresql.org/about/news/p-3018/ OBS-URL: https://build.opensuse.org/package/show/server:database:postgresql/postgresql16?expand=0&rev=50
2025-02-20 16:55:21 +00:00 · 2025-02-20 16:55:21 +00:00 · f2d9242304
commit f2d9242304
parent 7afb2974d9
6 changed files with 28 additions and 5 deletions
--- a/postgresql-16.7.tar.bz2
+++ b/postgresql-16.7.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:62e02f77ebfc4a37f1700c20cc3ccd85ff797b5613766ebf949a7899bb2113fe
-size 24905167
--- a/postgresql-16.7.tar.bz2.sha256
+++ b/postgresql-16.7.tar.bz2.sha256
@ -1 +0,0 @@
-62e02f77ebfc4a37f1700c20cc3ccd85ff797b5613766ebf949a7899bb2113fe  postgresql-16.7.tar.bz2
--- a/postgresql-16.8.tar.bz2
+++ b/postgresql-16.8.tar.bz2
--- a/postgresql-16.8.tar.bz2.sha256
+++ b/postgresql-16.8.tar.bz2.sha256
@ -0,0 +1 @@
+9468083a56ce0ee7d294601b74dad3dd9fc69d87aff61f0a9fb63c813ff7efd8  postgresql-16.8.tar.bz2
--- a/postgresql16.changes
+++ b/postgresql16.changes
@ -1,3 +1,26 @@
+-------------------------------------------------------------------
+Tue Feb 18 11:36:44 UTC 2025 - Reinhard Max <max@suse.com>
+
+- Upgrade to 16.8:
+  * Improve behavior of libpq's quoting functions:
+    The changes made for CVE-2025-1094 had one serious oversight:
+    PQescapeLiteral() and PQescapeIdentifier() failed to honor
+    their string length parameter, instead always reading to the
+    input string's trailing null. This resulted in including
+    unwanted text in the output, if the caller intended to
+    truncate the string via the length parameter. With very bad
+    luck it could cause a crash due to reading off the end of
+    memory.
+    In addition, modify all these quoting functions so that when
+    invalid encoding is detected, an invalid sequence is
+    substituted for just the first byte of the presumed
+    character, not all of it. This reduces the risk of problems
+    if a calling application performs additional processing on
+    the quoted string.
+  * Fix small memory leak in pg_createsubscriber.
+  * https://www.postgresql.org/docs/release/16.8/
+  * https://www.postgresql.org/about/news/p-3018/
+
 -------------------------------------------------------------------
 Tue Feb 11 14:27:58 UTC 2025 - Reinhard Max <max@suse.com>

--- a/postgresql16.spec
+++ b/postgresql16.spec
@ -16,7 +16,7 @@
 #


-%define pgversion 16.7
+%define pgversion 16.8
 %define pgmajor 16
 %define buildlibs 0
 %define tarversion %{pgversion}
				`@ -1 +0,0 @@`
				`62e02f77ebfc4a37f1700c20cc3ccd85ff797b5613766ebf949a7899bb2113fe postgresql-16.7.tar.bz2`
				`@ -0,0 +1 @@`
				`9468083a56ce0ee7d294601b74dad3dd9fc69d87aff61f0a9fb63c813ff7efd8 postgresql-16.8.tar.bz2`