From f2d924230450ec9c5b27662bfadc225743fc9efcf92626c13574c908c5f9520e Mon Sep 17 00:00:00 2001 From: Reinhard Max Date: Thu, 20 Feb 2025 16:55:21 +0000 Subject: [PATCH] - Upgrade to 16.8: * Improve behavior of libpq's quoting functions: The changes made for CVE-2025-1094 had one serious oversight: PQescapeLiteral() and PQescapeIdentifier() failed to honor their string length parameter, instead always reading to the input string's trailing null. This resulted in including unwanted text in the output, if the caller intended to truncate the string via the length parameter. With very bad luck it could cause a crash due to reading off the end of memory. In addition, modify all these quoting functions so that when invalid encoding is detected, an invalid sequence is substituted for just the first byte of the presumed character, not all of it. This reduces the risk of problems if a calling application performs additional processing on the quoted string. * Fix small memory leak in pg_createsubscriber. * https://www.postgresql.org/docs/release/16.8/ * https://www.postgresql.org/about/news/p-3018/ OBS-URL: https://build.opensuse.org/package/show/server:database:postgresql/postgresql16?expand=0&rev=50 --- postgresql-16.7.tar.bz2 | 3 --- postgresql-16.7.tar.bz2.sha256 | 1 - postgresql-16.8.tar.bz2 | 3 +++ postgresql-16.8.tar.bz2.sha256 | 1 + postgresql16.changes | 23 +++++++++++++++++++++++ postgresql16.spec | 2 +- 6 files changed, 28 insertions(+), 5 deletions(-) delete mode 100644 postgresql-16.7.tar.bz2 delete mode 100644 postgresql-16.7.tar.bz2.sha256 create mode 100644 postgresql-16.8.tar.bz2 create mode 100644 postgresql-16.8.tar.bz2.sha256 diff --git a/postgresql-16.7.tar.bz2 b/postgresql-16.7.tar.bz2 deleted file mode 100644 index b112f4e..0000000 --- a/postgresql-16.7.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:62e02f77ebfc4a37f1700c20cc3ccd85ff797b5613766ebf949a7899bb2113fe -size 24905167 diff --git a/postgresql-16.7.tar.bz2.sha256 b/postgresql-16.7.tar.bz2.sha256 deleted file mode 100644 index d94bd8a..0000000 --- a/postgresql-16.7.tar.bz2.sha256 +++ /dev/null @@ -1 +0,0 @@ -62e02f77ebfc4a37f1700c20cc3ccd85ff797b5613766ebf949a7899bb2113fe postgresql-16.7.tar.bz2 diff --git a/postgresql-16.8.tar.bz2 b/postgresql-16.8.tar.bz2 new file mode 100644 index 0000000..04ae35a --- /dev/null +++ b/postgresql-16.8.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9468083a56ce0ee7d294601b74dad3dd9fc69d87aff61f0a9fb63c813ff7efd8 +size 24911337 diff --git a/postgresql-16.8.tar.bz2.sha256 b/postgresql-16.8.tar.bz2.sha256 new file mode 100644 index 0000000..29a8f9f --- /dev/null +++ b/postgresql-16.8.tar.bz2.sha256 @@ -0,0 +1 @@ +9468083a56ce0ee7d294601b74dad3dd9fc69d87aff61f0a9fb63c813ff7efd8 postgresql-16.8.tar.bz2 diff --git a/postgresql16.changes b/postgresql16.changes index db5e44d..fb98c72 100644 --- a/postgresql16.changes +++ b/postgresql16.changes @@ -1,3 +1,26 @@ +------------------------------------------------------------------- +Tue Feb 18 11:36:44 UTC 2025 - Reinhard Max + +- Upgrade to 16.8: + * Improve behavior of libpq's quoting functions: + The changes made for CVE-2025-1094 had one serious oversight: + PQescapeLiteral() and PQescapeIdentifier() failed to honor + their string length parameter, instead always reading to the + input string's trailing null. This resulted in including + unwanted text in the output, if the caller intended to + truncate the string via the length parameter. With very bad + luck it could cause a crash due to reading off the end of + memory. + In addition, modify all these quoting functions so that when + invalid encoding is detected, an invalid sequence is + substituted for just the first byte of the presumed + character, not all of it. This reduces the risk of problems + if a calling application performs additional processing on + the quoted string. + * Fix small memory leak in pg_createsubscriber. + * https://www.postgresql.org/docs/release/16.8/ + * https://www.postgresql.org/about/news/p-3018/ + ------------------------------------------------------------------- Tue Feb 11 14:27:58 UTC 2025 - Reinhard Max diff --git a/postgresql16.spec b/postgresql16.spec index d3c102f..2eecc1f 100644 --- a/postgresql16.spec +++ b/postgresql16.spec @@ -16,7 +16,7 @@ # -%define pgversion 16.7 +%define pgversion 16.8 %define pgmajor 16 %define buildlibs 0 %define tarversion %{pgversion}