up to 14.8 (fixes CVE-2022-41862 CVE-2023-2454 CVE-2023-2455)

- require openssl >= 1.1.1 for X509_get_signature_info symbol
author: Jan Palus 2023-05-16 11:26:36 (GMT)
committer: Jan Palus 2023-05-16 11:26:36 (GMT)
commit: a718bd62c7e180c36afc525c9785a1d26904835b (patch)
tree: e0e59317b0f1f4b2c4fab482d29953cf7f455d0b
parent: 8ad5813932d74254a3f643213d44e485000f3225 (diff)
download: postgresql-a718bd62c7e180c36afc525c9785a1d26904835b.zip
postgresql-a718bd62c7e180c36afc525c9785a1d26904835b.tar.gz
3 files changed, 5 insertions, 202 deletions
diff --git a/ac.patch b/ac.patch
index d45b38a..b0340cf 100644
--- a/ac.patch
+++ b/ac.patch
@@ -2,7 +2,7 @@
 +++ postgresql-14.0/configure.ac	2021-11-09 09:38:45.296275820 +0100
 @@ -19,10 +19,6 @@ m4_pattern_forbid(^PGAC_)dnl to catch un
  
- AC_INIT([PostgreSQL], [14.5], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/])
+ AC_INIT([PostgreSQL], [14.8], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/])
  
 -m4_if(m4_defn([m4_PACKAGE_VERSION]), [2.69], [], [m4_fatal([Autoconf version 2.69 is required.
 -Untested combinations of 'autoconf' and PostgreSQL versions are not
diff --git a/llvm15.patch b/llvm15.patch
deleted file mode 100644
index c0c2cd2..0000000
--- a/llvm15.patch
+++ /dev/null
@@ -1,195 +0,0 @@
-From d033f8f8bea9c7b5c4ae43a95b569ceccdaddd7a Mon Sep 17 00:00:00 2001
-From: Thomas Munro <tmunro@postgresql.org>
-Date: Wed, 19 Oct 2022 22:32:14 +1300
-Subject: [PATCH] Track LLVM 15 changes.
-
-Per https://llvm.org/docs/OpaquePointers.html, support for non-opaque
-pointers still exists and we can request that on our context.  We have
-until LLVM 16 to move to opaque pointers, a much larger change.
-
-Back-patch to 11, where LLVM support arrived.
-
-Author: Thomas Munro <thomas.munro@gmail.com>
-Author: Andres Freund <andres@anarazel.de>
-Discussion: https://postgr.es/m/CAMHz58Sf_xncdyqsekoVsNeKcruKootLtVH6cYXVhhUR1oKPCg%40mail.gmail.com
----
- configure                               | 89 +++++++++++++++++++++++++
- configure.ac                            |  3 +
- src/backend/jit/llvm/llvmjit.c          | 18 +++++
- src/backend/jit/llvm/llvmjit_inline.cpp |  1 +
- 4 files changed, 111 insertions(+)
-
-diff --git a/configure b/configure
-index 57ec071cf9..a15c2253d5 100755
---- a/configure
-+++ b/configure
-@@ -7259,6 +7259,95 @@ if test x"$pgac_cv_prog_CLANGXX_cxxflags__fexcess_precision_standard" = x"yes";
- fi
- 
- 
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ${CLANG} supports -Xclang -no-opaque-pointers, for BITCODE_CFLAGS" >&5
-+$as_echo_n "checking whether ${CLANG} supports -Xclang -no-opaque-pointers, for BITCODE_CFLAGS... " >&6; }
-+if ${pgac_cv_prog_CLANG_cflags__Xclang__no_opaque_pointers+:} false; then :
-+  $as_echo_n "(cached) " >&6
-+else
-+  pgac_save_CFLAGS=$CFLAGS
-+pgac_save_CC=$CC
-+CC=${CLANG}
-+CFLAGS="${BITCODE_CFLAGS} -Xclang -no-opaque-pointers"
-+ac_save_c_werror_flag=$ac_c_werror_flag
-+ac_c_werror_flag=yes
-+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h.  */
-+
-+int
-+main ()
-+{
-+
-+  ;
-+  return 0;
-+}
-+_ACEOF
-+if ac_fn_c_try_compile "$LINENO"; then :
-+  pgac_cv_prog_CLANG_cflags__Xclang__no_opaque_pointers=yes
-+else
-+  pgac_cv_prog_CLANG_cflags__Xclang__no_opaque_pointers=no
-+fi
-+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-+ac_c_werror_flag=$ac_save_c_werror_flag
-+CFLAGS="$pgac_save_CFLAGS"
-+CC="$pgac_save_CC"
-+fi
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $pgac_cv_prog_CLANG_cflags__Xclang__no_opaque_pointers" >&5
-+$as_echo "$pgac_cv_prog_CLANG_cflags__Xclang__no_opaque_pointers" >&6; }
-+if test x"$pgac_cv_prog_CLANG_cflags__Xclang__no_opaque_pointers" = x"yes"; then
-+  BITCODE_CFLAGS="${BITCODE_CFLAGS} -Xclang -no-opaque-pointers"
-+fi
-+
-+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ${CLANGXX} supports -Xclang -no-opaque-pointers, for BITCODE_CXXFLAGS" >&5
-+$as_echo_n "checking whether ${CLANGXX} supports -Xclang -no-opaque-pointers, for BITCODE_CXXFLAGS... " >&6; }
-+if ${pgac_cv_prog_CLANGXX_cxxflags__Xclang__no_opaque_pointers+:} false; then :
-+  $as_echo_n "(cached) " >&6
-+else
-+  pgac_save_CXXFLAGS=$CXXFLAGS
-+pgac_save_CXX=$CXX
-+CXX=${CLANGXX}
-+CXXFLAGS="${BITCODE_CXXFLAGS} -Xclang -no-opaque-pointers"
-+ac_save_cxx_werror_flag=$ac_cxx_werror_flag
-+ac_cxx_werror_flag=yes
-+ac_ext=cpp
-+ac_cpp='$CXXCPP $CPPFLAGS'
-+ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-+ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-+ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
-+
-+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h.  */
-+
-+int
-+main ()
-+{
-+
-+  ;
-+  return 0;
-+}
-+_ACEOF
-+if ac_fn_cxx_try_compile "$LINENO"; then :
-+  pgac_cv_prog_CLANGXX_cxxflags__Xclang__no_opaque_pointers=yes
-+else
-+  pgac_cv_prog_CLANGXX_cxxflags__Xclang__no_opaque_pointers=no
-+fi
-+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-+ac_ext=c
-+ac_cpp='$CPP $CPPFLAGS'
-+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-+ac_compiler_gnu=$ac_cv_c_compiler_gnu
-+
-+ac_cxx_werror_flag=$ac_save_cxx_werror_flag
-+CXXFLAGS="$pgac_save_CXXFLAGS"
-+CXX="$pgac_save_CXX"
-+fi
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $pgac_cv_prog_CLANGXX_cxxflags__Xclang__no_opaque_pointers" >&5
-+$as_echo "$pgac_cv_prog_CLANGXX_cxxflags__Xclang__no_opaque_pointers" >&6; }
-+if test x"$pgac_cv_prog_CLANGXX_cxxflags__Xclang__no_opaque_pointers" = x"yes"; then
-+  BITCODE_CXXFLAGS="${BITCODE_CXXFLAGS} -Xclang -no-opaque-pointers"
-+fi
-+
-+
-   NOT_THE_CFLAGS=""
-   { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ${CLANG} supports -Wunused-command-line-argument, for NOT_THE_CFLAGS" >&5
- $as_echo_n "checking whether ${CLANG} supports -Wunused-command-line-argument, for NOT_THE_CFLAGS... " >&6; }
-diff --git a/configure.ac b/configure.ac
-index 227bc896b6..6d13ae5888 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -600,6 +600,9 @@ if test "$with_llvm" = yes ; then
-   PGAC_PROG_VARCC_VARFLAGS_OPT(CLANG, BITCODE_CFLAGS, [-fexcess-precision=standard])
-   PGAC_PROG_VARCXX_VARFLAGS_OPT(CLANGXX, BITCODE_CXXFLAGS, [-fexcess-precision=standard])
- 
-+  PGAC_PROG_VARCC_VARFLAGS_OPT(CLANG, BITCODE_CFLAGS, [-Xclang -no-opaque-pointers])
-+  PGAC_PROG_VARCXX_VARFLAGS_OPT(CLANGXX, BITCODE_CXXFLAGS, [-Xclang -no-opaque-pointers])
-+
-   NOT_THE_CFLAGS=""
-   PGAC_PROG_VARCC_VARFLAGS_OPT(CLANG, NOT_THE_CFLAGS, [-Wunused-command-line-argument])
-   if test -n "$NOT_THE_CFLAGS"; then
-diff --git a/src/backend/jit/llvm/llvmjit.c b/src/backend/jit/llvm/llvmjit.c
-index fb29449573..199fff4f77 100644
---- a/src/backend/jit/llvm/llvmjit.c
-+++ b/src/backend/jit/llvm/llvmjit.c
-@@ -798,6 +798,16 @@ llvm_session_initialize(void)
- 	LLVMInitializeNativeAsmPrinter();
- 	LLVMInitializeNativeAsmParser();
- 
-+	/*
-+	 * When targeting an LLVM version with opaque pointers enabled by
-+	 * default, turn them off for the context we build our code in.  We don't
-+	 * need to do so for other contexts (e.g. llvm_ts_context).  Once the IR is
-+	 * generated, it carries the necessary information.
-+	 */
-+#if LLVM_VERSION_MAJOR > 14
-+	LLVMContextSetOpaquePointers(LLVMGetGlobalContext(), false);
-+#endif
-+
- 	/*
- 	 * Synchronize types early, as that also includes inferring the target
- 	 * triple.
-@@ -1112,7 +1122,11 @@ llvm_resolve_symbols(LLVMOrcDefinitionGeneratorRef GeneratorObj, void *Ctx,
- 					 LLVMOrcJITDylibRef JD, LLVMOrcJITDylibLookupFlags JDLookupFlags,
- 					 LLVMOrcCLookupSet LookupSet, size_t LookupSetSize)
- {
-+#if LLVM_VERSION_MAJOR > 14
-+	LLVMOrcCSymbolMapPairs symbols = palloc0(sizeof(LLVMOrcCSymbolMapPair) * LookupSetSize);
-+#else
- 	LLVMOrcCSymbolMapPairs symbols = palloc0(sizeof(LLVMJITCSymbolMapPair) * LookupSetSize);
-+#endif
- 	LLVMErrorRef error;
- 	LLVMOrcMaterializationUnitRef mu;
- 
-@@ -1230,7 +1244,11 @@ llvm_create_jit_instance(LLVMTargetMachineRef tm)
- 	 * Symbol resolution support for "special" functions, e.g. a call into an
- 	 * SQL callable function.
- 	 */
-+#if LLVM_VERSION_MAJOR > 14
-+	ref_gen = LLVMOrcCreateCustomCAPIDefinitionGenerator(llvm_resolve_symbols, NULL, NULL);
-+#else
- 	ref_gen = LLVMOrcCreateCustomCAPIDefinitionGenerator(llvm_resolve_symbols, NULL);
-+#endif
- 	LLVMOrcJITDylibAddGenerator(LLVMOrcLLJITGetMainJITDylib(lljit), ref_gen);
- 
- 	return lljit;
-diff --git a/src/backend/jit/llvm/llvmjit_inline.cpp b/src/backend/jit/llvm/llvmjit_inline.cpp
-index 9bb4b672a7..774d9e8b66 100644
---- a/src/backend/jit/llvm/llvmjit_inline.cpp
-+++ b/src/backend/jit/llvm/llvmjit_inline.cpp
-@@ -62,6 +62,7 @@ extern "C"
- #include <llvm/IR/ModuleSummaryIndex.h>
- #include <llvm/Linker/IRMover.h>
- #include <llvm/Support/ManagedStatic.h>
-+#include <llvm/Support/MemoryBuffer.h>
- 
- 
- /*
--- 
-2.30.2
-
diff --git a/postgresql.spec b/postgresql.spec
index 6a83ccd..2eba9a9 100644
--- a/postgresql.spec
+++ b/postgresql.spec
@@ -34,12 +34,12 @@ Summary(tr.UTF-8):	Veri Tabanı Yönetim Sistemi
 Summary(uk.UTF-8):	PostgreSQL - система керування базами даних
 Summary(zh_CN.UTF-8):	PostgreSQL 客户端程序和库文件
 Name:		postgresql
-Version:	%{mver}.5
+Version:	%{mver}.8
 Release:	1
 License:	BSD
 Group:		Applications/Databases
 Source0:	https://ftp.postgresql.org/pub/source/v%{version}/%{name}-%{version}.tar.bz2
-# Source0-md5:	1b319af2ece7fbf836d2d9533e91aa9b
+# Source0-md5:	d089f6f4f15f5b278252e867f3a45fd7
 Source1:	%{name}.init
 Source2:	pgsql-Database-HOWTO-html.tar.gz
 # Source2-md5:	5b656ddf1db41965761f85204a14398e
@@ -54,7 +54,6 @@ Patch3:		ac.patch
 
 Patch5:		%{name}-heimdal.patch
 Patch6:		%{name}-link.patch
-Patch7:		llvm15.patch
 URL:		https://www.postgresql.org/
 BuildRequires:	autoconf >= 2.69
 BuildRequires:	automake
@@ -78,7 +77,7 @@ BuildRequires:	libxslt-progs
 %{?with_llvm:BuildRequires: llvm-devel >= 3.9}
 BuildRequires:	ncurses-devel >= 5.0
 %{?with_ldap:BuildRequires:	openldap-devel}
-BuildRequires:	openssl-devel >= 1.0.1
+BuildRequires:	openssl-devel >= 1.1.1
 BuildRequires:	pam-devel
 %if %{with perl}
 BuildRequires:	perl-Scalar-List-Utils
@@ -494,7 +493,7 @@ Summary(pl.UTF-8):	Biblioteki dzielone programu PostgreSQL
 Summary(pt_BR.UTF-8):	Biblioteca compartilhada do PostgreSQL
 Summary(zh_CN.UTF-8):	PostgreSQL 客户所需要的共享库
 Group:		Libraries
-Requires:	openssl%{?_isa} >= 1.0.1
+Requires:	openssl%{?_isa} >= 1.1.1
 
 %description libs
 PostgreSQL shared libraries.
@@ -803,7 +802,6 @@ Różne moduły dołączone do PostgreSQL-a.
 
 %patch5 -p1
 %patch6 -p1
-%patch7 -p1
 
 # force rebuild of bison/flex files
 find src -name \*.l -o -name \*.y | xargs touch
author	Jan Palus	2023-05-16 11:26:36 (GMT)
committer	Jan Palus	2023-05-16 11:26:36 (GMT)
commit	a718bd62c7e180c36afc525c9785a1d26904835b (patch)
tree	e0e59317b0f1f4b2c4fab482d29953cf7f455d0b
parent	8ad5813932d74254a3f643213d44e485000f3225 (diff)
download	postgresql-a718bd62c7e180c36afc525c9785a1d26904835b.zip postgresql-a718bd62c7e180c36afc525c9785a1d26904835b.tar.gz