From 2ab68efbca2d6a4b0ae8f29c964a4165558dc55e Mon Sep 17 00:00:00 2001
From: zhuhongbo
Date: Tue, 19 Nov 2024 21:12:22 +0800
Subject: [PATCH] cve: fix CVE-2024-7348

---
 0001-cve-fix-CVE-2024-7348.patch | 73 ++++++++++++++++++++++++++++++++
 postgresql.spec | 10 ++++-
 2 files changed, 82 insertions(+), 1 deletion(-)
 create mode 100644 0001-cve-fix-CVE-2024-7348.patch

diff --git a/0001-cve-fix-CVE-2024-7348.patch b/0001-cve-fix-CVE-2024-7348.patch
new file mode 100644
index 0000000..bcc5920
--- /dev/null
+++ b/0001-cve-fix-CVE-2024-7348.patch
@@ -0,0 +1,73 @@
+From e52aa68fe9c4b254ae8b267422412b950b5155d8 Mon Sep 17 00:00:00 2001
+From: zhuhongbo
+Date: Tue, 19 Nov 2024 21:08:01 +0800
+Subject: [PATCH] cve: fix CVE-2024-7348
+
+---
+ glsa-202409-02.xml | 54 ++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 54 insertions(+)
+ create mode 100644 glsa-202409-02.xml
+
+diff --git a/glsa-202409-02.xml b/glsa-202409-02.xml
+new file mode 100644
+index 0000000..a2d4256
+--- /dev/null
++++ b/glsa-202409-02.xml
+@@ -0,0 +1,54 @@
++
++
++
++ PostgreSQL: Privilege Escalation
++ A vulnerability has been discovered in PostgreSQL, which can lead to privilege escalation.
++ postgresql
++ 2024-09-22
++ 2024-09-22
++ 937573
++ local and remote
++
++
++ 12.20
++ 13.16
++ 14.13
++ 15.8
++ 16.4
++ 12.20
++ 13.16
++ 14.13
++ 15.8
++ 16.4
++
++
++

PostgreSQL is an open source object-relational database management system.

++
++ ++

A vulnerability has been discovered in PostgreSQL. Please review the CVE identifier referenced below for details.

++
++ ++

An attacker able to create and drop non-temporary objects could inject SQL code that would be executed by a concurrent pg_dump session with the privileges of the role running pg_dump (which is often a superuser). The attack involves replacing a sequence or similar object with a view or foreign table that will execute malicious code. To prevent this, introduce a new server parameter restrict_nonsystem_relation_kind that can disable expansion of non-builtin views as well as access to foreign tables, and teach pg_dump to set it when available. Note that the attack is prevented only if both pg_dump and the server it is dumping from are new enough to have this fix.

++
++ ++

There is no known workaround at this time.

++
++ ++

All PostgreSQL users should upgrade to the latest version:

++ ++ ++ # emerge --sync ++ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-12.20:12" ++ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-13.16:13" ++ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-14.13:14" ++ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-15.8:15" ++ # emerge --ask --oneshot --verbose ">=dev-db/postgresql-16.4:16" ++ ++
++ ++ CVE-2024-7348 ++ ++ graaff ++ graaff ++
+-- 
+2.39.3
+
diff --git a/postgresql.spec b/postgresql.spec
index 34bd520..e9bfd47 100644
--- a/postgresql.spec
+++ b/postgresql.spec
@@ -63,7 +63,7 @@ Summary: PostgreSQL client programs
 Name: postgresql
 %global majorversion 9.2
 Version: 9.2.24
-Release: 9%{?dist}
+Release: 9%{?dist}.1
 # The PostgreSQL license is very similar to other MIT licenses, but the OSI
 # recognizes it as an independent license, so we do as well.
@@ -167,6 +167,9 @@ Patch21: postgresql-CVE-2022-1552.patch
 # Upstream commit: 18b585155a891784ca8985f595ebc0dde94e0d43
 # BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2247169
 Patch22: postgresql-CVE-2023-5869.patch
+#add by uos
+Patch23: 0001-cve-fix-CVE-2024-7348.patch
+#end
 BuildRequires: perl(ExtUtils::MakeMaker) glibc-devel bison flex gawk help2man
 BuildRequires: perl(ExtUtils::Embed), perl-devel
@@ -414,6 +417,7 @@ benchmarks.
 %patch20 -p1
 %patch21 -p1
 %patch22 -p1
+%patch23 -p1
 # We used to run autoconf here, but there's no longer any real need to,
 # since Postgres ships with a reasonably modern configure script.
@@ -1211,6 +1215,10 @@ fi
 %endif
 %changelog
+* Tue Nov 19 2024 zhuhongbo - 9.2.24-9.1
+- update to postgresql-9.2.24-9.el7_9.1
+- cve: fix CVE-2024-7348
+
 * Thu Nov 16 2023 Filip Janus - 9.2.24-9
 - Backport fix for CVE-2023-5869
-- Gitee
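Review bot: Patch23 changes no PostgreSQL source at all: the file added in the first hunk is itself a git patch whose only content is glsa-202409-02.xml, an advisory text, so `%patch23 -p1` just drops that XML into the build tree and the built package remains vulnerable to CVE-2024-7348 while the Release bump and the changelog line `- cve: fix CVE-2024-7348` assert it is fixed. The advisory text itself spells out what the actual fix consists of — a new server parameter `restrict_nonsystem_relation_kind` plus pg_dump setting it when available — and notes the attack is only prevented when both the server and pg_dump carry the change, so a real backport to 9.2.24 has to touch both the backend and pg_dump, not add a metadata file. Until that code is in the patch, the changelog claim should go (or be reworded to something like `- add GLSA-202409-02 advisory text; CVE-2024-7348 not yet addressed`) and the Patch23/%patch23 lines held back, because a false "fixed" entry will hide the still-open CVE from anyone auditing the package by its changelog. The Patch22 entry above follows the existing convention of citing the upstream commit and a bug link; the new Patch23 lines should do the same once a genuine backport exists, rather than the bare `#add by uos` / `#end` markers.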