Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package postgresql-jdbc for openSUSE:Factory checked in at 2023-01-12 22:45:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/postgresql-jdbc (Old) and /work/SRC/openSUSE:Factory/.postgresql-jdbc.new.32243 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "postgresql-jdbc" Thu Jan 12 22:45:18 2023 rev:5 rq:1058042 version:42.2.25 Changes: --------
--- /work/SRC/openSUSE:Factory/postgresql-jdbc/postgresql-jdbc.changes 2022-09-28 17:52:01.107264271 +0200
+++ /work/SRC/openSUSE:Factory/.postgresql-jdbc.new.32243/postgresql-jdbc.changes 2023-01-12 22:45:28.589263468 +0100
@@ -1,0 +2,6 @@
+Sun Jan 8 17:54:43 UTC 2023 - Michael Calmer <m...@suse.com>
+
+- fix createTempFile vulnerability - CVE-2022-41946 (bsc#1206921)
+ * Added: fix-createTempFile-vulnerability-CVE-2022-41946.patch
+
+-------------------------------------------------------------------
New: ---- fix-createTempFile-vulnerability-CVE-2022-41946.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ postgresql-jdbc.spec ++++++
--- /var/tmp/diff_new_pack.LuXj03/_old 2023-01-12 22:45:29.101266341 +0100
+++ /var/tmp/diff_new_pack.LuXj03/_new 2023-01-12 22:45:29.109266386 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package postgresql-jdbc
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 # Copyright (c) 2000-2005, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@@ -26,6 +26,7 @@
 Source0: https://repo1.maven.org/maven2/org/postgresql/postgresql/%{version}/postgresql-%{version}-jdbc-src.tar.gz
 Patch1: CVE-2022-26520.patch
 Patch2: fix-SQL-Injection-CVE-2022-31197.patch
+Patch3: fix-createTempFile-vulnerability-CVE-2022-41946.patch
 BuildRequires: fdupes
 BuildRequires: maven-local
 BuildRequires: mvn(com.ongres.scram:client) >= 2.0
@@ -46,6 +47,7 @@
 %setup -q -n postgresql-%{version}-jdbc-src
 %patch1 -p1
 %patch2 -p1
+%patch3 -p2
 # Build parent POMs in the same Maven call.
 %pom_xpath_remove "pom:plugin[pom:artifactId = 'maven-shade-plugin']"
++++++ fix-createTempFile-vulnerability-CVE-2022-41946.patch ++++++ 
diff --git a/pgjdbc/src/main/java/org/postgresql/util/StreamWrapper.java b/pgjdbc/src/main/java/org/postgresql/util/StreamWrapper.java
index e4d48f7bce..7ff49bc402 100644
--- a/pgjdbc/src/main/java/org/postgresql/util/StreamWrapper.java
+++ b/pgjdbc/src/main/java/org/postgresql/util/StreamWrapper.java
@@ -17,6 +17,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.nio.file.Files;
 /**
  * Wrapper around a length-limited InputStream.
@@ -51,7 +52,7 @@ public StreamWrapper(InputStream stream) throws PSQLException {
 if (memoryLength == -1) {
 final int diskLength;
- final File tempFile = File.createTempFile(TEMP_FILE_PREFIX, null);
+ final File tempFile = Files.createTempFile(TEMP_FILE_PREFIX, null).toFile();
 FileOutputStream diskOutputStream = new FileOutputStream(tempFile);
 diskOutputStream.write(rawData);
 try {
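Review bot: `diskOutputStream.write(rawData)`, the line after the new `Files.createTempFile(...)` call, still runs before the `try {` that follows it, so an IOException from that write leaves the stream open and the freshly created temp file behind; the matching `finally` lies outside the hunk, so I cannot confirm what it cleans up, but moving the write inside the `try`, or opening the stream with try-with-resources, closes that gap. The hardening itself is carried by the JDK: as I understand `Files.createTempFile`, it creates the file with owner-only permissions where the file system supports POSIX permissions and falls back to default attributes where it does not, which is worth stating at the call site, e.g. `// Files.createTempFile creates the file owner-readable only on POSIX file systems (CVE-2022-41946); File.createTempFile did not`. Keeping the returned `Path` and opening it with `Files.newOutputStream(tempPath)` would also avoid the `.toFile()` round trip, assuming the rest of the constructor, which is outside the hunk, does not need the `File`. The constructor's body starts and ends outside the hunk.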