[Git][java-team/libpostgresql-jdbc-java][buster] 3 commits: Import Debian changes 42.2.5-2+deb10u2
Markus Koschany (@apo)
gitlab at salsa.debian.org
Sun May 12 10:17:53 BST 2024
Markus Koschany pushed to branch buster at Debian Java Maintainers / libpostgresql-jdbc-java
Commits:
4d88b936 by Chris Lamb at 2024-05-12T11:16:28+02:00
Import Debian changes 42.2.5-2+deb10u2
libpgjava (42.2.5-2+deb10u2) buster-security; urgency=high
.
* CVE-2022-31197: Prevent a SQL injection vulnerability caused by the lack of
escaping of column names. A malicious user could have crafted a schema that
caused an application to execute commands as a privileged user.
(Closes: #1016662)
- - - - -
f7e0efbc by Utkarsh Gupta at 2024-05-12T11:16:49+02:00
Import Debian changes 42.2.5-2+deb10u3
libpgjava (42.2.5-2+deb10u3) buster-security; urgency=high
.
* Non-maintainer upload by the LTS team.
* Add patch to fix createTempFile vulnerability on unix like
systems where temporary files can be read by other users
on the system. (Fixes: CVE-2022-41946)
- - - - -
4b9a093e by Markus Koschany at 2024-05-12T11:17:19+02:00
Import Debian changes 42.2.5-2+deb10u4
libpgjava (42.2.5-2+deb10u4) buster-security; urgency=high
.
* Non-maintainer upload by the LTS team.
* Fix CVE-2024-1597:
A possible SQL injection vulnerability was found in libpgjava, the
PostgreSQL JDBC Driver. It allows an attacker to inject SQL if using
PreferQueryMode=SIMPLE which is not the default mode. In the default mode
there is no vulnerability.
- - - - -
7 changed files:
- + debian/.gitlab-ci.yml
- debian/changelog
- + debian/patches/CVE-2022-31197.patch
- + debian/patches/CVE-2022-41946.patch
- + debian/patches/CVE-2024-1597-part1.patch
- + debian/patches/CVE-2024-1597-part2.patch
- debian/patches/series
Changes:
=====================================
debian/.gitlab-ci.yml
=====================================
@@ -0,0 +1,8 @@
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
+variables:
+ RELEASE: 'buster'
+ SALSA_CI_COMPONENTS: 'main contrib non-free'
+ SALSA_CI_DISABLE_REPROTEST: 1
+ SALSA_CI_DISABLE_LINTIAN: 1
=====================================
debian/changelog
=====================================
@@ -1,3 +1,32 @@
+libpgjava (42.2.5-2+deb10u4) buster-security; urgency=high
+
+ * Non-maintainer upload by the LTS team.
+ * Fix CVE-2024-1597:
+ A possible SQL injection vulnerability was found in libpgjava, the
+ PostgreSQL JDBC Driver. It allows an attacker to inject SQL if using
+ PreferQueryMode=SIMPLE which is not the default mode. In the default mode
+ there is no vulnerability.
+
+ -- Markus Koschany <apo at debian.org> Thu, 09 May 2024 22:40:41 +0200
+
+libpgjava (42.2.5-2+deb10u3) buster-security; urgency=high
+
+ * Non-maintainer upload by the LTS team.
+ * Add patch to fix createTempFile vulnerability on unix like
+ systems where temporary files can be read by other users
+ on the system. (Fixes: CVE-2022-41946)
+
+ -- Utkarsh Gupta <utkarsh at debian.org> Sat, 03 Dec 2022 02:27:18 +0530
+
+libpgjava (42.2.5-2+deb10u2) buster-security; urgency=high
+
+ * CVE-2022-31197: Prevent a SQL injection vulnerability caused by the lack of
+ escaping of column names. A malicious user could have crafted a schema that
+ caused an application to execute commands as a privileged user.
+ (Closes: #1016662)
+
+ -- Chris Lamb <lamby at debian.org> Fri, 07 Oct 2022 10:46:08 -0700
+
libpgjava (42.2.5-2+deb10u1) buster-security; urgency=high
* Team upload.
=====================================
debian/patches/CVE-2022-31197.patch
=====================================
@@ -0,0 +1,35 @@
+From: Sehrope Sarkuni <sehrope at jackdb.com>
+Date: Mon, 1 Aug 2022 12:46:26 -0400
+Subject: [PATCH] Merge pull request from GHSA-r38f-c4h4-hqq2
+
+Fixes SQL generated in PgResultSet.refresh() to escape column identifiers so as to prevent SQL injection.
+
+Previously, the column names for both key and data columns in the table were copied as-is into the generated
+SQL. This allowed a malicious table with column names that include statement terminator to be parsed and
+executed as multiple separate commands.
+---
+ pgjdbc/src/main/java/org/postgresql/jdbc/PgResultSet.java | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pgjdbc/src/main/java/org/postgresql/jdbc/PgResultSet.java b/pgjdbc/src/main/java/org/postgresql/jdbc/PgResultSet.java
+index d4a6c90..eaa9e5a 100644
+--- a/pgjdbc/src/main/java/org/postgresql/jdbc/PgResultSet.java
++++ b/pgjdbc/src/main/java/org/postgresql/jdbc/PgResultSet.java
+@@ -1274,7 +1274,7 @@ public class PgResultSet implements ResultSet, org.postgresql.PGRefCursorResultS
+ if (i > 1) {
+ selectSQL.append(", ");
+ }
+- selectSQL.append(pgmd.getBaseColumnName(i));
++ Utils.escapeIdentifier(selectSQL, pgmd.getBaseColumnName(i));
+ }
+ selectSQL.append(" from ").append(onlyTable).append(tableName).append(" where ");
+
+@@ -1283,7 +1283,7 @@ public class PgResultSet implements ResultSet, org.postgresql.PGRefCursorResultS
+ for (int i = 0; i < numKeys; i++) {
+
+ PrimaryKey primaryKey = primaryKeys.get(i);
+- selectSQL.append(primaryKey.name).append("= ?");
++ Utils.escapeIdentifier(selectSQL, primaryKey.name);
+
+ if (i < numKeys - 1) {
+ selectSQL.append(" and ");
=====================================
debian/patches/CVE-2022-41946.patch
=====================================
@@ -0,0 +1,26 @@
+From 9008dc9aade6dbfe4efafcd6872ebc55f4699cf5 Mon Sep 17 00:00:00 2001
+From: Dave Cramer <davecramer at gmail.com>
+Date: Wed, 23 Nov 2022 09:25:08 -0500
+Subject: [PATCH] Merge pull request from GHSA-562r-vg33-8x8h
+
+* Fix: createTempFile vulnerability on unix like systems where temporary files can be read by other users on the system
+
+--- a/pgjdbc/src/main/java/org/postgresql/util/StreamWrapper.java
++++ b/pgjdbc/src/main/java/org/postgresql/util/StreamWrapper.java
+@@ -13,6 +13,7 @@
+ import java.io.IOException;
+ import java.io.InputStream;
+ import java.io.OutputStream;
++import java.nio.file.Files;
+
+ /**
+ * Wrapper around a length-limited InputStream.
+@@ -47,7 +48,7 @@
+
+ if (memoryLength == -1) {
+ final int diskLength;
+- final File tempFile = File.createTempFile(TEMP_FILE_PREFIX, null);
++ final File tempFile = Files.createTempFile(TEMP_FILE_PREFIX, null).toFile();
+ FileOutputStream diskOutputStream = new FileOutputStream(tempFile);
+ diskOutputStream.write(rawData);
+ try {
=====================================
debian/patches/CVE-2024-1597-part1.patch
=====================================
@@ -0,0 +1,264 @@
+From: Markus Koschany <apo at debian.org>
+Date: Thu, 25 Apr 2024 11:21:19 +0200
+Subject: CVE-2024-1597 part1
+
+Origin: https://github.com/pgjdbc/pgjdbc/commit/b9b3777671c8a5cc580e1985f61337d39d47c730
+---
+ .../postgresql/core/v3/SimpleParameterList.java | 103 ++++++++++++++-------
+ .../postgresql/core/v3/V3ParameterListTests.java | 6 +-
+ .../postgresql/jdbc/ParameterInjectionTest.java | 67 ++++++++++++++
+ 3 files changed, 138 insertions(+), 38 deletions(-)
+ create mode 100644 pgjdbc/src/test/java/org/postgresql/jdbc/ParameterInjectionTest.java
+
+diff --git a/pgjdbc/src/main/java/org/postgresql/core/v3/SimpleParameterList.java b/pgjdbc/src/main/java/org/postgresql/core/v3/SimpleParameterList.java
+index 1a1ddee..9b5ed7c 100644
+--- a/pgjdbc/src/main/java/org/postgresql/core/v3/SimpleParameterList.java
++++ b/pgjdbc/src/main/java/org/postgresql/core/v3/SimpleParameterList.java
+@@ -163,90 +163,123 @@ class SimpleParameterList implements V3ParameterList {
+ bind(index, NULL_OBJECT, oid, binaryTransfer);
+ }
+
++ /**
++ * <p>Escapes a given text value as a literal, wraps it in single quotes, casts it to the
++ * to the given data type, and finally wraps the whole thing in parentheses.</p>
++ *
++ * <p>For example, "123" and "int4" becomes "('123'::int)"</p>
++ *
++ * <p>The additional parentheses is added to ensure that the surrounding text of where the
++ * parameter value is entered does modify the interpretation of the value.</p>
++ *
++ * <p>For example if our input SQL is: <code>SELECT ?b</code></p>
++ *
++ * <p>Using a parameter value of '{}' and type of json we'd get:</p>
++ *
++ * <pre>
++ * test=# SELECT ('{}'::json)b;
++ * b
++ * ----
++ * {}
++ * </pre>
++ *
++ * <p>But without the parentheses the result changes:</p>
++ *
++ * <pre>
++ * test=# SELECT '{}'::jsonb;
++ * jsonb
++ * -------
++ * {}
++ * </pre>
++ **/
++ private static String quoteAndCast(String text, String type, boolean standardConformingStrings) {
++ StringBuilder sb = new StringBuilder((text.length() + 10) / 10 * 11); // Add 10% for escaping.
++ sb.append("('");
++ try {
++ Utils.escapeLiteral(sb, text, standardConformingStrings);
++ } catch (SQLException e) {
++ // This should only happen if we have an embedded null
++ // and there's not much we can do if we do hit one.
++ //
++ // To force a server side failure, we deliberately include
++ // a zero byte character in the literal to force the server
++ // to reject the command.
++ sb.append('\u0000');
++ }
++ sb.append("'");
++ if (type != null) {
++ sb.append("::");
++ sb.append(type);
++ }
++ sb.append(")");
++ return sb.toString();
++ }
++
+ @Override
+ public String toString(int index, boolean standardConformingStrings) {
+ --index;
+ if (paramValues[index] == null) {
+ return "?";
+ } else if (paramValues[index] == NULL_OBJECT) {
+- return "NULL";
++ return "(NULL)";
+ } else if ((flags[index] & BINARY) == BINARY) {
+ // handle some of the numeric types
+
+ switch (paramTypes[index]) {
+ case Oid.INT2:
+ short s = ByteConverter.int2((byte[]) paramValues[index], 0);
+- return Short.toString(s);
++ return quoteAndCast(Short.toString(s), "int2", standardConformingStrings);
+
+ case Oid.INT4:
+ int i = ByteConverter.int4((byte[]) paramValues[index], 0);
+- return Integer.toString(i);
++ return quoteAndCast(Integer.toString(i), "int4", standardConformingStrings);
+
+ case Oid.INT8:
+ long l = ByteConverter.int8((byte[]) paramValues[index], 0);
+- return Long.toString(l);
++ return quoteAndCast(Long.toString(l), "int8", standardConformingStrings);
+
+ case Oid.FLOAT4:
+ float f = ByteConverter.float4((byte[]) paramValues[index], 0);
+- return Float.toString(f);
++ return quoteAndCast(Float.toString(f), "float", standardConformingStrings);
+
+ case Oid.FLOAT8:
+ double d = ByteConverter.float8((byte[]) paramValues[index], 0);
+- return Double.toString(d);
++ return quoteAndCast(Double.toString(d), "double precision", standardConformingStrings);
+
+ case Oid.UUID:
+ String uuid =
+ new UUIDArrayAssistant().buildElement((byte[]) paramValues[index], 0, 16).toString();
+- return "'" + uuid + "'::uuid";
++ return quoteAndCast(uuid, "uuid", standardConformingStrings);
+
+ case Oid.POINT:
+ PGpoint pgPoint = new PGpoint();
+ pgPoint.setByteValue((byte[]) paramValues[index], 0);
+- return "'" + pgPoint.toString() + "'::point";
++ return quoteAndCast(pgPoint.toString(), "point", standardConformingStrings);
+
+ case Oid.BOX:
+ PGbox pgBox = new PGbox();
+ pgBox.setByteValue((byte[]) paramValues[index], 0);
+- return "'" + pgBox.toString() + "'::box";
++ return quoteAndCast(pgBox.toString(), "box", standardConformingStrings);
+ }
+ return "?";
+ } else {
+ String param = paramValues[index].toString();
+
+- // add room for quotes + potential escaping.
+- StringBuilder p = new StringBuilder(3 + (param.length() + 10) / 10 * 11);
+-
+- // No E'..' here since escapeLiteral escapes all things and it does not use \123 kind of
+- // escape codes
+- p.append('\'');
+- try {
+- p = Utils.escapeLiteral(p, param, standardConformingStrings);
+- } catch (SQLException sqle) {
+- // This should only happen if we have an embedded null
+- // and there's not much we can do if we do hit one.
+- //
+- // The goal of toString isn't to be sent to the server,
+- // so we aren't 100% accurate (see StreamWrapper), put
+- // the unescaped version of the data.
+- //
+- p.append(param);
+- }
+- p.append('\'');
+ int paramType = paramTypes[index];
+ if (paramType == Oid.TIMESTAMP) {
+- p.append("::timestamp");
++ return quoteAndCast(param, "timestamp", standardConformingStrings);
+ } else if (paramType == Oid.TIMESTAMPTZ) {
+- p.append("::timestamp with time zone");
++ return quoteAndCast(param, "timestamp with time zone", standardConformingStrings);
+ } else if (paramType == Oid.TIME) {
+- p.append("::time");
++ return quoteAndCast(param, "time", standardConformingStrings);
+ } else if (paramType == Oid.TIMETZ) {
+- p.append("::time with time zone");
++ return quoteAndCast(param, "time with time zone", standardConformingStrings);
+ } else if (paramType == Oid.DATE) {
+- p.append("::date");
++ return quoteAndCast(param, "date", standardConformingStrings);
+ } else if (paramType == Oid.INTERVAL) {
+- p.append("::interval");
++ return quoteAndCast(param, "interval", standardConformingStrings);
+ }
+- return p.toString();
++ return quoteAndCast(param, null, standardConformingStrings);
+ }
+ }
+
+diff --git a/pgjdbc/src/test/java/org/postgresql/core/v3/V3ParameterListTests.java b/pgjdbc/src/test/java/org/postgresql/core/v3/V3ParameterListTests.java
+index 82116e4..91c27f5 100644
+--- a/pgjdbc/src/test/java/org/postgresql/core/v3/V3ParameterListTests.java
++++ b/pgjdbc/src/test/java/org/postgresql/core/v3/V3ParameterListTests.java
+@@ -58,8 +58,8 @@ public class V3ParameterListTests {
+ s2SPL.setIntParameter(4, 8);
+
+ s1SPL.appendAll(s2SPL);
+- assertEquals(
+- "Expected string representation of values does not match outcome.",
+- "<[1 ,2 ,3 ,4 ,5 ,6 ,7 ,8]>", s1SPL.toString());
++ assertEquals("Expected string representation of values does not match outcome.",
++ "<[('1'::int4) ,('2'::int4) ,('3'::int4) ,('4'::int4) ,('5'::int4) ,('6'::int4) ,('7'::int4) ,('8'::int4)]>", s1SPL.toString());
++
+ }
+ }
+diff --git a/pgjdbc/src/test/java/org/postgresql/jdbc/ParameterInjectionTest.java b/pgjdbc/src/test/java/org/postgresql/jdbc/ParameterInjectionTest.java
+new file mode 100644
+index 0000000..2a33acd
+--- /dev/null
++++ b/pgjdbc/src/test/java/org/postgresql/jdbc/ParameterInjectionTest.java
+@@ -0,0 +1,67 @@
++/*
++ * Copyright (c) 2024, PostgreSQL Global Development Group
++ * See the LICENSE file in the project root for more information.
++ */
++
++package org.postgresql.jdbc;
++
++import static org.junit.jupiter.api.Assertions.assertEquals;
++import static org.junit.jupiter.api.Assertions.assertTrue;
++
++import org.postgresql.test.TestUtil;
++
++import org.junit.jupiter.api.Test;
++
++import java.sql.Connection;
++import java.sql.PreparedStatement;
++import java.sql.ResultSet;
++
++public class ParameterInjectionTest {
++ @Test
++ public void negateParameter() throws Exception {
++ try (Connection conn = TestUtil.openDB()) {
++ PreparedStatement stmt = conn.prepareStatement("SELECT -?");
++
++ stmt.setInt(1, 1);
++ try (ResultSet rs = stmt.executeQuery()) {
++ assertTrue(rs.next());
++ assertEquals(1, rs.getMetaData().getColumnCount(), "number of result columns must match");
++ int value = rs.getInt(1);
++ assertEquals(-1, value, "Input value 1");
++ }
++
++ stmt.setInt(1, -1);
++ try (ResultSet rs = stmt.executeQuery()) {
++ assertTrue(rs.next());
++ assertEquals(1, rs.getMetaData().getColumnCount(), "number of result columns must match");
++ int value = rs.getInt(1);
++ assertEquals(1, value, "Input value -1");
++ }
++ }
++ }
++
++ @Test
++ public void negateParameterWithContinuation() throws Exception {
++ try (Connection conn = TestUtil.openDB()) {
++ PreparedStatement stmt = conn.prepareStatement("SELECT -?, ?");
++
++ stmt.setInt(1, 1);
++ stmt.setString(2, "\nWHERE false --");
++ try (ResultSet rs = stmt.executeQuery()) {
++ assertTrue(rs.next(), "ResultSet should contain a row");
++ assertEquals(2, rs.getMetaData().getColumnCount(), "rs.getMetaData().getColumnCount(");
++ int value = rs.getInt(1);
++ assertEquals(-1, value);
++ }
++
++ stmt.setInt(1, -1);
++ stmt.setString(2, "\nWHERE false --");
++ try (ResultSet rs = stmt.executeQuery()) {
++ assertTrue(rs.next(), "ResultSet should contain a row");
++ assertEquals(2, rs.getMetaData().getColumnCount(), "rs.getMetaData().getColumnCount(");
++ int value = rs.getInt(1);
++ assertEquals(1, value);
++ }
++ }
++ }
++}
=====================================
debian/patches/CVE-2024-1597-part2.patch
=====================================
@@ -0,0 +1,307 @@
+From: Markus Koschany <apo at debian.org>
+Date: Thu, 25 Apr 2024 11:33:59 +0200
+Subject: CVE-2024-1597 part2
+
+Origin: https://github.com/pgjdbc/pgjdbc/commit/990d63f6be401ab40de5eb303a75924c9e71903c
+---
+ .../postgresql/core/v3/SimpleParameterList.java | 63 ++++++---
+ .../postgresql/jdbc/ParameterInjectionTest.java | 155 +++++++++++++++------
+ 2 files changed, 158 insertions(+), 60 deletions(-)
+
+diff --git a/pgjdbc/src/main/java/org/postgresql/core/v3/SimpleParameterList.java b/pgjdbc/src/main/java/org/postgresql/core/v3/SimpleParameterList.java
+index 9b5ed7c..7e6456a 100644
+--- a/pgjdbc/src/main/java/org/postgresql/core/v3/SimpleParameterList.java
++++ b/pgjdbc/src/main/java/org/postgresql/core/v3/SimpleParameterList.java
+@@ -192,7 +192,7 @@ class SimpleParameterList implements V3ParameterList {
+ * {}
+ * </pre>
+ **/
+- private static String quoteAndCast(String text, String type, boolean standardConformingStrings) {
++ private static String quoteAndCast(String text, String type, boolean standardConformingStrings) {
+ StringBuilder sb = new StringBuilder((text.length() + 10) / 10 * 11); // Add 10% for escaping.
+ sb.append("('");
+ try {
+@@ -222,65 +222,86 @@ class SimpleParameterList implements V3ParameterList {
+ return "?";
+ } else if (paramValues[index] == NULL_OBJECT) {
+ return "(NULL)";
+- } else if ((flags[index] & BINARY) == BINARY) {
++ }
++ String textValue;
++ String type;
++ if ((flags[index] & BINARY) == BINARY) {
+ // handle some of the numeric types
+-
+ switch (paramTypes[index]) {
+ case Oid.INT2:
+ short s = ByteConverter.int2((byte[]) paramValues[index], 0);
+- return quoteAndCast(Short.toString(s), "int2", standardConformingStrings);
++ textValue = Short.toString(s);
++ type = "int2";
++ break;
+
+ case Oid.INT4:
+ int i = ByteConverter.int4((byte[]) paramValues[index], 0);
+- return quoteAndCast(Integer.toString(i), "int4", standardConformingStrings);
++ textValue = Integer.toString(i);
++ type = "int4";
++ break;
+
+ case Oid.INT8:
+ long l = ByteConverter.int8((byte[]) paramValues[index], 0);
+- return quoteAndCast(Long.toString(l), "int8", standardConformingStrings);
++ textValue = Long.toString(l);
++ type = "int8";
++ break;
+
+ case Oid.FLOAT4:
+ float f = ByteConverter.float4((byte[]) paramValues[index], 0);
+- return quoteAndCast(Float.toString(f), "float", standardConformingStrings);
++ textValue = Float.toString(f);
++ type = "real";
++ break;
+
+ case Oid.FLOAT8:
+ double d = ByteConverter.float8((byte[]) paramValues[index], 0);
+- return quoteAndCast(Double.toString(d), "double precision", standardConformingStrings);
++ textValue = Double.toString(d);
++ type = "double precision";
++ break;
+
+ case Oid.UUID:
+- String uuid =
++ textValue =
+ new UUIDArrayAssistant().buildElement((byte[]) paramValues[index], 0, 16).toString();
+- return quoteAndCast(uuid, "uuid", standardConformingStrings);
++ type = "uuid";
++ break;
+
+ case Oid.POINT:
+ PGpoint pgPoint = new PGpoint();
+ pgPoint.setByteValue((byte[]) paramValues[index], 0);
+- return quoteAndCast(pgPoint.toString(), "point", standardConformingStrings);
++ textValue = pgPoint.toString();
++ type = "point";
++ break;
+
+ case Oid.BOX:
+ PGbox pgBox = new PGbox();
+ pgBox.setByteValue((byte[]) paramValues[index], 0);
+- return quoteAndCast(pgBox.toString(), "box", standardConformingStrings);
++ textValue = pgBox.toString();
++ type = "box";
++ break;
++
++ default:
++ return "?";
+ }
+- return "?";
+ } else {
+- String param = paramValues[index].toString();
++ textValue = paramValues[index].toString();
+
+ int paramType = paramTypes[index];
+ if (paramType == Oid.TIMESTAMP) {
+- return quoteAndCast(param, "timestamp", standardConformingStrings);
++ type = "timestamp";
+ } else if (paramType == Oid.TIMESTAMPTZ) {
+- return quoteAndCast(param, "timestamp with time zone", standardConformingStrings);
++ type = "timestamp with time zone";
+ } else if (paramType == Oid.TIME) {
+- return quoteAndCast(param, "time", standardConformingStrings);
++ type = "time";
+ } else if (paramType == Oid.TIMETZ) {
+- return quoteAndCast(param, "time with time zone", standardConformingStrings);
++ type = "time with time zone";
+ } else if (paramType == Oid.DATE) {
+- return quoteAndCast(param, "date", standardConformingStrings);
++ type = "date";
+ } else if (paramType == Oid.INTERVAL) {
+- return quoteAndCast(param, "interval", standardConformingStrings);
++ type = "interval";
++ } else {
++ type = null;
+ }
+- return quoteAndCast(param, null, standardConformingStrings);
+ }
++ return quoteAndCast(textValue, type, standardConformingStrings);
+ }
+
+ @Override
+diff --git a/pgjdbc/src/test/java/org/postgresql/jdbc/ParameterInjectionTest.java b/pgjdbc/src/test/java/org/postgresql/jdbc/ParameterInjectionTest.java
+index 2a33acd..10c0af3 100644
+--- a/pgjdbc/src/test/java/org/postgresql/jdbc/ParameterInjectionTest.java
++++ b/pgjdbc/src/test/java/org/postgresql/jdbc/ParameterInjectionTest.java
+@@ -12,56 +12,133 @@ import org.postgresql.test.TestUtil;
+
+ import org.junit.jupiter.api.Test;
+
++import java.math.BigDecimal;
+ import java.sql.Connection;
+ import java.sql.PreparedStatement;
+ import java.sql.ResultSet;
++import java.sql.SQLException;
+
+ public class ParameterInjectionTest {
+- @Test
+- public void negateParameter() throws Exception {
+- try (Connection conn = TestUtil.openDB()) {
+- PreparedStatement stmt = conn.prepareStatement("SELECT -?");
++ private interface ParameterBinder {
++ void bind(PreparedStatement stmt) throws SQLException;
++ }
+
+- stmt.setInt(1, 1);
+- try (ResultSet rs = stmt.executeQuery()) {
+- assertTrue(rs.next());
+- assertEquals(1, rs.getMetaData().getColumnCount(), "number of result columns must match");
+- int value = rs.getInt(1);
+- assertEquals(-1, value, "Input value 1");
+- }
++ private void testParamInjection(ParameterBinder bindPositiveOne, ParameterBinder bindNegativeOne)
++ throws SQLException {
++ try (Connection conn = TestUtil.openDB()) {
++ {
++ PreparedStatement stmt = conn.prepareStatement("SELECT -?");
++ bindPositiveOne.bind(stmt);
++ try (ResultSet rs = stmt.executeQuery()) {
++ assertTrue(rs.next());
++ assertEquals(1, rs.getMetaData().getColumnCount(),
++ "number of result columns must match");
++ int value = rs.getInt(1);
++ assertEquals(-1, value);
++ }
++ bindNegativeOne.bind(stmt);
++ try (ResultSet rs = stmt.executeQuery()) {
++ assertTrue(rs.next());
++ assertEquals(1, rs.getMetaData().getColumnCount(),
++ "number of result columns must match");
++ int value = rs.getInt(1);
++ assertEquals(1, value);
++ }
++ }
++ {
++ PreparedStatement stmt = conn.prepareStatement("SELECT -?, ?");
++ bindPositiveOne.bind(stmt);
++ stmt.setString(2, "\nWHERE false --");
++ try (ResultSet rs = stmt.executeQuery()) {
++ assertTrue(rs.next(), "ResultSet should contain a row");
++ assertEquals(2, rs.getMetaData().getColumnCount(),
++ "rs.getMetaData().getColumnCount(");
++ int value = rs.getInt(1);
++ assertEquals(-1, value);
++ }
+
+- stmt.setInt(1, -1);
+- try (ResultSet rs = stmt.executeQuery()) {
+- assertTrue(rs.next());
+- assertEquals(1, rs.getMetaData().getColumnCount(), "number of result columns must match");
+- int value = rs.getInt(1);
+- assertEquals(1, value, "Input value -1");
+- }
++ bindNegativeOne.bind(stmt);
++ stmt.setString(2, "\nWHERE false --");
++ try (ResultSet rs = stmt.executeQuery()) {
++ assertTrue(rs.next(), "ResultSet should contain a row");
++ assertEquals(2, rs.getMetaData().getColumnCount(), "rs.getMetaData().getColumnCount(");
++ int value = rs.getInt(1);
++ assertEquals(1, value);
+ }
++
++ }
+ }
++ }
+
+- @Test
+- public void negateParameterWithContinuation() throws Exception {
+- try (Connection conn = TestUtil.openDB()) {
+- PreparedStatement stmt = conn.prepareStatement("SELECT -?, ?");
++ @Test
++ public void handleInt2() throws SQLException {
++ testParamInjection(
++ stmt -> {
++ stmt.setShort(1, (short) 1);
++ },
++ stmt -> {
++ stmt.setShort(1, (short) -1);
++ }
++ );
++ }
+
+- stmt.setInt(1, 1);
+- stmt.setString(2, "\nWHERE false --");
+- try (ResultSet rs = stmt.executeQuery()) {
+- assertTrue(rs.next(), "ResultSet should contain a row");
+- assertEquals(2, rs.getMetaData().getColumnCount(), "rs.getMetaData().getColumnCount(");
+- int value = rs.getInt(1);
+- assertEquals(-1, value);
+- }
++ @Test
++ public void handleInt4() throws SQLException {
++ testParamInjection(
++ stmt -> {
++ stmt.setInt(1, 1);
++ },
++ stmt -> {
++ stmt.setInt(1, -1);
++ }
++ );
++ }
+
+- stmt.setInt(1, -1);
+- stmt.setString(2, "\nWHERE false --");
+- try (ResultSet rs = stmt.executeQuery()) {
+- assertTrue(rs.next(), "ResultSet should contain a row");
+- assertEquals(2, rs.getMetaData().getColumnCount(), "rs.getMetaData().getColumnCount(");
+- int value = rs.getInt(1);
+- assertEquals(1, value);
+- }
++ @Test
++ public void handleBigInt() throws SQLException {
++ testParamInjection(
++ stmt -> {
++ stmt.setLong(1, (long) 1);
++ },
++ stmt -> {
++ stmt.setLong(1, (long) -1);
+ }
+- }
++ );
++ }
++
++ @Test
++ public void handleNumeric() throws SQLException {
++ testParamInjection(
++ stmt -> {
++ stmt.setBigDecimal(1, new BigDecimal("1"));
++ },
++ stmt -> {
++ stmt.setBigDecimal(1, new BigDecimal("-1"));
++ }
++ );
++ }
++
++ @Test
++ public void handleFloat() throws SQLException {
++ testParamInjection(
++ stmt -> {
++ stmt.setFloat(1, 1);
++ },
++ stmt -> {
++ stmt.setFloat(1, -1);
++ }
++ );
++ }
++
++ @Test
++ public void handleDouble() throws SQLException {
++ testParamInjection(
++ stmt -> {
++ stmt.setDouble(1, 1);
++ },
++ stmt -> {
++ stmt.setDouble(1, -1);
++ }
++ );
++ }
+ }
=====================================
debian/patches/series
=====================================
@@ -4,3 +4,7 @@
CVE-2022-21724.patch
CVE-2020-13692.patch
CVE-2022-26520.patch
+CVE-2022-31197.patch
+CVE-2022-41946.patch
+CVE-2024-1597-part1.patch
+CVE-2024-1597-part2.patch
View it on GitLab: https://salsa.debian.org/java-team/libpostgresql-jdbc-java/-/compare/412b46e9a12b428ebd5b321db564e8a425c3e4c6...4b9a093e0831cd85e79feecefe85cd0d164704d9
--
View it on GitLab: https://salsa.debian.org/java-team/libpostgresql-jdbc-java/-/compare/412b46e9a12b428ebd5b321db564e8a425c3e4c6...4b9a093e0831cd85e79feecefe85cd0d164704d9
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-commits/attachments/20240512/14a1ccc9/attachment.htm>
More information about the pkg-java-commits
mailing list