From: Baruch Siach via buildroot <buildroot@buildroot.org>
To: Thomas Perale via buildroot <buildroot@buildroot.org>
Cc: Thomas Perale <thomas.perale@mind.be>
Subject: Re: [Buildroot] [PATCH 2025.02.x] package/postgresql: security bump to v17.10
Date: Fri, 29 May 2026 17:00:44 +0300
Message-ID: <87a4til3hv.fsf@tarshish>
In-Reply-To: <20260529082924.57567-1-thomas.perale@mind.be> (Thomas Perale via buildroot's message of "Fri, 29 May 2026 10:29:24 +0200")
Hi Thomas,
On Fri, May 29 2026, Thomas Perale via buildroot wrote:
> In reply of:
>> For more information about the release, see:
>> - https://www.postgresql.org/docs/17/release-17-9.html
>> - https://www.postgresql.org/docs/17/release-17-10.html
>>
>> Fixes the following vulnerabilities:
>>
>> - CVE-2026-6479:
>>
>> Prevent unbounded recursion while processing startup packets
>> A malicious client could crash the connected backend by alternating
>> rejected SSL and GSS encryption requests indefinitely.
>>
>> - CVE-2026-6473
>>
>> Fix assorted integer overflows in memory-allocation calculations
>> Various places were incautious about the possibility of integer overflow
>> in calculations of how much memory to allocate. Overflow would lead to
>> allocating a too-small buffer which the caller would then write past the
>> end of. This would at least trigger server crashes, and probably could
>> be exploited for arbitrary code execution. In many but by no means all
>> cases, the hazard exists only in 32-bit builds.
>>
>> - CVE-2026-6476
>> Properly quote subscription names in pg_createsubscriber
>>
>> The given subscription name was inserted into SQL commands without
>> quoting, so that SQL injection could be achieved in the (perhaps
>> unlikely) case that the subscription name comes from an untrusted
>> source.
>>
>> - CVE-2026-6638
>>
>> Properly quote object names in logical replication origin checks
>> ALTER SUBSCRIPTION ... REFRESH PUBLICATION interpolated schema and
>> relation names into SQL commands without quoting them, allowing
>> execution of arbitrary SQL on the publisher.
>>
>> - CVE-2026-6473
>>
>> Reject over-length options in ts_headline()
>> The StartSel, StopSel and FragmentDelimiter strings must not exceed 32Kb
>> in length, but this was not checked for. An over-length value would
>> typically crash the server.
>>
>> - CVE-2026-6474
>>
>> Guard against malicious time zone names in timeofday() and pg_strftime()
>> A crafted time zone setting could pass % sequences to snprintf(),
>> potentially causing crashes or disclosure of server memory. Another path
>> to similar results was to overflow the limited-size output buffer used
>> by pg_strftime().
>>
>> - CVE-2026-6472
>>
>> When creating a multirange type, ensure the user has CREATE privilege on
>> the schema specified for the multirange type.
>>
>> The multirange type can be put into a different schema than its parent
>> range type, but we neglected to apply the required privilege check when
>> doing so.
>>
>> - CVE-2026-6478
>>
>> Use timing-safe string comparisons in authentication code.
>>
>> Use timingsafe_bcmp() instead of memcpy() or strcmp() when checking
>> passwords, hashes, etc. It is not known whether the data dependency of
>> those functions is usefully exploitable in any of these places, but in
>> the interests of safety, replace them.
>>
>> - CVE-2026-6477
>>
>> Mark PQfn() as unsafe, and avoid using it within libpq
>>
>> For a non-integral result type, PQfn() is not passed the size of the
>> output buffer, so it cannot check that the data returned by the server
>> will fit. A malicious server could therefore overwrite client memory.
>> This is unfixable without an API change, so mark the function as
>> deprecated. Internally to libpq, use a variant version that can apply
>> the missing check.
>>
>> - CVE-2026-6475
>>
>> Prevent path traversal in pg_basebackup and pg_rewind
>>
>> These applications failed to validate output file paths read from their
>> input, so that a malicious source could overwrite any file writable by
>> these applications. Constrain where data can be written by rejecting
>> paths that are absolute or contain parent-directory references.
>>
>> - CVE-2026-6473
>>
>> Guard against field overflow within contrib/intarray's query_int type
>> and contrib/ltree's ltxtquery type.
>>
>> Parsing of these query structures did not check for overflow of 16-bit
>> fields, so that construction of an invalid query tree was possible.
>> This can crash the server when executing the query.
>>
>> - CVE-2026-6473
>>
>> Guard against overly long values of contrib/ltree's lquery type.
>>
>> Values with more than 64K items caused internal overflows, potentially
>> resulting in stack smashes or wrong answers.
>>
>> - CVE-2026-6637
>>
>> Prevent SQL injection and buffer overruns in contrib/spi.
>>
>> check_foreign_key() was insufficiently careful about quoting key
>> values, and also used fixed-length buffers for constructing queries.
>> While this module is only meant as example code, it still shouldn't
>> contain such dangerous errors.
>>
>> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
>
> Applied to 2025.02.x. Thanks.
Not in 2025.02.x as of commit d2eda853cac ("{linux, linux-headers}: bump
6.12.x, 6.6.x, 6.1.x, 5.15.x, 5.10.x series").
baruch
>
>> ---
>> package/postgresql/postgresql.hash | 4 ++--
>> package/postgresql/postgresql.mk | 2 +-
>> 2 files changed, 3 insertions(+), 3 deletions(-)
>>
>> diff --git a/package/postgresql/postgresql.hash b/package/postgresql/postgresql.hash
>> index b7a2397f8f..48bbbd2443 100644
>> --- a/package/postgresql/postgresql.hash
>> +++ b/package/postgresql/postgresql.hash
>> @@ -1,4 +1,4 @@
>> -# From https://ftp.postgresql.org/pub/source/v17.8/postgresql-17.8.tar.bz2.sha256
>> -sha256 a88d195dd93730452d0cfa1a11896720d6d1ba084bc2be7d7fc557fa4e4158a0 postgresql-17.8.tar.bz2
>> +# From https://ftp.postgresql.org/pub/source/v17.10/postgresql-17.10.tar.bz2.sha256
>> +sha256 078a03516dcdbdb705fecaf415ea3d13a956c589e46f09fed68a06fb00598c90 postgresql-17.10.tar.bz2
>> # License file, Locally calculated
>> sha256 3d6af92ff8a4c2cdf69afb1cf44edea727922f5cd0cf8b5f72b11cdecac8fdfd COPYRIGHT
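Review bot: the `sha256` line for `postgresql-17.10.tar.bz2` is documented on the comment line just above it as taken from upstream's published `.sha256` file, which makes its provenance clear; the `COPYRIGHT` hash in the unchanged context is carried over from 17.8, which assumes the license file did not change in 17.9 or 17.10. Please confirm that was checked, since Buildroot verifies the license-file hash as well and a mismatch would only show up after the bump.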
>> diff --git a/package/postgresql/postgresql.mk b/package/postgresql/postgresql.mk
>> index 9856d6423b..6f6f36702f 100644
>> --- a/package/postgresql/postgresql.mk
>> +++ b/package/postgresql/postgresql.mk
>> @@ -4,7 +4,7 @@
>> #
>> ################################################################################
>>
>> -POSTGRESQL_VERSION = 17.8
>> +POSTGRESQL_VERSION = 17.10
>> POSTGRESQL_SOURCE = postgresql-$(POSTGRESQL_VERSION).tar.bz2
>> POSTGRESQL_SITE = https://ftp.postgresql.org/pub/source/v$(POSTGRESQL_VERSION)
>> POSTGRESQL_LICENSE = PostgreSQL
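Review bot: the hunk changes only `POSTGRESQL_VERSION = 17.10`, which is sufficient because `POSTGRESQL_SOURCE` and `POSTGRESQL_SITE` in the unchanged context are both derived from `$(POSTGRESQL_VERSION)`, so nothing else in the .mk needs touching. One thing to fix before this lands: the commit message lists `CVE-2026-6473` four times (integer overflows in allocation sizes, ts_headline() option length, intarray/ltree 16-bit field overflow, and lquery item count), which looks like one identifier copy-pasted over several distinct fixes; check each item's CVE number against the linked release notes.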
>> --
>> 2.54.0
>>
>> _______________________________________________
>> buildroot mailing list
>> buildroot@buildroot.org
>> https://lists.buildroot.org/mailman/listinfo/buildroot
--
~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -
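The path-validation rule that the quoted commit message gives for CVE-2026-6475 (reject output file paths that are absolute or contain parent-directory references), written out as an added example. This is not PostgreSQL's own code; the function name `is_safe_output_path` and the sample paths are constructed here, and POSIX `/` separators are assumed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not PostgreSQL's code: the rule the commit message gives
 * for CVE-2026-6475, applied to an output file name from an untrusted
 * source.  Only relative paths with no ".." component are accepted, so
 * writes stay inside the chosen output directory ('/' separators assumed).
 */
static bool
is_safe_output_path(const char *path)
{
    const char *p = path;
    if (path == NULL || *path == '\0')
        return false;           /* nothing usable to write to */
    if (*path == '/')
        return false;           /* absolute path: rejected outright */

    /* Walk the path one '/'-separated component at a time. */
    while (*p != '\0')
    {
        const char *sep = strchr(p, '/');
        size_t      len = sep ? (size_t) (sep - p) : strlen(p);
        /* Only a whole component ".." climbs out; "..x" is a plain name. */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;
        if (sep == NULL)
            break;
        p = sep + 1;            /* "//" simply yields an empty component */
    }
    return true;
}

int main(void)
{
    /* Constructed sample file names, as a backup stream might carry them. */
    static const char *const samples[] = {
        "base/1/2601",              /* ordinary relative path: accepted */
        "base/..hidden/file",       /* "..hidden" is not "..": accepted */
        "/var/lib/other/file",      /* absolute: rejected */
        "../../outside",            /* climbs out of the output dir */
        "base/../../outside",       /* ".." in the middle: rejected */
    };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-28s %s\n", samples[i],
               is_safe_output_path(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```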
Thread overview (4 messages):
2026-05-18 13:47 [Buildroot] [PATCH 2025.02.x] package/postgresql: security bump to v17.10, Thomas Perale via buildroot
2026-05-29 08:29 ` Thomas Perale via buildroot
2026-05-29 14:00 ` Baruch Siach via buildroot [this message]
2026-05-29 14:46 ` Thomas Perale via buildroot