Opened 19 months ago

Closed 19 months ago

Last modified 19 months ago

#5210 closed defect (fixed)

PostGIS upgrade from 2.5.5 to 3.2.2 fails with CVE-2022-2625

Reported by: robe Owned by: strk
Priority: blocker Milestone: PostGIS 2.5.8
Component: build Version: 3.2.x
Keywords: Cc:

Description

Similar issue to topology because of the CVEE patch:

https://lists.osgeo.org/pipermail/postgis-users/2022-August/045605.html

I've now upgraded to 3.2.2 and the issue remains.  When building and running make installcheck-upgrade against a 14.5 postgres cluster it fails with:

  NOTICE:  Packaging extension postgis
  ERROR:  function _postgis_deprecate(text,text,text) is not a member of extension "postgis"
  DETAIL:  An extension is not allowed to replace an object that it does not own.
  CONTEXT:  SQL statement "CREATE EXTENSION postgis SCHEMA public VERSION unpackaged;ALTER EXTENSION postgis UPDATE TO "3.2.2""
  PL/pgSQL function postgis_extensions_upgrade() line 71 at EXECUTE

Am I doing something wrong or is this a fallout from CVE-2022-2625?

To clarify from my previous email, I'm not upgrading from 2.5.5, I'm bulding
3.2.2 in isolation and running its tests.

Change History (3)

comment:1 by robe, 19 months ago

Summary: PostGIS upgrade from 2.5.5 to 3.2.2 failsPostGIS upgrade from 2.5.5 to 3.2.2 fails with CVE-2022-2625

comment:2 by Sandro Santilli <strk@…>, 19 months ago

Resolution: fixed
Status: newclosed

In 8c63bb6/git:

Package objects before upgrading (only those which exist)

We don't need to upgrade before packaging because objects
created during extension upgrade are automatically packaged.

Packaging upfront fixes creating PostGIS extension from
unpackaged on PostgreSQL versions 10.22, 11.17+, 12.12+, 13.8+
and 14.5+ addressing CVE-2022-2625, see:

https://www.postgresql.org/support/security/CVE-2022-2625/

Closes #5209 in 2.5 branch (2.5.8dev)
Closes #5210 in 2.5 branch (2.5.8dev)

This is a backport of cb65cd8973 which landed in master branch
on July 12 2022.

comment:3 by robe, 19 months ago

Milestone: PostGIS 3.0.7PostGIS 2.5.8
Note: See TracTickets for help on using tickets.