Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tSSgQ-00Gh6N-9k for pgsql-hackers@arkaria.postgresql.org; Tue, 31 Dec 2024 03:12:38 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1tSSgP-00HANC-58 for pgsql-hackers@arkaria.postgresql.org; Tue, 31 Dec 2024 03:12:36 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tSSgO-00HAN4-QK for pgsql-hackers@lists.postgresql.org; Tue, 31 Dec 2024 03:12:36 +0000 Received: from stravinsky.debian.org ([2001:41b8:202:deb::311:108]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tSSgM-002RQE-1M for pgsql-hackers@lists.postgresql.org; Tue, 31 Dec 2024 03:12:35 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debian.org; s=smtpauto.stravinsky; h=X-Debian-User:In-Reply-To:Content-Transfer-Encoding: Content-Type:MIME-Version:References:Message-ID:Subject:To:From:Date:Reply-To :Cc:Content-ID:Content-Description; bh=bxq4U4RTL6uXAT7dROoyK1phvt2/CCV6iNNuZJTzeO8=; b=JuHOe2MqW5zw+QIHfIps5dQqTv DBRAV4FA6UBihFFmVZmorXN6OF3sQOephj6hk8O4PTGQhan+GnxXAkWVyG6erWcMAvaoichtxjkCJ B99mHNqzvTVmQfaqSPeV+K23MOGBrVN5k7JfYD0iwZnO1Nwy/2g34T/YTFc+t7plq0Z1LLaq6E3oH WkD86AMQvY+MBomWxh9kUmSfkPezFQDsjsBGWxusydUhG6vlddakOiN9ABj/YMOD6DVqcKZ/a+EQr gQ1YF+fJEJmlXVDYjQMWcEwoPuZNqtKuVnvPfHWfBKFpSixLbFMFS+ZG6dSJVJ7b9q+B/G0UCjKVH o9aoOCrw==; Received: from authenticated user by stravinsky.debian.org with esmtpsa (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.94.2) (envelope-from ) id 1tSSgK-006UvV-Lx for pgsql-hackers@lists.postgresql.org; Tue, 31 Dec 2024 03:12:33 +0000 Received: from localhost (localhost [127.0.0.1]) by bogota.connexer.com (Postfix) with ESMTP id 2CB3B120368 for ; Mon, 30 Dec 2024 22:12:31 -0500 (EST) X-Virus-Scanned: Debian amavis at bogota.connexer.com Received: from node01.connexer.com ([127.0.0.1]) by localhost (bogota.connexer.com [127.0.0.1]) (amavis, port 10024) with ESMTP id pajh4lu7wwo1 for ; Tue, 31 Dec 2024 03:12:30 +0000 (UTC) Received: from miami.connexer.com (unknown [172.56.79.60]) by bogota.connexer.com (Postfix) with ESMTPSA id 971051202A8 for ; Tue, 31 Dec 2024 03:12:30 +0000 (UTC) Date: Mon, 30 Dec 2024 22:12:28 -0500 From: Roberto =?iso-8859-1?Q?C=2E_S=E1nchez?= To: pgsql-hackers@lists.postgresql.org Subject: Re: Backport of CVE-2024-10978 fix to older pgsql versions (11, 9.6, and 9.4) Message-ID: References: MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: X-Debian-User: roberto List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Tue, Dec 31, 2024 at 10:23:29AM +0900, Michael Paquier wrote: > On Mon, Dec 30, 2024 at 04:58:26PM -0500, Bruce Momjian wrote: > > I saw your question and was kind of stumped about how to answer. We > > rarely look at back branches for backpatch analysis, so I think we are > > kind of confused on how to answer. Under what circumstances are you > > supported versions of Postgres that we don't support? Is this part of > > Debian policy? > > So am I (I'd say that you are on your own for this one, still..). > It is the first time I hear about that on the lists, but perhaps > Christoph Berg would know better? Adding him in CC for comments. > > Applying patches to older branches is a speciality in itself, and > requires a lot of work and analysis (not planning to do that here for > this specific CVE). The good thing is that 5a2fed911a85 has some > regression tests, so you could be more confident that what you are > doing is rather right. Now the code in this area has changed slightly > because of the introduction of parallel workers in 9.6, so that could > be tricky. I'd suggest to *not* bypass the work across multiple > branches at once as it can help in dealing with conflicts in a more > granular way, even if it may increase the analysis burden quite a bit. > Ack. I worked my way one branch at a time, specifically for the reason you cited. > While on it, note also 73c9f91a1b6d by the way, which is a follow up > of 5a2fed911a85 for CVE-2024-10978 related to parallel workers, it > would not apply to 9.4, for sure. > Definitely. That was relatively straightforward to figure out and confirm. Thanks for the hints. Regards, -Roberto -- Roberto C. Sánchez