[postgis-users] Errors with upgrading due to CVE CVE-2022-2625

[Daniel Gustafsson]

When building packages today for the new postgres releases I ran into the below
error for the PostGIS package when running tests:

ALTER EXTENSION
ERROR: function layertrigger() is not a member of extension "postgis_topology"
DETAIL: An extension is not allowed to replace an object that it does not own.

It seems that it's related to the CVE which was fixed in the new postgres
releases today. Am I doing something wrong, or are is this a legitimate issue
with the postgis upgrade?

--
Daniel Gustafsson https://vmware.com/

_______________________________________________
postgis-users mailing list
postgi...@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/postgis-users

[Regina Obe]

> From: postgis-users [mailto:postgis-us...@lists.osgeo.org] On
Behalf
> Of Daniel Gustafsson
> Sent: Thursday, August 11, 2022 12:11 PM
> To: postgi...@lists.osgeo.org
> Subject: [postgis-users] Errors with upgrading due to CVE CVE-2022-2625

>
> When building packages today for the new postgres releases I ran into the
> below error for the PostGIS package when running tests:
>
> ALTER EXTENSION
> ERROR: function layertrigger() is not a member of extension
> "postgis_topology"
> DETAIL: An extension is not allowed to replace an object that it does
not
> own.
>
> It seems that it's related to the CVE which was fixed in the new postgres
> releases today. Am I doing something wrong, or are is this a legitimate
issue
> with the postgis upgrade?
>
> --
> Daniel Gustafsson https://vmware.com/
>

Looks like a legitimate issue.
I've ticketed. https://trac.osgeo.org/postgis/ticket/5209

What version of postgis_topology are you running and which version are you
upgrading from?

[Daniel Gustafsson]

> On 11 Aug 2022, at 18:26, Regina Obe <l...@pcorp.us> wrote:

> What version of postgis_topology are you running and which version are you
> upgrading from?

This happens when running the tests for postgis 2.5.5 and 3.2.1.

--
Daniel Gustafsson https://vmware.com/

[Regina Obe]

> This happens when running the tests for postgis 2.5.5 and 3.2.1.
>
> --
> Daniel Gustafsson https://vmware.com/
>

Is there a reason you are not using 3.2.2 ?
https://postgis.net/2022/07/23/postgis-3.2.2/

[Daniel Gustafsson]

> On 11 Aug 2022, at 18:39, Regina Obe <l...@pcorp.us> wrote:
>
>> This happens when running the tests for postgis 2.5.5 and 3.2.1.

> Is there a reason you are not using 3.2.2 ?
> https://postgis.net/2022/07/23/postgis-3.2.2/

Not really other than 3.2.2 hadn't yet shipped when the packaging specs were
updated and then summer vacations happened. I will upgrade the packages to
3.2.2 and see if that solves the issue. Sorry for the potential noise.

--
Daniel Gustafsson https://vmware.com/

[Daniel Gustafsson]

> On 11 Aug 2022, at 18:39, Regina Obe <l...@pcorp.us> wrote:
>

>> This happens when running the tests for postgis 2.5.5 and 3.2.1.

> Is there a reason you are not using 3.2.2 ?
> https://postgis.net/2022/07/23/postgis-3.2.2/

I've now upgraded to 3.2.2 and the issue remains. When building and running
make installcheck-upgrade against a 14.5 postgres cluster it fails with:

NOTICE: Packaging extension postgis
ERROR: function _postgis_deprecate(text,text,text) is not a member of extension "postgis"

DETAIL: An extension is not allowed to replace an object that it does not own.

CONTEXT: SQL statement "CREATE EXTENSION postgis SCHEMA public VERSION unpackaged;ALTER EXTENSION postgis UPDATE TO "3.2.2""
PL/pgSQL function postgis_extensions_upgrade() line 71 at EXECUTE

Am I doing something wrong or is this a fallout from CVE-2022-2625?

To clarify from my previous email, I'm not upgrading from 2.5.5, I'm bulding
3.2.2 in isolation and running its tests.

--
Daniel Gustafsson https://vmware.com/

[Regina Obe]

> From: postgis-users [mailto:postgis-us...@lists.osgeo.org] On
Behalf
> Of Daniel Gustafsson

> Sent: Thursday, August 11, 2022 3:45 PM
> To: PostGIS Users Discussion <postgi...@lists.osgeo.org>
> Subject: Re: [postgis-users] Errors with upgrading due to CVE
CVE-2022-2625
>

> > On 11 Aug 2022, at 18:39, Regina Obe <l...@pcorp.us> wrote:
> >
> >> This happens when running the tests for postgis 2.5.5 and 3.2.1.
>
> > Is there a reason you are not using 3.2.2 ?
> > https://postgis.net/2022/07/23/postgis-3.2.2/
>
> I've now upgraded to 3.2.2 and the issue remains. When building and
> running make installcheck-upgrade against a 14.5 postgres cluster it fails
with:
>
> NOTICE: Packaging extension postgis
> ERROR: function _postgis_deprecate(text,text,text) is not a member of
> extension "postgis"
> DETAIL: An extension is not allowed to replace an object that it does
not
> own.
> CONTEXT: SQL statement "CREATE EXTENSION postgis SCHEMA public
> VERSION unpackaged;ALTER EXTENSION postgis UPDATE TO "3.2.2""
> PL/pgSQL function postgis_extensions_upgrade() line 71 at EXECUTE
>
> Am I doing something wrong or is this a fallout from CVE-2022-2625?
>
> To clarify from my previous email, I'm not upgrading from 2.5.5, I'm
bulding
> 3.2.2 in isolation and running its tests.
>
> --
> Daniel Gustafsson https://vmware.com/
>

Thanks for the report. Yes this is a fallout.

Thanks,
Regina

[Regina Obe]

> > > On 11 Aug 2022, at 18:39, Regina Obe <l...@pcorp.us> wrote:
> > >
> > >> This happens when running the tests for postgis 2.5.5 and 3.2.1.
> >
> > > Is there a reason you are not using 3.2.2 ?
> > > https://postgis.net/2022/07/23/postgis-3.2.2/
> >
> > I've now upgraded to 3.2.2 and the issue remains. When building and
> > running make installcheck-upgrade against a 14.5 postgres cluster it
fails
> with:
> >
> > NOTICE: Packaging extension postgis
> > ERROR: function _postgis_deprecate(text,text,text) is not a member
> > of extension "postgis"
> > DETAIL: An extension is not allowed to replace an object that it
> > does not own.
> > CONTEXT: SQL statement "CREATE EXTENSION postgis SCHEMA public
> > VERSION unpackaged;ALTER EXTENSION postgis UPDATE TO "3.2.2""
> > PL/pgSQL function postgis_extensions_upgrade() line 71 at EXECUTE
> >
> > Am I doing something wrong or is this a fallout from CVE-2022-2625?
> >
> > To clarify from my previous email, I'm not upgrading from 2.5.5, I'm
> > bulding
> > 3.2.2 in isolation and running its tests.
> >
> > --
> > Daniel Gustafsson https://vmware.com/
> >

I've ticketed both of these:

https://trac.osgeo.org/postgis/ticket/5209

https://trac.osgeo.org/postgis/ticket/5210

I think Sandro was working on a fix for these, but guess it didn't make it
into the last micro.
I'm going to double check to confirm it's handled in our latest stable
branches and if it is we can push out a new micro shortly.

Thanks,
Regina

[Sandro Santilli]

On Thu, Aug 11, 2022 at 09:44:52PM +0200, Daniel Gustafsson wrote:
>
> I've now upgraded to 3.2.2 and the issue remains. When building and running
> make installcheck-upgrade against a 14.5 postgres cluster it fails with:
>
> NOTICE: Packaging extension postgis
> ERROR: function _postgis_deprecate(text,text,text) is not a member of extension "postgis"
> DETAIL: An extension is not allowed to replace an object that it does not own.
> CONTEXT: SQL statement "CREATE EXTENSION postgis SCHEMA public VERSION unpackaged;ALTER EXTENSION postgis UPDATE TO "3.2.2""

Daniel could you please confirm the issue is resolved as of
commit 9ceb6968ef780bc7d56e4e46ecf5747f95c2e619 in stable-3.2 branch ?

Thanks for reporting this!


--strk;

[Daniel Gustafsson]

> On 12 Aug 2022, at 18:29, Sandro Santilli <st...@kbt.io> wrote:
>
> On Thu, Aug 11, 2022 at 09:44:52PM +0200, Daniel Gustafsson wrote:
>>
>> I've now upgraded to 3.2.2 and the issue remains. When building and running
>> make installcheck-upgrade against a 14.5 postgres cluster it fails with:
>>
>> NOTICE: Packaging extension postgis
>> ERROR: function _postgis_deprecate(text,text,text) is not a member of extension "postgis"
>> DETAIL: An extension is not allowed to replace an object that it does not own.
>> CONTEXT: SQL statement "CREATE EXTENSION postgis SCHEMA public VERSION unpackaged;ALTER EXTENSION postgis UPDATE TO "3.2.2""
>
> Daniel could you please confirm the issue is resolved as of
> commit 9ceb6968ef780bc7d56e4e46ecf5747f95c2e619 in stable-3.2 branch ?

The upgrade tests seem to work now when building stable-3.2 from a completely
clean tree with a fresh build and install of PostgreSQL 14.

--
Daniel Gustafsson https://vmware.com/

[Sandro Santilli]

On Mon, Aug 15, 2022 at 10:50:27AM +0200, Daniel Gustafsson wrote:
> > On 12 Aug 2022, at 18:29, Sandro Santilli <st...@kbt.io> wrote:
> > On Thu, Aug 11, 2022 at 09:44:52PM +0200, Daniel Gustafsson wrote:
> >>
> >> I've now upgraded to 3.2.2 and the issue remains. When building and running
> >> make installcheck-upgrade against a 14.5 postgres cluster it fails with:
> >>
> >> NOTICE: Packaging extension postgis
> >> ERROR: function _postgis_deprecate(text,text,text) is not a member of extension "postgis"
>

> > Daniel could you please confirm the issue is resolved as of
> > commit 9ceb6968ef780bc7d56e4e46ecf5747f95c2e619 in stable-3.2 branch ?
>
> The upgrade tests seem to work now when building stable-3.2 from a completely
> clean tree with a fresh build and install of PostgreSQL 14.

Thanks for confirmation.

--strk;

Libre GIS consultant/developer
https://strk.kbt.io/services.html