20/34: gnu: postgresql-15: Update to 16.4. [security fixes]
From: guix-commits
Subject: 20/34: gnu: postgresql-15: Update to 16.4. [security fixes]
Date: Tue, 12 Nov 2024 03:42:42 -0500 (EST)
apteryx pushed a commit to branch master
in repository guix.
commit 09bbdc3eadeeec4ffd8ff24a6fb2a07471d2f361
Author: Nicolas Graves <ngraves@ngraves.fr>
AuthorDate: Sun Oct 27 00:47:24 2024 +0200
gnu: postgresql-15: Update to 16.4. [security fixes]
This fixes CVE-2024-7348.
* /gnu/packages/databases.scm
(postgresql-15): Move from here...
(postgresql-16): ... to here.
[version]: Update to 16.4.
[source]: Adapt source and add patch.
[native-inputs]: Add pkg-config.
[inputs]: Add icu4c.
* gnu/packages/patches/postgresql-disable-normalize_exec_path.patch: New
file.
* gnu/local.mk (dist_patch_DATA): Register it.
Signed-off-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Change-Id: I57771ebcf462bdeca73eda157274db089816fd12
---
gnu/local.mk | 1 +
gnu/packages/databases.scm | 34 ++++++++++++++++++----
.../postgresql-disable-normalize_exec_path.patch | 22 ++++++++++++++
3 files changed, 51 insertions(+), 6 deletions(-)
diff --git a/gnu/local.mk b/gnu/local.mk
index 7e31095070..1792ed8c78 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1988,6 +1988,7 @@ dist_patch_DATA =
\
%D%/packages/patches/portaudio-audacity-compat.patch \
%D%/packages/patches/portmidi-modular-build.patch \
%D%/packages/patches/postgresql-disable-resolve_symlinks.patch \
+ %D%/packages/patches/postgresql-disable-normalize_exec_path.patch \
%D%/packages/patches/procmail-ambiguous-getline-debian.patch \
%D%/packages/patches/procmail-CVE-2014-3618.patch \
%D%/packages/patches/procmail-CVE-2017-16844.patch \
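Review bot: The new dist_patch_DATA entry is placed after postgresql-disable-resolve_symlinks.patch, but the neighbouring entries are in alphabetical order and "normalize" sorts before "resolve". Move the `postgresql-disable-normalize_exec_path.patch` line up by one so the list stays sorted.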
diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index 17b7a97f87..96eb4b99b5 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -1289,18 +1289,19 @@ and high-availability (HA).")
(license license:gpl2))) ;'COPYING' says "version 2" only
;; Don't forget to update the other postgresql packages when upgrading this
one.
-(define-public postgresql-15
+(define-public postgresql-16
(package
(name "postgresql")
- (version "15.7")
+ (version "16.4")
(source (origin
(method url-fetch)
(uri (string-append "https://ftp.postgresql.org/pub/source/v"
version "/postgresql-" version ".tar.bz2"))
(sha256
(base32
- "1xwq1592k1r64ki9bmkcyw39416kymabdfxbkpiqaqxbhnaf8vx4"))
- (patches (search-patches
"postgresql-disable-resolve_symlinks.patch"))))
+ "0vvd73rzj0sl294v15bh8yslakqv412bxqzlkqxyjwxa8pb6c5wp"))
+ (patches (search-patches
+ "postgresql-disable-normalize_exec_path.patch"))))
(build-system gnu-build-system)
(arguments
(list
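Review bot: The patches field of the renamed postgresql-16 swaps postgresql-disable-resolve_symlinks.patch for postgresql-disable-normalize_exec_path.patch with no comment explaining why the 16 series needs a different patch. Since postgresql-15 keeps the old patch further down, a short comment next to `(patches (search-patches` would tell whoever does the next upgrade which patch applies to which series.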
@@ -1338,8 +1339,10 @@ and high-availability (HA).")
(invoke "make" "postgres.info")
(install-file "postgres.info"
(string-append #$output "/share/info"))))))))
- (native-inputs (list docbook-xml-4.5 docbook2x libxml2 perl texinfo))
- (inputs (list readline `(,util-linux "lib") openssl zlib))
+ (native-inputs
+ (list docbook-xml-4.5 docbook2x libxml2 perl pkg-config texinfo))
+ (inputs
+ (list icu4c readline `(,util-linux "lib") openssl zlib))
(home-page "https://www.postgresql.org/")
(synopsis "Powerful object-relational database system")
(description
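Review bot: pkg-config and icu4c are added to native-inputs and inputs here without a comment, and the postgresql-15 definition further down deletes both again. A one-line comment stating what in 16.4 requires them would make that pairing understandable and keep the inheriting packages from drifting.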
@@ -1351,6 +1354,25 @@ TIMESTAMP. It also supports storage of binary large
objects, including
pictures, sounds, or video.")
(license (license:x11-style "file://COPYRIGHT"))))
+(define-public postgresql-15
+ (package
+ (inherit postgresql-16)
+ (name "postgresql")
+ (version "15.8")
+ (source (origin
+ (inherit (package-source postgresql-16))
+ (uri (string-append "https://ftp.postgresql.org/pub/source/v"
+ version "/postgresql-" version ".tar.bz2"))
+ (sha256
+ (base32
+ "0snbxmlygf7m4cxjpscmz3yjn4lnqsw313y9xgpv7vk9k9gm20s4"))
+ (patches (search-patches
+ "postgresql-disable-resolve_symlinks.patch"))))
+ (native-inputs (modify-inputs (package-native-inputs postgresql-16)
+ (delete "pkg-config")))
+ (inputs (modify-inputs (package-inputs postgresql-16)
+ (delete "icu4c")))))
+
(define-public postgresql-14
(package
(inherit postgresql-15)
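Review bot: The re-added postgresql-15 carries `(version "15.8")` where the removed definition had 15.7, so this hunk also upgrades the 15 series, yet the commit log describes that entry only as moved. The log should mention the 15.8 update. In the same definition, `(name "postgresql")` is redundant next to `(inherit postgresql-16)`, and the two `(delete ...)` forms tie postgresql-15 to postgresql-16's input lists, so they need rechecking whenever those lists change.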
diff --git a/gnu/packages/patches/postgresql-disable-normalize_exec_path.patch
b/gnu/packages/patches/postgresql-disable-normalize_exec_path.patch
new file mode 100644
index 0000000000..0397bd5a35
--- /dev/null
+++ b/gnu/packages/patches/postgresql-disable-normalize_exec_path.patch
@@ -0,0 +1,22 @@
+diff --git a/src/common/exec.c b/src/common/exec.c
+index f209b93..ed42202 100644
+--- a/src/common/exec.c
++++ b/src/common/exec.c
+@@ -238,6 +238,14 @@ find_my_exec(const char *argv0, char *retpath)
+ static int
+ normalize_exec_path(char *path)
+ {
++ /*
++ * Guix specific patch: postgresql extensions need to be located in the
++ * same directory as postgresql.
++ * In Guix we currently use directory-unions to create extended
postgresql
++ * packages. Directory unions use symlinks, that's why we need to be
able
++ * to use symlinks.
++ */
++ return 0;
+ /*
+ * We used to do a lot of work ourselves here, but now we just let
+ * realpath(3) do all the heavy lifting.
+--
+2.46.0
+
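Review bot: The unconditional `return 0;` at the top of normalize_exec_path() leaves the whole original body, including the realpath(3) call its comment refers to, as dead code after the return. Either remove or `#if 0` the remaining body in the patch so the intent is explicit and compilers do not flag unreachable code. The new patch file also starts directly at `diff --git` with no header, so a short description of its purpose and upstream status belongs at the top; the in-code comment explains the directory-union reason but not which change made the patch necessary.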