From 9008dc9aade6dbfe4efafcd6872ebc55f4699cf5 Mon Sep 17 00:00:00 2001
From: Dave Cramer
Date: Wed, 23 Nov 2022 09:25:08 -0500
Subject: [PATCH] Merge pull request from GHSA-562r-vg33-8x8h

* Fix: createTempFile vulnerability on unix like systems where temporary files can be read by other users on the system
* Update site with change logs and new version information
---
 CHANGELOG.md | 16 ++++-
 contributors.json | 7 +-
 .../changelogs/2022-11-21-42.5.1-release.md | 64 +++++++++++++++++++
 docs/data/homepagedata.toml | 7 +-
 docs/data/versions.toml | 35 +++++-----
 docs/layouts/partials/home/info.html | 4 +-
 .../org/postgresql/util/StreamWrapper.java | 3 +-
 7 files changed, 111 insertions(+), 25 deletions(-)
 create mode 100644 docs/content/changelogs/2022-11-21-42.5.1-release.md

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 27317f09e4..d83169e299 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,19 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/). ### Fixed +[42.5.1] (2022-11-21 15:21:59 -0500) +### Security +- security: StreamWrapper spills to disk if setText, or setBytea sends very large Strings or arrays to the server. createTempFile creates a file which can be read by other users on unix like systems (Not macos). +This has been fixed in this version fixes CVE-2022-41946 see the [security advisory](https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-562r-vg33-8x8h) for more details. Reported by [Jonathan Leitschuh](https://github.com/JLLeitschuh) This has been fixed in versions 42.5.1, 42.4.3 42.3.8, 42.2.27.jre7. Note there is no fix for 42.2.26.jre6. See the security advisory for work arounds. + +### Fixed + +- fix: make sure we select array_in from pg_catalog to avoid duplicate array_in functions fixes [#Issue 2548](https://github.com/pgjdbc/pgjdbc/issues/2548) [PR #2552](https://github.com/pgjdbc/pgjdbc/issues/2552) +- fix: binary decoding of bool values [PR #2640](https://github.com/pgjdbc/pgjdbc/pull/2640) +- perf: improve performance of PgResultSet getByte/getShort/getInt/getLong for float-typed columns [PR #2634](https://github.com/pgjdbc/pgjdbc/pull/2634) +- chore: fix various spelling errors [PR #2592](https://github.com/pgjdbc/pgjdbc/pull/2592) +- chore: Feature/urlparser improve URLParser [PR #2641](https://github.com/pgjdbc/pgjdbc/pull/2592) + ## [42.5.0] (2022-08-23 11:20:11 -0400) ### Changed - fix: revert change in [PR #1986](https://github.com/pgjdbc/pgjdbc/pull/1986) where float was aliased to float4 from float8. 
@@ -743,4 +756,5 @@ thrown to caller to be dealt with so no need to log at this verbosity by pgjdbc [42.4.1]: https://github.com/pgjdbc/pgjdbc/compare/REL42.4.0...REL42.4.1 [42.4.2]: https://github.com/pgjdbc/pgjdbc/compare/REL42.4.1...REL42.4.2 [42.5.0]: https://github.com/pgjdbc/pgjdbc/compare/REL42.4.2...REL42.5.0 -[Unreleased]: https://github.com/pgjdbc/pgjdbc/compare/REL42.5.0...HEAD +[42.5.0]: https://github.com/pgjdbc/pgjdbc/compare/REL42.5.0...REL42.5.1 +[Unreleased]: https://github.com/pgjdbc/pgjdbc/compare/REL42.5.1...HEAD diff --git a/contributors.json b/contributors.json index 33b94f1606..a56736e486 100644 --- a/contributors.json +++ b/contributors.json @@ -198,5 +198,10 @@ "Olivier Bourgain" : "olivierbourgain02@gmail.com", "Andrei Lurie" : "alurie@users.noreply.github.com", "Sven Diedrichsen" : "sven.diedrichsen@gmail.com", - "Sasa Vilic" : "sasavilic@gmail.com" + "Sasa Vilic" : "sasavilic@gmail.com", + "Evgeniy Devyatykh" : "devyatyh@gmail.com", + "Josh Soref" : "2119212+jsoref@users.noreply.github.com", + "Kevin222004" : "kevinpatel222004@gmail.com", + "Knut Olav Løite" : "koloite@gmail.com", + "μtkarsh" : "61664827+utkar-sh-ukla@users.noreply.github.com" } diff --git a/docs/content/changelogs/2022-11-21-42.5.1-release.md b/docs/content/changelogs/2022-11-21-42.5.1-release.md new file mode 100644 index 0000000000..bbf527790e --- /dev/null +++ b/docs/content/changelogs/2022-11-21-42.5.1-release.md 
@@ -0,0 +1,64 @@ +--- +title: PostgreSQL JDBC Driver 42.5.1 Released +date: 2022-11-21 15:21:47 -0500 +categories: + - new_release +version: 42.5.1 +--- +**Notable changes** + +### Security +- security: StreamWrapper spills to disk if setText, or setBytea sends very large Strings or arrays to the server. createTempFile creates a file which can be read by other users on unix like systems (Not macos).\ +This has been fixed in this version fixes CVE-2022-41946 see the [security advisory](https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-562r-vg33-8x8h) for more details.\ +Reported by [Jonathan Leitschuh](https://github.com/JLLeitschuh)\ +This has been fixed in versions 42.5.1, 42.4.3 42.3.8, 42.2.27.jre7.\ +**Note** there is no fix for 42.2.26.jre6. See the security advisory for work arounds. + +### Fixed + +- fix: make sure we select array_in from pg_catalog to avoid duplicate array_in functions fixes [#Issue 2548](https://github.com/pgjdbc/pgjdbc/issues/2548) [PR #2552](https://github.com/pgjdbc/pgjdbc/issues/2552) +- fix: binary decoding of bool values [PR #2640](https://github.com/pgjdbc/pgjdbc/pull/2640) +- perf: improve performance of PgResultSet getByte/getShort/getInt/getLong for float-typed columns [PR #2634](https://github.com/pgjdbc/pgjdbc/pull/2634) +- chore: fix various spelling errors [PR #2592](https://github.com/pgjdbc/pgjdbc/pull/2592) +- chore: Feature/urlparser improve URLParser [PR #2641](https://github.com/pgjdbc/pgjdbc/pull/2592) + + + + +**Commits by author** + +Dave Cramer (13): + Update README.md [PR 2609](https://github.com/pgjdbc/pgjdbc/pull/2609)\ + Ignore simplequery for postgresql 8.4 [PR 2614](https://github.com/pgjdbc/pgjdbc/pull/2614)\ + Single commit to move newdocs into master [PR 2618](https://github.com/pgjdbc/pgjdbc/pull/2618)\ + update versions [PR 2619](https://github.com/pgjdbc/pgjdbc/pull/2619)\ + fix grammar, fix downloads, minor edits [PR 2626](https://github.com/pgjdbc/pgjdbc/pull/2626)\ + fix: make sure we select 
array_in from pg_catalog to avoid duplicate array_in functions fixes #Issue 2548 [PR 2552](https://github.com/pgjdbc/pgjdbc/pull/2552)\ + clarify prepared statement usage [PR 2629](https://github.com/pgjdbc/pgjdbc/pull/2629)\ + fix maven coordinates [PR 2631](https://github.com/pgjdbc/pgjdbc/pull/2631)\ + remove javadoc links for java 17 and above [PR 2637](https://github.com/pgjdbc/pgjdbc/pull/2637)\ + revert change to PGProperty.get() to keep the API the same [PR 2644](https://github.com/pgjdbc/pgjdbc/pull/2644)\ + exclude ArrayTest versions less than 9.1 [PR 2645](https://github.com/pgjdbc/pgjdbc/pull/2645)\ + +Evgeniy Devyatykh (1): + perf: improve performance of PgResultSet getByte/getShort/getInt/getLong for float-typed columns [PR 2634](https://github.com/pgjdbc/pgjdbc/pull/2634) + +Josh Soref (1): + chore: fix various spelling errors [PR 2592](https://github.com/pgjdbc/pgjdbc/pull/2592) + +Kevin222004 (1): + +Knut Olav Løite (1): + fix: binary decoding of bool values [PR 2640](https://github.com/pgjdbc/pgjdbc/pull/2640) + +Marek Läll (1): + Feature/urlparser improve3 pr1 [PR 2641](https://github.com/pgjdbc/pgjdbc/pull/2641) + +Vladimir Sitnikov (4): + docs: clarify we ship security fixes by default for the latest 42.x and 42.2 only [PR 2586](https://github.com/pgjdbc/pgjdbc/pull/2586) + +μtkarsh (1): + Optimize png files [PR 2621](https://github.com/pgjdbc/pgjdbc/pull/2621) + + + \ No newline at end of file diff --git a/docs/data/homepagedata.toml b/docs/data/homepagedata.toml index 486b546f57..ca6f7c323b 100644 --- a/docs/data/homepagedata.toml +++ b/docs/data/homepagedata.toml @@ -14,6 +14,11 @@ path = "/icons/driver-icon.svg" # Releases Info +[[info]] +date = "21 October 2022" +url = "/changelogs/2022-11-21-42.5.1-release/" +version = "42.5.1" + [[info]] date = "24 August 2022" url = "/changelogs/2022-08-24-42.5.0-release/" 
@@ -30,6 +35,6 @@ url = "/changelogs/2022-08-03-42.4.1-release/" version = "42.4.1" [[info]] -date = "09 JUne 2022" +date = "09 June 2022" url = "/changelogs/2022-06-09-42.4.0-release/" version = "42.4.0" diff --git a/docs/data/versions.toml b/docs/data/versions.toml index eb0b54949a..6b38202efe 100644 --- a/docs/data/versions.toml +++ b/docs/data/versions.toml @@ -2,47 +2,42 @@ [[recent]] j_name= "Java 8" -version= "42.5.0" +version= "42.5.1" suffix="" description= "If you are using Java 8 or newer then you should use the JDBC 4.2 version." -url= "/download/postgresql-42.5.0.jar" +url= "/download/postgresql-42.5.1.jar" [[recent]] j_name= "Java 7" -version= "42.2.26" +version= "42.2.27" suffix="jre7" description= "If you are using Java 7 then you should use the JDBC 4.1 version." -url= "/download/postgresql-42.2.26.jre7.jar" +url= "/download/postgresql-42.2.27.jre7.jar" [[recent]] j_name= "Java 6" -version= "42.2.26" +version= "42.2.27" suffix="jre6" description= "If you are using Java 6 then you should use the JDBC 4.0 version." -url= "/download/postgresql-42.2.26.jre6.jar" +url= "/download/postgresql-42.2.27.jre6.jar" # Past Versions [[past]] -v_name= "Postgresql JDBC 42.4.0" -version= "42.4.0" +v_name= "Postgresql JDBC 42.5.0" +version= "42.5.0" suffix="" -url= "/download/postgresql-42.4.0.jar" +url= "/download/postgresql-42.5.0.jar" [[past]] -v_name= "Postgresql JDBC 42.3.6" -version= "42.3.6" +v_name= "Postgresql JDBC 42.4.2" +version= "42.4.2" suffix="" -url= "/download/postgresql-42.3.6.jar" +url= "/download/postgresql-42.4.2.jar" [[past]] -v_name= "Postgresql JDBC 42.3.5" -version= "42.3.5" +v_name= "Postgresql JDBC 42.3.7" +version= "42.3.7" suffix="" -url= "/download/postgresql-42.3.5.jar" +url= "/download/postgresql-42.3.7.jar" -[[past]] -v_name= "Postgresql JDBC 42.3.4" -version= "42.3.4" -suffix="" -url= "/download/postgresql-42.3.4.jar" 
diff --git a/docs/layouts/partials/home/info.html b/docs/layouts/partials/home/info.html index dc29eef859..6c763b4544 100644 --- a/docs/layouts/partials/home/info.html +++ b/docs/layouts/partials/home/info.html @@ -15,7 +15,9 @@

Latest Releases

- pgJDBC has released v42.5.0 on 24 August, 2022. Please see the release notes below. + pgJDBC has released v42.5.1 on 21 October, 2022. This is a security release which fixes CVE-2022-41946 + see Security Advisory + for details
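Review bot: In the first CHANGELOG.md hunk (@@ -10,6 +10,19 @@) the new release heading is added as "[42.5.1] (2022-11-21 15:21:59 -0500)" without the "## " prefix that the next entry, "## [42.5.0] (2022-08-23 11:20:11 -0400)", carries, and it lands directly under the existing "### Fixed" heading, so it will render as body text of the preceding section rather than as a release heading. Suggest "## [42.5.1] (2022-11-21 15:21:59 -0500)" preceded by a blank line. In the security entry, "42.5.1, 42.4.3 42.3.8, 42.2.27.jre7" is missing a comma after 42.4.3, and "This has been fixed in this version fixes CVE-2022-41946 see the ..." runs three clauses together; since this is the text users will read to decide whether they are affected, it is worth splitting into separate sentences.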
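Review bot: In the second CHANGELOG.md hunk (@@ -743,4 +756,5 @@) the added link reference is labelled "[42.5.0]" but points at compare/REL42.5.0...REL42.5.1, which duplicates the existing "[42.5.0]" definition on the line above and leaves "[42.5.1]" undefined, so the new release heading has no link target. The label should be "[42.5.1]:".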
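Review bot: In the new docs/content/changelogs/2022-11-21-42.5.1-release.md, two links in the "Fixed" list do not match their labels: "[PR #2552]" points to /issues/2552 and "[PR #2641]" points to /pull/2592, whereas the "Commits by author" section of the same file uses /pull/2552 and /pull/2641. The same two links are added in the CHANGELOG.md hunk and need the same correction. In "Commits by author" the counts do not match the entries shown: "Dave Cramer (13)" is followed by 11 entries, "Vladimir Sitnikov (4)" by one, and "Kevin222004 (1)" by none; either list the missing commits or drop the counts. The last Dave Cramer entry also ends with a trailing "\" before a blank line, and the file has no newline at end of file.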
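Review bot: In the first docs/data/homepagedata.toml hunk (@@ -14,6 +14,11 @@) the new entry has date = "21 October 2022", but its url is "/changelogs/2022-11-21-42.5.1-release/" and the release file's front matter gives date: 2022-11-21. This should read "21 November 2022".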
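Review bot: In the docs/data/versions.toml hunk the "Java 6" entry is bumped to version "42.2.27" with url "/download/postgresql-42.2.27.jre6.jar", but the changelog text added in this same patch lists the fixed versions as "42.5.1, 42.4.3 42.3.8, 42.2.27.jre7" and states "there is no fix for 42.2.26.jre6". Please confirm that a 42.2.27.jre6 artifact is actually published; if it is not, this download link will be dead, and either way the Java 6 description should tell users whether that jar contains the CVE-2022-41946 fix, since the page otherwise presents it alongside the fixed Java 7 and Java 8 builds.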
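Review bot: In the docs/layouts/partials/home/info.html hunk the announcement says v42.5.1 was released "on 21 October, 2022", which conflicts with the 2022-11-21 date used in the changelog file name and front matter; it should be 21 November. The release date and version are now hard-coded both here and in homepagedata.toml, and both copies carry the same wrong month, so consider rendering this sentence from the first [[info]] entry instead of editing the partial by hand on each release.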