From: Michael Paquier <michael(at)paquier(dot)xyz>
To: Bruce Momjian <bruce(at)momjian(dot)us>
Cc: Roberto C(dot) Sánchez <roberto(at)debian(dot)org>, pgsql-hackers(at)lists(dot)postgresql(dot)org, Christoph Berg <myon(at)debian(dot)org>
Subject: Re: Backport of CVE-2024-10978 fix to older pgsql versions (11, 9.6, and 9.4)
Date: 2024-12-31 01:23:29
Message-ID: Z3NHkW31MfTaV9u1@paquier.xyz
Lists: pgsql-hackers

On Mon, Dec 30, 2024 at 04:58:26PM -0500, Bruce Momjian wrote:
> I saw your question and was kind of stumped about how to answer. We
> rarely look at back branches for backpatch analysis, so I think we are
> kind of confused on how to answer. Under what circumstances are you
> supporting versions of Postgres that we don't support? Is this part of
> Debian policy?
So am I (I'd say that you are on your own for this one, still...).
It is the first time I have heard about that on the lists, but perhaps
Christoph Berg would know better? Adding him in CC for comments.
Applying patches to older branches is a speciality in itself, and
requires a lot of work and analysis (not planning to do that here for
this specific CVE). The good thing is that 5a2fed911a85 has some
regression tests, so you could be more confident that what you are
doing is rather right. Now the code in this area has changed slightly
because of the introduction of parallel workers in 9.6, so that could
be tricky. I'd suggest *not* bypassing the work across multiple
branches at once, as it can help in dealing with conflicts in a more
granular way, even if it may increase the analysis burden quite a bit.
While on it, note also 73c9f91a1b6d, which is a follow-up to
5a2fed911a85 for CVE-2024-10978 related to parallel workers; it
would not apply to 9.4, for sure.
> Is our five-year insufficient?
FWIW, I'm already on the side that five-year support is quite good and
I'd side with not extending it, or even argue for reducing it
(anti-tomato armor is now on). Backporting patches across up to 7
branches can be really tedious depending on what you are dealing with
in the backend.
--
Michael
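
The branch-by-branch backport that Michael recommends above, as an added example that is not part of the thread and not PostgreSQL's own code: a constructed git repository with three release branches (REL_12, REL_11 and REL9_4 are stand-ins for the real ones), a fix plus a follow-up landing on the newest branch, and a script that cherry-picks each commit into the next older branch from the branch just adapted rather than from the original, runs a toy regression check, and stops where a commit no longer applies. The follow-up touching the parallel worker file has nothing to apply to on the oldest branch, mirroring the point about 73c9f91a1b6d and 9.4. File names, function names, commit subjects and the regression check are all made up for the example; only git itself is real.

```shell
#!/bin/sh
# Added example (not PostgreSQL code): backport a fix and its follow-up
# down a chain of release branches one branch at a time, taking each pick
# from the branch just adapted rather than from the original, so that each
# step only has to deal with that step's drift.
set -eu

# Fixed identity so commits work in a bare environment.
export GIT_AUTHOR_NAME=bot GIT_AUTHOR_EMAIL=bot@example.invalid
export GIT_COMMITTER_NAME=bot GIT_COMMITTER_EMAIL=bot@example.invalid

REPO=""

# g: run git inside the constructed repository.
g() { git -C "$REPO" "$@"; }

# commit_file PATH CONTENT SUBJECT: overwrite a file and commit it.
commit_file() {
  printf '%s\n' "$2" > "$REPO/$1"
  g add "$1"
  g commit -q -m "$3"
}

# setup_repo: a constructed history (hypothetical names throughout).
#   base ---- REL9_4                       (never got parallel workers)
#    \-- parallel workers ---- REL_11
#                               \-- Fix A, Fix B ---- REL_12
setup_repo() {
  REPO=$(mktemp -d)
  git -c init.defaultBranch=master init -q "$REPO"
  commit_file core.c 'int apply_setting(void) { return do_apply(0); }' 'Initial code'
  g branch -q REL9_4
  commit_file parallel.c 'void start_worker(void) { do_apply(0); }' 'Add parallel workers'
  g branch -q REL_11
  g checkout -q -b REL_12
  commit_file core.c 'int apply_setting(void) { return do_apply(caller_privs()); }' \
    'Fix A: run with the caller privileges'
  commit_file parallel.c 'void start_worker(void) { do_apply(caller_privs()); }' \
    'Fix B: same for parallel workers'
}

# backport SRC DST SUBJECT: cherry-pick (-x records the origin) the SRC commit
# whose subject contains SUBJECT onto DST. Returns 0 on a clean pick and 1
# after aborting a conflicting one, leaving DST untouched for manual work.
backport() {
  sha=$(g log -1 --format=%H -F --grep="$3" "$1")
  g checkout -q "$2"
  if g cherry-pick -x "$sha" >/dev/null 2>&1; then
    return 0
  fi
  g cherry-pick --abort
  return 1
}

# regress BRANCH: the toy regression test; passes when no do_apply() call
# on the branch still runs with privileges 0.
regress() {
  if g grep -q -F 'do_apply(0)' "$1"; then return 1; fi
  return 0
}

# run: carry each fix from REL_12 down to REL9_4, stopping a commit at the
# first branch where it does not apply, then run the check everywhere.
run() {
  setup_repo
  for subject in 'Fix A' 'Fix B'; do
    src=REL_12
    for dst in REL_11 REL9_4; do
      if backport "$src" "$dst" "$subject"; then
        echo "$dst: picked '$subject' from $src"
        src=$dst
      else
        echo "$dst: '$subject' does not apply cleanly; needs its own analysis"
        break
      fi
    done
  done
  for b in REL_11 REL9_4; do
    if regress "$b"; then echo "$b: regression check passes"; else echo "$b: regression check FAILS"; fi
  done
  rm -rf "$REPO"
}

run
```

Running it picks both commits onto REL_11, picks Fix A onto REL9_4 from REL_11 (the "cherry picked from" trailer therefore names the REL_11 commit, which is the granular trail you want when a later branch conflicts), and stops Fix B at REL9_4 with the branch left clean; the toy check still passes there because that branch has no worker code to fix.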