
[meta-oe][PATCH] perfetto: build libperfetto

Markus Volk
 

- Mesa has support for perfetto, but the libperfetto library is needed
- Only v27 seems to be supported for now. Update perfetto accordingly
- Make sure perfetto and libperfetto share the same codebase
- Patch meson.build to allow shared build
- Add a version number to avoid having a non-symlink .so file packaged into the dev package.
- Create a PC file for libperfetto to allow mesa to find it using pkgconfig.
- Add nobranch=1 for the git repos to silence warnings about missing default branch

Signed-off-by: Markus Volk <f_l_k@...>
---
...1-meson-add-pc-file-for-lib_perfetto.patch | 38 +++++++++++++++++++
.../recipes-devtools/perfetto/libperfetto.bb | 11 ++++++
meta-oe/recipes-devtools/perfetto/perfetto.bb | 14 +++----
.../recipes-devtools/perfetto/perfetto.inc | 9 +++++
4 files changed, 65 insertions(+), 7 deletions(-)
create mode 100644 meta-oe/recipes-devtools/perfetto/files/0001-meson-ad=
d-pc-file-for-lib_perfetto.patch
create mode 100644 meta-oe/recipes-devtools/perfetto/libperfetto.bb
create mode 100644 meta-oe/recipes-devtools/perfetto/perfetto.inc

diff --git a/meta-oe/recipes-devtools/perfetto/files/0001-meson-add-pc-fi=
le-for-lib_perfetto.patch b/meta-oe/recipes-devtools/perfetto/files/0001-=
meson-add-pc-file-for-lib_perfetto.patch
new file mode 100644
index 000000000..056382156
--- /dev/null
+++ b/meta-oe/recipes-devtools/perfetto/files/0001-meson-add-pc-file-for-=
lib_perfetto.patch
@@ -0,0 +1,38 @@
+From 4712b1252ecf6270b5bb2931358b4a368351eaa3 Mon Sep 17 00:00:00 2001
+From: Markus Volk <f_l_k@...>
+Date: Mon, 17 Oct 2022 15:39:26 +0200
+Subject: [PATCH] meson: add PC file for lib_perfetto
+
+---
+ meson.build | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/meson.build b/meson.build
+index 06015141c..c67358cae 100644
+--- a/meson.build
++++ b/meson.build
+@@ -30,8 +30,9 @@ endif
+=20
+ dep_threads =3D dependency('threads')
+=20
+-lib_perfetto =3D static_library(
++lib_perfetto =3D shared_library(
+ 'perfetto',
++ version: '27.1',
+ sources: 'sdk/perfetto.cc',
+ dependencies: dep_threads,
+ install: true,
+@@ -39,6 +40,10 @@ lib_perfetto =3D static_library(
+=20
+ inc_perfetto =3D include_directories('sdk')
+=20
++install_headers('sdk/perfetto.h')
++pkg =3D import('pkgconfig')
++pkg.generate(lib_perfetto)
++
+ dep_perfetto =3D declare_dependency(
+ link_with: lib_perfetto,
+ include_directories: inc_perfetto,
+--=20
+2.34.1
+
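Review bot: The embedded patch header (From/Date/Subject, then `---`) has no `Upstream-Status:` tag and no `Signed-off-by:` line, so nothing records whether this meson.build change was sent upstream or is specific to this layer; add e.g. `Upstream-Status: Pending` (or whichever value applies) and a sign-off above the `---`. In the first meson hunk, `static_library(` is replaced outright by `shared_library(`, which forces a shared build rather than allowing one as the description says. `lib_perfetto = library(` would honour meson's `default_library` option and keep a static build possible. The literal `version: '27.1'` also duplicates `PV` from perfetto.inc and has to be bumped by hand on every upgrade.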
diff --git a/meta-oe/recipes-devtools/perfetto/libperfetto.bb b/meta-oe/r=
ecipes-devtools/perfetto/libperfetto.bb
new file mode 100644
index 000000000..d58e31414
--- /dev/null
+++ b/meta-oe/recipes-devtools/perfetto/libperfetto.bb
@@ -0,0 +1,11 @@
+LICENSE =3D "Apache-2.0"
+LIC_FILES_CHKSUM =3D "file://LICENSE;md5=3Df87516e0b698007e9e75a1fe1012b=
390"
+
+require perfetto.inc
+
+inherit meson
+
+SRC_URI:append =3D " file://0001-meson-add-pc-file-for-lib_perfetto.patc=
h"
+
+FILES:${PN} +=3D "${datadir}"
+BBCLASSEXTEND =3D "native nativesdk"
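Review bot: `FILES:${PN} += "${datadir}"` puts everything under datadir into the runtime package without saying why. The meson changes visible in this commit install only the library, `sdk/perfetto.h` and a pkg-config file, none of which would normally land in datadir. Either drop the line or add a comment stating what ends up there, e.g. `# <files meson installs under ${datadir}> belong in the main package`. Separately, since `require perfetto.inc` already assigns `SRC_URI`, the patch could be added with a plain `SRC_URI += "file://..."` rather than `SRC_URI:append`, which is easier for a bbappend to override.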
diff --git a/meta-oe/recipes-devtools/perfetto/perfetto.bb b/meta-oe/reci=
pes-devtools/perfetto/perfetto.bb
index 94c39e9cc..c1b099430 100644
--- a/meta-oe/recipes-devtools/perfetto/perfetto.bb
+++ b/meta-oe/recipes-devtools/perfetto/perfetto.bb
@@ -10,16 +10,15 @@ LIC_FILES_CHKSUM =3D "file://LICENSE;md5=3Df87516e0b6=
98007e9e75a1fe1012b390 \
file://debian/copyright;md5=3D4e08364c82141f181de69d=
0a2b89d612 \
file://python/LICENSE;md5=3Dc602a632c34ade9c78a97673=
4077bce7"
=20
-SRC_URI =3D "git://github.com/google/perfetto.git;protocol=3Dhttps;name=3D=
perfetto \
+SRC_URI:append =3D " \
git://github.com/protocolbuffers/protobuf.git;branch=3D3.9.x;=
protocol=3Dhttps;destsuffix=3Dgit/buildtools/protobuf;name=3Dprotobuf \
- git://chromium.googlesource.com/external/github.com/llvm/llvm=
-project/libcxx.git;protocol=3Dhttps;destsuffix=3Dgit/buildtools/libcxx;n=
ame=3Dlibcxx \
- git://chromium.googlesource.com/external/github.com/llvm/llvm=
-project/libcxxabi.git;protocol=3Dhttps;destsuffix=3Dgit/buildtools/libcx=
xabi;name=3Dlibcxxabi \
- git://chromium.googlesource.com/external/github.com/llvm/llvm=
-project/libunwind.git;protocol=3Dhttps;destsuffix=3Dgit/buildtools/libun=
wind;name=3Dlibunwind \
- git://android.googlesource.com/platform/external/zlib.git;bra=
nch=3Dmaster;protocol=3Dhttps;destsuffix=3Dgit/buildtools/zlib;name=3Dzli=
b \
+ git://chromium.googlesource.com/external/github.com/llvm/llvm=
-project/libcxx.git;protocol=3Dhttps;destsuffix=3Dgit/buildtools/libcxx;n=
ame=3Dlibcxx;nobranch=3D1 \
+ git://chromium.googlesource.com/external/github.com/llvm/llvm=
-project/libcxxabi.git;protocol=3Dhttps;destsuffix=3Dgit/buildtools/libcx=
xabi;name=3Dlibcxxabi;nobranch=3D1 \
+ git://chromium.googlesource.com/external/github.com/llvm/llvm=
-project/libunwind.git;protocol=3Dhttps;destsuffix=3Dgit/buildtools/libun=
wind;name=3Dlibunwind;nobranch=3D1 \
+ git://android.googlesource.com/platform/external/zlib.git;bra=
nch=3Dmaster;protocol=3Dhttps;destsuffix=3Dgit/buildtools/zlib;name=3Dzli=
b;nobranch=3D1 \
https://storage.googleapis.com/perfetto/gn-linux64-1968-0725d=
782;subdir=3Dgit/buildtools/;name=3Dgn \
file://0001-Remove-check_build_deps-build-steps.patch "
=20
-SRCREV_perfetto =3D "5bd3f582c075d0d026c5fe0b5e291d34dee0d976"
SRCREV_protobuf =3D "6a59a2ad1f61d9696092f79b6d74368b4d7970a3"
SRCREV_libcxx =3D "d9040c75cfea5928c804ab7c235fed06a63f743a"
SRCREV_libcxxabi =3D "196ba1aaa8ac285d94f4ea8d9836390a45360533"
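Review bot: The zlib entry now carries both `branch=master` and `nobranch=1`, which contradict each other; as far as I know the git fetcher skips the check that the SRCREV is reachable from the named branch once `nobranch=1` is set, so `branch=master` becomes dead text. The same `nobranch=1` is added to the libcxx, libcxxabi and libunwind entries in this hunk and to the main perfetto URI in perfetto.inc. The fetches stay pinned by the `SRCREV_*` hashes, but the branch-containment check is a cheap guard against a hash that no longer belongs to the expected history. Where a branch is known it is better to name it (`branch=<branch-name>`) than to disable the check just to silence the warning. For zlib, keep `branch=master` and drop `nobranch=1`.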
@@ -27,6 +26,8 @@ SRCREV_libunwind =3D "d999d54f4bca789543a2eb6c995af2d9b=
5a1f3ed"
SRCREV_zlib =3D "5c85a2da4c13eda07f69d81a1579a5afddd35f59"
SRC_URI[gn.sha256sum] =3D "f706aaa0676e3e22f5fc9ca482295d7caee8535d1869f=
99efa2358177b64f5cd"
=20
+require perfetto.inc
+
DEPENDS +=3D " ninja-native"
=20
COMPATIBLE_HOST =3D "(i.86|x86_64|aarch64|arm).*-linux*"
@@ -35,7 +36,6 @@ FILES:${PN}:append =3D " \
${bindir}/tracebox \
"
=20
-S =3D "${WORKDIR}/git"
B =3D "${WORKDIR}/build"
=20
CXXFLAGS:append:arm =3D "${@bb.utils.contains('TUNE_FEATURES', 'callconv=
ention-hard', ' -mfloat-abi=3Dhard', '', d)}"
diff --git a/meta-oe/recipes-devtools/perfetto/perfetto.inc b/meta-oe/rec=
ipes-devtools/perfetto/perfetto.inc
new file mode 100644
index 000000000..5cb6f8bb3
--- /dev/null
+++ b/meta-oe/recipes-devtools/perfetto/perfetto.inc
@@ -0,0 +1,9 @@
+SUMMARY =3D "Perfetto - System profiling, app tracing and trace analysis=
."
+HOMEPAGE =3D "https://github.com/google/perfetto"
+
+SRC_URI =3D "git://github.com/google/perfetto.git;protocol=3Dhttps;name=3D=
perfetto;nobranch=3D1"
+
+SRCREV_perfetto =3D "1c52b5e132312aeb007ed180d4ba1d8d66227923"
+PV =3D "27.1"
+
+S =3D "${WORKDIR}/git"
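Review bot: `SRCREV_perfetto` and `PV = "27.1"` are set side by side, but nothing in the file ties the hash to the release it is meant to represent, so a reviewer cannot confirm from the recipe that `1c52b5e132312aeb007ed180d4ba1d8d66227923` is the 27.1 source. Add a comment above the hash naming the upstream tag it was taken from, e.g. `# commit of upstream tag <tag-name>`. With `nobranch=1` on the URI this comment is the only provenance record left in the recipe.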
--=20
2.34.1


Re: [meta-oe][dunfell][PATCH] postgresql: Fix CVE-2022-2625

Armin Kuster
 

On 10/17/22 12:18 AM, Hitendra Prajapati wrote:
Upstream-Status: Backport from https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=5579726bd60a6e7afb04a3548bced348cd5ffd89
Description:
CVE-2022-2625 postgresql: Extension scripts replace objects not belonging to the extension.
As mentioned earlier, Postgres 12.12 has been released and if this package was updated to that version, this patch would have been unnecessary.

I am rejecting this patch as a package update is a cleaner way to go.

-armin

Signed-off-by: Hitendra Prajapati <hprajapati@...>
---
.../postgresql/files/CVE-2022-2625.patch | 904 ++++++++++++++++++
.../recipes-dbs/postgresql/postgresql_12.9.bb | 1 +
2 files changed, 905 insertions(+)
create mode 100644 meta-oe/recipes-dbs/postgresql/files/CVE-2022-2625.patch

diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2022-2625.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2022-2625.patch
new file mode 100644
index 0000000000..6417d8a2b7
--- /dev/null
+++ b/meta-oe/recipes-dbs/postgresql/files/CVE-2022-2625.patch
@@ -0,0 +1,904 @@
+From 84375c1db25ef650902cf80712495fc514b0ff63 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@...>
+Date: Thu, 13 Oct 2022 10:35:32 +0530
+Subject: [PATCH] CVE-2022-2625
+
+Upstream-Status: Backport [https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=5579726bd60a6e7afb04a3548bced348cd5ffd89]
+CVE: CVE-2022-2625
+Signed-off-by: Hitendra Prajapati <hprajapati@...>
+---
+ doc/src/sgml/extend.sgml | 11 --
+ src/backend/catalog/pg_collation.c | 49 ++++--
+ src/backend/catalog/pg_depend.c | 74 ++++++++-
+ src/backend/catalog/pg_operator.c | 2 +-
+ src/backend/catalog/pg_type.c | 7 +-
+ src/backend/commands/createas.c | 18 ++-
+ src/backend/commands/foreigncmds.c | 19 ++-
+ src/backend/commands/schemacmds.c | 25 ++-
+ src/backend/commands/sequence.c | 8 +
+ src/backend/commands/statscmds.c | 4 +
+ src/backend/commands/view.c | 16 +-
+ src/backend/parser/parse_utilcmd.c | 10 ++
+ src/include/catalog/dependency.h | 2 +
+ src/test/modules/test_extensions/Makefile | 5 +-
+ .../expected/test_extensions.out | 153 ++++++++++++++++++
+ .../test_extensions/sql/test_extensions.sql | 110 +++++++++++++
+ .../test_ext_cine--1.0--1.1.sql | 26 +++
+ .../test_extensions/test_ext_cine--1.0.sql | 25 +++
+ .../test_extensions/test_ext_cine.control | 3 +
+ .../test_extensions/test_ext_cor--1.0.sql | 20 +++
+ .../test_extensions/test_ext_cor.control | 3 +
+ 21 files changed, 540 insertions(+), 50 deletions(-)
+ create mode 100644 src/test/modules/test_extensions/test_ext_cine--1.0--1.1.sql
+ create mode 100644 src/test/modules/test_extensions/test_ext_cine--1.0.sql
+ create mode 100644 src/test/modules/test_extensions/test_ext_cine.control
+ create mode 100644 src/test/modules/test_extensions/test_ext_cor--1.0.sql
+ create mode 100644 src/test/modules/test_extensions/test_ext_cor.control
+
+diff --git a/doc/src/sgml/extend.sgml b/doc/src/sgml/extend.sgml
+index 53f2638..bcc7a80 100644
+--- a/doc/src/sgml/extend.sgml
++++ b/doc/src/sgml/extend.sgml
+@@ -1109,17 +1109,6 @@ SELECT * FROM pg_extension_update_paths('<replaceable>extension_name</replaceabl
+ <varname>search_path</varname>. However, no mechanism currently exists
+ to require that.
+ </para>
+-
+- <para>
+- Do <emphasis>not</emphasis> use <command>CREATE OR REPLACE
+- FUNCTION</command>, except in an update script that must change the
+- definition of a function that is known to be an extension member
+- already. (Likewise for other <literal>OR REPLACE</literal> options.)
+- Using <literal>OR REPLACE</literal> unnecessarily not only has a risk
+- of accidentally overwriting someone else's function, but it creates a
+- security hazard since the overwritten function would still be owned by
+- its original owner, who could modify it.
+- </para>
+ </sect3>
+ </sect2>
+
+diff --git a/src/backend/catalog/pg_collation.c b/src/backend/catalog/pg_collation.c
+index dd99d53..ba4c3ef 100644
+--- a/src/backend/catalog/pg_collation.c
++++ b/src/backend/catalog/pg_collation.c
+@@ -78,15 +78,25 @@ CollationCreate(const char *collname, Oid collnamespace,
+ * friendlier error message. The unique index provides a backstop against
+ * race conditions.
+ */
+- if (SearchSysCacheExists3(COLLNAMEENCNSP,
+- PointerGetDatum(collname),
+- Int32GetDatum(collencoding),
+- ObjectIdGetDatum(collnamespace)))
++ oid = GetSysCacheOid3(COLLNAMEENCNSP,
++ Anum_pg_collation_oid,
++ PointerGetDatum(collname),
++ Int32GetDatum(collencoding),
++ ObjectIdGetDatum(collnamespace));
++ if (OidIsValid(oid))
+ {
+ if (quiet)
+ return InvalidOid;
+ else if (if_not_exists)
+ {
++ /*
++ * If we are in an extension script, insist that the pre-existing
++ * object be a member of the extension, to avoid security risks.
++ */
++ ObjectAddressSet(myself, CollationRelationId, oid);
++ checkMembershipInCurrentExtension(&myself);
++
++ /* OK to skip */
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_OBJECT),
+ collencoding == -1
+@@ -116,16 +126,19 @@ CollationCreate(const char *collname, Oid collnamespace,
+ * so we take a ShareRowExclusiveLock earlier, to protect against
+ * concurrent changes fooling this check.
+ */
+- if ((collencoding == -1 &&
+- SearchSysCacheExists3(COLLNAMEENCNSP,
+- PointerGetDatum(collname),
+- Int32GetDatum(GetDatabaseEncoding()),
+- ObjectIdGetDatum(collnamespace))) ||
+- (collencoding != -1 &&
+- SearchSysCacheExists3(COLLNAMEENCNSP,
+- PointerGetDatum(collname),
+- Int32GetDatum(-1),
+- ObjectIdGetDatum(collnamespace))))
++ if (collencoding == -1)
++ oid = GetSysCacheOid3(COLLNAMEENCNSP,
++ Anum_pg_collation_oid,
++ PointerGetDatum(collname),
++ Int32GetDatum(GetDatabaseEncoding()),
++ ObjectIdGetDatum(collnamespace));
++ else
++ oid = GetSysCacheOid3(COLLNAMEENCNSP,
++ Anum_pg_collation_oid,
++ PointerGetDatum(collname),
++ Int32GetDatum(-1),
++ ObjectIdGetDatum(collnamespace));
++ if (OidIsValid(oid))
+ {
+ if (quiet)
+ {
+@@ -134,6 +147,14 @@ CollationCreate(const char *collname, Oid collnamespace,
+ }
+ else if (if_not_exists)
+ {
++ /*
++ * If we are in an extension script, insist that the pre-existing
++ * object be a member of the extension, to avoid security risks.
++ */
++ ObjectAddressSet(myself, CollationRelationId, oid);
++ checkMembershipInCurrentExtension(&myself);
++
++ /* OK to skip */
+ table_close(rel, NoLock);
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_OBJECT),
+diff --git a/src/backend/catalog/pg_depend.c b/src/backend/catalog/pg_depend.c
+index 9ffadbb..71c7cef 100644
+--- a/src/backend/catalog/pg_depend.c
++++ b/src/backend/catalog/pg_depend.c
+@@ -124,15 +124,23 @@ recordMultipleDependencies(const ObjectAddress *depender,
+
+ /*
+ * If we are executing a CREATE EXTENSION operation, mark the given object
+- * as being a member of the extension. Otherwise, do nothing.
++ * as being a member of the extension, or check that it already is one.
++ * Otherwise, do nothing.
+ *
+ * This must be called during creation of any user-definable object type
+ * that could be a member of an extension.
+ *
+- * If isReplace is true, the object already existed (or might have already
+- * existed), so we must check for a pre-existing extension membership entry.
+- * Passing false is a guarantee that the object is newly created, and so
+- * could not already be a member of any extension.
++ * isReplace must be true if the object already existed, and false if it is
++ * newly created. In the former case we insist that it already be a member
++ * of the current extension. In the latter case we can skip checking whether
++ * it is already a member of any extension.
++ *
++ * Note: isReplace = true is typically used when updating a object in
++ * CREATE OR REPLACE and similar commands. We used to allow the target
++ * object to not already be an extension member, instead silently absorbing
++ * it into the current extension. However, this was both error-prone
++ * (extensions might accidentally overwrite free-standing objects) and
++ * a security hazard (since the object would retain its previous ownership).
+ */
+ void
+ recordDependencyOnCurrentExtension(const ObjectAddress *object,
+@@ -150,6 +158,12 @@ recordDependencyOnCurrentExtension(const ObjectAddress *object,
+ {
+ Oid oldext;
+
++ /*
++ * Side note: these catalog lookups are safe only because the
++ * object is a pre-existing one. In the not-isReplace case, the
++ * caller has most likely not yet done a CommandCounterIncrement
++ * that would make the new object visible.
++ */
+ oldext = getExtensionOfObject(object->classId, object->objectId);
+ if (OidIsValid(oldext))
+ {
+@@ -163,6 +177,13 @@ recordDependencyOnCurrentExtension(const ObjectAddress *object,
+ getObjectDescription(object),
+ get_extension_name(oldext))));
+ }
++ /* It's a free-standing object, so reject */
++ ereport(ERROR,
++ (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
++ errmsg("%s is not a member of extension \"%s\"",
++ getObjectDescription(object),
++ get_extension_name(CurrentExtensionObject)),
++ errdetail("An extension is not allowed to replace an object that it does not own.")));
+ }
+
+ /* OK, record it as a member of CurrentExtensionObject */
+@@ -174,6 +195,49 @@ recordDependencyOnCurrentExtension(const ObjectAddress *object,
+ }
+ }
+
++/*
++ * If we are executing a CREATE EXTENSION operation, check that the given
++ * object is a member of the extension, and throw an error if it isn't.
++ * Otherwise, do nothing.
++ *
++ * This must be called whenever a CREATE IF NOT EXISTS operation (for an
++ * object type that can be an extension member) has found that an object of
++ * the desired name already exists. It is insecure for an extension to use
++ * IF NOT EXISTS except when the conflicting object is already an extension
++ * member; otherwise a hostile user could substitute an object with arbitrary
++ * properties.
++ */
++void
++checkMembershipInCurrentExtension(const ObjectAddress *object)
++{
++ /*
++ * This is actually the same condition tested in
++ * recordDependencyOnCurrentExtension; but we want to issue a
++ * differently-worded error, and anyway it would be pretty confusing to
++ * call recordDependencyOnCurrentExtension in these circumstances.
++ */
++
++ /* Only whole objects can be extension members */
++ Assert(object->objectSubId == 0);
++
++ if (creating_extension)
++ {
++ Oid oldext;
++
++ oldext = getExtensionOfObject(object->classId, object->objectId);
++ /* If already a member of this extension, OK */
++ if (oldext == CurrentExtensionObject)
++ return;
++ /* Else complain */
++ ereport(ERROR,
++ (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
++ errmsg("%s is not a member of extension \"%s\"",
++ getObjectDescription(object),
++ get_extension_name(CurrentExtensionObject)),
++ errdetail("An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.")));
++ }
++}
++
+ /*
+ * deleteDependencyRecordsFor -- delete all records with given depender
+ * classId/objectId. Returns the number of records deleted.
+diff --git a/src/backend/catalog/pg_operator.c b/src/backend/catalog/pg_operator.c
+index bcaa26c..84784e6 100644
+--- a/src/backend/catalog/pg_operator.c
++++ b/src/backend/catalog/pg_operator.c
+@@ -867,7 +867,7 @@ makeOperatorDependencies(HeapTuple tuple, bool isUpdate)
+ oper->oprowner);
+
+ /* Dependency on extension */
+- recordDependencyOnCurrentExtension(&myself, true);
++ recordDependencyOnCurrentExtension(&myself, isUpdate);
+
+ return myself;
+ }
+diff --git a/src/backend/catalog/pg_type.c b/src/backend/catalog/pg_type.c
+index 2a51501..3ff017f 100644
+--- a/src/backend/catalog/pg_type.c
++++ b/src/backend/catalog/pg_type.c
+@@ -528,10 +528,9 @@ TypeCreate(Oid newTypeOid,
+ * If rebuild is true, we remove existing dependencies and rebuild them
+ * from scratch. This is needed for ALTER TYPE, and also when replacing
+ * a shell type. We don't remove an existing extension dependency, though.
+- * (That means an extension can't absorb a shell type created in another
+- * extension, nor ALTER a type created by another extension. Also, if it
+- * replaces a free-standing shell type or ALTERs a free-standing type,
+- * that type will become a member of the extension.)
++ * That means an extension can't absorb a shell type that is free-standing
++ * or belongs to another extension, nor ALTER a type that is free-standing or
++ * belongs to another extension.
+ */
+ void
+ GenerateTypeDependencies(Oid typeObjectId,
+diff --git a/src/backend/commands/createas.c b/src/backend/commands/createas.c
+index 4c1d909..a68d945 100644
+--- a/src/backend/commands/createas.c
++++ b/src/backend/commands/createas.c
+@@ -243,15 +243,27 @@ ExecCreateTableAs(CreateTableAsStmt *stmt, const char *queryString,
+ if (stmt->if_not_exists)
+ {
+ Oid nspid;
++ Oid oldrelid;
+
+- nspid = RangeVarGetCreationNamespace(stmt->into->rel);
++ nspid = RangeVarGetCreationNamespace(into->rel);
+
+- if (get_relname_relid(stmt->into->rel->relname, nspid))
++ oldrelid = get_relname_relid(into->rel->relname, nspid);
++ if (OidIsValid(oldrelid))
+ {
++ /*
++ * The relation exists and IF NOT EXISTS has been specified.
++ *
++ * If we are in an extension script, insist that the pre-existing
++ * object be a member of the extension, to avoid security risks.
++ */
++ ObjectAddressSet(address, RelationRelationId, oldrelid);
++ checkMembershipInCurrentExtension(&address);
++
++ /* OK to skip */
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_TABLE),
+ errmsg("relation \"%s\" already exists, skipping",
+- stmt->into->rel->relname)));
++ into->rel->relname)));
+ return InvalidObjectAddress;
+ }
+ }
+diff --git a/src/backend/commands/foreigncmds.c b/src/backend/commands/foreigncmds.c
+index d7bc6e3..bc583c6 100644
+--- a/src/backend/commands/foreigncmds.c
++++ b/src/backend/commands/foreigncmds.c
+@@ -887,13 +887,22 @@ CreateForeignServer(CreateForeignServerStmt *stmt)
+ ownerId = GetUserId();
+
+ /*
+- * Check that there is no other foreign server by this name. Do nothing if
+- * IF NOT EXISTS was enforced.
++ * Check that there is no other foreign server by this name. If there is
++ * one, do nothing if IF NOT EXISTS was specified.
+ */
+- if (GetForeignServerByName(stmt->servername, true) != NULL)
++ srvId = get_foreign_server_oid(stmt->servername, true);
++ if (OidIsValid(srvId))
+ {
+ if (stmt->if_not_exists)
+ {
++ /*
++ * If we are in an extension script, insist that the pre-existing
++ * object be a member of the extension, to avoid security risks.
++ */
++ ObjectAddressSet(myself, ForeignServerRelationId, srvId);
++ checkMembershipInCurrentExtension(&myself);
++
++ /* OK to skip */
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_OBJECT),
+ errmsg("server \"%s\" already exists, skipping",
+@@ -1182,6 +1191,10 @@ CreateUserMapping(CreateUserMappingStmt *stmt)
+ {
+ if (stmt->if_not_exists)
+ {
++ /*
++ * Since user mappings aren't members of extensions (see comments
++ * below), no need for checkMembershipInCurrentExtension here.
++ */
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_OBJECT),
+ errmsg("user mapping for \"%s\" already exists for server \"%s\", skipping",
+diff --git a/src/backend/commands/schemacmds.c b/src/backend/commands/schemacmds.c
+index 6cf94a3..6bc4edc 100644
+--- a/src/backend/commands/schemacmds.c
++++ b/src/backend/commands/schemacmds.c
+@@ -113,14 +113,25 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString,
+ * the permissions checks, but since CREATE TABLE IF NOT EXISTS makes its
+ * creation-permission check first, we do likewise.
+ */
+- if (stmt->if_not_exists &&
+- SearchSysCacheExists1(NAMESPACENAME, PointerGetDatum(schemaName)))
++ if (stmt->if_not_exists)
+ {
+- ereport(NOTICE,
+- (errcode(ERRCODE_DUPLICATE_SCHEMA),
+- errmsg("schema \"%s\" already exists, skipping",
+- schemaName)));
+- return InvalidOid;
++ namespaceId = get_namespace_oid(schemaName, true);
++ if (OidIsValid(namespaceId))
++ {
++ /*
++ * If we are in an extension script, insist that the pre-existing
++ * object be a member of the extension, to avoid security risks.
++ */
++ ObjectAddressSet(address, NamespaceRelationId, namespaceId);
++ checkMembershipInCurrentExtension(&address);
++
++ /* OK to skip */
++ ereport(NOTICE,
++ (errcode(ERRCODE_DUPLICATE_SCHEMA),
++ errmsg("schema \"%s\" already exists, skipping",
++ schemaName)));
++ return InvalidOid;
++ }
+ }
+
+ /*
+diff --git a/src/backend/commands/sequence.c b/src/backend/commands/sequence.c
+index 0960b33..0577184 100644
+--- a/src/backend/commands/sequence.c
++++ b/src/backend/commands/sequence.c
+@@ -149,6 +149,14 @@ DefineSequence(ParseState *pstate, CreateSeqStmt *seq)
+ RangeVarGetAndCheckCreationNamespace(seq->sequence, NoLock, &seqoid);
+ if (OidIsValid(seqoid))
+ {
++ /*
++ * If we are in an extension script, insist that the pre-existing
++ * object be a member of the extension, to avoid security risks.
++ */
++ ObjectAddressSet(address, RelationRelationId, seqoid);
++ checkMembershipInCurrentExtension(&address);
++
++ /* OK to skip */
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_TABLE),
+ errmsg("relation \"%s\" already exists, skipping",
+diff --git a/src/backend/commands/statscmds.c b/src/backend/commands/statscmds.c
+index 5678d31..409cf28 100644
+--- a/src/backend/commands/statscmds.c
++++ b/src/backend/commands/statscmds.c
+@@ -173,6 +173,10 @@ CreateStatistics(CreateStatsStmt *stmt)
+ {
+ if (stmt->if_not_exists)
+ {
++ /*
++ * Since stats objects aren't members of extensions (see comments
++ * below), no need for checkMembershipInCurrentExtension here.
++ */
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_OBJECT),
+ errmsg("statistics object \"%s\" already exists, skipping",
+diff --git a/src/backend/commands/view.c b/src/backend/commands/view.c
+index 87ed453..dd7cc97 100644
+--- a/src/backend/commands/view.c
++++ b/src/backend/commands/view.c
+@@ -205,7 +205,7 @@ DefineVirtualRelation(RangeVar *relation, List *tlist, bool replace,
+ CommandCounterIncrement();
+
+ /*
+- * Finally update the view options.
++ * Update the view's options.
+ *
+ * The new options list replaces the existing options list, even if
+ * it's empty.
+@@ -218,8 +218,22 @@ DefineVirtualRelation(RangeVar *relation, List *tlist, bool replace,
+ /* EventTriggerAlterTableStart called by ProcessUtilitySlow */
+ AlterTableInternal(viewOid, atcmds, true);
+
++ /*
++ * There is very little to do here to update the view's dependencies.
++ * Most view-level dependency relationships, such as those on the
++ * owner, schema, and associated composite type, aren't changing.
++ * Because we don't allow changing type or collation of an existing
++ * view column, those dependencies of the existing columns don't
++ * change either, while the AT_AddColumnToView machinery took care of
++ * adding such dependencies for new view columns. The dependencies of
++ * the view's query could have changed arbitrarily, but that was dealt
++ * with inside StoreViewQuery. What remains is only to check that
++ * view replacement is allowed when we're creating an extension.
++ */
+ ObjectAddressSet(address, RelationRelationId, viewOid);
+
++ recordDependencyOnCurrentExtension(&address, true);
++
+ /*
+ * Seems okay, so return the OID of the pre-existing view.
+ */
+diff --git a/src/backend/parser/parse_utilcmd.c b/src/backend/parser/parse_utilcmd.c
+index 44aa38a..8f4d940 100644
+--- a/src/backend/parser/parse_utilcmd.c
++++ b/src/backend/parser/parse_utilcmd.c
+@@ -206,6 +206,16 @@ transformCreateStmt(CreateStmt *stmt, const char *queryString)
+ */
+ if (stmt->if_not_exists && OidIsValid(existing_relid))
+ {
++ /*
++ * If we are in an extension script, insist that the pre-existing
++ * object be a member of the extension, to avoid security risks.
++ */
++ ObjectAddress address;
++
++ ObjectAddressSet(address, RelationRelationId, existing_relid);
++ checkMembershipInCurrentExtension(&address);
++
++ /* OK to skip */
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_TABLE),
+ errmsg("relation \"%s\" already exists, skipping",
+diff --git a/src/include/catalog/dependency.h b/src/include/catalog/dependency.h
+index 8b1e3aa..27c7509 100644
+--- a/src/include/catalog/dependency.h
++++ b/src/include/catalog/dependency.h
+@@ -201,6 +201,8 @@ extern void recordMultipleDependencies(const ObjectAddress *depender,
+ extern void recordDependencyOnCurrentExtension(const ObjectAddress *object,
+ bool isReplace);
+
++extern void checkMembershipInCurrentExtension(const ObjectAddress *object);
++
+ extern long deleteDependencyRecordsFor(Oid classId, Oid objectId,
+ bool skipExtensionDeps);
+
+diff --git a/src/test/modules/test_extensions/Makefile b/src/test/modules/test_extensions/Makefile
+index d18108e..7428f15 100644
+--- a/src/test/modules/test_extensions/Makefile
++++ b/src/test/modules/test_extensions/Makefile
+@@ -4,10 +4,13 @@ MODULE = test_extensions
+ PGFILEDESC = "test_extensions - regression testing for EXTENSION support"
+
+ EXTENSION = test_ext1 test_ext2 test_ext3 test_ext4 test_ext5 test_ext6 \
+- test_ext7 test_ext8 test_ext_cyclic1 test_ext_cyclic2
++ test_ext7 test_ext8 test_ext_cine test_ext_cor \
++ test_ext_cyclic1 test_ext_cyclic2
+ DATA = test_ext1--1.0.sql test_ext2--1.0.sql test_ext3--1.0.sql \
+ test_ext4--1.0.sql test_ext5--1.0.sql test_ext6--1.0.sql \
+ test_ext7--1.0.sql test_ext7--1.0--2.0.sql test_ext8--1.0.sql \
++ test_ext_cine--1.0.sql test_ext_cine--1.0--1.1.sql \
++ test_ext_cor--1.0.sql \
+ test_ext_cyclic1--1.0.sql test_ext_cyclic2--1.0.sql
+
+ REGRESS = test_extensions test_extdepend
+diff --git a/src/test/modules/test_extensions/expected/test_extensions.out b/src/test/modules/test_extensions/expected/test_extensions.out
+index b5cbdfc..1e91640 100644
+--- a/src/test/modules/test_extensions/expected/test_extensions.out
++++ b/src/test/modules/test_extensions/expected/test_extensions.out
+@@ -154,3 +154,156 @@ DROP TABLE test_ext4_tab;
+ DROP FUNCTION create_extension_with_temp_schema();
+ RESET client_min_messages;
+ \unset SHOW_CONTEXT
++-- It's generally bad style to use CREATE OR REPLACE unnecessarily.
++-- Test what happens if an extension does it anyway.
++-- Replacing a shell type or operator is sort of like CREATE OR REPLACE;
++-- check that too.
++CREATE FUNCTION ext_cor_func() RETURNS text
++ AS $$ SELECT 'ext_cor_func: original'::text $$ LANGUAGE sql;
++CREATE EXTENSION test_ext_cor; -- fail
++ERROR: function ext_cor_func() is not a member of extension "test_ext_cor"
++DETAIL: An extension is not allowed to replace an object that it does not own.
++SELECT ext_cor_func();
++ ext_cor_func
++------------------------
++ ext_cor_func: original
++(1 row)
++
++DROP FUNCTION ext_cor_func();
++CREATE VIEW ext_cor_view AS
++ SELECT 'ext_cor_view: original'::text AS col;
++CREATE EXTENSION test_ext_cor; -- fail
++ERROR: view ext_cor_view is not a member of extension "test_ext_cor"
++DETAIL: An extension is not allowed to replace an object that it does not own.
++SELECT ext_cor_func();
++ERROR: function ext_cor_func() does not exist
++LINE 1: SELECT ext_cor_func();
++ ^
++HINT: No function matches the given name and argument types. You might need to add explicit type casts.
++SELECT * FROM ext_cor_view;
++ col
++------------------------
++ ext_cor_view: original
++(1 row)
++
++DROP VIEW ext_cor_view;
++CREATE TYPE test_ext_type;
++CREATE EXTENSION test_ext_cor; -- fail
++ERROR: type test_ext_type is not a member of extension "test_ext_cor"
++DETAIL: An extension is not allowed to replace an object that it does not own.
++DROP TYPE test_ext_type;
++-- this makes a shell "point <<@@ polygon" operator too
++CREATE OPERATOR @@>> ( PROCEDURE = poly_contain_pt,
++ LEFTARG = polygon, RIGHTARG = point,
++ COMMUTATOR = <<@@ );
++CREATE EXTENSION test_ext_cor; -- fail
++ERROR: operator <<@@(point,polygon) is not a member of extension "test_ext_cor"
++DETAIL: An extension is not allowed to replace an object that it does not own.
++DROP OPERATOR <<@@ (point, polygon);
++CREATE EXTENSION test_ext_cor; -- now it should work
++SELECT ext_cor_func();
++ ext_cor_func
++------------------------------
++ ext_cor_func: from extension
++(1 row)
++
++SELECT * FROM ext_cor_view;
++ col
++------------------------------
++ ext_cor_view: from extension
++(1 row)
++
++SELECT 'x'::test_ext_type;
++ test_ext_type
++---------------
++ x
++(1 row)
++
++SELECT point(0,0) <<@@ polygon(circle(point(0,0),1));
++ ?column?
++----------
++ t
++(1 row)
++
++\dx+ test_ext_cor
++Objects in extension "test_ext_cor"
++ Object description
++------------------------------
++ function ext_cor_func()
++ operator <<@@(point,polygon)
++ type test_ext_type
++ view ext_cor_view
++(4 rows)
++
++--
++-- CREATE IF NOT EXISTS is an entirely unsound thing for an extension
++-- to be doing, but let's at least plug the major security hole in it.
++--
++CREATE COLLATION ext_cine_coll
++ ( LC_COLLATE = "C", LC_CTYPE = "C" );
++CREATE EXTENSION test_ext_cine; -- fail
++ERROR: collation ext_cine_coll is not a member of extension "test_ext_cine"
++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.
++DROP COLLATION ext_cine_coll;
++CREATE MATERIALIZED VIEW ext_cine_mv AS SELECT 11 AS f1;
++CREATE EXTENSION test_ext_cine; -- fail
++ERROR: materialized view ext_cine_mv is not a member of extension "test_ext_cine"
++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.
++DROP MATERIALIZED VIEW ext_cine_mv;
++CREATE FOREIGN DATA WRAPPER dummy;
++CREATE SERVER ext_cine_srv FOREIGN DATA WRAPPER dummy;
++CREATE EXTENSION test_ext_cine; -- fail
++ERROR: server ext_cine_srv is not a member of extension "test_ext_cine"
++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.
++DROP SERVER ext_cine_srv;
++CREATE SCHEMA ext_cine_schema;
++CREATE EXTENSION test_ext_cine; -- fail
++ERROR: schema ext_cine_schema is not a member of extension "test_ext_cine"
++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.
++DROP SCHEMA ext_cine_schema;
++CREATE SEQUENCE ext_cine_seq;
++CREATE EXTENSION test_ext_cine; -- fail
++ERROR: sequence ext_cine_seq is not a member of extension "test_ext_cine"
++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.
++DROP SEQUENCE ext_cine_seq;
++CREATE TABLE ext_cine_tab1 (x int);
++CREATE EXTENSION test_ext_cine; -- fail
++ERROR: table ext_cine_tab1 is not a member of extension "test_ext_cine"
++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.
++DROP TABLE ext_cine_tab1;
++CREATE TABLE ext_cine_tab2 AS SELECT 42 AS y;
++CREATE EXTENSION test_ext_cine; -- fail
++ERROR: table ext_cine_tab2 is not a member of extension "test_ext_cine"
++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.
++DROP TABLE ext_cine_tab2;
++CREATE EXTENSION test_ext_cine;
++\dx+ test_ext_cine
++Objects in extension "test_ext_cine"
++ Object description
++-----------------------------------
++ collation ext_cine_coll
++ foreign-data wrapper ext_cine_fdw
++ materialized view ext_cine_mv
++ schema ext_cine_schema
++ sequence ext_cine_seq
++ server ext_cine_srv
++ table ext_cine_tab1
++ table ext_cine_tab2
++(8 rows)
++
++ALTER EXTENSION test_ext_cine UPDATE TO '1.1';
++\dx+ test_ext_cine
++Objects in extension "test_ext_cine"
++ Object description
++-----------------------------------
++ collation ext_cine_coll
++ foreign-data wrapper ext_cine_fdw
++ materialized view ext_cine_mv
++ schema ext_cine_schema
++ sequence ext_cine_seq
++ server ext_cine_srv
++ table ext_cine_tab1
++ table ext_cine_tab2
++ table ext_cine_tab3
++(9 rows)
++
+diff --git a/src/test/modules/test_extensions/sql/test_extensions.sql b/src/test/modules/test_extensions/sql/test_extensions.sql
+index f505466..b3d4579 100644
+--- a/src/test/modules/test_extensions/sql/test_extensions.sql
++++ b/src/test/modules/test_extensions/sql/test_extensions.sql
+@@ -93,3 +93,113 @@ DROP TABLE test_ext4_tab;
+ DROP FUNCTION create_extension_with_temp_schema();
+ RESET client_min_messages;
+ \unset SHOW_CONTEXT
++
++-- It's generally bad style to use CREATE OR REPLACE unnecessarily.
++-- Test what happens if an extension does it anyway.
++-- Replacing a shell type or operator is sort of like CREATE OR REPLACE;
++-- check that too.
++
++CREATE FUNCTION ext_cor_func() RETURNS text
++ AS $$ SELECT 'ext_cor_func: original'::text $$ LANGUAGE sql;
++
++CREATE EXTENSION test_ext_cor; -- fail
++
++SELECT ext_cor_func();
++
++DROP FUNCTION ext_cor_func();
++
++CREATE VIEW ext_cor_view AS
++ SELECT 'ext_cor_view: original'::text AS col;
++
++CREATE EXTENSION test_ext_cor; -- fail
++
++SELECT ext_cor_func();
++
++SELECT * FROM ext_cor_view;
++
++DROP VIEW ext_cor_view;
++
++CREATE TYPE test_ext_type;
++
++CREATE EXTENSION test_ext_cor; -- fail
++
++DROP TYPE test_ext_type;
++
++-- this makes a shell "point <<@@ polygon" operator too
++CREATE OPERATOR @@>> ( PROCEDURE = poly_contain_pt,
++ LEFTARG = polygon, RIGHTARG = point,
++ COMMUTATOR = <<@@ );
++
++CREATE EXTENSION test_ext_cor; -- fail
++
++DROP OPERATOR <<@@ (point, polygon);
++
++CREATE EXTENSION test_ext_cor; -- now it should work
++
++SELECT ext_cor_func();
++
++SELECT * FROM ext_cor_view;
++
++SELECT 'x'::test_ext_type;
++
++SELECT point(0,0) <<@@ polygon(circle(point(0,0),1));
++
++\dx+ test_ext_cor
++
++--
++-- CREATE IF NOT EXISTS is an entirely unsound thing for an extension
++-- to be doing, but let's at least plug the major security hole in it.
++--
++
++CREATE COLLATION ext_cine_coll
++ ( LC_COLLATE = "C", LC_CTYPE = "C" );
++
++CREATE EXTENSION test_ext_cine; -- fail
++
++DROP COLLATION ext_cine_coll;
++
++CREATE MATERIALIZED VIEW ext_cine_mv AS SELECT 11 AS f1;
++
++CREATE EXTENSION test_ext_cine; -- fail
++
++DROP MATERIALIZED VIEW ext_cine_mv;
++
++CREATE FOREIGN DATA WRAPPER dummy;
++
++CREATE SERVER ext_cine_srv FOREIGN DATA WRAPPER dummy;
++
++CREATE EXTENSION test_ext_cine; -- fail
++
++DROP SERVER ext_cine_srv;
++
++CREATE SCHEMA ext_cine_schema;
++
++CREATE EXTENSION test_ext_cine; -- fail
++
++DROP SCHEMA ext_cine_schema;
++
++CREATE SEQUENCE ext_cine_seq;
++
++CREATE EXTENSION test_ext_cine; -- fail
++
++DROP SEQUENCE ext_cine_seq;
++
++CREATE TABLE ext_cine_tab1 (x int);
++
++CREATE EXTENSION test_ext_cine; -- fail
++
++DROP TABLE ext_cine_tab1;
++
++CREATE TABLE ext_cine_tab2 AS SELECT 42 AS y;
++
++CREATE EXTENSION test_ext_cine; -- fail
++
++DROP TABLE ext_cine_tab2;
++
++CREATE EXTENSION test_ext_cine;
++
++\dx+ test_ext_cine
++
++ALTER EXTENSION test_ext_cine UPDATE TO '1.1';
++
++\dx+ test_ext_cine
+diff --git a/src/test/modules/test_extensions/test_ext_cine--1.0--1.1.sql b/src/test/modules/test_extensions/test_ext_cine--1.0--1.1.sql
+new file mode 100644
+index 0000000..6dadfd2
+--- /dev/null
++++ b/src/test/modules/test_extensions/test_ext_cine--1.0--1.1.sql
+@@ -0,0 +1,26 @@
++/* src/test/modules/test_extensions/test_ext_cine--1.0--1.1.sql */
++-- complain if script is sourced in psql, rather than via ALTER EXTENSION
++\echo Use "ALTER EXTENSION test_ext_cine UPDATE TO '1.1'" to load this file. \quit
++
++--
++-- These are the same commands as in the 1.0 script; we expect them
++-- to do nothing.
++--
++
++CREATE COLLATION IF NOT EXISTS ext_cine_coll
++ ( LC_COLLATE = "POSIX", LC_CTYPE = "POSIX" );
++
++CREATE MATERIALIZED VIEW IF NOT EXISTS ext_cine_mv AS SELECT 42 AS f1;
++
++CREATE SERVER IF NOT EXISTS ext_cine_srv FOREIGN DATA WRAPPER ext_cine_fdw;
++
++CREATE SCHEMA IF NOT EXISTS ext_cine_schema;
++
++CREATE SEQUENCE IF NOT EXISTS ext_cine_seq;
++
++CREATE TABLE IF NOT EXISTS ext_cine_tab1 (x int);
++
++CREATE TABLE IF NOT EXISTS ext_cine_tab2 AS SELECT 42 AS y;
++
++-- just to verify the script ran
++CREATE TABLE ext_cine_tab3 (z int);
+diff --git a/src/test/modules/test_extensions/test_ext_cine--1.0.sql b/src/test/modules/test_extensions/test_ext_cine--1.0.sql
+new file mode 100644
+index 0000000..01408ff
+--- /dev/null
++++ b/src/test/modules/test_extensions/test_ext_cine--1.0.sql
+@@ -0,0 +1,25 @@
++/* src/test/modules/test_extensions/test_ext_cine--1.0.sql */
++-- complain if script is sourced in psql, rather than via CREATE EXTENSION
++\echo Use "CREATE EXTENSION test_ext_cine" to load this file. \quit
++
++--
++-- CREATE IF NOT EXISTS is an entirely unsound thing for an extension
++-- to be doing, but let's at least plug the major security hole in it.
++--
++
++CREATE COLLATION IF NOT EXISTS ext_cine_coll
++ ( LC_COLLATE = "POSIX", LC_CTYPE = "POSIX" );
++
++CREATE MATERIALIZED VIEW IF NOT EXISTS ext_cine_mv AS SELECT 42 AS f1;
++
++CREATE FOREIGN DATA WRAPPER ext_cine_fdw;
++
++CREATE SERVER IF NOT EXISTS ext_cine_srv FOREIGN DATA WRAPPER ext_cine_fdw;
++
++CREATE SCHEMA IF NOT EXISTS ext_cine_schema;
++
++CREATE SEQUENCE IF NOT EXISTS ext_cine_seq;
++
++CREATE TABLE IF NOT EXISTS ext_cine_tab1 (x int);
++
++CREATE TABLE IF NOT EXISTS ext_cine_tab2 AS SELECT 42 AS y;
+diff --git a/src/test/modules/test_extensions/test_ext_cine.control b/src/test/modules/test_extensions/test_ext_cine.control
+new file mode 100644
+index 0000000..ced713b
+--- /dev/null
++++ b/src/test/modules/test_extensions/test_ext_cine.control
+@@ -0,0 +1,3 @@
++comment = 'Test extension using CREATE IF NOT EXISTS'
++default_version = '1.0'
++relocatable = true
+diff --git a/src/test/modules/test_extensions/test_ext_cor--1.0.sql b/src/test/modules/test_extensions/test_ext_cor--1.0.sql
+new file mode 100644
+index 0000000..2e8d89c
+--- /dev/null
++++ b/src/test/modules/test_extensions/test_ext_cor--1.0.sql
+@@ -0,0 +1,20 @@
++/* src/test/modules/test_extensions/test_ext_cor--1.0.sql */
++-- complain if script is sourced in psql, rather than via CREATE EXTENSION
++\echo Use "CREATE EXTENSION test_ext_cor" to load this file. \quit
++
++-- It's generally bad style to use CREATE OR REPLACE unnecessarily.
++-- Test what happens if an extension does it anyway.
++
++CREATE OR REPLACE FUNCTION ext_cor_func() RETURNS text
++ AS $$ SELECT 'ext_cor_func: from extension'::text $$ LANGUAGE sql;
++
++CREATE OR REPLACE VIEW ext_cor_view AS
++ SELECT 'ext_cor_view: from extension'::text AS col;
++
++-- These are for testing replacement of a shell type/operator, which works
++-- enough like an implicit OR REPLACE to be important to check.
++
++CREATE TYPE test_ext_type AS ENUM('x', 'y');
++
++CREATE OPERATOR <<@@ ( PROCEDURE = pt_contained_poly,
++ LEFTARG = point, RIGHTARG = polygon );
+diff --git a/src/test/modules/test_extensions/test_ext_cor.control b/src/test/modules/test_extensions/test_ext_cor.control
+new file mode 100644
+index 0000000..0e972e5
+--- /dev/null
++++ b/src/test/modules/test_extensions/test_ext_cor.control
+@@ -0,0 +1,3 @@
++comment = 'Test extension using CREATE OR REPLACE'
++default_version = '1.0'
++relocatable = true
+--
+2.25.1
+
diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb b/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb
index 67bf2b9604..4b7c1d69fc 100644
--- a/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb
+++ b/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb
@@ -7,6 +7,7 @@ SRC_URI += "\
file://0001-Add-support-for-RISC-V.patch \
file://0001-Improve-reproducibility.patch \
file://remove_duplicate.patch \
+ file://CVE-2022-2625.patch \
"
SRC_URI[sha256sum] = "89fda2de33ed04a98548e43f3ee5f15b882be17505d631fe0dd1a540a2b56dce"


kirkstone merge request

Armin Kuster
 

The following changes since commit bd2d8fba766f912bd1bc5cde7d6f0e72152f1547:

  minicoredumper: retry elf parsing as long as needed (2022-09-25 11:03:26 -0400)

are available in the Git repository at:

  https://git.openembedded.org/meta-openembedded kirkstone-next

for you to fetch changes up to 744a4b6eda88b9a9ca1cf0df6e18be384d9054e3:

  frr: Security fix CVE-2022-37032 (2022-10-13 10:59:41 -0400)

----------------------------------------------------------------
Chen Qi (1):
      polkit: refresh patch

Hitendra Prajapati (1):
      wireshark: CVE-2022-3190 Infinite loop in legacy style dissector

Hitomi Hasegawa (1):
      libsdl: add CVE-2019-14906 to allowlist

Ovidiu Panait (1):
      net-snmp: upgrade 5.9.1 -> 5.9.3

Wang Mingyu (1):
      tcpreplay: upgrade 4.4.1 -> 4.4.2

Yi Zhao (2):
      open-vm-tools: Security fix CVE-2022-31676
      frr: Security fix CVE-2022-37032

wangmy (1):
      dnsmasq: upgrade 2.86 -> 2.87

 meta-networking/recipes-protocols/frr/frr/CVE-2022-37032.patch  | 42 ++++++
 meta-networking/recipes-protocols/frr/frr_8.2.2.bb              | 1 +
 ...01-ac_add_search_path.m4-keep-consistent-between-32bit.patch | 11 +-
 .../net-snmp/net-snmp/0001-config_os_headers-Error-Fix.patch    | 4 +-
 .../net-snmp/0001-get_pid_from_inode-Include-limit.h.patch      | 6 +-
 .../0001-snmpd-always-exit-after-displaying-usage.patch         | 55 --------
 ...1-snmplib-keytools.c-Don-t-check-for-return-from-EVP_M.patch | 4 +-
 .../net-snmp/net-snmp/0002-configure-fix-a-cc-check-issue.patch | 28 ----
 .../net-snmp/0004-configure-fix-incorrect-variable.patch        | 6 +-
 .../net-snmp/net-snmp/fix-libtool-finish.patch                  | 6 +-
 .../net-snmp-5.7.2-fix-engineBoots-value-on-SIGHUP.patch        | 26 ++--
 .../net-snmp-add-knob-whether-nlist.h-are-checked.patch         | 4 +-
 .../net-snmp/net-snmp/net-snmp-fix-for-disable-des.patch        | 4 +-
 .../net-snmp-testing-add-the-output-format-for-ptest.patch      | 2 +-
 .../net-snmp/net-snmp/reproducibility-have-printcap.patch       | 4 +-
 .../net-snmp/{net-snmp_5.9.1.bb => net-snmp_5.9.3.bb} |   4 +-
 meta-networking/recipes-support/dnsmasq/dnsmasq.inc             | 5 +-
 .../recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch         | 191 ----------------------------
 meta-networking/recipes-support/dnsmasq/dnsmasq_2.86.bb         | 8 --
 meta-networking/recipes-support/dnsmasq/dnsmasq_2.87.bb         | 7 +
 ...1-Properly-check-authorization-on-incoming-guestOps-re.patch | 43 +++++++
 .../recipes-support/open-vm-tools/open-vm-tools_11.3.5.bb       | 1 +
 .../tcpreplay/{tcpreplay_4.4.1.bb => tcpreplay_4.4.2.bb} |   2 +-
 .../recipes-support/wireshark/files/CVE-2022-3190.patch         | 145 +++++++++++++++++++++
 meta-networking/recipes-support/wireshark/wireshark_3.4.12.bb   | 1 +
 .../polkit/polkit/0004-Make-netgroup-support-optional.patch     | 20 +--
 meta-oe/recipes-graphics/libsdl/libsdl_1.2.15.bb                | 3 +
 27 files changed, 295 insertions(+), 338 deletions(-)
 create mode 100644 meta-networking/recipes-protocols/frr/frr/CVE-2022-37032.patch
 delete mode 100644 meta-networking/recipes-protocols/net-snmp/net-snmp/0001-snmpd-always-exit-after-displaying-usage.patch
 delete mode 100644 meta-networking/recipes-protocols/net-snmp/net-snmp/0002-configure-fix-a-cc-check-issue.patch
 rename meta-networking/recipes-protocols/net-snmp/{net-snmp_5.9.1.bb => net-snmp_5.9.3.bb} (98%)
 delete mode 100644 meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch
 delete mode 100644 meta-networking/recipes-support/dnsmasq/dnsmasq_2.86.bb
 create mode 100644 meta-networking/recipes-support/dnsmasq/dnsmasq_2.87.bb
 create mode 100644 meta-networking/recipes-support/open-vm-tools/open-vm-tools/0001-Properly-check-authorization-on-incoming-guestOps-re.patch
 rename meta-networking/recipes-support/tcpreplay/{tcpreplay_4.4.1.bb => tcpreplay_4.4.2.bb} (85%)
 create mode 100644 meta-networking/recipes-support/wireshark/files/CVE-2022-3190.patch


[meta-oe][PATCH] md4c: added md4c lib

Sebastian Suesens
 

MD4C is a Markdown parser implementation in C.

Signed-off-by: Sebastian Suesens <sebastian.suesens@...>
---
meta-oe/recipes-support/md4c/md4c_0.4.8.bb | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
create mode 100644 meta-oe/recipes-support/md4c/md4c_0.4.8.bb

diff --git a/meta-oe/recipes-support/md4c/md4c_0.4.8.bb b/meta-oe/recipes-support/md4c/md4c_0.4.8.bb
new file mode 100644
index 000000000..fc3dbb3ae
--- /dev/null
+++ b/meta-oe/recipes-support/md4c/md4c_0.4.8.bb
@@ -0,0 +1,17 @@
+SUMMARY = "Markdown for C"
+DESCRIPTION = "MD4C is Markdown parser implementation in C."
+HOMEPAGE = "http://github.com/mity/md4c"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE.md;md5=7e0fbcf3701aad22f2d2e0624a703795"
+
+
+S = "${WORKDIR}/git"
+
+SRC_URI = " \
+ git://github.com/mity/md4c.git;protocol=https;branch=master \
+"
+
+SRCREV = "c3340b480e5232711858108be07460a9836c8ab5"
+
+inherit cmake
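Review bot: `SRCREV` pins the `branch=master` fetch to one commit, but nothing in the recipe ties that hash to the 0.4.8 release named in the file name, so a later reviewer cannot check the pin without redoing the lookup. A one-line comment above it, such as `# SRCREV is the commit of upstream tag <TAG> (0.4.8)` with the real tag name filled in, would make the pin verifiable. `HOMEPAGE` also uses plain `http://` while the fetch uses `protocol=https`; `HOMEPAGE = "https://github.com/mity/md4c"` keeps the two consistent. The same recipe is reposted unchanged further down the page, and the double-conversion recipe pins `SRCREV` the same way.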
--
2.25.1


[meta-oe][PATCH] md4c: added md4c lib

Sebastian Suesens
 

MD4C is a Markdown parser implementation in C.

Signed-off-by: Sebastian Suesens <sebastian.suesens@...>
---
meta-oe/recipes-support/md4c/md4c_0.4.8.bb | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
create mode 100644 meta-oe/recipes-support/md4c/md4c_0.4.8.bb

diff --git a/meta-oe/recipes-support/md4c/md4c_0.4.8.bb b/meta-oe/recipes-support/md4c/md4c_0.4.8.bb
new file mode 100644
index 000000000..fc3dbb3ae
--- /dev/null
+++ b/meta-oe/recipes-support/md4c/md4c_0.4.8.bb
@@ -0,0 +1,17 @@
+SUMMARY = "Markdown for C"
+DESCRIPTION = "MD4C is Markdown parser implementation in C."
+HOMEPAGE = "http://github.com/mity/md4c"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE.md;md5=7e0fbcf3701aad22f2d2e0624a703795"
+
+
+S = "${WORKDIR}/git"
+
+SRC_URI = " \
+ git://github.com/mity/md4c.git;protocol=https;branch=master \
+"
+
+SRCREV = "c3340b480e5232711858108be07460a9836c8ab5"
+
+inherit cmake
--
2.25.1


[meta-oe][PATCH] md4c: added md4c lib

Sebastian Suesens
 

MD4C is a Markdown parser implementation in C.

Signed-off-by: Sebastian Suesens <sebastian.suesens@...>
---
meta-oe/recipes-support/md4c/md4c_0.4.8.bb | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
create mode 100644 meta-oe/recipes-support/md4c/md4c_0.4.8.bb

diff --git a/meta-oe/recipes-support/md4c/md4c_0.4.8.bb b/meta-oe/recipes-support/md4c/md4c_0.4.8.bb
new file mode 100644
index 000000000..fc3dbb3ae
--- /dev/null
+++ b/meta-oe/recipes-support/md4c/md4c_0.4.8.bb
@@ -0,0 +1,17 @@
+SUMMARY = "Markdown for C"
+DESCRIPTION = "MD4C is Markdown parser implementation in C."
+HOMEPAGE = "http://github.com/mity/md4c"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE.md;md5=7e0fbcf3701aad22f2d2e0624a703795"
+
+
+S = "${WORKDIR}/git"
+
+SRC_URI = " \
+ git://github.com/mity/md4c.git;protocol=https;branch=master \
+"
+
+SRCREV = "c3340b480e5232711858108be07460a9836c8ab5"
+
+inherit cmake
--
2.25.1


[meta-oe][PATCH] md4c: added md4c lib

Sebastian Suesens
 

MD4C is a Markdown parser implementation in C.

Signed-off-by: Sebastian Suesens <sebastian.suesens@...>
---
meta-oe/recipes-support/md4c/md4c_0.4.8.bb | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
create mode 100644 meta-oe/recipes-support/md4c/md4c_0.4.8.bb

diff --git a/meta-oe/recipes-support/md4c/md4c_0.4.8.bb b/meta-oe/recipes-support/md4c/md4c_0.4.8.bb
new file mode 100644
index 000000000..fc3dbb3ae
--- /dev/null
+++ b/meta-oe/recipes-support/md4c/md4c_0.4.8.bb
@@ -0,0 +1,17 @@
+SUMMARY = "Markdown for C"
+DESCRIPTION = "MD4C is Markdown parser implementation in C."
+HOMEPAGE = "http://github.com/mity/md4c"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE.md;md5=7e0fbcf3701aad22f2d2e0624a703795"
+
+
+S = "${WORKDIR}/git"
+
+SRC_URI = " \
+ git://github.com/mity/md4c.git;protocol=https;branch=master \
+"
+
+SRCREV = "c3340b480e5232711858108be07460a9836c8ab5"
+
+inherit cmake
--
2.25.1


[meta-python][PATCH 2/2] python3-distro: Upgrade 1.7.0 -> 1.8.0

Leon Anavi
 

Upgrade to release 1.8.0:

- Replace setup.py with build
- Lowered LinuxDistribution._distro_release_info method complexity
- Added official support for Buildroot distribution
- Added official support for Guix distribution
- Added support for /etc/debian_version
- Fixed a typography in CONTRIBUTING.md
- Improved README.md "Usage" code block

Signed-off-by: Leon Anavi <leon.anavi@...>
---
.../{python3-distro_1.7.0.bb => python3-distro_1.8.0.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename meta-python/recipes-devtools/python/{python3-distro_1.7.0.bb => python3-distro_1.8.0.bb} (72%)

diff --git a/meta-python/recipes-devtools/python/python3-distro_1.7.0.bb b/meta-python/recipes-devtools/python/python3-distro_1.8.0.bb
similarity index 72%
rename from meta-python/recipes-devtools/python/python3-distro_1.7.0.bb
rename to meta-python/recipes-devtools/python/python3-distro_1.8.0.bb
index f069234d1..f7616e473 100644
--- a/meta-python/recipes-devtools/python/python3-distro_1.7.0.bb
+++ b/meta-python/recipes-devtools/python/python3-distro_1.8.0.bb
@@ -5,9 +5,9 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=d2794c0df5b907fdace235a619d80314"

PYPI_PACKAGE = "distro"

-SRC_URI[sha256sum] = "151aeccf60c216402932b52e40ee477a939f8d58898927378a02abbe852c1c39"
+SRC_URI[sha256sum] = "02e111d1dc6a50abb8eed6bf31c3e48ed8b0830d1ea2a1b78c61765c2513fdd8"

-inherit pypi setuptools3
+inherit pypi python_setuptools_build_meta

RDEPENDS:${PN} = "\
${PYTHON_PN}-core \
--
2.30.2


[meta-python][PATCH 1/2] python3-imageio: Upgrade 2.22.1 -> 2.22.2

Leon Anavi
 

Upgrade to release 2.22.2:

- Make legacy FormatManager skip uninstalled plugins
- Remove unneeded image_mode references
- Remove xcode reference (dead link)

Signed-off-by: Leon Anavi <leon.anavi@...>
---
.../{python3-imageio_2.22.1.bb => python3-imageio_2.22.2.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta-python/recipes-devtools/python/{python3-imageio_2.22.1.bb => python3-imageio_2.22.2.bb} (81%)

diff --git a/meta-python/recipes-devtools/python/python3-imageio_2.22.1.bb b/meta-python/recipes-devtools/python/python3-imageio_2.22.2.bb
similarity index 81%
rename from meta-python/recipes-devtools/python/python3-imageio_2.22.1.bb
rename to meta-python/recipes-devtools/python/python3-imageio_2.22.2.bb
index 9e187bb13..272ec4b61 100644
--- a/meta-python/recipes-devtools/python/python3-imageio_2.22.1.bb
+++ b/meta-python/recipes-devtools/python/python3-imageio_2.22.2.bb
@@ -5,7 +5,7 @@ SECTION = "devel/python"
LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=24cb9a367a9e641b459a01c4d15256ba"

-SRC_URI[sha256sum] = "465ec35f919d538906d3023b61ccec766d8e7575fe55fcbd7669ece55afb97ca"
+SRC_URI[sha256sum] = "db7010cd10712518819a4187baf61b05988361ea20c23e829918727b27acb977"

inherit pypi setuptools3

--
2.30.2


[meta-oe][PATCH] double-conversion: added double-conversion lib

Sebastian Suesens
 

This provides binary-decimal and decimal-binary routines for IEEE doubles.

Signed-off-by: Sebastian Suesens <sebastian.suesens@...>
---
.../dc/double-conversion_3.2.1.bb | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
create mode 100644 meta-oe/recipes-support/dc/double-conversion_3.2.1.bb

diff --git a/meta-oe/recipes-support/dc/double-conversion_3.2.1.bb b/meta-oe/recipes-support/dc/double-conversion_3.2.1.bb
new file mode 100644
index 000000000..cc54dc648
--- /dev/null
+++ b/meta-oe/recipes-support/dc/double-conversion_3.2.1.bb
@@ -0,0 +1,18 @@
+SUMMARY = "Double conversion libraries"
+DESCRIPTION = "This provides binary-decimal and decimal-binary routines for IEEE doubles."
+HOMEPAGE = "https://github.com/google/double-conversion.git"
+
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=1ea35644f0ec0d9767897115667e901f"
+
+
+S = "${WORKDIR}/git"
+
+SRC_URI = " \
+ git://github.com/google/double-conversion.git;protocol=https;branch=master \
+"
+SRCREV = "af09fd65fcf24eee95dc62813ba9123414635428"
+
+inherit cmake
+
+EXTRA_OECMAKE = "-DBUILD_SHARED_LIBS=ON"
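Review bot: `HOMEPAGE` is set to the clone URL ending in `.git` rather than the project page; `HOMEPAGE = "https://github.com/google/double-conversion"` is what package metadata consumers expect to open in a browser. The recipe is also placed under `recipes-support/dc/`, which does not match the package name and makes the recipe harder to locate when auditing what is shipped; a directory named after the package would be clearer.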
--
2.25.1


[meta-oe][PATCH] md4c: added md4c lib

Sebastian Suesens
 

MD4C is a Markdown parser implementation in C.

Signed-off-by: Sebastian Suesens <sebastian.suesens@...>
---
meta-oe/recipes-support/md4c/md4c_0.4.8.bb | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
create mode 100644 meta-oe/recipes-support/md4c/md4c_0.4.8.bb

diff --git a/meta-oe/recipes-support/md4c/md4c_0.4.8.bb b/meta-oe/recipes-support/md4c/md4c_0.4.8.bb
new file mode 100644
index 000000000..fc3dbb3ae
--- /dev/null
+++ b/meta-oe/recipes-support/md4c/md4c_0.4.8.bb
@@ -0,0 +1,17 @@
+SUMMARY = "Markdown for C"
+DESCRIPTION = "MD4C is Markdown parser implementation in C."
+HOMEPAGE = "http://github.com/mity/md4c"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE.md;md5=7e0fbcf3701aad22f2d2e0624a703795"
+
+
+S = "${WORKDIR}/git"
+
+SRC_URI = " \
+ git://github.com/mity/md4c.git;protocol=https;branch=master \
+"
+
+SRCREV = "c3340b480e5232711858108be07460a9836c8ab5"
+
+inherit cmake
--
2.25.1


Re: [meta-oe][kirkstone][PATCH] mariadb: not use qemu to run cross-compiled binaries

Yu, Mingli
 

Ping.

Thanks,

On 9/26/22 12:37, Yu, Mingli wrote:
From: Mingli Yu <mingli.yu@...>
The build fails when qemu is used to run the build for amd64, as shown below:
| make -f libmariadb/libmariadb/CMakeFiles/mariadbclient.dir/build.make libmariadb/libmariadb/CMakeFiles/mariadbclient.dir/depend
| make -f libmariadb/libmariadb/CMakeFiles/libmariadb.dir/build.make libmariadb/libmariadb/CMakeFiles/libmariadb.dir/depend
| make[2]: Entering directory '/build/tmp-glibc/work/dbfp5-wrs-linux/mariadb/10.7.4-r0/build'
| cd /build/tmp-glibc/work/dbfp5-wrs-linux/mariadb/10.7.4-r0/build && /build/tmp-glibc/work/dbfp5-wrs-linux/mariadb/10.7.4-r0/recipe-sysroot-native/usr/bin/cmake -E cmake_depends "Unix Makefiles" /build/tmp-glibc/work/dbfp5-wrs-linux/mariadb/10.7.4-r0/mariadb-10.7.4 /build/tmp-glibc/work/dbfp5-wrs-linux/mariadb/10.7.4-r0/mariadb-10.7.4/libmariadb/libmariadb /build/tmp-glibc/work/dbfp5-wrs-linux/mariadb/10.7.4-r0/build /build/tmp-glibc/work/dbfp5-wrs-linux/mariadb/10.7.4-r0/build/libmariadb/libmariadb /build/tmp-glibc/work/dbfp5-wrs-linux/mariadb/10.7.4-r0/build/libmariadb/libmariadb/CMakeFiles/mariadbclient.dir/DependInfo.cmake --color=
| make[2]: Leaving directory '/build/tmp-glibc/work/dbfp5-wrs-linux/mariadb/10.7.4-r0/build'
| make -f libmariadb/libmariadb/CMakeFiles/mariadbclient.dir/build.make libmariadb/libmariadb/CMakeFiles/mariadbclient.dir/build
| Illegal instruction (core dumped)
| make[2]: *** [sql/CMakeFiles/GenServerSource.dir/build.make:76: sql/lex_hash.h] Error 132
| make[2]: *** Deleting file 'sql/lex_hash.h'
| make[2]: Entering directory '/build/tmp-glibc/work/dbfp5-wrs-linux/mariadb/10.7.4-r0/build'
| [ 8%] Linking C static library libmariadbclient.a
| cd /build/tmp-glibc/work/dbfp5-wrs-linux/mariadb/10.7.4-r0/build/libmariadb/libmariadb && /build/tmp-glibc/work/dbfp5-wrs-linux/mariadb/10.7.4-r0/recipe-sysroot-native/usr/bin/cmake -P CMakeFiles/mariadbclient.dir/cmake_clean_target.cmake
| Illegal instruction (core dumped)
| Illegal instruction (core dumped)
| make[2]: *** [scripts/CMakeFiles/GenFixPrivs.dir/build.make:78: scripts/mysql_fix_privilege_tables_sql.c] Error 132
So don't use qemu to run cross-compiled binaries.
Signed-off-by: Mingli Yu <mingli.yu@...>
---
.../mysql/mariadb-native_10.7.4.bb | 4 +-
meta-oe/recipes-dbs/mysql/mariadb.inc | 20 +++---
...Lists.txt-fix-gen_lex_hash-not-found.patch | 69 +++++++++++++++++++
.../mysql/mariadb/cross-compiling.patch | 34 +++++++++
meta-oe/recipes-dbs/mysql/mariadb_10.7.4.bb | 4 +-
5 files changed, 116 insertions(+), 15 deletions(-)
create mode 100644 meta-oe/recipes-dbs/mysql/mariadb/0001-sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch
create mode 100644 meta-oe/recipes-dbs/mysql/mariadb/cross-compiling.patch
diff --git a/meta-oe/recipes-dbs/mysql/mariadb-native_10.7.4.bb b/meta-oe/recipes-dbs/mysql/mariadb-native_10.7.4.bb
index e38726d3f..17a06349b 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb-native_10.7.4.bb
+++ b/meta-oe/recipes-dbs/mysql/mariadb-native_10.7.4.bb
@@ -2,7 +2,9 @@ require mariadb.inc
inherit native
PROVIDES += "mysql5-native"
-DEPENDS = "ncurses-native zlib-native bison-native libpcre2-native"
+DEPENDS = "ncurses-native zlib-native bison-native libpcre2-native \
+gnutls-native fmt-native \
+"
RDEPENDS:${PN} = ""
PACKAGES = ""
diff --git a/meta-oe/recipes-dbs/mysql/mariadb.inc b/meta-oe/recipes-dbs/mysql/mariadb.inc
index 922373b63..23322cf74 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb.inc
+++ b/meta-oe/recipes-dbs/mysql/mariadb.inc
@@ -20,6 +20,8 @@ SRC_URI = "https://archive.mariadb.org/${BP}/source/${BP}.tar.gz \
file://mm_malloc.patch \
file://sys_futex.patch \
file://mariadb-openssl3.patch \
+ file://cross-compiling.patch \
+ file://0001-sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch \
"
SRC_URI:append:libc-musl = " file://ppc-remove-glibc-dep.patch"
@@ -61,6 +63,8 @@ FILES:${PN}-setupdb = "${sysconfdir}/init.d/install_db \
${bindir}/mysql-systemd-start \
"
+EXTRA_OEMAKE = "'GEN_LEX_HASH=${STAGING_BINDIR_NATIVE}/gen_lex_hash'"
+
PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} openssl"
PACKAGECONFIG:class-native = ""
PACKAGECONFIG[pam] = ",-DWITHOUT_AUTH_PAM=TRUE,libpam"
@@ -95,9 +99,9 @@ EXTRA_OECMAKE = "-DWITH_EMBEDDED_SERVER=ON \
-DINSTALL_SYSCONFDIR:PATH=${sysconfdir} \
-DMYSQL_DATADIR:PATH=/var/mysql \
-DCAT_EXECUTABLE=`which cat` \
+ -DSTACK_DIRECTION=1 \
-DCMAKE_AR:FILEPATH=${AR}"
-EXTRA_OECMAKE:prepend:class-target = "-DCMAKE_CROSSCOMPILING_EMULATOR=${WORKDIR}/qemuwrapper "
# With Ninja it fails with:
# make: *** No rule to make target `install'. Stop.
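Review bot: `-DSTACK_DIRECTION=1` is hard-coded for every target in `EXTRA_OECMAKE`, with no comment explaining why 1 is the right value. As far as I know, MariaDB's configure step normally probes the stack growth direction by running a test program and, when it cannot run one, requires 1 or -1 to be passed explicitly; the value appears to feed the server's thread stack-usage check, so a wrong sign would weaken that guard without breaking the build. Because this hunk also removes `CMAKE_CROSSCOMPILING_EMULATOR`, the probe can no longer run, so the value should be confirmed per target architecture and the line should carry a comment such as `# stack growth direction; cannot be probed when cross-compiling, verify per target arch`.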
@@ -121,18 +125,12 @@ do_generate_toolchain_file:append:class-native () {
sed -i "/set( CMAKE_SYSTEM_PROCESSOR/d" ${WORKDIR}/toolchain.cmake
}
-do_configure:prepend:class-target () {
- # Write out a qemu wrapper that will be used by cmake
- # so that it can run target helper binaries through that.
- qemu_binary="${@qemu_wrapper_cmdline(d, d.getVar('STAGING_DIR_HOST'), [d.expand('${STAGING_DIR_HOST}${libdir}'),d.expand('${STAGING_DIR_HOST}${base_libdir}')])}"
- cat > ${WORKDIR}/qemuwrapper << EOF
-#!/bin/sh
-$qemu_binary "\$@"
-EOF
- chmod +x ${WORKDIR}/qemuwrapper
-}
do_compile:prepend:class-target () {
+ # These need to be in-tree or make will think they need to be built,
+ # and since we're cross-compiling that is disabled
+ cp ${STAGING_BINDIR_NATIVE}/comp_err ${S}/extra
+ cp ${STAGING_BINDIR_NATIVE}/comp_sql ${S}/scripts
if [ "${@bb.utils.contains('PACKAGECONFIG', 'krb5', 'yes', 'no', d)}" = "no" ]; then
if ! [ -e ${B}/include/openssl/kssl.h ] ; then
mkdir -p ${B}/include/openssl
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/0001-sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch b/meta-oe/recipes-dbs/mysql/mariadb/0001-sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch
new file mode 100644
index 000000000..456a2bad6
--- /dev/null
+++ b/meta-oe/recipes-dbs/mysql/mariadb/0001-sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch
@@ -0,0 +1,69 @@
+From f92f657973997df30afdb0032c88ad3a14ead46b Mon Sep 17 00:00:00 2001
+From: Mingli Yu <mingli.yu@...>
+Date: Fri, 23 Sep 2022 15:48:21 +0800
+Subject: [PATCH] sql/CMakeLists.txt: fix gen_lex_hash not found
+
+Fix the below do_compile issue in cross-compiling env.
+| make[2]: *** No rule to make target '/build/tmp/work/aarch64-poky-linux/mariadb/10.3.13-r0/mariadb-10.3.13/sql/gen_lex_hash', needed by 'sql/lex_hash.h'. Stop.
+| make[2]: *** No rule to make target '/build/tmp/work/aarch64-poky-linux/mariadb/10.3.13-r0/mariadb-10.3.13/sql/gen_lex_token', needed by 'sql/lex_token.h'. Stop.
+
+Upstream-Status: Inappropriate [oe build specific]
+
+Signed-off-by: Mingli Yu <mingli.yu@...>
+---
+ sql/CMakeLists.txt | 30 ++++++++++++++++++++++--------
+ 1 file changed, 22 insertions(+), 8 deletions(-)
+
+diff --git a/sql/CMakeLists.txt b/sql/CMakeLists.txt
+index 241b482..27a3991 100644
+--- a/sql/CMakeLists.txt
++++ b/sql/CMakeLists.txt
+@@ -60,11 +60,18 @@ ${CMAKE_BINARY_DIR}/sql
+ ${CMAKE_SOURCE_DIR}/tpool
+ )
+
+-ADD_CUSTOM_COMMAND(
+- OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/lex_token.h
+- COMMAND gen_lex_token > lex_token.h
+- DEPENDS gen_lex_token
++IF(NOT CMAKE_CROSSCOMPILING)
++ ADD_CUSTOM_COMMAND(
++ OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/lex_token.h
++ COMMAND gen_lex_token > lex_token.h
++ DEPENDS gen_lex_token
++)
++ELSE()
++ ADD_CUSTOM_COMMAND(
++ OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/lex_token.h
++ COMMAND gen_lex_token > lex_token.h
+ )
++ENDIF()
+
+ FIND_PACKAGE(BISON 2.4)
+
+@@ -372,11 +379,18 @@ IF(NOT CMAKE_CROSSCOMPILING OR DEFINED CMAKE_CROSSCOMPILING_EMULATOR)
+ ADD_EXECUTABLE(gen_lex_hash gen_lex_hash.cc)
+ ENDIF()
+
+-ADD_CUSTOM_COMMAND(
+- OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/lex_hash.h
+- COMMAND gen_lex_hash > lex_hash.h
+- DEPENDS gen_lex_hash
++IF(NOT CMAKE_CROSSCOMPILING)
++ ADD_CUSTOM_COMMAND(
++ OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/lex_hash.h
++ COMMAND gen_lex_hash > lex_hash.h
++ DEPENDS gen_lex_hash
++)
++ELSE()
++ ADD_CUSTOM_COMMAND(
++ OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/lex_hash.h
++ COMMAND gen_lex_hash > lex_hash.h
+ )
++ENDIF()
+
+ MYSQL_ADD_EXECUTABLE(mariadb-tzinfo-to-sql tztime.cc)
+ SET_TARGET_PROPERTIES(mariadb-tzinfo-to-sql PROPERTIES COMPILE_FLAGS "-DTZINFO2SQL")
+--
+2.25.1
+
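Review bot: In both `ELSE()` branches the custom command keeps `COMMAND gen_lex_token > lex_token.h` and `COMMAND gen_lex_hash > lex_hash.h` but drops `DEPENDS`, so when cross-compiling the generator is whichever binary of that name is first on PATH at build time. The recipe passes `GEN_LEX_HASH=${STAGING_BINDIR_NATIVE}/gen_lex_hash` through `EXTRA_OEMAKE`, yet nothing in the visible hunks reads that variable. Using an explicit path in the command, or a comment stating that the native sysroot bin directory is expected on PATH, would make it clear where the generator comes from. The patch description also quotes 10.3.13 build paths while the recipe is 10.7.4, so the message is worth refreshing.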
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/cross-compiling.patch b/meta-oe/recipes-dbs/mysql/mariadb/cross-compiling.patch
new file mode 100644
index 000000000..d0d6e3c73
--- /dev/null
+++ b/meta-oe/recipes-dbs/mysql/mariadb/cross-compiling.patch
@@ -0,0 +1,34 @@
+From 80be37351d995654f86b838f6b5ed47e8a90261b Mon Sep 17 00:00:00 2001
+From: Mingli Yu <mingli.yu@...>
+Date: Fri, 23 Sep 2022 12:05:17 +0800
+Subject: [PATCH] CMakeLists.txt: not include import_executables.cmake
+
+building failed since native does not generate import_executables.cmake
+In fact, our building system will export the needed commands.
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Mingli Yu <mingli.yu@...>
+---
+ CMakeLists.txt | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index f9e2b1b..34924ba 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -394,11 +394,6 @@ CHECK_LIBFMT()
+ ADD_SUBDIRECTORY(tpool)
+ CHECK_SYSTEMD()
+
+-IF(CMAKE_CROSSCOMPILING AND NOT DEFINED CMAKE_CROSSCOMPILING_EMULATOR)
+- SET(IMPORT_EXECUTABLES "IMPORTFILE-NOTFOUND" CACHE FILEPATH "Path to import_executables.cmake from a native build")
+- INCLUDE(${IMPORT_EXECUTABLES})
+-ENDIF()
+-
+ #
+ # Setup maintainer mode options. Platform checks are
+ # not run with the warning options as to not perturb fragile checks
+--
+2.25.1
+
diff --git a/meta-oe/recipes-dbs/mysql/mariadb_10.7.4.bb b/meta-oe/recipes-dbs/mysql/mariadb_10.7.4.bb
index c800c4c56..8dba5c858 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb_10.7.4.bb
+++ b/meta-oe/recipes-dbs/mysql/mariadb_10.7.4.bb
@@ -1,8 +1,6 @@
require mariadb.inc
-inherit qemu
-
-DEPENDS += "qemu-native bison-native boost libpcre2 curl ncurses \
+DEPENDS += "mariadb-native bison-native boost libpcre2 curl ncurses \
zlib libaio libedit libevent libxml2 gnutls fmt lzo"
PROVIDES += "mysql5 libmysqlclient"
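Review bot: Nothing in the recipe says why `mariadb-native` replaces `qemu-native` in DEPENDS, although the build now appears to rely on it for the host-side generators that the patched sql/CMakeLists.txt calls by bare name. A comment above the assignment would record that, for example `# mariadb-native supplies gen_lex_token/gen_lex_hash, run on the build host when cross-compiling`. It is also worth stating there that the native recipe has to stay at the same version as this one, since the generated headers are compiled into the target build; the hunk itself does not pin that.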


[meta-oe][dunfell][PATCH] postgresql: Fix CVE-2022-2625

Hitendra Prajapati
 

Upstream-Status: Backport from https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=5579726bd60a6e7afb04a3548bced348cd5ffd89
Description:
CVE-2022-2625 postgresql: Extension scripts replace objects not belonging to the extension.

Signed-off-by: Hitendra Prajapati <hprajapati@...>
---
.../postgresql/files/CVE-2022-2625.patch | 904 ++++++++++++++++++
.../recipes-dbs/postgresql/postgresql_12.9.bb | 1 +
2 files changed, 905 insertions(+)
create mode 100644 meta-oe/recipes-dbs/postgresql/files/CVE-2022-2625.patch

diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2022-2625.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2022-2625.patch
new file mode 100644
index 0000000000..6417d8a2b7
--- /dev/null
+++ b/meta-oe/recipes-dbs/postgresql/files/CVE-2022-2625.patch
@@ -0,0 +1,904 @@
+From 84375c1db25ef650902cf80712495fc514b0ff63 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@...>
+Date: Thu, 13 Oct 2022 10:35:32 +0530
+Subject: [PATCH] CVE-2022-2625
+
+Upstream-Status: Backport [https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=5579726bd60a6e7afb04a3548bced348cd5ffd89]
+CVE: CVE-2022-2625
+Signed-off-by: Hitendra Prajapati <hprajapati@...>
+---
+ doc/src/sgml/extend.sgml | 11 --
+ src/backend/catalog/pg_collation.c | 49 ++++--
+ src/backend/catalog/pg_depend.c | 74 ++++++++-
+ src/backend/catalog/pg_operator.c | 2 +-
+ src/backend/catalog/pg_type.c | 7 +-
+ src/backend/commands/createas.c | 18 ++-
+ src/backend/commands/foreigncmds.c | 19 ++-
+ src/backend/commands/schemacmds.c | 25 ++-
+ src/backend/commands/sequence.c | 8 +
+ src/backend/commands/statscmds.c | 4 +
+ src/backend/commands/view.c | 16 +-
+ src/backend/parser/parse_utilcmd.c | 10 ++
+ src/include/catalog/dependency.h | 2 +
+ src/test/modules/test_extensions/Makefile | 5 +-
+ .../expected/test_extensions.out | 153 ++++++++++++++++++
+ .../test_extensions/sql/test_extensions.sql | 110 +++++++++++++
+ .../test_ext_cine--1.0--1.1.sql | 26 +++
+ .../test_extensions/test_ext_cine--1.0.sql | 25 +++
+ .../test_extensions/test_ext_cine.control | 3 +
+ .../test_extensions/test_ext_cor--1.0.sql | 20 +++
+ .../test_extensions/test_ext_cor.control | 3 +
+ 21 files changed, 540 insertions(+), 50 deletions(-)
+ create mode 100644 src/test/modules/test_extensions/test_ext_cine--1.0--1.1.sql
+ create mode 100644 src/test/modules/test_extensions/test_ext_cine--1.0.sql
+ create mode 100644 src/test/modules/test_extensions/test_ext_cine.control
+ create mode 100644 src/test/modules/test_extensions/test_ext_cor--1.0.sql
+ create mode 100644 src/test/modules/test_extensions/test_ext_cor.control
+
+diff --git a/doc/src/sgml/extend.sgml b/doc/src/sgml/extend.sgml
+index 53f2638..bcc7a80 100644
+--- a/doc/src/sgml/extend.sgml
++++ b/doc/src/sgml/extend.sgml
+@@ -1109,17 +1109,6 @@ SELECT * FROM pg_extension_update_paths('<replaceable>extension_name</replaceabl
+ <varname>search_path</varname>. However, no mechanism currently exists
+ to require that.
+ </para>
+-
+- <para>
+- Do <emphasis>not</emphasis> use <command>CREATE OR REPLACE
+- FUNCTION</command>, except in an update script that must change the
+- definition of a function that is known to be an extension member
+- already. (Likewise for other <literal>OR REPLACE</literal> options.)
+- Using <literal>OR REPLACE</literal> unnecessarily not only has a risk
+- of accidentally overwriting someone else's function, but it creates a
+- security hazard since the overwritten function would still be owned by
+- its original owner, who could modify it.
+- </para>
+ </sect3>
+ </sect2>
+
+diff --git a/src/backend/catalog/pg_collation.c b/src/backend/catalog/pg_collation.c
+index dd99d53..ba4c3ef 100644
+--- a/src/backend/catalog/pg_collation.c
++++ b/src/backend/catalog/pg_collation.c
+@@ -78,15 +78,25 @@ CollationCreate(const char *collname, Oid collnamespace,
+ * friendlier error message. The unique index provides a backstop against
+ * race conditions.
+ */
+- if (SearchSysCacheExists3(COLLNAMEENCNSP,
+- PointerGetDatum(collname),
+- Int32GetDatum(collencoding),
+- ObjectIdGetDatum(collnamespace)))
++ oid = GetSysCacheOid3(COLLNAMEENCNSP,
++ Anum_pg_collation_oid,
++ PointerGetDatum(collname),
++ Int32GetDatum(collencoding),
++ ObjectIdGetDatum(collnamespace));
++ if (OidIsValid(oid))
+ {
+ if (quiet)
+ return InvalidOid;
+ else if (if_not_exists)
+ {
++ /*
++ * If we are in an extension script, insist that the pre-existing
++ * object be a member of the extension, to avoid security risks.
++ */
++ ObjectAddressSet(myself, CollationRelationId, oid);
++ checkMembershipInCurrentExtension(&myself);
++
++ /* OK to skip */
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_OBJECT),
+ collencoding == -1
+@@ -116,16 +126,19 @@ CollationCreate(const char *collname, Oid collnamespace,
+ * so we take a ShareRowExclusiveLock earlier, to protect against
+ * concurrent changes fooling this check.
+ */
+- if ((collencoding == -1 &&
+- SearchSysCacheExists3(COLLNAMEENCNSP,
+- PointerGetDatum(collname),
+- Int32GetDatum(GetDatabaseEncoding()),
+- ObjectIdGetDatum(collnamespace))) ||
+- (collencoding != -1 &&
+- SearchSysCacheExists3(COLLNAMEENCNSP,
+- PointerGetDatum(collname),
+- Int32GetDatum(-1),
+- ObjectIdGetDatum(collnamespace))))
++ if (collencoding == -1)
++ oid = GetSysCacheOid3(COLLNAMEENCNSP,
++ Anum_pg_collation_oid,
++ PointerGetDatum(collname),
++ Int32GetDatum(GetDatabaseEncoding()),
++ ObjectIdGetDatum(collnamespace));
++ else
++ oid = GetSysCacheOid3(COLLNAMEENCNSP,
++ Anum_pg_collation_oid,
++ PointerGetDatum(collname),
++ Int32GetDatum(-1),
++ ObjectIdGetDatum(collnamespace));
++ if (OidIsValid(oid))
+ {
+ if (quiet)
+ {
+@@ -134,6 +147,14 @@ CollationCreate(const char *collname, Oid collnamespace,
+ }
+ else if (if_not_exists)
+ {
++ /*
++ * If we are in an extension script, insist that the pre-existing
++ * object be a member of the extension, to avoid security risks.
++ */
++ ObjectAddressSet(myself, CollationRelationId, oid);
++ checkMembershipInCurrentExtension(&myself);
++
++ /* OK to skip */
+ table_close(rel, NoLock);
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_OBJECT),
+diff --git a/src/backend/catalog/pg_depend.c b/src/backend/catalog/pg_depend.c
+index 9ffadbb..71c7cef 100644
+--- a/src/backend/catalog/pg_depend.c
++++ b/src/backend/catalog/pg_depend.c
+@@ -124,15 +124,23 @@ recordMultipleDependencies(const ObjectAddress *depender,
+
+ /*
+ * If we are executing a CREATE EXTENSION operation, mark the given object
+- * as being a member of the extension. Otherwise, do nothing.
++ * as being a member of the extension, or check that it already is one.
++ * Otherwise, do nothing.
+ *
+ * This must be called during creation of any user-definable object type
+ * that could be a member of an extension.
+ *
+- * If isReplace is true, the object already existed (or might have already
+- * existed), so we must check for a pre-existing extension membership entry.
+- * Passing false is a guarantee that the object is newly created, and so
+- * could not already be a member of any extension.
++ * isReplace must be true if the object already existed, and false if it is
++ * newly created. In the former case we insist that it already be a member
++ * of the current extension. In the latter case we can skip checking whether
++ * it is already a member of any extension.
++ *
++ * Note: isReplace = true is typically used when updating a object in
++ * CREATE OR REPLACE and similar commands. We used to allow the target
++ * object to not already be an extension member, instead silently absorbing
++ * it into the current extension. However, this was both error-prone
++ * (extensions might accidentally overwrite free-standing objects) and
++ * a security hazard (since the object would retain its previous ownership).
+ */
+ void
+ recordDependencyOnCurrentExtension(const ObjectAddress *object,
+@@ -150,6 +158,12 @@ recordDependencyOnCurrentExtension(const ObjectAddress *object,
+ {
+ Oid oldext;
+
++ /*
++ * Side note: these catalog lookups are safe only because the
++ * object is a pre-existing one. In the not-isReplace case, the
++ * caller has most likely not yet done a CommandCounterIncrement
++ * that would make the new object visible.
++ */
+ oldext = getExtensionOfObject(object->classId, object->objectId);
+ if (OidIsValid(oldext))
+ {
+@@ -163,6 +177,13 @@ recordDependencyOnCurrentExtension(const ObjectAddress *object,
+ getObjectDescription(object),
+ get_extension_name(oldext))));
+ }
++ /* It's a free-standing object, so reject */
++ ereport(ERROR,
++ (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
++ errmsg("%s is not a member of extension \"%s\"",
++ getObjectDescription(object),
++ get_extension_name(CurrentExtensionObject)),
++ errdetail("An extension is not allowed to replace an object that it does not own.")));
+ }
+
+ /* OK, record it as a member of CurrentExtensionObject */
+@@ -174,6 +195,49 @@ recordDependencyOnCurrentExtension(const ObjectAddress *object,
+ }
+ }
+
++/*
++ * If we are executing a CREATE EXTENSION operation, check that the given
++ * object is a member of the extension, and throw an error if it isn't.
++ * Otherwise, do nothing.
++ *
++ * This must be called whenever a CREATE IF NOT EXISTS operation (for an
++ * object type that can be an extension member) has found that an object of
++ * the desired name already exists. It is insecure for an extension to use
++ * IF NOT EXISTS except when the conflicting object is already an extension
++ * member; otherwise a hostile user could substitute an object with arbitrary
++ * properties.
++ */
++void
++checkMembershipInCurrentExtension(const ObjectAddress *object)
++{
++ /*
++ * This is actually the same condition tested in
++ * recordDependencyOnCurrentExtension; but we want to issue a
++ * differently-worded error, and anyway it would be pretty confusing to
++ * call recordDependencyOnCurrentExtension in these circumstances.
++ */
++
++ /* Only whole objects can be extension members */
++ Assert(object->objectSubId == 0);
++
++ if (creating_extension)
++ {
++ Oid oldext;
++
++ oldext = getExtensionOfObject(object->classId, object->objectId);
++ /* If already a member of this extension, OK */
++ if (oldext == CurrentExtensionObject)
++ return;
++ /* Else complain */
++ ereport(ERROR,
++ (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
++ errmsg("%s is not a member of extension \"%s\"",
++ getObjectDescription(object),
++ get_extension_name(CurrentExtensionObject)),
++ errdetail("An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.")));
++ }
++}
++
+ /*
+ * deleteDependencyRecordsFor -- delete all records with given depender
+ * classId/objectId. Returns the number of records deleted.
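Review bot: The header comment on `checkMembershipInCurrentExtension` mentions only a CREATE EXTENSION operation, but the function is keyed on `creating_extension`. The update script added later in this patch repeats the same IF NOT EXISTS commands under ALTER EXTENSION ... UPDATE, so the check presumably covers update scripts too. Wording such as `If we are executing an extension script (CREATE EXTENSION or ALTER EXTENSION UPDATE), check that the given object is a member of the extension` would say so. The comment could also note that an object owned by a different extension is rejected with the same "is not a member" message as a free-standing one, because `oldext` is only compared with `CurrentExtensionObject`.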
+diff --git a/src/backend/catalog/pg_operator.c b/src/backend/catalog/pg_operator.c
+index bcaa26c..84784e6 100644
+--- a/src/backend/catalog/pg_operator.c
++++ b/src/backend/catalog/pg_operator.c
+@@ -867,7 +867,7 @@ makeOperatorDependencies(HeapTuple tuple, bool isUpdate)
+ oper->oprowner);
+
+ /* Dependency on extension */
+- recordDependencyOnCurrentExtension(&myself, true);
++ recordDependencyOnCurrentExtension(&myself, isUpdate);
+
+ return myself;
+ }
+diff --git a/src/backend/catalog/pg_type.c b/src/backend/catalog/pg_type.c
+index 2a51501..3ff017f 100644
+--- a/src/backend/catalog/pg_type.c
++++ b/src/backend/catalog/pg_type.c
+@@ -528,10 +528,9 @@ TypeCreate(Oid newTypeOid,
+ * If rebuild is true, we remove existing dependencies and rebuild them
+ * from scratch. This is needed for ALTER TYPE, and also when replacing
+ * a shell type. We don't remove an existing extension dependency, though.
+- * (That means an extension can't absorb a shell type created in another
+- * extension, nor ALTER a type created by another extension. Also, if it
+- * replaces a free-standing shell type or ALTERs a free-standing type,
+- * that type will become a member of the extension.)
++ * That means an extension can't absorb a shell type that is free-standing
++ * or belongs to another extension, nor ALTER a type that is free-standing or
++ * belongs to another extension.
+ */
+ void
+ GenerateTypeDependencies(Oid typeObjectId,
+diff --git a/src/backend/commands/createas.c b/src/backend/commands/createas.c
+index 4c1d909..a68d945 100644
+--- a/src/backend/commands/createas.c
++++ b/src/backend/commands/createas.c
+@@ -243,15 +243,27 @@ ExecCreateTableAs(CreateTableAsStmt *stmt, const char *queryString,
+ if (stmt->if_not_exists)
+ {
+ Oid nspid;
++ Oid oldrelid;
+
+- nspid = RangeVarGetCreationNamespace(stmt->into->rel);
++ nspid = RangeVarGetCreationNamespace(into->rel);
+
+- if (get_relname_relid(stmt->into->rel->relname, nspid))
++ oldrelid = get_relname_relid(into->rel->relname, nspid);
++ if (OidIsValid(oldrelid))
+ {
++ /*
++ * The relation exists and IF NOT EXISTS has been specified.
++ *
++ * If we are in an extension script, insist that the pre-existing
++ * object be a member of the extension, to avoid security risks.
++ */
++ ObjectAddressSet(address, RelationRelationId, oldrelid);
++ checkMembershipInCurrentExtension(&address);
++
++ /* OK to skip */
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_TABLE),
+ errmsg("relation \"%s\" already exists, skipping",
+- stmt->into->rel->relname)));
++ into->rel->relname)));
+ return InvalidObjectAddress;
+ }
+ }
+diff --git a/src/backend/commands/foreigncmds.c b/src/backend/commands/foreigncmds.c
+index d7bc6e3..bc583c6 100644
+--- a/src/backend/commands/foreigncmds.c
++++ b/src/backend/commands/foreigncmds.c
+@@ -887,13 +887,22 @@ CreateForeignServer(CreateForeignServerStmt *stmt)
+ ownerId = GetUserId();
+
+ /*
+- * Check that there is no other foreign server by this name. Do nothing if
+- * IF NOT EXISTS was enforced.
++ * Check that there is no other foreign server by this name. If there is
++ * one, do nothing if IF NOT EXISTS was specified.
+ */
+- if (GetForeignServerByName(stmt->servername, true) != NULL)
++ srvId = get_foreign_server_oid(stmt->servername, true);
++ if (OidIsValid(srvId))
+ {
+ if (stmt->if_not_exists)
+ {
++ /*
++ * If we are in an extension script, insist that the pre-existing
++ * object be a member of the extension, to avoid security risks.
++ */
++ ObjectAddressSet(myself, ForeignServerRelationId, srvId);
++ checkMembershipInCurrentExtension(&myself);
++
++ /* OK to skip */
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_OBJECT),
+ errmsg("server \"%s\" already exists, skipping",
+@@ -1182,6 +1191,10 @@ CreateUserMapping(CreateUserMappingStmt *stmt)
+ {
+ if (stmt->if_not_exists)
+ {
++ /*
++ * Since user mappings aren't members of extensions (see comments
++ * below), no need for checkMembershipInCurrentExtension here.
++ */
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_OBJECT),
+ errmsg("user mapping for \"%s\" already exists for server \"%s\", skipping",
+diff --git a/src/backend/commands/schemacmds.c b/src/backend/commands/schemacmds.c
+index 6cf94a3..6bc4edc 100644
+--- a/src/backend/commands/schemacmds.c
++++ b/src/backend/commands/schemacmds.c
+@@ -113,14 +113,25 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString,
+ * the permissions checks, but since CREATE TABLE IF NOT EXISTS makes its
+ * creation-permission check first, we do likewise.
+ */
+- if (stmt->if_not_exists &&
+- SearchSysCacheExists1(NAMESPACENAME, PointerGetDatum(schemaName)))
++ if (stmt->if_not_exists)
+ {
+- ereport(NOTICE,
+- (errcode(ERRCODE_DUPLICATE_SCHEMA),
+- errmsg("schema \"%s\" already exists, skipping",
+- schemaName)));
+- return InvalidOid;
++ namespaceId = get_namespace_oid(schemaName, true);
++ if (OidIsValid(namespaceId))
++ {
++ /*
++ * If we are in an extension script, insist that the pre-existing
++ * object be a member of the extension, to avoid security risks.
++ */
++ ObjectAddressSet(address, NamespaceRelationId, namespaceId);
++ checkMembershipInCurrentExtension(&address);
++
++ /* OK to skip */
++ ereport(NOTICE,
++ (errcode(ERRCODE_DUPLICATE_SCHEMA),
++ errmsg("schema \"%s\" already exists, skipping",
++ schemaName)));
++ return InvalidOid;
++ }
+ }
+
+ /*
+diff --git a/src/backend/commands/sequence.c b/src/backend/commands/sequence.c
+index 0960b33..0577184 100644
+--- a/src/backend/commands/sequence.c
++++ b/src/backend/commands/sequence.c
+@@ -149,6 +149,14 @@ DefineSequence(ParseState *pstate, CreateSeqStmt *seq)
+ RangeVarGetAndCheckCreationNamespace(seq->sequence, NoLock, &seqoid);
+ if (OidIsValid(seqoid))
+ {
++ /*
++ * If we are in an extension script, insist that the pre-existing
++ * object be a member of the extension, to avoid security risks.
++ */
++ ObjectAddressSet(address, RelationRelationId, seqoid);
++ checkMembershipInCurrentExtension(&address);
++
++ /* OK to skip */
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_TABLE),
+ errmsg("relation \"%s\" already exists, skipping",
+diff --git a/src/backend/commands/statscmds.c b/src/backend/commands/statscmds.c
+index 5678d31..409cf28 100644
+--- a/src/backend/commands/statscmds.c
++++ b/src/backend/commands/statscmds.c
+@@ -173,6 +173,10 @@ CreateStatistics(CreateStatsStmt *stmt)
+ {
+ if (stmt->if_not_exists)
+ {
++ /*
++ * Since stats objects aren't members of extensions (see comments
++ * below), no need for checkMembershipInCurrentExtension here.
++ */
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_OBJECT),
+ errmsg("statistics object \"%s\" already exists, skipping",
+diff --git a/src/backend/commands/view.c b/src/backend/commands/view.c
+index 87ed453..dd7cc97 100644
+--- a/src/backend/commands/view.c
++++ b/src/backend/commands/view.c
+@@ -205,7 +205,7 @@ DefineVirtualRelation(RangeVar *relation, List *tlist, bool replace,
+ CommandCounterIncrement();
+
+ /*
+- * Finally update the view options.
++ * Update the view's options.
+ *
+ * The new options list replaces the existing options list, even if
+ * it's empty.
+@@ -218,8 +218,22 @@ DefineVirtualRelation(RangeVar *relation, List *tlist, bool replace,
+ /* EventTriggerAlterTableStart called by ProcessUtilitySlow */
+ AlterTableInternal(viewOid, atcmds, true);
+
++ /*
++ * There is very little to do here to update the view's dependencies.
++ * Most view-level dependency relationships, such as those on the
++ * owner, schema, and associated composite type, aren't changing.
++ * Because we don't allow changing type or collation of an existing
++ * view column, those dependencies of the existing columns don't
++ * change either, while the AT_AddColumnToView machinery took care of
++ * adding such dependencies for new view columns. The dependencies of
++ * the view's query could have changed arbitrarily, but that was dealt
++ * with inside StoreViewQuery. What remains is only to check that
++ * view replacement is allowed when we're creating an extension.
++ */
+ ObjectAddressSet(address, RelationRelationId, viewOid);
+
++ recordDependencyOnCurrentExtension(&address, true);
++
+ /*
+ * Seems okay, so return the OID of the pre-existing view.
+ */
+diff --git a/src/backend/parser/parse_utilcmd.c b/src/backend/parser/parse_utilcmd.c
+index 44aa38a..8f4d940 100644
+--- a/src/backend/parser/parse_utilcmd.c
++++ b/src/backend/parser/parse_utilcmd.c
+@@ -206,6 +206,16 @@ transformCreateStmt(CreateStmt *stmt, const char *queryString)
+ */
+ if (stmt->if_not_exists && OidIsValid(existing_relid))
+ {
++ /*
++ * If we are in an extension script, insist that the pre-existing
++ * object be a member of the extension, to avoid security risks.
++ */
++ ObjectAddress address;
++
++ ObjectAddressSet(address, RelationRelationId, existing_relid);
++ checkMembershipInCurrentExtension(&address);
++
++ /* OK to skip */
+ ereport(NOTICE,
+ (errcode(ERRCODE_DUPLICATE_TABLE),
+ errmsg("relation \"%s\" already exists, skipping",
+diff --git a/src/include/catalog/dependency.h b/src/include/catalog/dependency.h
+index 8b1e3aa..27c7509 100644
+--- a/src/include/catalog/dependency.h
++++ b/src/include/catalog/dependency.h
+@@ -201,6 +201,8 @@ extern void recordMultipleDependencies(const ObjectAddress *depender,
+ extern void recordDependencyOnCurrentExtension(const ObjectAddress *object,
+ bool isReplace);
+
++extern void checkMembershipInCurrentExtension(const ObjectAddress *object);
++
+ extern long deleteDependencyRecordsFor(Oid classId, Oid objectId,
+ bool skipExtensionDeps);
+
+diff --git a/src/test/modules/test_extensions/Makefile b/src/test/modules/test_extensions/Makefile
+index d18108e..7428f15 100644
+--- a/src/test/modules/test_extensions/Makefile
++++ b/src/test/modules/test_extensions/Makefile
+@@ -4,10 +4,13 @@ MODULE = test_extensions
+ PGFILEDESC = "test_extensions - regression testing for EXTENSION support"
+
+ EXTENSION = test_ext1 test_ext2 test_ext3 test_ext4 test_ext5 test_ext6 \
+- test_ext7 test_ext8 test_ext_cyclic1 test_ext_cyclic2
++ test_ext7 test_ext8 test_ext_cine test_ext_cor \
++ test_ext_cyclic1 test_ext_cyclic2
+ DATA = test_ext1--1.0.sql test_ext2--1.0.sql test_ext3--1.0.sql \
+ test_ext4--1.0.sql test_ext5--1.0.sql test_ext6--1.0.sql \
+ test_ext7--1.0.sql test_ext7--1.0--2.0.sql test_ext8--1.0.sql \
++ test_ext_cine--1.0.sql test_ext_cine--1.0--1.1.sql \
++ test_ext_cor--1.0.sql \
+ test_ext_cyclic1--1.0.sql test_ext_cyclic2--1.0.sql
+
+ REGRESS = test_extensions test_extdepend
+diff --git a/src/test/modules/test_extensions/expected/test_extensions.out b/src/test/modules/test_extensions/expected/test_extensions.out
+index b5cbdfc..1e91640 100644
+--- a/src/test/modules/test_extensions/expected/test_extensions.out
++++ b/src/test/modules/test_extensions/expected/test_extensions.out
+@@ -154,3 +154,156 @@ DROP TABLE test_ext4_tab;
+ DROP FUNCTION create_extension_with_temp_schema();
+ RESET client_min_messages;
+ \unset SHOW_CONTEXT
++-- It's generally bad style to use CREATE OR REPLACE unnecessarily.
++-- Test what happens if an extension does it anyway.
++-- Replacing a shell type or operator is sort of like CREATE OR REPLACE;
++-- check that too.
++CREATE FUNCTION ext_cor_func() RETURNS text
++ AS $$ SELECT 'ext_cor_func: original'::text $$ LANGUAGE sql;
++CREATE EXTENSION test_ext_cor; -- fail
++ERROR: function ext_cor_func() is not a member of extension "test_ext_cor"
++DETAIL: An extension is not allowed to replace an object that it does not own.
++SELECT ext_cor_func();
++ ext_cor_func
++------------------------
++ ext_cor_func: original
++(1 row)
++
++DROP FUNCTION ext_cor_func();
++CREATE VIEW ext_cor_view AS
++ SELECT 'ext_cor_view: original'::text AS col;
++CREATE EXTENSION test_ext_cor; -- fail
++ERROR: view ext_cor_view is not a member of extension "test_ext_cor"
++DETAIL: An extension is not allowed to replace an object that it does not own.
++SELECT ext_cor_func();
++ERROR: function ext_cor_func() does not exist
++LINE 1: SELECT ext_cor_func();
++ ^
++HINT: No function matches the given name and argument types. You might need to add explicit type casts.
++SELECT * FROM ext_cor_view;
++ col
++------------------------
++ ext_cor_view: original
++(1 row)
++
++DROP VIEW ext_cor_view;
++CREATE TYPE test_ext_type;
++CREATE EXTENSION test_ext_cor; -- fail
++ERROR: type test_ext_type is not a member of extension "test_ext_cor"
++DETAIL: An extension is not allowed to replace an object that it does not own.
++DROP TYPE test_ext_type;
++-- this makes a shell "point <<@@ polygon" operator too
++CREATE OPERATOR @@>> ( PROCEDURE = poly_contain_pt,
++ LEFTARG = polygon, RIGHTARG = point,
++ COMMUTATOR = <<@@ );
++CREATE EXTENSION test_ext_cor; -- fail
++ERROR: operator <<@@(point,polygon) is not a member of extension "test_ext_cor"
++DETAIL: An extension is not allowed to replace an object that it does not own.
++DROP OPERATOR <<@@ (point, polygon);
++CREATE EXTENSION test_ext_cor; -- now it should work
++SELECT ext_cor_func();
++ ext_cor_func
++------------------------------
++ ext_cor_func: from extension
++(1 row)
++
++SELECT * FROM ext_cor_view;
++ col
++------------------------------
++ ext_cor_view: from extension
++(1 row)
++
++SELECT 'x'::test_ext_type;
++ test_ext_type
++---------------
++ x
++(1 row)
++
++SELECT point(0,0) <<@@ polygon(circle(point(0,0),1));
++ ?column?
++----------
++ t
++(1 row)
++
++\dx+ test_ext_cor
++Objects in extension "test_ext_cor"
++ Object description
++------------------------------
++ function ext_cor_func()
++ operator <<@@(point,polygon)
++ type test_ext_type
++ view ext_cor_view
++(4 rows)
++
++--
++-- CREATE IF NOT EXISTS is an entirely unsound thing for an extension
++-- to be doing, but let's at least plug the major security hole in it.
++--
++CREATE COLLATION ext_cine_coll
++ ( LC_COLLATE = "C", LC_CTYPE = "C" );
++CREATE EXTENSION test_ext_cine; -- fail
++ERROR: collation ext_cine_coll is not a member of extension "test_ext_cine"
++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.
++DROP COLLATION ext_cine_coll;
++CREATE MATERIALIZED VIEW ext_cine_mv AS SELECT 11 AS f1;
++CREATE EXTENSION test_ext_cine; -- fail
++ERROR: materialized view ext_cine_mv is not a member of extension "test_ext_cine"
++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.
++DROP MATERIALIZED VIEW ext_cine_mv;
++CREATE FOREIGN DATA WRAPPER dummy;
++CREATE SERVER ext_cine_srv FOREIGN DATA WRAPPER dummy;
++CREATE EXTENSION test_ext_cine; -- fail
++ERROR: server ext_cine_srv is not a member of extension "test_ext_cine"
++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.
++DROP SERVER ext_cine_srv;
++CREATE SCHEMA ext_cine_schema;
++CREATE EXTENSION test_ext_cine; -- fail
++ERROR: schema ext_cine_schema is not a member of extension "test_ext_cine"
++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.
++DROP SCHEMA ext_cine_schema;
++CREATE SEQUENCE ext_cine_seq;
++CREATE EXTENSION test_ext_cine; -- fail
++ERROR: sequence ext_cine_seq is not a member of extension "test_ext_cine"
++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.
++DROP SEQUENCE ext_cine_seq;
++CREATE TABLE ext_cine_tab1 (x int);
++CREATE EXTENSION test_ext_cine; -- fail
++ERROR: table ext_cine_tab1 is not a member of extension "test_ext_cine"
++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.
++DROP TABLE ext_cine_tab1;
++CREATE TABLE ext_cine_tab2 AS SELECT 42 AS y;
++CREATE EXTENSION test_ext_cine; -- fail
++ERROR: table ext_cine_tab2 is not a member of extension "test_ext_cine"
++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns.
++DROP TABLE ext_cine_tab2;
++CREATE EXTENSION test_ext_cine;
++\dx+ test_ext_cine
++Objects in extension "test_ext_cine"
++ Object description
++-----------------------------------
++ collation ext_cine_coll
++ foreign-data wrapper ext_cine_fdw
++ materialized view ext_cine_mv
++ schema ext_cine_schema
++ sequence ext_cine_seq
++ server ext_cine_srv
++ table ext_cine_tab1
++ table ext_cine_tab2
++(8 rows)
++
++ALTER EXTENSION test_ext_cine UPDATE TO '1.1';
++\dx+ test_ext_cine
++Objects in extension "test_ext_cine"
++ Object description
++-----------------------------------
++ collation ext_cine_coll
++ foreign-data wrapper ext_cine_fdw
++ materialized view ext_cine_mv
++ schema ext_cine_schema
++ sequence ext_cine_seq
++ server ext_cine_srv
++ table ext_cine_tab1
++ table ext_cine_tab2
++ table ext_cine_tab3
++(9 rows)
++
+diff --git a/src/test/modules/test_extensions/sql/test_extensions.sql b/src/test/modules/test_extensions/sql/test_extensions.sql
+index f505466..b3d4579 100644
+--- a/src/test/modules/test_extensions/sql/test_extensions.sql
++++ b/src/test/modules/test_extensions/sql/test_extensions.sql
+@@ -93,3 +93,113 @@ DROP TABLE test_ext4_tab;
+ DROP FUNCTION create_extension_with_temp_schema();
+ RESET client_min_messages;
+ \unset SHOW_CONTEXT
++
++-- It's generally bad style to use CREATE OR REPLACE unnecessarily.
++-- Test what happens if an extension does it anyway.
++-- Replacing a shell type or operator is sort of like CREATE OR REPLACE;
++-- check that too.
++
++CREATE FUNCTION ext_cor_func() RETURNS text
++ AS $$ SELECT 'ext_cor_func: original'::text $$ LANGUAGE sql;
++
++CREATE EXTENSION test_ext_cor; -- fail
++
++SELECT ext_cor_func();
++
++DROP FUNCTION ext_cor_func();
++
++CREATE VIEW ext_cor_view AS
++ SELECT 'ext_cor_view: original'::text AS col;
++
++CREATE EXTENSION test_ext_cor; -- fail
++
++SELECT ext_cor_func();
++
++SELECT * FROM ext_cor_view;
++
++DROP VIEW ext_cor_view;
++
++CREATE TYPE test_ext_type;
++
++CREATE EXTENSION test_ext_cor; -- fail
++
++DROP TYPE test_ext_type;
++
++-- this makes a shell "point <<@@ polygon" operator too
++CREATE OPERATOR @@>> ( PROCEDURE = poly_contain_pt,
++ LEFTARG = polygon, RIGHTARG = point,
++ COMMUTATOR = <<@@ );
++
++CREATE EXTENSION test_ext_cor; -- fail
++
++DROP OPERATOR <<@@ (point, polygon);
++
++CREATE EXTENSION test_ext_cor; -- now it should work
++
++SELECT ext_cor_func();
++
++SELECT * FROM ext_cor_view;
++
++SELECT 'x'::test_ext_type;
++
++SELECT point(0,0) <<@@ polygon(circle(point(0,0),1));
++
++\dx+ test_ext_cor
++
++--
++-- CREATE IF NOT EXISTS is an entirely unsound thing for an extension
++-- to be doing, but let's at least plug the major security hole in it.
++--
++
++CREATE COLLATION ext_cine_coll
++ ( LC_COLLATE = "C", LC_CTYPE = "C" );
++
++CREATE EXTENSION test_ext_cine; -- fail
++
++DROP COLLATION ext_cine_coll;
++
++CREATE MATERIALIZED VIEW ext_cine_mv AS SELECT 11 AS f1;
++
++CREATE EXTENSION test_ext_cine; -- fail
++
++DROP MATERIALIZED VIEW ext_cine_mv;
++
++CREATE FOREIGN DATA WRAPPER dummy;
++
++CREATE SERVER ext_cine_srv FOREIGN DATA WRAPPER dummy;
++
++CREATE EXTENSION test_ext_cine; -- fail
++
++DROP SERVER ext_cine_srv;
++
++CREATE SCHEMA ext_cine_schema;
++
++CREATE EXTENSION test_ext_cine; -- fail
++
++DROP SCHEMA ext_cine_schema;
++
++CREATE SEQUENCE ext_cine_seq;
++
++CREATE EXTENSION test_ext_cine; -- fail
++
++DROP SEQUENCE ext_cine_seq;
++
++CREATE TABLE ext_cine_tab1 (x int);
++
++CREATE EXTENSION test_ext_cine; -- fail
++
++DROP TABLE ext_cine_tab1;
++
++CREATE TABLE ext_cine_tab2 AS SELECT 42 AS y;
++
++CREATE EXTENSION test_ext_cine; -- fail
++
++DROP TABLE ext_cine_tab2;
++
++CREATE EXTENSION test_ext_cine;
++
++\dx+ test_ext_cine
++
++ALTER EXTENSION test_ext_cine UPDATE TO '1.1';
++
++\dx+ test_ext_cine
+diff --git a/src/test/modules/test_extensions/test_ext_cine--1.0--1.1.sql b/src/test/modules/test_extensions/test_ext_cine--1.0--1.1.sql
+new file mode 100644
+index 0000000..6dadfd2
+--- /dev/null
++++ b/src/test/modules/test_extensions/test_ext_cine--1.0--1.1.sql
+@@ -0,0 +1,26 @@
++/* src/test/modules/test_extensions/test_ext_cine--1.0--1.1.sql */
++-- complain if script is sourced in psql, rather than via ALTER EXTENSION
++\echo Use "ALTER EXTENSION test_ext_cine UPDATE TO '1.1'" to load this file. \quit
++
++--
++-- These are the same commands as in the 1.0 script; we expect them
++-- to do nothing.
++--
++
++CREATE COLLATION IF NOT EXISTS ext_cine_coll
++ ( LC_COLLATE = "POSIX", LC_CTYPE = "POSIX" );
++
++CREATE MATERIALIZED VIEW IF NOT EXISTS ext_cine_mv AS SELECT 42 AS f1;
++
++CREATE SERVER IF NOT EXISTS ext_cine_srv FOREIGN DATA WRAPPER ext_cine_fdw;
++
++CREATE SCHEMA IF NOT EXISTS ext_cine_schema;
++
++CREATE SEQUENCE IF NOT EXISTS ext_cine_seq;
++
++CREATE TABLE IF NOT EXISTS ext_cine_tab1 (x int);
++
++CREATE TABLE IF NOT EXISTS ext_cine_tab2 AS SELECT 42 AS y;
++
++-- just to verify the script ran
++CREATE TABLE ext_cine_tab3 (z int);
+diff --git a/src/test/modules/test_extensions/test_ext_cine--1.0.sql b/src/test/modules/test_extensions/test_ext_cine--1.0.sql
+new file mode 100644
+index 0000000..01408ff
+--- /dev/null
++++ b/src/test/modules/test_extensions/test_ext_cine--1.0.sql
+@@ -0,0 +1,25 @@
++/* src/test/modules/test_extensions/test_ext_cine--1.0.sql */
++-- complain if script is sourced in psql, rather than via CREATE EXTENSION
++\echo Use "CREATE EXTENSION test_ext_cine" to load this file. \quit
++
++--
++-- CREATE IF NOT EXISTS is an entirely unsound thing for an extension
++-- to be doing, but let's at least plug the major security hole in it.
++--
++
++CREATE COLLATION IF NOT EXISTS ext_cine_coll
++ ( LC_COLLATE = "POSIX", LC_CTYPE = "POSIX" );
++
++CREATE MATERIALIZED VIEW IF NOT EXISTS ext_cine_mv AS SELECT 42 AS f1;
++
++CREATE FOREIGN DATA WRAPPER ext_cine_fdw;
++
++CREATE SERVER IF NOT EXISTS ext_cine_srv FOREIGN DATA WRAPPER ext_cine_fdw;
++
++CREATE SCHEMA IF NOT EXISTS ext_cine_schema;
++
++CREATE SEQUENCE IF NOT EXISTS ext_cine_seq;
++
++CREATE TABLE IF NOT EXISTS ext_cine_tab1 (x int);
++
++CREATE TABLE IF NOT EXISTS ext_cine_tab2 AS SELECT 42 AS y;
+diff --git a/src/test/modules/test_extensions/test_ext_cine.control b/src/test/modules/test_extensions/test_ext_cine.control
+new file mode 100644
+index 0000000..ced713b
+--- /dev/null
++++ b/src/test/modules/test_extensions/test_ext_cine.control
+@@ -0,0 +1,3 @@
++comment = 'Test extension using CREATE IF NOT EXISTS'
++default_version = '1.0'
++relocatable = true
+diff --git a/src/test/modules/test_extensions/test_ext_cor--1.0.sql b/src/test/modules/test_extensions/test_ext_cor--1.0.sql
+new file mode 100644
+index 0000000..2e8d89c
+--- /dev/null
++++ b/src/test/modules/test_extensions/test_ext_cor--1.0.sql
+@@ -0,0 +1,20 @@
++/* src/test/modules/test_extensions/test_ext_cor--1.0.sql */
++-- complain if script is sourced in psql, rather than via CREATE EXTENSION
++\echo Use "CREATE EXTENSION test_ext_cor" to load this file. \quit
++
++-- It's generally bad style to use CREATE OR REPLACE unnecessarily.
++-- Test what happens if an extension does it anyway.
++
++CREATE OR REPLACE FUNCTION ext_cor_func() RETURNS text
++ AS $$ SELECT 'ext_cor_func: from extension'::text $$ LANGUAGE sql;
++
++CREATE OR REPLACE VIEW ext_cor_view AS
++ SELECT 'ext_cor_view: from extension'::text AS col;
++
++-- These are for testing replacement of a shell type/operator, which works
++-- enough like an implicit OR REPLACE to be important to check.
++
++CREATE TYPE test_ext_type AS ENUM('x', 'y');
++
++CREATE OPERATOR <<@@ ( PROCEDURE = pt_contained_poly,
++ LEFTARG = point, RIGHTARG = polygon );
+diff --git a/src/test/modules/test_extensions/test_ext_cor.control b/src/test/modules/test_extensions/test_ext_cor.control
+new file mode 100644
+index 0000000..0e972e5
+--- /dev/null
++++ b/src/test/modules/test_extensions/test_ext_cor.control
+@@ -0,0 +1,3 @@
++comment = 'Test extension using CREATE OR REPLACE'
++default_version = '1.0'
++relocatable = true
+--
+2.25.1
+
diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb b/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb
index 67bf2b9604..4b7c1d69fc 100644
--- a/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb
+++ b/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb
@@ -7,6 +7,7 @@ SRC_URI += "\
file://0001-Add-support-for-RISC-V.patch \
file://0001-Improve-reproducibility.patch \
file://remove_duplicate.patch \
+ file://CVE-2022-2625.patch \
"

SRC_URI[sha256sum] = "89fda2de33ed04a98548e43f3ee5f15b882be17505d631fe0dd1a540a2b56dce"
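Review bot: The new `file://CVE-2022-2625.patch` entry keeps the recipe on 12.9 and carries the fix as a large backport that also adds regression-test modules (`test_ext_cor`, `test_ext_cine`), so it will have to be rebased whenever the recipe moves. If the branch policy permits minor-version updates, moving to the upstream 12.x release that already contains this fix would pick it up without a local patch. The patch header is outside this hunk, so confirm that it carries `CVE: CVE-2022-2625` and `Upstream-Status: Backport [<upstream commit URL>]` lines.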
--
2.25.1


Re: [meta-oe][master][kirkstone][PATCH] psplash: delay the psplash service

Khem Raj
 



On Sun, Oct 16, 2022 at 6:36 PM Wentao Zhang <wentao.zhang@...> wrote:
psplash starts too early to start on some types of
machines. Fix this problem by delaying this service.

Signed-off-by: Wentao Zhang <wentao.zhang@...>
---
 meta/recipes-core/psplash/files/psplash-start.service | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-core/psplash/files/psplash-start.service b/meta/recipes-core/psplash/files/psplash-start.service
index 36c2bb38e0..9eaf2658a5 100644
--- a/meta/recipes-core/psplash/files/psplash-start.service
+++ b/meta/recipes-core/psplash/files/psplash-start.service
@@ -2,6 +2,8 @@
 Description=Start psplash boot splash screen
 DefaultDependencies=no
 RequiresMountsFor=/run
+After=systemd-timesyncd.service
+

I think this will fail on systems not having timesyncd or network 


 [Service]
 Type=notify
--
2.25.1





[meta-oe][master][kirkstone][PATCH] psplash: delay the psplash service

Wentao Zhang
 

psplash is started too early to come up on some types of
machines. Fix this problem by delaying the service.

Signed-off-by: Wentao Zhang <wentao.zhang@...>
---
meta/recipes-core/psplash/files/psplash-start.service | 2 ++
1 file changed, 2 insertions(+)

diff --git a/meta/recipes-core/psplash/files/psplash-start.service b/meta/recipes-core/psplash/files/psplash-start.service
index 36c2bb38e0..9eaf2658a5 100644
--- a/meta/recipes-core/psplash/files/psplash-start.service
+++ b/meta/recipes-core/psplash/files/psplash-start.service
@@ -2,6 +2,8 @@
Description=Start psplash boot splash screen
DefaultDependencies=no
RequiresMountsFor=/run
+After=systemd-timesyncd.service
+

[Service]
Type=notify
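Review bot: `After=systemd-timesyncd.service` ties the splash screen to a time-sync daemon it has no functional relation to, so the delay is a side effect of boot ordering rather than a wait for the resource psplash actually needs. If that resource is the framebuffer (the commit message does not say), ordering the service against the device itself would state the requirement directly. Either way, a comment such as `# psplash needs <resource> before it can start` above the new line would record the reason. The added `+` blank line sits next to an existing blank line and can be dropped. The same hunk is quoted in the reply earlier on the page.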
--
2.25.1


Re: [OE-core][PATCH] linux-firmware: package amdgpu firmware

Khem Raj
 

On Sun, Oct 16, 2022 at 4:37 PM Vincent Davis Jr <vince@...> wrote:

Add packages for the firmware required by amdgpu kernel driver.

Signed-off-by: Vincent Davis Jr <vince@...>
---
.../linux-firmware/linux-firmware_20220913.bb | 12 ++++++++++++
Thanks for the patch, this should however go to oe-core mailing list
since this recipe belongs to core layer.

1 file changed, 12 insertions(+)

diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20220913.bb b/meta/recipes-kernel/linux-firmware/linux-firmware_20220913.bb
index 45c9d0e861..bf15e53472 100644
--- a/meta/recipes-kernel/linux-firmware/linux-firmware_20220913.bb
+++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20220913.bb
@@ -228,6 +228,7 @@ do_install() {
PACKAGES =+ "${PN}-ralink-license ${PN}-ralink \
${PN}-mt7601u-license ${PN}-mt7601u \
${PN}-radeon-license ${PN}-radeon \
+ ${PN}-amdgpu-license ${PN}-amdgpu \
${PN}-marvell-license ${PN}-pcie8897 ${PN}-pcie8997 \
${PN}-sd8686 ${PN}-sd8688 ${PN}-sd8787 ${PN}-sd8797 ${PN}-sd8801 \
${PN}-sd8887 ${PN}-sd8897 ${PN}-sd8997 ${PN}-usb8997 \
@@ -428,6 +429,17 @@ FILES:${PN}-radeon = " \

RDEPENDS:${PN}-radeon += "${PN}-radeon-license"

+# For amdgpu
+LICENSE:${PN}-amdgpu = "Firmware-amdgpu"
+LICENSE:${PN}-amdgpu-license = "Firmware-amdgpu"
+
+FILES:${PN}-amdgpu-license = "${nonarch_base_libdir}/firmware/LICENSE.amdgpu"
+FILES:${PN}-amdgpu = " \
+ ${nonarch_base_libdir}/firmware/amdgpu \
+"
+
+RDEPENDS:${PN}-amdgpu += "${PN}-amdgpu-license"
+
# For lontium
LICENSE:${PN}-lt9611uxc = "Firmware-Lontium"

--
2.34.1




[OE-core][PATCH] linux-firmware: package amdgpu firmware

Vincent Davis Jr
 

Add packages for the firmware required by amdgpu kernel driver.

Signed-off-by: Vincent Davis Jr <vince@...>
---
.../linux-firmware/linux-firmware_20220913.bb | 12 ++++++++++++
1 file changed, 12 insertions(+)

diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20220913.bb b/meta/recipes-kernel/linux-firmware/linux-firmware_20220913.bb
index 45c9d0e861..bf15e53472 100644
--- a/meta/recipes-kernel/linux-firmware/linux-firmware_20220913.bb
+++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20220913.bb
@@ -228,6 +228,7 @@ do_install() {
PACKAGES =+ "${PN}-ralink-license ${PN}-ralink \
${PN}-mt7601u-license ${PN}-mt7601u \
${PN}-radeon-license ${PN}-radeon \
+ ${PN}-amdgpu-license ${PN}-amdgpu \
${PN}-marvell-license ${PN}-pcie8897 ${PN}-pcie8997 \
${PN}-sd8686 ${PN}-sd8688 ${PN}-sd8787 ${PN}-sd8797 ${PN}-sd8801 \
${PN}-sd8887 ${PN}-sd8897 ${PN}-sd8997 ${PN}-usb8997 \
@@ -428,6 +429,17 @@ FILES:${PN}-radeon = " \

RDEPENDS:${PN}-radeon += "${PN}-radeon-license"

+# For amdgpu
+LICENSE:${PN}-amdgpu = "Firmware-amdgpu"
+LICENSE:${PN}-amdgpu-license = "Firmware-amdgpu"
+
+FILES:${PN}-amdgpu-license = "${nonarch_base_libdir}/firmware/LICENSE.amdgpu"
+FILES:${PN}-amdgpu = " \
+ ${nonarch_base_libdir}/firmware/amdgpu \
+"
+
+RDEPENDS:${PN}-amdgpu += "${PN}-amdgpu-license"
+
# For lontium
LICENSE:${PN}-lt9611uxc = "Firmware-Lontium"

--
2.34.1


[meta-networking][PATCH 3/3] conntrack-tools: Use canonical shell spacing

Alex Kiernan
 

Signed-off-by: Alex Kiernan <alex.kiernan@...>
---
.../conntrack-tools/conntrack-tools_1.4.7.bb | 24 +++++++++----------
1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.7.bb b/meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.7.bb
index 6f88b5fe31b8..8b47ceb1c054 100644
--- a/meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.7.bb
+++ b/meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.7.bb
@@ -26,21 +26,21 @@ PACKAGECONFIG[systemd] = "--enable-systemd,--disable-systemd,systemd"
INITSCRIPT_NAME = "conntrackd"

do_install:append() {
- install -d ${D}/${sysconfdir}/conntrackd
- install -d ${D}/${sysconfdir}/init.d
- install -m 0644 ${S}/doc/sync/ftfw/conntrackd.conf ${D}/${sysconfdir}/conntrackd/conntrackd.conf.sample
- install -m 0755 ${WORKDIR}/conntrack-failover ${D}/${sysconfdir}/init.d/conntrack-failover
- install -m 0755 ${WORKDIR}/init ${D}/${sysconfdir}/init.d/conntrackd
-
- # Fix hardcoded paths in scripts
- sed -i 's!/usr/sbin/!${sbindir}/!g' ${D}/${sysconfdir}/init.d/conntrack-failover ${D}/${sysconfdir}/init.d/conntrackd
- sed -i 's!/etc/!${sysconfdir}/!g' ${D}/${sysconfdir}/init.d/conntrack-failover ${D}/${sysconfdir}/init.d/conntrackd
- sed -i 's!/var/!${localstatedir}/!g' ${D}/${sysconfdir}/init.d/conntrack-failover ${D}/${sysconfdir}/init.d/conntrackd ${D}/${sysconfdir}/conntrackd/conntrackd.conf.sample
- sed -i 's!^export PATH=.*!export PATH=${base_sbindir}:${base_bindir}:${sbindir}:${bindir}!' ${D}/${sysconfdir}/init.d/conntrackd
+ install -d ${D}/${sysconfdir}/conntrackd
+ install -d ${D}/${sysconfdir}/init.d
+ install -m 0644 ${S}/doc/sync/ftfw/conntrackd.conf ${D}/${sysconfdir}/conntrackd/conntrackd.conf.sample
+ install -m 0755 ${WORKDIR}/conntrack-failover ${D}/${sysconfdir}/init.d/conntrack-failover
+ install -m 0755 ${WORKDIR}/init ${D}/${sysconfdir}/init.d/conntrackd
+
+ # Fix hardcoded paths in scripts
+ sed -i 's!/usr/sbin/!${sbindir}/!g' ${D}/${sysconfdir}/init.d/conntrack-failover ${D}/${sysconfdir}/init.d/conntrackd
+ sed -i 's!/etc/!${sysconfdir}/!g' ${D}/${sysconfdir}/init.d/conntrack-failover ${D}/${sysconfdir}/init.d/conntrackd
+ sed -i 's!/var/!${localstatedir}/!g' ${D}/${sysconfdir}/init.d/conntrack-failover ${D}/${sysconfdir}/init.d/conntrackd ${D}/${sysconfdir}/conntrackd/conntrackd.conf.sample
+ sed -i 's!^export PATH=.*!export PATH=${base_sbindir}:${base_bindir}:${sbindir}:${bindir}!' ${D}/${sysconfdir}/init.d/conntrackd
}

# fix error message: Do not forget that you need *root* or CAP_NET_ADMIN capabilities ;-)
pkg_postinst:${PN} () {
- setcap cap_net_admin+ep "$D/${sbindir}/conntrack"
+ setcap cap_net_admin+ep "$D/${sbindir}/conntrack"
}
PACKAGE_WRITE_DEPS += "libcap-native"
--
2.35.1


[meta-networking][PATCH 2/3] conntrack-tools: Add PACKAGECONFIGs for build options

Alex Kiernan
 

Signed-off-by: Alex Kiernan <alex.kiernan@...>
---
.../conntrack-tools/conntrack-tools_1.4.7.bb | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.7.bb b/meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.7.bb
index 7d8ce9f80aa7..6f88b5fe31b8 100644
--- a/meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.7.bb
+++ b/meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.7.bb
@@ -14,7 +14,14 @@ SRC_URI = "http://www.netfilter.org/projects/conntrack-tools/files/conntrack-too
"
SRC_URI[sha256sum] = "099debcf57e81690ced57f516b493588a73518f48c14d656f823b29b4fc24b5d"

-inherit autotools update-rc.d pkgconfig
+inherit autotools update-rc.d pkgconfig systemd
+
+PACKAGECONFIG ?= "cthelper cttimeout \
+ ${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"
+
+PACKAGECONFIG[cthelper] = "--enable-cthelper,--disable-cthelper"
+PACKAGECONFIG[cttimeout] = "--enable-cttimeout,--disable-cttimeout"
+PACKAGECONFIG[systemd] = "--enable-systemd,--disable-systemd,systemd"

INITSCRIPT_NAME = "conntrackd"
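Review bot: `PACKAGECONFIG[cthelper]` and `PACKAGECONFIG[cttimeout]` leave the build-dependency field empty, so switching either option off still builds against the libraries listed unconditionally in `DEPENDS` (the hunk header of patch 1/3 on this page shows `libnetfilter-cttimeout` there; the rest of that line is outside the hunk). Moving each library into the third field, e.g. `PACKAGECONFIG[cttimeout] = "--enable-cttimeout,--disable-cttimeout,libnetfilter-cttimeout"`, would make a disabled option actually drop the dependency. The hunk also adds `inherit systemd` without a visible `SYSTEMD_SERVICE:${PN}` or installed unit file; if the recipe does not provide them elsewhere, the inherit likely needs both.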

--
2.35.1


[meta-networking][PATCH 1/3] conntrack-tools: Upgrade 1.4.6 -> 1.4.7

Alex Kiernan
 

Signed-off-by: Alex Kiernan <alex.kiernan@...>
---
.../{conntrack-tools_1.4.6.bb => conntrack-tools_1.4.7.bb} | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
rename meta-networking/recipes-filter/conntrack-tools/{conntrack-tools_1.4.6.bb => conntrack-tools_1.4.7.bb} (90%)

diff --git a/meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.6.bb b/meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.7.bb
similarity index 90%
rename from meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.6.bb
rename to meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.7.bb
index 8f57e823b88e..7d8ce9f80aa7 100644
--- a/meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.6.bb
+++ b/meta-networking/recipes-filter/conntrack-tools/conntrack-tools_1.4.7.bb
@@ -8,12 +8,11 @@ DEPENDS = "libnfnetlink libnetfilter-conntrack libnetfilter-cttimeout \

EXTRA_OECONF += "LIBS=-ltirpc CPPFLAGS=-I${STAGING_INCDIR}/tirpc"

-SRC_URI = "http://www.netfilter.org/projects/conntrack-tools/files/conntrack-tools-${PV}.tar.bz2;name=tar \
+SRC_URI = "http://www.netfilter.org/projects/conntrack-tools/files/conntrack-tools-${PV}.tar.bz2 \
file://conntrack-failover \
file://init \
"
-SRC_URI[tar.md5sum] = "a9dc7567921213007def78ad72313109"
-SRC_URI[tar.sha256sum] = "590859cc848245dbfd9c6487761dd303b3a1771e007f4f42213063ca56205d5f"
+SRC_URI[sha256sum] = "099debcf57e81690ced57f516b493588a73518f48c14d656f823b29b4fc24b5d"

inherit autotools update-rc.d pkgconfig

--
2.35.1