author | Nicolas Graves <ngraves@ngraves.fr> | 2024-10-27 00:47:24 +0200 |
---|---|---|
committer | Maxim Cournoyer <maxim.cournoyer@gmail.com> | 2024-11-12 17:41:38 +0900 |
commit | 09bbdc3eadeeec4ffd8ff24a6fb2a07471d2f361 (patch) | |
tree | 09faa33adf1f525bf985adfef0a2a8b2477d0c6e | |
parent | 168001df9639b9b2ebb4a36882b923f3fe627a26 (diff) |
gnu: postgresql-15: Update to 16.4. [security fixes]
This fixes CVE-2024-7348.
* /gnu/packages/databases.scm
(postgresql-15): Move from here...
(postgresql-16): ... to here.
[version]: Update to 16.4.
[source]: Adapt source and add patch.
[native-inputs]: Add pkg-config.
[inputs]: Add icu4c.
* gnu/packages/patches/postgresql-disable-normalize_exec_path.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
Signed-off-by: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Change-Id: I57771ebcf462bdeca73eda157274db089816fd12
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/databases.scm | 34 | ||||
-rw-r--r-- | gnu/packages/patches/postgresql-disable-normalize_exec_path.patch | 22 |
3 files changed, 51 insertions, 6 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 7e31095070..1792ed8c78 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1988,6 +1988,7 @@ dist_patch_DATA = \ %D%/packages/patches/portaudio-audacity-compat.patch \ %D%/packages/patches/portmidi-modular-build.patch \ %D%/packages/patches/postgresql-disable-resolve_symlinks.patch \ + %D%/packages/patches/postgresql-disable-normalize_exec_path.patch \ %D%/packages/patches/procmail-ambiguous-getline-debian.patch \ %D%/packages/patches/procmail-CVE-2014-3618.patch \ %D%/packages/patches/procmail-CVE-2017-16844.patch \ diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm index 17b7a97f87..96eb4b99b5 100644 --- a/gnu/packages/databases.scm +++ b/gnu/packages/databases.scm @@ -1289,18 +1289,19 @@ and high-availability (HA).") (license license:gpl2))) ;'COPYING' says "version 2" only ;; Don't forget to update the other postgresql packages when upgrading this one. -(define-public postgresql-15 +(define-public postgresql-16 (package (name "postgresql") - (version "15.7") + (version "16.4") (source (origin (method url-fetch) (uri (string-append "https://ftp.postgresql.org/pub/source/v" version "/postgresql-" version ".tar.bz2")) (sha256 (base32 - "1xwq1592k1r64ki9bmkcyw39416kymabdfxbkpiqaqxbhnaf8vx4")) - (patches (search-patches "postgresql-disable-resolve_symlinks.patch")))) + "0vvd73rzj0sl294v15bh8yslakqv412bxqzlkqxyjwxa8pb6c5wp")) + (patches (search-patches + "postgresql-disable-normalize_exec_path.patch")))) (build-system gnu-build-system) (arguments (list 
@@ -1338,8 +1339,10 @@ and high-availability (HA).") (invoke "make" "postgres.info") (install-file "postgres.info" (string-append #$output "/share/info")))))))) - (native-inputs (list docbook-xml-4.5 docbook2x libxml2 perl texinfo)) - (inputs (list readline `(,util-linux "lib") openssl zlib)) + (native-inputs + (list docbook-xml-4.5 docbook2x libxml2 perl pkg-config texinfo)) + (inputs + (list icu4c readline `(,util-linux "lib") openssl zlib)) (home-page "https://www.postgresql.org/") (synopsis "Powerful object-relational database system") (description @@ -1351,6 +1354,25 @@ TIMESTAMP. It also supports storage of binary large objects, including pictures, sounds, or video.") (license (license:x11-style "file://COPYRIGHT")))) +(define-public postgresql-15 + (package + (inherit postgresql-16) + (name "postgresql") + (version "15.8") + (source (origin + (inherit (package-source postgresql-16)) + (uri (string-append "https://ftp.postgresql.org/pub/source/v" + version "/postgresql-" version ".tar.bz2")) + (sha256 + (base32 + "0snbxmlygf7m4cxjpscmz3yjn4lnqsw313y9xgpv7vk9k9gm20s4")) + (patches (search-patches + "postgresql-disable-resolve_symlinks.patch")))) + (native-inputs (modify-inputs (package-native-inputs postgresql-16) + (delete "pkg-config"))) + (inputs (modify-inputs (package-inputs postgresql-16) + (delete "icu4c"))))) + (define-public postgresql-14 (package (inherit postgresql-15) diff --git a/gnu/packages/patches/postgresql-disable-normalize_exec_path.patch b/gnu/packages/patches/postgresql-disable-normalize_exec_path.patch new file mode 100644 index 0000000000..0397bd5a35 --- /dev/null +++ b/gnu/packages/patches/postgresql-disable-normalize_exec_path.patch 
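Review bot: The new `postgresql-15` block moves 15.7 to 15.8 alongside the 16.4 update, but `postgresql-14`, which inherits from it just below, is not touched by any hunk in this commit, so this page alone does not show whether the older series also carry the CVE-2024-7348 fix named in the commit message. The comment above `postgresql-16` already asks for the other postgresql packages to be updated together, so please verify their versions or record the follow-up. Separately, the restated `(uri ...)` next to `(inherit (package-source postgresql-16))` reads as redundant without explanation and would benefit from a comment such as `;; Restate the URI so it is built from this package's version, not the inherited one.` The `(name "postgresql")` field is already inherited and could be dropped.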
@@ -0,0 +1,22 @@
+diff --git a/src/common/exec.c b/src/common/exec.c
+index f209b93..ed42202 100644
+--- a/src/common/exec.c
++++ b/src/common/exec.c
+@@ -238,6 +238,14 @@ find_my_exec(const char *argv0, char *retpath)
+ static int
+ normalize_exec_path(char *path)
+ {
++ /*
++ * Guix specific patch: postgresql extensions need to be located in the
++ * same directory as postgresql.
++ * In Guix we currently use directory-unions to create extended postgresql
++ * packages. Directory unions use symlinks, that's why we need to be able
++ * to use symlinks.
++ */
++ return 0;
+ /*
+ * We used to do a lot of work ourselves here, but now we just let
+ * realpath(3) do all the heavy lifting.
+--
+2.46.0
+ |
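Review bot: The unconditional `return 0;` added at the top of `normalize_exec_path` reports success without canonicalising `path`, and the new comment explains the Guix motivation but not the resulting trust assumption: anything later located relative to the executable follows whatever symlink chain it was started through. I would add a line to the comment such as `Callers get the path unresolved; this assumes the symlinks in the union are not writable by less-privileged users.` and have that assumption confirmed for the directory unions in use. The function body continues outside the hunk; presumably the original realpath(3) code now sits unreachable after the return, so a short `/* NOTREACHED below */` marker would also help readers and static-analysis triage.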