public inbox for [email protected]  
pgsql: Protect against small overread in SASLprep validation

* pgsql: Protect against small overread in SASLprep validation
@ 2026-02-06 20:20  Jacob Champion <[email protected]>

From: Jacob Champion @ 2026-02-06 20:20 UTC
  To: [email protected]

Protect against small overread in SASLprep validation

(This is a cherry-pick of 390b3cbbb, which I hadn't realized wasn't
backpatched. It was originally reported to security@ and determined not
to be a vulnerability; thanks to Stanislav Osipov for noticing the
omission in the back branches.)

In case of torn UTF8 in the input data we might end up going
past the end of the string since we don't account for length.
While validation won't be performed on a sequence with a NULL
byte it's better to avoid going past the end to begin with.
Fix by taking the length into consideration.

Reported-by: Stanislav Osipov <[email protected]>
Reviewed-by: Daniel Gustafsson <[email protected]>
Discussion: https://postgr.es/m/CAOYmi+mTnmM172g=_+Yvc47hzzeAsYPy2C4UBY3HK9p-AXNV0g@mail.gmail.com
Backpatch-through: 14

Branch
------
REL_14_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/3bb339fa2c9f2bf09805170fe0867d83b562a324

Modified Files
--------------
src/common/saslprep.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)




* pgsql: Protect against small overread in SASLprep validation
@ 2026-02-06 20:20  Jacob Champion <[email protected]>

From: Jacob Champion @ 2026-02-06 20:20 UTC
  To: [email protected]

Protect against small overread in SASLprep validation

(This is a cherry-pick of 390b3cbbb, which I hadn't realized wasn't
backpatched. It was originally reported to security@ and determined not
to be a vulnerability; thanks to Stanislav Osipov for noticing the
omission in the back branches.)

In case of torn UTF8 in the input data we might end up going
past the end of the string since we don't account for length.
While validation won't be performed on a sequence with a NULL
byte it's better to avoid going past the end to begin with.
Fix by taking the length into consideration.

Reported-by: Stanislav Osipov <[email protected]>
Reviewed-by: Daniel Gustafsson <[email protected]>
Discussion: https://postgr.es/m/CAOYmi+mTnmM172g=_+Yvc47hzzeAsYPy2C4UBY3HK9p-AXNV0g@mail.gmail.com
Backpatch-through: 14

Branch
------
REL_16_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/46aaec4c0e6d90e9f074982feb43efd4b3c42a78

Modified Files
--------------
src/common/saslprep.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)




* pgsql: Protect against small overread in SASLprep validation
@ 2026-02-06 20:20  Jacob Champion <[email protected]>

From: Jacob Champion @ 2026-02-06 20:20 UTC
  To: [email protected]

Protect against small overread in SASLprep validation

(This is a cherry-pick of 390b3cbbb, which I hadn't realized wasn't
backpatched. It was originally reported to security@ and determined not
to be a vulnerability; thanks to Stanislav Osipov for noticing the
omission in the back branches.)

In case of torn UTF8 in the input data we might end up going
past the end of the string since we don't account for length.
While validation won't be performed on a sequence with a NULL
byte it's better to avoid going past the end to begin with.
Fix by taking the length into consideration.

Reported-by: Stanislav Osipov <[email protected]>
Reviewed-by: Daniel Gustafsson <[email protected]>
Discussion: https://postgr.es/m/CAOYmi+mTnmM172g=_+Yvc47hzzeAsYPy2C4UBY3HK9p-AXNV0g@mail.gmail.com
Backpatch-through: 14

Branch
------
REL_17_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/5d61bdd11448bd8e61ed12df07ae8b5064772a48

Modified Files
--------------
src/common/saslprep.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)




* pgsql: Protect against small overread in SASLprep validation
@ 2026-02-06 20:20  Jacob Champion <[email protected]>

From: Jacob Champion @ 2026-02-06 20:20 UTC
  To: [email protected]

Protect against small overread in SASLprep validation

(This is a cherry-pick of 390b3cbbb, which I hadn't realized wasn't
backpatched. It was originally reported to security@ and determined not
to be a vulnerability; thanks to Stanislav Osipov for noticing the
omission in the back branches.)

In case of torn UTF8 in the input data we might end up going
past the end of the string since we don't account for length.
While validation won't be performed on a sequence with a NULL
byte it's better to avoid going past the end to begin with.
Fix by taking the length into consideration.

Reported-by: Stanislav Osipov <[email protected]>
Reviewed-by: Daniel Gustafsson <[email protected]>
Discussion: https://postgr.es/m/CAOYmi+mTnmM172g=_+Yvc47hzzeAsYPy2C4UBY3HK9p-AXNV0g@mail.gmail.com
Backpatch-through: 14

Branch
------
REL_15_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/ff1d5810e907525b396c67ad900114dd4ef83dc2

Modified Files
--------------
src/common/saslprep.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
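
The failure mode the commit messages above describe (a torn UTF-8 sequence whose lead byte promises more bytes than the string holds), as an added example that is not PostgreSQL's saslprep.c code. The function names and the sample string are constructed for illustration, and the check is structural only: it does not reject overlong encodings or surrogates.

```c
/* Added illustration; function names are hypothetical, not from saslprep.c. */
#include <stdio.h>
#include <string.h>

/* Sequence length implied by a UTF-8 lead byte (1 for ASCII or an invalid lead). */
static size_t utf8_seq_len(unsigned char lead)
{
    if ((lead & 0xE0) == 0xC0) return 2;
    if ((lead & 0xF0) == 0xE0) return 3;
    if ((lead & 0xF8) == 0xF0) return 4;
    return 1;
}

/* Offset a walk that trusts the lead byte ("p += seq_len" until *p == 0) reaches.
 * A result > len means its next read is past the NUL. Pure arithmetic, no overread. */
static size_t naive_walk_end(const char *s, size_t len)
{
    size_t off = 0;
    while (off < len)
        off += utf8_seq_len((unsigned char) s[off]);
    return off;
}

/* Length-aware walk: character count, or -1 on torn or malformed input. */
static int count_chars_checked(const char *s, size_t len)
{
    size_t off = 0;
    int n = 0;
    while (off < len) {
        unsigned char lead = (unsigned char) s[off];
        size_t l = utf8_seq_len(lead);
        if (l > len - off)
            return -1;          /* torn: sequence claims more bytes than remain */
        if (l == 1 && lead >= 0x80)
            return -1;          /* stray continuation or invalid lead byte */
        for (size_t i = 1; i < l; i++)
            if (((unsigned char) s[off + i] & 0xC0) != 0x80)
                return -1;      /* not a continuation byte */
        off += l;
        n++;
    }
    return n;
}

int main(void)
{
    const char torn[] = "pw\xE2\x82";   /* constructed: 3-byte sequence cut to 2 bytes */
    printf("naive_end=%zu checked=%d\n", naive_walk_end(torn, strlen(torn)), count_chars_checked(torn, strlen(torn)));
    return 0;
}
```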


