From: Michael Paquier <[email protected]>
To: [email protected]
Subject: pgsql: pgcrypto: Fix buffer overflow in pgp_pub_decrypt_bytea()
Date: Sun, 08 Feb 2026 23:01:57 +0000
Message-ID: <[email protected]>

pgcrypto: Fix buffer overflow in pgp_pub_decrypt_bytea()

pgp_pub_decrypt_bytea() was missing a safeguard for the session key
length read from the message data, that can be given in input of
pgp_pub_decrypt_bytea(). This can result in the possibility of a buffer
overflow for the session key data, when the length specified is longer
than PGP_MAX_KEY, which is the maximum size of the buffer where the
session data is copied to.

A script able to rebuild the message and key data that can trigger the
overflow is included in this commit, based on some contents provided by
the reporter, heavily edited by me. A SQL test is added, based on the
data generated by the script.

Reported-by: Team Xint Code as part of zeroday.cloud
Author: Michael Paquier <[email protected]>
Reviewed-by: Noah Misch <[email protected]>
Security: CVE-2026-2005
Backpatch-through: 14

Branch
------
REL_16_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/527b730f41b2f2fbcda92cfd1dbbc50c14c9a46f

Modified Files
--------------
contrib/pgcrypto/Makefile                        |   3 +-
contrib/pgcrypto/expected/pgp-pubkey-session.out |  47 +++
contrib/pgcrypto/meson.build                     |   1 +
contrib/pgcrypto/pgp-pubdec.c                    |  11 +-
contrib/pgcrypto/px.c                            |   1 +
contrib/pgcrypto/px.h                            |   2 +-
contrib/pgcrypto/scripts/pgp_session_data.py     | 491 +++++++++++++++++++++++
contrib/pgcrypto/sql/pgp-pubkey-session.sql      |  46 +++
8 files changed, 599 insertions(+), 3 deletions(-)
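
The commit message above describes a length derived from message data being used to copy a session key into a fixed-size buffer. As an added illustration (not pgcrypto's code and not part of the commit), the C function below parses a decrypted session-key payload in the RFC 4880 section 5.1 layout and rejects a key longer than the destination buffer before copying. `EXAMPLE_MAX_KEY`, `example_session` and `example_parse_session_key` are hypothetical names, and the 32-byte limit is an assumed value standing in for PGP_MAX_KEY.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the fixed session-key buffer size
 * (PGP_MAX_KEY on the page); 32 is an assumed value. */
#define EXAMPLE_MAX_KEY 32

struct example_session {
    uint8_t cipher_algo;
    size_t  key_len;
    uint8_t key[EXAMPLE_MAX_KEY];
};

/*
 * Parse a decrypted session-key payload laid out as in RFC 4880 section 5.1:
 *   1 octet algorithm id | session key | 2 octet checksum
 * where the checksum is the sum of the key octets modulo 65536.
 * Returns 0 on success, -1 on malformed or oversized input.
 */
int example_parse_session_key(const uint8_t *msg, size_t msglen,
                              struct example_session *out)
{
    size_t   key_len, i;
    unsigned sum = 0, want;

    /* Need the algorithm octet, at least one key octet and the checksum. */
    if (msg == NULL || out == NULL || msglen < 4)
        return -1;

    key_len = msglen - 3;

    /* The length comes from untrusted message data: bound it against
     * the destination buffer before any copy takes place. */
    if (key_len > sizeof(out->key))
        return -1;

    /* Verify the trailing big-endian checksum over the key octets. */
    for (i = 0; i < key_len; i++)
        sum += msg[1 + i];
    want = ((unsigned) msg[1 + key_len] << 8) | msg[2 + key_len];
    if ((sum & 0xFFFF) != want)
        return -1;

    out->cipher_algo = msg[0];
    out->key_len = key_len;
    memcpy(out->key, msg + 1, key_len);
    return 0;
}
```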