pgsql: pgcrypto: Fix buffer overflow in pgp_pub_decrypt_bytea()

* pgsql: pgcrypto: Fix buffer overflow in pgp_pub_decrypt_bytea()
From: Michael Paquier @ 2026-02-08 23:01 UTC
To: [email protected]

pgcrypto: Fix buffer overflow in pgp_pub_decrypt_bytea()

pgp_pub_decrypt_bytea() was missing a safeguard for the session key
length read from the message data, that can be given in input of
pgp_pub_decrypt_bytea().  This can result in the possibility of a buffer
overflow for the session key data, when the length specified is longer
than PGP_MAX_KEY, which is the maximum size of the buffer where the
session data is copied to.

A script able to rebuild the message and key data that can trigger the
overflow is included in this commit, based on some contents provided by
the reporter, heavily edited by me.  A SQL test is added, based on the
data generated by the script.

Reported-by: Team Xint Code as part of zeroday.cloud
Author: Michael Paquier <[email protected]>
Reviewed-by: Noah Misch <[email protected]>
Security: CVE-2026-2005
Backpatch-through: 14

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/379695d3cc70d040b547d912ce4842090d917ece

Modified Files
--------------
contrib/pgcrypto/Makefile                        |   3 +-
contrib/pgcrypto/expected/pgp-pubkey-session.out |  47 +++
contrib/pgcrypto/meson.build                     |   1 +
contrib/pgcrypto/pgp-pubdec.c                    |  11 +-
contrib/pgcrypto/px.c                            |   1 +
contrib/pgcrypto/px.h                            |   2 +-
contrib/pgcrypto/scripts/pgp_session_data.py     | 491 +++++++++++++++++++++++
contrib/pgcrypto/sql/pgp-pubkey-session.sql      |  46 +++
8 files changed, 599 insertions(+), 3 deletions(-)

* pgsql: pgcrypto: Fix buffer overflow in pgp_pub_decrypt_bytea()
From: Michael Paquier @ 2026-02-08 23:01 UTC
To: [email protected]

pgcrypto: Fix buffer overflow in pgp_pub_decrypt_bytea()

pgp_pub_decrypt_bytea() was missing a safeguard for the session key
length read from the message data, that can be given in input of
pgp_pub_decrypt_bytea().  This can result in the possibility of a buffer
overflow for the session key data, when the length specified is longer
than PGP_MAX_KEY, which is the maximum size of the buffer where the
session data is copied to.

A script able to rebuild the message and key data that can trigger the
overflow is included in this commit, based on some contents provided by
the reporter, heavily edited by me.  A SQL test is added, based on the
data generated by the script.

Reported-by: Team Xint Code as part of zeroday.cloud
Author: Michael Paquier <[email protected]>
Reviewed-by: Noah Misch <[email protected]>
Security: CVE-2026-2005
Backpatch-through: 14

Branch
------
REL_18_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/209f387b81660e478eea147db9130af1d1c861f2

Modified Files
--------------
contrib/pgcrypto/Makefile                        |   3 +-
contrib/pgcrypto/expected/pgp-pubkey-session.out |  47 +++
contrib/pgcrypto/meson.build                     |   1 +
contrib/pgcrypto/pgp-pubdec.c                    |  11 +-
contrib/pgcrypto/px.c                            |   1 +
contrib/pgcrypto/px.h                            |   2 +-
contrib/pgcrypto/scripts/pgp_session_data.py     | 491 +++++++++++++++++++++++
contrib/pgcrypto/sql/pgp-pubkey-session.sql      |  46 +++
8 files changed, 599 insertions(+), 3 deletions(-)

* pgsql: pgcrypto: Fix buffer overflow in pgp_pub_decrypt_bytea()
From: Michael Paquier @ 2026-02-08 23:01 UTC
To: [email protected]

pgcrypto: Fix buffer overflow in pgp_pub_decrypt_bytea()

pgp_pub_decrypt_bytea() was missing a safeguard for the session key
length read from the message data, that can be given in input of
pgp_pub_decrypt_bytea().  This can result in the possibility of a buffer
overflow for the session key data, when the length specified is longer
than PGP_MAX_KEY, which is the maximum size of the buffer where the
session data is copied to.

A script able to rebuild the message and key data that can trigger the
overflow is included in this commit, based on some contents provided by
the reporter, heavily edited by me.  A SQL test is added, based on the
data generated by the script.

Reported-by: Team Xint Code as part of zeroday.cloud
Author: Michael Paquier <[email protected]>
Reviewed-by: Noah Misch <[email protected]>
Security: CVE-2026-2005
Backpatch-through: 14

Branch
------
REL_17_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/7a7d9693c72e680af86298f01d850f95fef0988e

Modified Files
--------------
contrib/pgcrypto/Makefile                        |   2 +-
contrib/pgcrypto/expected/pgp-pubkey-session.out |  47 +++
contrib/pgcrypto/meson.build                     |   1 +
contrib/pgcrypto/pgp-pubdec.c                    |  11 +-
contrib/pgcrypto/px.c                            |   1 +
contrib/pgcrypto/px.h                            |   2 +-
contrib/pgcrypto/scripts/pgp_session_data.py     | 491 +++++++++++++++++++++++
contrib/pgcrypto/sql/pgp-pubkey-session.sql      |  46 +++
8 files changed, 598 insertions(+), 3 deletions(-)

* pgsql: pgcrypto: Fix buffer overflow in pgp_pub_decrypt_bytea()
From: Michael Paquier @ 2026-02-08 23:01 UTC
To: [email protected]

pgcrypto: Fix buffer overflow in pgp_pub_decrypt_bytea()

pgp_pub_decrypt_bytea() was missing a safeguard for the session key
length read from the message data, that can be given in input of
pgp_pub_decrypt_bytea().  This can result in the possibility of a buffer
overflow for the session key data, when the length specified is longer
than PGP_MAX_KEY, which is the maximum size of the buffer where the
session data is copied to.

A script able to rebuild the message and key data that can trigger the
overflow is included in this commit, based on some contents provided by
the reporter, heavily edited by me.  A SQL test is added, based on the
data generated by the script.

Reported-by: Team Xint Code as part of zeroday.cloud
Author: Michael Paquier <[email protected]>
Reviewed-by: Noah Misch <[email protected]>
Security: CVE-2026-2005
Backpatch-through: 14

Branch
------
REL_16_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/527b730f41b2f2fbcda92cfd1dbbc50c14c9a46f

Modified Files
--------------
contrib/pgcrypto/Makefile                        |   3 +-
contrib/pgcrypto/expected/pgp-pubkey-session.out |  47 +++
contrib/pgcrypto/meson.build                     |   1 +
contrib/pgcrypto/pgp-pubdec.c                    |  11 +-
contrib/pgcrypto/px.c                            |   1 +
contrib/pgcrypto/px.h                            |   2 +-
contrib/pgcrypto/scripts/pgp_session_data.py     | 491 +++++++++++++++++++++++
contrib/pgcrypto/sql/pgp-pubkey-session.sql      |  46 +++
8 files changed, 599 insertions(+), 3 deletions(-)

* pgsql: pgcrypto: Fix buffer overflow in pgp_pub_decrypt_bytea()
From: Michael Paquier @ 2026-02-08 23:01 UTC
To: [email protected]

pgcrypto: Fix buffer overflow in pgp_pub_decrypt_bytea()

pgp_pub_decrypt_bytea() was missing a safeguard for the session key
length read from the message data, that can be given in input of
pgp_pub_decrypt_bytea().  This can result in the possibility of a buffer
overflow for the session key data, when the length specified is longer
than PGP_MAX_KEY, which is the maximum size of the buffer where the
session data is copied to.

A script able to rebuild the message and key data that can trigger the
overflow is included in this commit, based on some contents provided by
the reporter, heavily edited by me.  A SQL test is added, based on the
data generated by the script.

Reported-by: Team Xint Code as part of zeroday.cloud
Author: Michael Paquier <[email protected]>
Reviewed-by: Noah Misch <[email protected]>
Security: CVE-2026-2005
Backpatch-through: 14

Branch
------
REL_14_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/01de2e32df7b5b46720f64068a2674c3bd28ae3f

Modified Files
--------------
contrib/pgcrypto/Makefile                        |   3 +-
contrib/pgcrypto/expected/pgp-pubkey-session.out |  47 +++
contrib/pgcrypto/pgp-pubdec.c                    |  11 +-
contrib/pgcrypto/px.c                            |   1 +
contrib/pgcrypto/px.h                            |   2 +-
contrib/pgcrypto/scripts/pgp_session_data.py     | 491 +++++++++++++++++++++++
contrib/pgcrypto/sql/pgp-pubkey-session.sql      |  46 +++
7 files changed, 598 insertions(+), 3 deletions(-)

* pgsql: pgcrypto: Fix buffer overflow in pgp_pub_decrypt_bytea()
From: Michael Paquier @ 2026-02-08 23:01 UTC
To: [email protected]

pgcrypto: Fix buffer overflow in pgp_pub_decrypt_bytea()

pgp_pub_decrypt_bytea() was missing a safeguard for the session key
length read from the message data, that can be given in input of
pgp_pub_decrypt_bytea().  This can result in the possibility of a buffer
overflow for the session key data, when the length specified is longer
than PGP_MAX_KEY, which is the maximum size of the buffer where the
session data is copied to.

A script able to rebuild the message and key data that can trigger the
overflow is included in this commit, based on some contents provided by
the reporter, heavily edited by me.  A SQL test is added, based on the
data generated by the script.

Reported-by: Team Xint Code as part of zeroday.cloud
Author: Michael Paquier <[email protected]>
Reviewed-by: Noah Misch <[email protected]>
Security: CVE-2026-2005
Backpatch-through: 14

Branch
------
REL_15_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/9a9982ec6d40cf13e223ed83de1e5729b6e15720

Modified Files
--------------
contrib/pgcrypto/Makefile                        |   3 +-
contrib/pgcrypto/expected/pgp-pubkey-session.out |  47 +++
contrib/pgcrypto/pgp-pubdec.c                    |  11 +-
contrib/pgcrypto/px.c                            |   1 +
contrib/pgcrypto/px.h                            |   2 +-
contrib/pgcrypto/scripts/pgp_session_data.py     | 491 +++++++++++++++++++++++
contrib/pgcrypto/sql/pgp-pubkey-session.sql      |  46 +++
7 files changed, 598 insertions(+), 3 deletions(-)
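
The safeguard these commit messages describe, as an added example that is not code from the commits or from pgcrypto: a C parser for a decrypted OpenPGP session-key payload (RFC 4880, section 5.1) that rejects a key longer than PGP_MAX_KEY before copying it into the fixed-size buffer. The struct, function names, error codes and the value 32 used for PGP_MAX_KEY are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PGP_MAX_KEY 32      /* buffer capacity; value assumed for this example */
enum { SK_OK = 0, SK_MALFORMED = -1, SK_TOO_BIG = -2, SK_BAD_CSUM = -3 };

struct sess_ctx {           /* hypothetical context, not pgcrypto's struct */
    uint8_t cipher_algo;
    size_t  sess_key_len;
    uint8_t sess_key[PGP_MAX_KEY];
};

/* Payload layout: algo (1 byte) | key (n bytes) | checksum (2 bytes, big-endian).
 * n is implied by the message length, which comes from untrusted input. */
int parse_sesskey(struct sess_ctx *ctx, const uint8_t *msg, size_t msglen)
{
    size_t keylen, i;
    unsigned sum = 0;

    if (msglen < 4)                     /* need algo, >= 1 key byte, checksum */
        return SK_MALFORMED;
    keylen = msglen - 3;
    if (keylen > PGP_MAX_KEY)           /* the safeguard: check before any copy */
        return SK_TOO_BIG;
    for (i = 0; i < keylen; i++)
        sum += msg[1 + i];              /* checksum = sum of key bytes mod 65536 */
    if (msg[1 + keylen] != ((sum >> 8) & 0xff) || msg[2 + keylen] != (sum & 0xff))
        return SK_BAD_CSUM;
    ctx->cipher_algo = msg[0];
    ctx->sess_key_len = keylen;
    memcpy(ctx->sess_key, msg + 1, keylen);   /* keylen <= sizeof sess_key here */
    return SK_OK;
}

/* Constructed input: a payload with keylen key bytes and a valid checksum. */
int demo_parse(size_t keylen)
{
    uint8_t msg[3 + 64];
    struct sess_ctx ctx = {0};
    unsigned sum = 0;
    size_t i;

    if (keylen > 64)
        return SK_MALFORMED;
    msg[0] = 9;                         /* AES-256 algorithm id in OpenPGP */
    for (i = 0; i < keylen; i++) {
        msg[1 + i] = (uint8_t) (i + 1);
        sum += msg[1 + i];
    }
    msg[1 + keylen] = (uint8_t) (sum >> 8);
    msg[2 + keylen] = (uint8_t) (sum & 0xff);
    return parse_sesskey(&ctx, msg, keylen + 3);
}

int main(void) { return (demo_parse(32) == SK_OK && demo_parse(33) == SK_TOO_BIG) ? 0 : 1; }
```

Without the `keylen > PGP_MAX_KEY` test, the 33-byte case would reach `memcpy` with a length larger than `sess_key`, which is the overflow condition the commit message names.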