public inbox for [email protected]
help / color / mirror / Atom feedFrom: Noah Misch <[email protected]>
To: [email protected]
Subject: pgsql: Apply timingsafe_bcmp() in authentication paths
Date: Mon, 11 May 2026 12:19:39 +0000
Message-ID: <[email protected]> (raw)
Apply timingsafe_bcmp() in authentication paths
This commit applies timingsafe_bcmp() to authentication paths that
handle attributes or data previously compared with memcpy() or strcmp(),
which are sensitive to timing attacks.
The following data is concerned by this change, some being in the
backend and some in the frontend:
- For a SCRAM or MD5 password, the computed key or the MD5 hash compared
with a password during a plain authentication.
- For a SCRAM exchange, the stored key, the client's final nonce and the
server nonce.
- RADIUS (up to v18), the encrypted password.
- For MD5 authentication, the MD5(MD5()) hash.
Reported-by: Joe Conway <[email protected]>
Security: CVE-2026-6478
Author: Michael Paquier <[email protected]>
Reviewed-by: John Naylor <[email protected]>
Backpatch-through: 14
Branch
------
REL_16_STABLE
Details
-------
https://git.postgresql.org/pg/commitdiff/00e27235e5ef6596acc94ec60eb17f74810bf817
Author: Michael Paquier <[email protected]>
Modified Files
--------------
src/backend/libpq/auth-scram.c | 8 ++++----
src/backend/libpq/auth.c | 2 +-
src/backend/libpq/crypt.c | 6 ++++--
src/interfaces/libpq/fe-auth-scram.c | 6 +++---
4 files changed, 12 insertions(+), 10 deletions(-)
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected]
Subject: Re: pgsql: Apply timingsafe_bcmp() in authentication paths
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox