pgsql: Fix buffer overflow when parsing SCRAM verifiers in backend
From | Michael Paquier |
---|---|
Subject | pgsql: Fix buffer overflow when parsing SCRAM verifiers in backend |
Date | |
Msg-id | E1hcr4d-0005JS-7N@gemulon.postgresql.org |
List | pgsql-committers |
Fix buffer overflow when parsing SCRAM verifiers in backend

Any authenticated user can overflow a stack-based buffer by changing the user's own password to a purpose-crafted value. This often suffices to execute arbitrary code as the PostgreSQL operating system account.

This fix is contributed by multiple folks, based on an initial analysis from Tom Lane. This issue has been introduced by 68e61ee, so it was possible to make use of it at authentication time. It became easier to trigger after ccae190, which has made the SCRAM parsing more strict when changing a password, in the case where the client passes down a verifier already hashed using SCRAM. Back-patch to v10 where SCRAM has been introduced.

Reported-by: Alexander Lakhin
Author: Jonathan Katz, Heikki Linnakangas, Michael Paquier
Security: CVE-2019-10164
Backpatch-through: 10

Branch
------
REL_11_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/4c779ce324a15ffa0171160c52579130f25fcd3f

Modified Files
--------------
src/backend/libpq/auth-scram.c         | 35 ++++++++++++++++++++++++++--------
src/test/regress/expected/password.out | 23 ++++++++++++++++++++++
src/test/regress/sql/password.sql      | 18 +++++++++++++++++
3 files changed, 68 insertions(+), 8 deletions(-)
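As an added illustration of the defensive pattern for this class of bug (not the PostgreSQL code from this commit): a minimal C parser for the SCRAM verifier string form `SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>` that decodes each key through a capacity-checked base64 decoder and accepts it only if it is exactly 32 bytes. The names `parse_verifier`, `b64_decode`, `KEY_LEN` and `K32` are hypothetical, the sample key is constructed, and the iterations and salt fields are skipped rather than validated.

```c
#include <stdint.h>
#include <string.h>

#define KEY_LEN 32 /* SHA-256 digest size: StoredKey and ServerKey */
/* Constructed sample: base64 of 32 zero bytes (43 'A' plus padding). */
#define K32 "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAA="

/* Decode base64 into dst, storing at most cap bytes. Returns the decoded
 * length, or -1 on a bad character or when the output would exceed cap. */
static int b64_decode(const char *src, size_t n, uint8_t *dst, size_t cap)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    uint32_t acc = 0;
    size_t out = 0, i;
    int bits = 0;

    for (i = 0; i < n && src[i] != '='; i++) {
        const char *p = src[i] ? strchr(tbl, src[i]) : NULL;
        if (p == NULL)
            return -1;
        acc = (acc << 6) | (uint32_t)(p - tbl);
        if ((bits += 6) >= 8) {
            if (out >= cap)
                return -1; /* bound checked before every store */
            bits -= 8;
            dst[out++] = (uint8_t)(acc >> bits);
        }
    }
    for (; i < n; i++) /* only '=' padding may follow the data */
        if (src[i] != '=')
            return -1;
    return (int)out;
}

/* Parse "SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>".
 * Returns 1 only if both keys decode to exactly KEY_LEN bytes, else 0. */
int parse_verifier(const char *v, uint8_t stored[KEY_LEN], uint8_t server[KEY_LEN])
{
    static const char prefix[] = "SCRAM-SHA-256$";
    const char *keys, *colon;

    if (strncmp(v, prefix, sizeof prefix - 1) != 0)
        return 0;
    keys = strchr(v + sizeof prefix - 1, '$'); /* skip iterations:salt */
    if (keys == NULL || (colon = strchr(++keys, ':')) == NULL)
        return 0;
    return b64_decode(keys, (size_t)(colon - keys), stored, KEY_LEN) == KEY_LEN &&
           b64_decode(colon + 1, strlen(colon + 1), server, KEY_LEN) == KEY_LEN;
}
```

On a return of 0 the output buffers may be partially written and must be ignored by the caller.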