Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitd95ebe0

Browse files
committed
Fix buffer overrun after incomplete read in pullf_read_max().
Most callers pass a stack buffer. The ensuing stack smash can crash theserver, and we have not ruled out the viability of attacks that lead toprivilege escalation. Back-patch to 9.0 (all supported versions).Marko TiikkajaSecurity:CVE-2015-0243
1 parentc6c6aa2 commitd95ebe0

File tree

4 files changed

+54
-1
lines changed

4 files changed

+54
-1
lines changed

‎contrib/pgcrypto/expected/pgp-info.out‎

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -74,5 +74,6 @@ from encdata order by id;
7474
2C226E1FFE5CC7D4
7575
B68504FD128E1FF9
7676
FD0206C409B74875
77-
(4 rows)
77+
FD0206C409B74875
78+
(5 rows)
7879

‎contrib/pgcrypto/expected/pgp-pubkey-decrypt.out‎

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -564,6 +564,27 @@ GQ==
564564
=XHkF
565565
-----END PGP MESSAGE-----
566566
');
567+
-- rsaenc2048 / aes128 (not from gnupg)
568+
insert into encdata (id, data) values (5, '
569+
-----BEGIN PGP MESSAGE-----
570+
571+
wcBMA/0CBsQJt0h1AQgAzxZ8j+OTeZ8IlLxfZ/mVd28/gUsCY+xigWBk/anZlK3T
572+
p2tNU2idHzKdAttH2Hu/PWbZp4kwjl9spezYxMqCeBZqtfGED88Y+rqK0n/ul30A
573+
7jjFHaw0XUOqFNlST1v6H2i7UXndnp+kcLfHPhnO5BIYWxB2CYBehItqtrn75eqr
574+
C7trGzU/cr74efcWagbCDSNjiAV7GlEptlzmgVMmNikyI6w0ojEUx8lCLc/OsFz9
575+
pJUAX8xuwjxDVv+W7xk6c96grQiQlm+FLDYGiGNXoAzx3Wi/howu3uV40dXfY+jx
576+
3WBrhEew5Pkpt1SsWoFnJWOfJ8GLd0ec8vfRCqAIVdLgAeS7NyawQYtd6wuVrEAj
577+
5SMg4Thb4d+g45RksuGLHUUr4qO9tiXglODa4InhmJfgNuLk+RGz4LXjq8wepEmW
578+
vRbgFOG54+Cf4C/gC+HkreDm5JKSKjvvw4B/jC6CDxq+JoziEe2Z1uEjCuEcr+Es
579+
/eGzeOi36BejXPMHeKxXejj5qBBHKV0pHVhZSgffR0TtlXdB967Yl/5agV0R89hI
580+
7Gw52emfnH4Z0Y4V0au2H0k1dR/2IxXdJEWSTG7Be1JHT59p9ei2gSEOrdBMIOjP
581+
tbYYUlmmbvD49bHfThkDiC+oc9947LgQsk3kOOLbNHcjkbrjH8R5kjII4m/SEZA1
582+
g09T+338SzevBcVXh/cFrQ6/Et+lyyO2LJRUMs69g/HyzJOVWT2Iu8E0eS9MWevY
583+
Qtrkrhrpkl3Y02qEp/j6M03Yu2t6ZF7dp51aJ5VhO2mmmtHaTnCyCc8Fcf72LmD8
584+
blH2nKZC9d6fi4YzSYMepZpMOFR65M80MCMiDUGnZBB8sEADu2/iVtqDUeG8mAA=
585+
=PHJ1
586+
-----END PGP MESSAGE-----
587+
');
567588
-- successful decrypt
568589
select pgp_pub_decrypt(dearmor(data), dearmor(seckey))
569590
from keytbl, encdata where keytbl.id=1 and encdata.id=1;
@@ -629,3 +650,7 @@ from keytbl, encdata where keytbl.id=5 and encdata.id=1;
629650
Secret msg
630651
(1 row)
631652

653+
-- test for a short read from prefix_init
654+
select pgp_pub_decrypt(dearmor(data), dearmor(seckey))
655+
from keytbl, encdata where keytbl.id=6 and encdata.id=5;
656+
ERROR: Wrong key or corrupt data

‎contrib/pgcrypto/mbuf.c‎

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -305,6 +305,7 @@ pullf_read_max(PullFilter *pf, int len, uint8 **data_p, uint8 *tmpbuf)
305305
break;
306306
memcpy(tmpbuf+total,tmp,res);
307307
total+=res;
308+
len-=res;
308309
}
309310
returntotal;
310311
}

‎contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql‎

Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -579,6 +579,28 @@ GQ==
579579
-----END PGP MESSAGE-----
580580
');
581581

582+
-- rsaenc2048 / aes128 (not from gnupg)
583+
insert into encdata (id, data)values (5,'
584+
-----BEGIN PGP MESSAGE-----
585+
586+
wcBMA/0CBsQJt0h1AQgAzxZ8j+OTeZ8IlLxfZ/mVd28/gUsCY+xigWBk/anZlK3T
587+
p2tNU2idHzKdAttH2Hu/PWbZp4kwjl9spezYxMqCeBZqtfGED88Y+rqK0n/ul30A
588+
7jjFHaw0XUOqFNlST1v6H2i7UXndnp+kcLfHPhnO5BIYWxB2CYBehItqtrn75eqr
589+
C7trGzU/cr74efcWagbCDSNjiAV7GlEptlzmgVMmNikyI6w0ojEUx8lCLc/OsFz9
590+
pJUAX8xuwjxDVv+W7xk6c96grQiQlm+FLDYGiGNXoAzx3Wi/howu3uV40dXfY+jx
591+
3WBrhEew5Pkpt1SsWoFnJWOfJ8GLd0ec8vfRCqAIVdLgAeS7NyawQYtd6wuVrEAj
592+
5SMg4Thb4d+g45RksuGLHUUr4qO9tiXglODa4InhmJfgNuLk+RGz4LXjq8wepEmW
593+
vRbgFOG54+Cf4C/gC+HkreDm5JKSKjvvw4B/jC6CDxq+JoziEe2Z1uEjCuEcr+Es
594+
/eGzeOi36BejXPMHeKxXejj5qBBHKV0pHVhZSgffR0TtlXdB967Yl/5agV0R89hI
595+
7Gw52emfnH4Z0Y4V0au2H0k1dR/2IxXdJEWSTG7Be1JHT59p9ei2gSEOrdBMIOjP
596+
tbYYUlmmbvD49bHfThkDiC+oc9947LgQsk3kOOLbNHcjkbrjH8R5kjII4m/SEZA1
597+
g09T+338SzevBcVXh/cFrQ6/Et+lyyO2LJRUMs69g/HyzJOVWT2Iu8E0eS9MWevY
598+
Qtrkrhrpkl3Y02qEp/j6M03Yu2t6ZF7dp51aJ5VhO2mmmtHaTnCyCc8Fcf72LmD8
599+
blH2nKZC9d6fi4YzSYMepZpMOFR65M80MCMiDUGnZBB8sEADu2/iVtqDUeG8mAA=
600+
=PHJ1
601+
-----END PGP MESSAGE-----
602+
');
603+
582604
-- successful decrypt
583605
select pgp_pub_decrypt(dearmor(data), dearmor(seckey))
584606
from keytbl, encdatawherekeytbl.id=1andencdata.id=1;
@@ -619,3 +641,7 @@ from keytbl, encdata where keytbl.id=5 and encdata.id=1;
619641
-- password-protected secret key, right password
620642
select pgp_pub_decrypt(dearmor(data), dearmor(seckey),'parool')
621643
from keytbl, encdatawherekeytbl.id=5andencdata.id=1;
644+
645+
-- test for a short read from prefix_init
646+
select pgp_pub_decrypt(dearmor(data), dearmor(seckey))
647+
from keytbl, encdatawherekeytbl.id=6andencdata.id=5;

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp