NotificationsYou must be signed in to change notification settings
Fork4.9k
Star17.7k

Commitbf8835e

committed

libpq: Bail out during SSL/GSS negotiation errors

This commit changes libpq so that errors reported by the backend duringthe protocol negotiation for SSL and GSS are discarded by the client, asthese may include bytes that could be consumed by the client and writearbitrary bytes to a client's terminal.A failure with the SSL negotiation now leads to an error immediatelyreported, without a retry on any other methods allowed, like a fallbackto a plaintext connection.A failure with GSS discards the error message received, and we allow afallback as it may be possible that the error is caused by a connectionattempt with a pre-11 server, GSS encryption having been introduced inv12. This was a problem only with v17 and newer versions; olderversions discard the error message already in this case, assuming afailure caused by a lack of support for GSS encryption.Author: Jacob ChampionReviewed-by: Peter Eisentraut, Heikki Linnakangas, Michael PaquierSecurity:CVE-2024-10977Backpatch-through: 12

1 parent5d4298e commitbf8835eCopy full SHA for bf8835e

File tree

3 files changed

+22

-35

lines changed

doc/src/sgml
- protocol.sgml
src/interfaces/libpq
- fe-connect.c
- t
  - 005_negotiate_encryption.pl

3 files changed

+22

-35

lines changed

`‎doc/src/sgml/protocol.sgml`

Lines changed: 11 additions & 10 deletions

Original file line number	Diff line number	Diff line change
`@@ -1508,10 +1508,10 @@ SELCT 1/0;<!-- this typo is intentional -->`
`1508`	`1508`
`1509`	`1509`	`<para>`
`1510`	`1510`	`The frontend should also be prepared to handle an ErrorMessage`
`1511`		`- response to SSLRequest from the server. This would only occur if`
`1512`		`- theserver predates theaddition of <acronym>SSL</acronym> support`
`1513`		`-to <productname>PostgreSQL</productname>. (Such servers are now very ancient,`
`1514`		`-and likely do not exist in the wild anymore.)`
	`1511`	`+ response to SSLRequest from the server.The frontend should not display`
	`1512`	`+this error message totheuser/application, since theserver has not been`
	`1513`	`+authenticated`
	`1514`	`+(<ulink url="https://www.postgresql.org/support/security/CVE-2024-10977/">CVE-2024-10977</ulink>).`
`1515`	`1515`	`In this case the connection must`
`1516`	`1516`	`be closed, but the frontend might choose to open a fresh connection`
`1517`	`1517`	`and proceed without requesting <acronym>SSL</acronym>.`
`@@ -1621,12 +1621,13 @@ SELCT 1/0;<!-- this typo is intentional -->`
`1621`	`1621`
`1622`	`1622`	`<para>`
`1623`	`1623`	`The frontend should also be prepared to handle an ErrorMessage`
`1624`		`- response to GSSENCRequest from the server. This would only occur if`
`1625`		`- the server predates the addition of <acronym>GSSAPI</acronym> encryption`
`1626`		`- support to <productname>PostgreSQL</productname>. In this case the`
`1627`		`- connection must be closed, but the frontend might choose to open a fresh`
`1628`		`- connection and proceed without requesting <acronym>GSSAPI</acronym>`
`1629`		`- encryption.`
	`1624`	`+ response to GSSENCRequest from the server. The frontend should not display`
	`1625`	`+ this error message to the user/application, since the server has not been`
	`1626`	`+ authenticated`
	`1627`	`+ (<ulink url="https://www.postgresql.org/support/security/CVE-2024-10977/">CVE-2024-10977</ulink>).`
	`1628`	`+ In this case the connection must be closed, but the frontend might choose`
	`1629`	`+ to open a fresh connection and proceed without requesting`
	`1630`	`+ <acronym>GSSAPI</acronym> encryption.`
`1630`	`1631`	`</para>`
`1631`	`1632`
`1632`	`1633`	`<para>`

`‎src/interfaces/libpq/fe-connect.c`

Lines changed: 10 additions & 24 deletions

Original file line number	Diff line number	Diff line change
`@@ -3509,22 +3509,12 @@ PQconnectPoll(PGconn *conn)`
`3509`	`3509`	`{`
`3510`	`3510`	`/*`
`3511`	`3511`	`* Server failure of some sort, such as failure to`
`3512`		`- * fork a backend process. We need to process and`
`3513`		`- * report the error message, which might be formatted`
`3514`		`- * according to either protocol 2 or protocol 3.`
`3515`		`- * Rather than duplicate the code for that, we flip`
`3516`		`- * into AWAITING_RESPONSE state and let the code there`
`3517`		`- * deal with it. Note we have not consumed the "E"`
`3518`		`- * byte here.`
	`3512`	`+ * fork a backend process. Don't bother retrieving`
	`3513`	`+ * the error message; we should not trust it as the`
	`3514`	`+ * server has not been authenticated yet.`
`3519`	`3515`	`*/`
`3520`		`-conn->status=CONNECTION_AWAITING_RESPONSE;`
`3521`		`-`
`3522`		`-/*`
`3523`		`- * Don't fall back to a plaintext connection after`
`3524`		`- * reading the error.`
`3525`		`- */`
`3526`		`-conn->failed_enc_methods \|=conn->allowed_enc_methods& (~conn->current_enc_method);`
`3527`		`-gotokeep_going;`
	`3516`	`+libpq_append_conn_error(conn,"server sent an error response during SSL exchange");`
	`3517`	`+gotoerror_return;`
`3528`	`3518`	`}`
`3529`	`3519`	`else`
`3530`	`3520`	`{`
`@@ -3600,13 +3590,9 @@ PQconnectPoll(PGconn *conn)`
`3600`	`3590`	`{`
`3601`	`3591`	`/*`
`3602`	`3592`	`* Server failure of some sort, possibly protocol`
`3603`		`- * version support failure. We need to process and`
`3604`		`- * report the error message, which might be formatted`
`3605`		`- * according to either protocol 2 or protocol 3.`
`3606`		`- * Rather than duplicate the code for that, we flip`
`3607`		`- * into AWAITING_RESPONSE state and let the code there`
`3608`		`- * deal with it. Note we have not consumed the "E"`
`3609`		`- * byte here.`
	`3593`	`+ * version support failure. Don't bother retrieving`
	`3594`	`+ * the error message; we should not trust it anyway as`
	`3595`	`+ * the server has not authenticated yet.`
`3610`	`3596`	`*`
`3611`	`3597`	`* Note that unlike on an error response to`
`3612`	`3598`	`* SSLRequest, we allow falling back to SSL or`
`@@ -3615,8 +3601,8 @@ PQconnectPoll(PGconn *conn)`
`3615`	`3601`	`* response might mean that we are connecting to a`
`3616`	`3602`	`* pre-v12 server.`
`3617`	`3603`	`*/`
`3618`		`-conn->status=CONNECTION_AWAITING_RESPONSE;`
`3619`		`-gotokeep_going;`
	`3604`	`+libpq_append_conn_error(conn,"server sent an error response during GSS encryption exchange");`
	`3605`	`+CONNECTION_FAILED();`
`3620`	`3606`	`}`
`3621`	`3607`
`3622`	`3608`	`/* mark byte consumed */`

`‎src/interfaces/libpq/t/005_negotiate_encryption.pl`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -455,7 +455,7 @@ BEGIN`
`455`	`455`	`connect_test(`
`456`	`456`	`$node,`
`457`	`457`	`"user=testuser gssencmode=prefer sslmode=disable",`
`458`		`-'connect, v2error -> fail');`
	`458`	`+'connect, v2error, reconnect, v2error -> fail');`
`459`	`459`	`$node->restart;`
`460`	`460`
`461`	`461`	`$node->safe_psql(`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitbf8835e

File tree

3 files changed

3 files changed

`‎doc/src/sgml/protocol.sgml`

`‎src/interfaces/libpq/fe-connect.c`

`‎src/interfaces/libpq/t/005_negotiate_encryption.pl`

0 commit comments