NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit11f738a

committed

Fix buffer overrun after incomplete read in pullf_read_max().

Most callers pass a stack buffer. The ensuing stack smash can crash theserver, and we have not ruled out the viability of attacks that lead toprivilege escalation. Back-patch to 9.0 (all supported versions).Marko TiikkajaSecurity:CVE-2015-0243

1 parent98f2479 commit11f738aCopy full SHA for 11f738a

File tree

4 files changed

+54

-1

lines changed

contrib/pgcrypto
- expected
  - pgp-info.out
  - pgp-pubkey-decrypt.out
- mbuf.c
- sql
  - pgp-pubkey-decrypt.sql

4 files changed

+54

-1

lines changed

`‎contrib/pgcrypto/expected/pgp-info.out`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -74,5 +74,6 @@ from encdata order by id;`
`74`	`74`	`2C226E1FFE5CC7D4`
`75`	`75`	`B68504FD128E1FF9`
`76`	`76`	`FD0206C409B74875`
`77`		`-(4 rows)`
	`77`	`+ FD0206C409B74875`
	`78`	`+(5 rows)`
`78`	`79`

`‎contrib/pgcrypto/expected/pgp-pubkey-decrypt.out`

Lines changed: 25 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -564,6 +564,27 @@ GQ==`
`564`	`564`	`=XHkF`
`565`	`565`	`-----END PGP MESSAGE-----`
`566`	`566`	`');`
	`567`	`+-- rsaenc2048 / aes128 (not from gnupg)`
	`568`	`+insert into encdata (id, data) values (5, '`
	`569`	`+-----BEGIN PGP MESSAGE-----`
	`570`	`+`
	`571`	`+wcBMA/0CBsQJt0h1AQgAzxZ8j+OTeZ8IlLxfZ/mVd28/gUsCY+xigWBk/anZlK3T`
	`572`	`+p2tNU2idHzKdAttH2Hu/PWbZp4kwjl9spezYxMqCeBZqtfGED88Y+rqK0n/ul30A`
	`573`	`+7jjFHaw0XUOqFNlST1v6H2i7UXndnp+kcLfHPhnO5BIYWxB2CYBehItqtrn75eqr`
	`574`	`+C7trGzU/cr74efcWagbCDSNjiAV7GlEptlzmgVMmNikyI6w0ojEUx8lCLc/OsFz9`
	`575`	`+pJUAX8xuwjxDVv+W7xk6c96grQiQlm+FLDYGiGNXoAzx3Wi/howu3uV40dXfY+jx`
	`576`	`+3WBrhEew5Pkpt1SsWoFnJWOfJ8GLd0ec8vfRCqAIVdLgAeS7NyawQYtd6wuVrEAj`
	`577`	`+5SMg4Thb4d+g45RksuGLHUUr4qO9tiXglODa4InhmJfgNuLk+RGz4LXjq8wepEmW`
	`578`	`+vRbgFOG54+Cf4C/gC+HkreDm5JKSKjvvw4B/jC6CDxq+JoziEe2Z1uEjCuEcr+Es`
	`579`	`+/eGzeOi36BejXPMHeKxXejj5qBBHKV0pHVhZSgffR0TtlXdB967Yl/5agV0R89hI`
	`580`	`+7Gw52emfnH4Z0Y4V0au2H0k1dR/2IxXdJEWSTG7Be1JHT59p9ei2gSEOrdBMIOjP`
	`581`	`+tbYYUlmmbvD49bHfThkDiC+oc9947LgQsk3kOOLbNHcjkbrjH8R5kjII4m/SEZA1`
	`582`	`+g09T+338SzevBcVXh/cFrQ6/Et+lyyO2LJRUMs69g/HyzJOVWT2Iu8E0eS9MWevY`
	`583`	`+Qtrkrhrpkl3Y02qEp/j6M03Yu2t6ZF7dp51aJ5VhO2mmmtHaTnCyCc8Fcf72LmD8`
	`584`	`+blH2nKZC9d6fi4YzSYMepZpMOFR65M80MCMiDUGnZBB8sEADu2/iVtqDUeG8mAA=`
	`585`	`+=PHJ1`
	`586`	`+-----END PGP MESSAGE-----`
	`587`	`+');`
`567`	`588`	`-- successful decrypt`
`568`	`589`	`select pgp_pub_decrypt(dearmor(data), dearmor(seckey))`
`569`	`590`	`from keytbl, encdata where keytbl.id=1 and encdata.id=1;`
`@@ -629,3 +650,7 @@ from keytbl, encdata where keytbl.id=5 and encdata.id=1;`
`629`	`650`	`Secret msg`
`630`	`651`	`(1 row)`
`631`	`652`
	`653`	`+-- test for a short read from prefix_init`
	`654`	`+select pgp_pub_decrypt(dearmor(data), dearmor(seckey))`
	`655`	`+from keytbl, encdata where keytbl.id=6 and encdata.id=5;`
	`656`	`+ERROR: Wrong key or corrupt data`

`‎contrib/pgcrypto/mbuf.c`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -305,6 +305,7 @@ pullf_read_max(PullFilter pf, int len, uint8 data_p, uint8 tmpbuf)`
`305`	`305`	`break;`
`306`	`306`	`memcpy(tmpbuf+total,tmp,res);`
`307`	`307`	`total+=res;`
	`308`	`+len-=res;`
`308`	`309`	`}`
`309`	`310`	`returntotal;`
`310`	`311`	`}`

`‎contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql`

Lines changed: 26 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -579,6 +579,28 @@ GQ==`
`579`	`579`	`-----END PGP MESSAGE-----`
`580`	`580`	`');`
`581`	`581`
	`582`	`+-- rsaenc2048 / aes128 (not from gnupg)`
	`583`	`+insert into encdata (id, data)values (5,'`
	`584`	`+-----BEGIN PGP MESSAGE-----`
	`585`	`+`
	`586`	`+wcBMA/0CBsQJt0h1AQgAzxZ8j+OTeZ8IlLxfZ/mVd28/gUsCY+xigWBk/anZlK3T`
	`587`	`+p2tNU2idHzKdAttH2Hu/PWbZp4kwjl9spezYxMqCeBZqtfGED88Y+rqK0n/ul30A`
	`588`	`+7jjFHaw0XUOqFNlST1v6H2i7UXndnp+kcLfHPhnO5BIYWxB2CYBehItqtrn75eqr`
	`589`	`+C7trGzU/cr74efcWagbCDSNjiAV7GlEptlzmgVMmNikyI6w0ojEUx8lCLc/OsFz9`
	`590`	`+pJUAX8xuwjxDVv+W7xk6c96grQiQlm+FLDYGiGNXoAzx3Wi/howu3uV40dXfY+jx`
	`591`	`+3WBrhEew5Pkpt1SsWoFnJWOfJ8GLd0ec8vfRCqAIVdLgAeS7NyawQYtd6wuVrEAj`
	`592`	`+5SMg4Thb4d+g45RksuGLHUUr4qO9tiXglODa4InhmJfgNuLk+RGz4LXjq8wepEmW`
	`593`	`+vRbgFOG54+Cf4C/gC+HkreDm5JKSKjvvw4B/jC6CDxq+JoziEe2Z1uEjCuEcr+Es`
	`594`	`+/eGzeOi36BejXPMHeKxXejj5qBBHKV0pHVhZSgffR0TtlXdB967Yl/5agV0R89hI`
	`595`	`+7Gw52emfnH4Z0Y4V0au2H0k1dR/2IxXdJEWSTG7Be1JHT59p9ei2gSEOrdBMIOjP`
	`596`	`+tbYYUlmmbvD49bHfThkDiC+oc9947LgQsk3kOOLbNHcjkbrjH8R5kjII4m/SEZA1`
	`597`	`+g09T+338SzevBcVXh/cFrQ6/Et+lyyO2LJRUMs69g/HyzJOVWT2Iu8E0eS9MWevY`
	`598`	`+Qtrkrhrpkl3Y02qEp/j6M03Yu2t6ZF7dp51aJ5VhO2mmmtHaTnCyCc8Fcf72LmD8`
	`599`	`+blH2nKZC9d6fi4YzSYMepZpMOFR65M80MCMiDUGnZBB8sEADu2/iVtqDUeG8mAA=`
	`600`	`+=PHJ1`
	`601`	`+-----END PGP MESSAGE-----`
	`602`	`+');`
	`603`	`+`
`582`	`604`	`-- successful decrypt`
`583`	`605`	`select pgp_pub_decrypt(dearmor(data), dearmor(seckey))`
`584`	`606`	`from keytbl, encdatawherekeytbl.id=1andencdata.id=1;`
`@@ -619,3 +641,7 @@ from keytbl, encdata where keytbl.id=5 and encdata.id=1;`
`619`	`641`	`-- password-protected secret key, right password`
`620`	`642`	`select pgp_pub_decrypt(dearmor(data), dearmor(seckey),'parool')`
`621`	`643`	`from keytbl, encdatawherekeytbl.id=5andencdata.id=1;`
	`644`	`+`
	`645`	`+-- test for a short read from prefix_init`
	`646`	`+select pgp_pub_decrypt(dearmor(data), dearmor(seckey))`
	`647`	`+from keytbl, encdatawherekeytbl.id=6andencdata.id=5;`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit11f738a

File tree

4 files changed

4 files changed

`‎contrib/pgcrypto/expected/pgp-info.out`

`‎contrib/pgcrypto/expected/pgp-pubkey-decrypt.out`

`‎contrib/pgcrypto/mbuf.c`

`‎contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql`

0 commit comments