git.ipfire.org Git - thirdparty/postgresql.git/commit

author	Michael Paquier <michael@paquier.xyz>
	Sun, 8 Feb 2026 23:00:59 +0000 (08:00 +0900)
committer	Michael Paquier <michael@paquier.xyz>
	Sun, 8 Feb 2026 23:00:59 +0000 (08:00 +0900)
commit	379695d3cc70d040b547d912ce4842090d917ece
tree	41d0097c7ea483240c4cf90b70c591ba1dc5541a	tree
parent	73dd7163c5d19f93b629d1ccd9d2a2de6e9667f6	commit \| diff

pgcrypto: Fix buffer overflow in pgp_pub_decrypt_bytea()

pgp_pub_decrypt_bytea() was missing a safeguard for the session key
length read from the message data, that can be given in input of
pgp_pub_decrypt_bytea(). This can result in the possibility of a buffer
overflow for the session key data, when the length specified is longer
than PGP_MAX_KEY, which is the maximum size of the buffer where the
session data is copied to.

A script able to rebuild the message and key data that can trigger the
overflow is included in this commit, based on some contents provided by
the reporter, heavily editted by me. A SQL test is added, based on the
data generated by the script.

Reported-by: Team Xint Code as part of zeroday.cloud
Author: Michael Paquier <michael@paquier.xyz>
Reviewed-by: Noah Misch <noah@leadboat.com>
Security: CVE-2026-2005
Backpatch-through: 14

contrib/pgcrypto/Makefile		diff \| blob \| blame \| history
contrib/pgcrypto/expected/pgp-pubkey-session.out	[new file with mode: 0644]	blob
contrib/pgcrypto/meson.build		diff \| blob \| blame \| history
contrib/pgcrypto/pgp-pubdec.c		diff \| blob \| blame \| history
contrib/pgcrypto/px.c		diff \| blob \| blame \| history
contrib/pgcrypto/px.h		diff \| blob \| blame \| history
contrib/pgcrypto/scripts/pgp_session_data.py	[new file with mode: 0644]	blob
contrib/pgcrypto/sql/pgp-pubkey-session.sql	[new file with mode: 0644]	blob