git.ipfire.org Git - thirdparty/postgresql.git/commit

author	Noah Misch <noah@leadboat.com>
	Mon, 9 Feb 2026 14:14:47 +0000 (06:14 -0800)
committer	Noah Misch <noah@leadboat.com>
	Mon, 9 Feb 2026 14:14:47 +0000 (06:14 -0800)
commit	d536aee5566354e42a1012da9dd3960e45402af5
tree	1ce693604fb947f8d75d028acca28d9860e13381	tree
parent	38e0190ced714b33c43c9676d768cc6814fc662a	commit \| diff

Require PGP-decrypted text to pass encoding validation.

pgp_sym_decrypt() and pgp_pub_decrypt() will raise such errors, while
bytea variants will not.  The existing "dat3" test decrypted to non-UTF8
text, so switch that query to bytea.

The long-term intent is for type "text" to always be valid in the
database encoding.  pgcrypto has long been known as a source of
exceptions to that intent, but a report about exploiting invalid values
of type "text" brought this module to the forefront.  This particular
exception is straightforward to fix, with reasonable effect on user
queries.  Back-patch to v14 (all supported versions).

Reported-by: Paul Gerste (as part of zeroday.cloud)
Reported-by: Moritz Sanft (as part of zeroday.cloud)
Author: shihao zhong <zhong950419@gmail.com>
Reviewed-by: cary huang <hcary328@gmail.com>
Discussion: https://postgr.es/m/CAGRkXqRZyo0gLxPJqUsDqtWYBbgM14betsHiLRPj9mo2=z9VvA@mail.gmail.com
Backpatch-through: 14
Security: CVE-2026-2006

contrib/pgcrypto/expected/pgp-decrypt.out		diff \| blob \| blame \| history
contrib/pgcrypto/expected/pgp-decrypt_1.out		diff \| blob \| blame \| history
contrib/pgcrypto/pgp-pgsql.c		diff \| blob \| blame \| history
contrib/pgcrypto/sql/pgp-decrypt.sql		diff \| blob \| blame \| history