git.ipfire.org Git - thirdparty/postgresql.git/commit

author	Michael Paquier <michael@paquier.xyz>
	Sun, 8 Feb 2026 23:01:12 +0000 (08:01 +0900)
committer	Michael Paquier <michael@paquier.xyz>
	Sun, 8 Feb 2026 23:01:12 +0000 (08:01 +0900)
commit	01de2e32df7b5b46720f64068a2674c3bd28ae3f
tree	a1beb6b3e988ebe4febaf0217f654d47a633a86d	tree \| snapshot
parent	29cb2e1821307b91a30d237610c71f291565550c	commit \| diff

pgcrypto: Fix buffer overflow in pgp_pub_decrypt_bytea()

pgp_pub_decrypt_bytea() was missing a safeguard for the session key
length read from the message data, that can be given in input of
pgp_pub_decrypt_bytea(). This can result in the possibility of a buffer
overflow for the session key data, when the length specified is longer
than PGP_MAX_KEY, which is the maximum size of the buffer where the
session data is copied to.

A script able to rebuild the message and key data that can trigger the
overflow is included in this commit, based on some contents provided by
the reporter, heavily editted by me. A SQL test is added, based on the
data generated by the script.

Reported-by: Team Xint Code as part of zeroday.cloud
Author: Michael Paquier <michael@paquier.xyz>
Reviewed-by: Noah Misch <noah@leadboat.com>
Security: CVE-2026-2005
Backpatch-through: 14

contrib/pgcrypto/Makefile		diff \| blob \| blame \| history
contrib/pgcrypto/expected/pgp-pubkey-session.out	[new file with mode: 0644]	blob
contrib/pgcrypto/pgp-pubdec.c		diff \| blob \| blame \| history
contrib/pgcrypto/px.c		diff \| blob \| blame \| history
contrib/pgcrypto/px.h		diff \| blob \| blame \| history
contrib/pgcrypto/scripts/pgp_session_data.py	[new file with mode: 0644]	blob
contrib/pgcrypto/sql/pgp-pubkey-session.sql	[new file with mode: 0644]	blob