git.ipfire.org Git - thirdparty/postgresql.git/commit

author	Michael Paquier <michael@paquier.xyz>
	Sun, 8 Feb 2026 23:01:09 +0000 (08:01 +0900)
committer	Michael Paquier <michael@paquier.xyz>
	Sun, 8 Feb 2026 23:01:09 +0000 (08:01 +0900)
commit	527b730f41b2f2fbcda92cfd1dbbc50c14c9a46f
tree	fa5bc6fd747c884419bad180dc5931249f1a036b	tree \| snapshot
parent	79378568178764d962d11e1f5a00a7bf7f480278	commit \| diff

pgcrypto: Fix buffer overflow in pgp_pub_decrypt_bytea()

pgp_pub_decrypt_bytea() was missing a safeguard for the session key
length read from the message data, that can be given in input of
pgp_pub_decrypt_bytea(). This can result in the possibility of a buffer
overflow for the session key data, when the length specified is longer
than PGP_MAX_KEY, which is the maximum size of the buffer where the
session data is copied to.

A script able to rebuild the message and key data that can trigger the
overflow is included in this commit, based on some contents provided by
the reporter, heavily editted by me. A SQL test is added, based on the
data generated by the script.

Reported-by: Team Xint Code as part of zeroday.cloud
Author: Michael Paquier <michael@paquier.xyz>
Reviewed-by: Noah Misch <noah@leadboat.com>
Security: CVE-2026-2005
Backpatch-through: 14

contrib/pgcrypto/Makefile		diff \| blob \| blame \| history
contrib/pgcrypto/expected/pgp-pubkey-session.out	[new file with mode: 0644]	blob
contrib/pgcrypto/meson.build		diff \| blob \| blame \| history
contrib/pgcrypto/pgp-pubdec.c		diff \| blob \| blame \| history
contrib/pgcrypto/px.c		diff \| blob \| blame \| history
contrib/pgcrypto/px.h		diff \| blob \| blame \| history
contrib/pgcrypto/scripts/pgp_session_data.py	[new file with mode: 0644]	blob
contrib/pgcrypto/sql/pgp-pubkey-session.sql	[new file with mode: 0644]	blob