git.ipfire.org Git - thirdparty/postgresql.git/commit
pgcrypto: Fix buffer overflow in pgp_pub_decrypt_bytea()
author: Michael Paquier <michael@paquier.xyz>
Sun, 8 Feb 2026 23:01:07 +0000 (08:01 +0900)
committer: Michael Paquier <michael@paquier.xyz>
Sun, 8 Feb 2026 23:01:07 +0000 (08:01 +0900)
commit: 7a7d9693c72e680af86298f01d850f95fef0988e
tree: 4c985045b7cf4f1eab54f1c9ac0079c34f97ffa4
parent: 4d3d88844b1b6c18e2ec752b03cb304d3b296216

pgp_pub_decrypt_bytea() was missing a safeguard for the session key
length read from the message data, that can be given in input of
pgp_pub_decrypt_bytea().  This can result in the possibility of a buffer
overflow for the session key data, when the length specified is longer
than PGP_MAX_KEY, which is the maximum size of the buffer where the
session data is copied to.

A script able to rebuild the message and key data that can trigger the
overflow is included in this commit, based on some contents provided by
the reporter, heavily edited by me.  A SQL test is added, based on the
data generated by the script.

Reported-by: Team Xint Code as part of zeroday.cloud
Author: Michael Paquier <michael@paquier.xyz>
Reviewed-by: Noah Misch <noah@leadboat.com>
Security: CVE-2026-2005
Backpatch-through: 14
contrib/pgcrypto/Makefile
contrib/pgcrypto/expected/pgp-pubkey-session.out [new file with mode: 0644]
contrib/pgcrypto/meson.build
contrib/pgcrypto/pgp-pubdec.c
contrib/pgcrypto/px.c
contrib/pgcrypto/px.h
contrib/pgcrypto/scripts/pgp_session_data.py [new file with mode: 0644]
contrib/pgcrypto/sql/pgp-pubkey-session.sql [new file with mode: 0644]
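
The safeguard the commit message describes, as an added illustration that is not code from this commit or from pgcrypto: a session key length derived from message data is checked against the fixed buffer's capacity before the copy. The `ex_` names, the 32-byte capacity, the RFC 4880 payload layout and the constructed test payloads are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EX_MAX_KEY 32   /* assumed buffer capacity for this example */

struct ex_ctx {
    uint8_t cipher_algo;
    size_t  sess_key_len;
    uint8_t sess_key[EX_MAX_KEY];   /* fixed-size destination */
};

/* msg is a decrypted session-key payload laid out as in RFC 4880, 5.1:
 * 1 octet algorithm id | key octets | 2 octet checksum (sum of key octets).
 * Returns 0 on success, -1 if malformed or if the key would not fit. */
int ex_load_session_key(struct ex_ctx *ctx, const uint8_t *msg, size_t msglen)
{
    size_t keylen, i;
    unsigned sum = 0;
    if (msglen < 4)                         /* need at least one key octet */
        return -1;
    keylen = msglen - 3;                    /* length comes from the message */
    if (keylen > sizeof(ctx->sess_key))     /* the safeguard: check before copy */
        return -1;
    for (i = 0; i < keylen; i++)
        sum += msg[1 + i];
    if ((sum & 0xFFFF) != (((unsigned) msg[msglen - 2] << 8) | msg[msglen - 1]))
        return -1;
    ctx->cipher_algo = msg[0];
    ctx->sess_key_len = keylen;
    memcpy(ctx->sess_key, msg + 1, keylen);
    return 0;
}

/* Build a well-formed constructed payload with keylen key octets and load it. */
int ex_try(size_t keylen)
{
    uint8_t msg[259] = {9};                 /* 9 = AES-256 id in RFC 4880 */
    struct ex_ctx ctx = {0};
    unsigned sum = 0;
    size_t i;
    if (keylen > sizeof(msg) - 3)           /* keep the constructed payload in bounds */
        return -2;
    for (i = 0; i < keylen; i++)
        sum += (msg[1 + i] = (uint8_t) (i * 7 + 1));
    msg[1 + keylen] = (uint8_t) (sum >> 8); /* checksum is valid on purpose */
    msg[2 + keylen] = (uint8_t) sum;
    return ex_load_session_key(&ctx, msg, keylen + 3);
}
```

The oversized payloads carry a correct checksum, so only the length comparison stands between the message-supplied length and the `memcpy`.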