This is an automated email from the ASF dual-hosted git repository.
reshke pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/cloudberry.git
The following commit(s) were added to refs/heads/main by this push:
new 68e52482729 Backport: Properly NULL-terminate GSS receive buffer on
error packet reception (#1498)
68e52482729 is described below
commit 68e52482729eada3172b546cb73312627d9fe740
Author: reshke <[email protected]>
AuthorDate: Tue Dec 23 18:58:46 2025 +0500
Backport: Properly NULL-terminate GSS receive buffer on error packet
reception (#1498)
This PR fixes https://www.postgresql.org/support/security/CVE-2022-41862/
in Cloudberry
https://git.postgresql.org/cgit/postgresql.git/commit/?id=71c37797d7bd78266146a5829ab62b3687c47295
Original commit message:
===
pqsecure_open_gss() includes a code path handling error messages with
v2-style protocol messages coming from the server. The client-side buffer
holding the error message does not force a NULL-termination, with the data of
the server getting copied to the errorMessage of the connection. Hence, it
would be possible for a server to send an unterminated string and copy
arbitrary bytes in the buffer receiving the error message in the client,
opening the door to a crash or even data exposure.
As at this stage of the authentication process the exchange has not been
completed yet, this could be abused by an attacker without Kerberos
credentials. Clients that have a valid Kerberos cache are vulnerable as libpq
opportunistically requests for it except if gssencmode is disabled.
Author: Jacob Champion
Backpatch-through: 12
Security: CVE-2022-41862
---
src/interfaces/libpq/fe-secure-gssapi.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/interfaces/libpq/fe-secure-gssapi.c
b/src/interfaces/libpq/fe-secure-gssapi.c
index 7006ed58a12..aeb6e35dbdd 100644
--- a/src/interfaces/libpq/fe-secure-gssapi.c
+++ b/src/interfaces/libpq/fe-secure-gssapi.c
@@ -585,6 +585,8 @@ pqsecure_open_gss(PGconn *conn)
PqGSSRecvLength += ret;
+ Assert(PqGSSRecvLength < PQ_GSS_RECV_BUFFER_SIZE);
+ PqGSSRecvBuffer[PqGSSRecvLength] = '\0';
appendPQExpBuffer(&conn->errorMessage, "%s\n",
PqGSSRecvBuffer + 1);
return PGRES_POLLING_FAILED;
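Review bot: The only bound on the new write `PqGSSRecvBuffer[PqGSSRecvLength] = '\0';` visible in this hunk is the `Assert` on the line above it, which compiles to nothing in builds without assertion checking, so production builds depend entirely on the preceding read never filling the last byte of the buffer. That read is outside the hunk; please confirm it caps the received length at PQ_GSS_RECV_BUFFER_SIZE - 1 in the Cloudberry tree as well, since this is a backport and the surrounding code may differ from upstream. A short comment above the two added lines would also help, stating that the terminator is required because the following `appendPQExpBuffer(..., "%s\n", PqGSSRecvBuffer + 1)` treats server-supplied bytes as a C string, and that one byte of the buffer is reserved for it.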