Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:pgbouncer
User: [email protected]
Usertags: pu
Please accept pgbouncer/1.24.1-1+deb13u2 for trixie. It fixes
CVE-2026-6664 CVE-2026-6665 CVE-2026-6666 CVE-2026-6667.
[ Tests ]
It passes the build-time tests and autopkgtest on salsa for the trixie
branch.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
Christoph
No differences were encountered between the control files
diff -Nru pgbouncer-1.24.1/debian/changelog pgbouncer-1.24.1/debian/changelog
--- pgbouncer-1.24.1/debian/changelog 2025-12-20 13:52:56.000000000 +0100
+++ pgbouncer-1.24.1/debian/changelog 2026-05-10 11:44:27.000000000 +0200
@@ -1,3 +1,26 @@
+pgbouncer (1.24.1-1+deb13u2) trixie; urgency=medium
+
+ * Security update.
+ * Fix CVE-2026-6664: An integer overflow in network packet parsing code
+ in PgBouncer before 1.25.2 bypasses a boundary check and can lead to a
+ crash. An unauthenticated remote attacker can crash PgBouncer with a
+ malformed SCRAM authentication packet.
+ * Fix CVE-2026-6665: The SCRAM code in PgBouncer before 1.25.2 did not
+ check the return value of strlcat() correctly when building the
+ contents of the SCRAM client-final-message. A malicious backend that
+ sends a SCRAM server-final-message with a long nonce can trigger a
+ stack overflow.
+ * Fix CVE-2026-6666: A possible null pointer reference in PgBouncer
+ before 1.25.2 could lead to a crash, if a server sends an error
+ response without SQLSTATE field.
+ * Fix CVE-2026-6667: PgBouncer before 1.25.2 did not perform an
+ appropriate authorization check for the KILL_CLIENT admin command. All
+ users with access to the administration console (which itself requires
+ authorization) could run this command. It would have been correct to
+ allow only users listed in the admin_users parameter.
+
+ -- Christoph Berg <[email protected]> Sun, 10 May 2026 11:44:27 +0200
+
pgbouncer (1.24.1-1+deb13u1) trixie; urgency=medium
* Non-maintainer upload by the Debian LTS Security Team.
diff -Nru pgbouncer-1.24.1/debian/gitlab-ci.yml pgbouncer-1.24.1/debian/gitlab-ci.yml
--- pgbouncer-1.24.1/debian/gitlab-ci.yml 2023-07-25 16:53:11.000000000 +0200
+++ pgbouncer-1.24.1/debian/gitlab-ci.yml 2026-05-10 11:44:27.000000000 +0200
@@ -1 +1,3 @@
include: https://salsa.debian.org/postgresql/postgresql-common/raw/master/gitlab/gitlab-ci.yml
+variables:
+ RELEASE: trixie
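Review bot: the `RELEASE: trixie` CI variable is a packaging change unrelated to the four CVE fixes and is not mentioned in the d/changelog entry, although the checklist above states that all changes are documented there; add a changelog line for it (it is presumably what makes the salsa pipeline build and run autopkgtest against the trixie branch, as the [Tests] section relies on).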
diff -Nru pgbouncer-1.24.1/debian/patches/CVE-2026-6664-Fix-integer-overflow-in-mbuf.h.patch pgbouncer-1.24.1/debian/patches/CVE-2026-6664-Fix-integer-overflow-in-mbuf.h.patch
--- pgbouncer-1.24.1/debian/patches/CVE-2026-6664-Fix-integer-overflow-in-mbuf.h.patch 1970-01-01 01:00:00.000000000 +0100
+++ pgbouncer-1.24.1/debian/patches/CVE-2026-6664-Fix-integer-overflow-in-mbuf.h.patch 2026-05-10 11:44:27.000000000 +0200
@@ -0,0 +1,43 @@
+From ddc63c2175825bca9ef3c0a528280acaad76dbaa Mon Sep 17 00:00:00 2001
+From: Euler Taveira <[email protected]>
+Date: Tue, 14 Apr 2026 16:34:23 -0300
+Subject: [PATCH 1/4] Fix integer overflow in mbuf.h
+
+An integer overflow in mbuf_get_bytes() bypasses a boundary check and
+can lead to a crash.
+
+An unauthenticated remote attacker can crash PgBouncer with a
+malformed SCRAM authentication packet.
+
+Report and fix by @JohannesLks.
+
+Security: CVE-2026-6664
+---
+ lib/usual/mbuf.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/usual/mbuf.h b/lib/usual/mbuf.h
+index b846182..f8fccd0 100644
+--- a/lib/usual/mbuf.h
++++ b/lib/usual/mbuf.h
+@@ -210,7 +210,7 @@ static inline bool mbuf_get_uint64be(struct MBuf *buf, uint64_t *dst_p)
+ _MUSTCHECK
+ static inline bool mbuf_get_bytes(struct MBuf *buf, unsigned len, const uint8_t **dst_p)
+ {
+- if (buf->read_pos + len > buf->write_pos)
++ if (len > buf->write_pos - buf->read_pos)
+ return false;
+ *dst_p = buf->data + buf->read_pos;
+ buf->read_pos += len;
+@@ -221,7 +221,7 @@ static inline bool mbuf_get_bytes(struct MBuf *buf, unsigned len, const uint8_t
+ _MUSTCHECK
+ static inline bool mbuf_get_chars(struct MBuf *buf, unsigned len, const char **dst_p)
+ {
+- if (buf->read_pos + len > buf->write_pos)
++ if (len > buf->write_pos - buf->read_pos)
+ return false;
+ *dst_p = (char *)buf->data + buf->read_pos;
+ buf->read_pos += len;
+--
+2.53.0
+
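Review bot: the new condition `if (len > buf->write_pos - buf->read_pos)` in both mbuf_get_bytes() and mbuf_get_chars() removes the unsigned wraparound of `buf->read_pos + len`, but it depends on the invariant `read_pos <= write_pos`; if that is ever violated the unsigned subtraction wraps to a huge value and the check passes for any `len`. Confirm that every site advancing read_pos keeps it at or below write_pos (within this hunk the only advance, `buf->read_pos += len;`, is safe once the check holds), and check that no other mbuf_get_* helper in lib/usual/mbuf.h still uses the additive form, since only these two functions are patched.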
diff -Nru pgbouncer-1.24.1/debian/patches/CVE-2026-6665-Fix-buffer-overflow-in-SCRAM.patch pgbouncer-1.24.1/debian/patches/CVE-2026-6665-Fix-buffer-overflow-in-SCRAM.patch
--- pgbouncer-1.24.1/debian/patches/CVE-2026-6665-Fix-buffer-overflow-in-SCRAM.patch 1970-01-01 01:00:00.000000000 +0100
+++ pgbouncer-1.24.1/debian/patches/CVE-2026-6665-Fix-buffer-overflow-in-SCRAM.patch 2026-05-10 11:44:27.000000000 +0200
@@ -0,0 +1,41 @@
+From ab8dbb3b1a73b4a195062546e5e4f964b79f5b45 Mon Sep 17 00:00:00 2001
+From: Euler Taveira <[email protected]>
+Date: Wed, 15 Apr 2026 11:28:55 -0300
+Subject: [PATCH 2/4] Fix buffer overflow in SCRAM
+
+The SCRAM code did not check the return value of strlcat() correctly
+when building the contents of the SCRAM client-final-message. A
+malicious backend that sends a SCRAM server-final-message with a long
+nonce can trigger a stack overflow.
+
+Reported by @HarutoKimura.
+
+Security: CVE-2026-6665
+---
+ src/proto.c | 2 ++
+ src/scram.c | 3 +++
+ 2 files changed, 5 insertions(+)
+
+--- a/src/proto.c
++++ b/src/proto.c
+@@ -458,6 +458,8 @@ static bool login_scram_sha_256_cont(PgS
+ credentials, server_nonce,
+ salt, saltlen, iterations);
+
++ if (!client_final_message)
++ goto failed;
+ free(salt);
+ free(ibuf);
+
+--- a/src/scram.c
++++ b/src/scram.c
+@@ -346,6 +346,9 @@ char *build_client_final_message(ScramSt
+ goto failed;
+
+ len = strlcat(buf, ",p=", sizeof(buf));
++ /* Final string is too long */
++ if (len >= sizeof(buf))
++ goto failed;
+ enclen = pg_b64_enc_len(sizeof(client_proof));
+ enclen = pg_b64_encode((char *) client_proof,
+ SCRAM_KEY_LEN,
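Review bot: the new early exit `if (!client_final_message) goto failed;` in login_scram_sha_256_cont() jumps over the `free(salt); free(ibuf);` that immediately follow it, so unless the `failed:` label (outside this hunk) releases those two buffers the error path now leaks them; either move the check below the two free() calls or confirm the label frees them. In build_client_final_message(), the added `if (len >= sizeof(buf)) goto failed;` guards only the `,p=` append; the base64 proof written right after it with pg_b64_encode() must also fit in the remaining `sizeof(buf) - len` bytes, so confirm that call is bounded by the remaining space rather than by the full buffer size.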
diff -Nru pgbouncer-1.24.1/debian/patches/CVE-2026-6666-Avoid-crash-in-kill_pool_logins_server_error.patch pgbouncer-1.24.1/debian/patches/CVE-2026-6666-Avoid-crash-in-kill_pool_logins_server_error.patch
--- pgbouncer-1.24.1/debian/patches/CVE-2026-6666-Avoid-crash-in-kill_pool_logins_server_error.patch 1970-01-01 01:00:00.000000000 +0100
+++ pgbouncer-1.24.1/debian/patches/CVE-2026-6666-Avoid-crash-in-kill_pool_logins_server_error.patch 2026-05-10 11:44:27.000000000 +0200
@@ -0,0 +1,46 @@
+From 0564f937c0fd81378d67ddcb57b0c00abc0b0f8f Mon Sep 17 00:00:00 2001
+From: Euler Taveira <[email protected]>
+Date: Mon, 27 Apr 2026 12:22:15 -0300
+Subject: [PATCH 3/4] Avoid crash in kill_pool_logins_server_error
+
+Prevent a null pointer deference crash while comparing SQLSTATE error
+code. It also checks msg and level before using them in log_warning.
+
+A malicious backend could send a mal-formed ErrorResponse that does
+not include an SQLSTATE error code.
+
+Reported by @HarutoKimura.
+
+Security: CVE-2026-6666
+---
+ src/server.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/server.c b/src/server.c
+index 5dfd671..16cf7c2 100644
+--- a/src/server.c
++++ b/src/server.c
+@@ -102,14 +102,17 @@ const char * kill_pool_logins_server_error(PgPool *pool, PktHdr *errpkt)
+ const char *level, *sqlstate, *msg;
+
+ parse_server_error(errpkt, &level, &msg, &sqlstate);
+- log_warning("server login failed: %s %s", level, msg);
++ if (level != NULL && msg != NULL)
++ log_warning("server login failed: %s %s", level, msg);
++ else
++ log_warning("server login failed");
+
+ /*
+ * Kill all waiting clients unless it's a temporary error, such as
+ * "database system is starting up".
+ */
+- if (strcmp(sqlstate, ERRCODE_CANNOT_CONNECT_NOW) != 0) {
+- log_noise("kill_pool_logins_server_error: sqlstate: %s", sqlstate);
++ if (sqlstate == NULL || strcmp(sqlstate, ERRCODE_CANNOT_CONNECT_NOW) != 0) {
++ log_noise("kill_pool_logins_server_error: sqlstate: %s", sqlstate ? sqlstate : "NULL");
+ kill_pool_logins(pool, sqlstate, msg);
+ }
+ return msg;
+--
+2.53.0
+
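Review bot: with the widened condition `if (sqlstate == NULL || strcmp(...) != 0)`, kill_pool_logins(pool, sqlstate, msg) can now be called with `sqlstate == NULL`, and `msg` may be NULL as well (the new log_warning branch already allows for that); the function also still does `return msg;` which may be NULL. Confirm that kill_pool_logins() and the callers of kill_pool_logins_server_error() tolerate NULL for both arguments, otherwise the null dereference is only moved one level down. Note also that an ErrorResponse without SQLSTATE is now treated as a permanent error and all waiting clients are killed, a fail-closed choice that the commit message would do well to state explicitly.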
diff -Nru pgbouncer-1.24.1/debian/patches/CVE-2026-6667-KILL_CLIENT-requires-admin-access.patch pgbouncer-1.24.1/debian/patches/CVE-2026-6667-KILL_CLIENT-requires-admin-access.patch
--- pgbouncer-1.24.1/debian/patches/CVE-2026-6667-KILL_CLIENT-requires-admin-access.patch 1970-01-01 01:00:00.000000000 +0100
+++ pgbouncer-1.24.1/debian/patches/CVE-2026-6667-KILL_CLIENT-requires-admin-access.patch 2026-05-10 11:44:27.000000000 +0200
@@ -0,0 +1,28 @@
+From 97b5634be55d167a602b0bc0f09a8675997248a6 Mon Sep 17 00:00:00 2001
+From: Euler Taveira <[email protected]>
+Date: Tue, 28 Apr 2026 11:41:13 -0300
+Subject: [PATCH 4/4] KILL_CLIENT requires admin access
+
+The commit 1dbde96 that added the KILL_CLIENT command forgot to check
+the privileges to execute it. As KILL, KILL_CLIENT should only be
+executed by users listed in the admin_users parameter.
+
+Report and fix by @HarutoKimura.
+
+Security: CVE-2026-6667
+---
+ src/admin.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/src/admin.c
++++ b/src/admin.c
+@@ -1423,6 +1423,9 @@ static bool admin_cmd_kill_client(PgSock
+ PgSocket *kill_client;
+ unsigned long long int target_id = 0;
+
++ if (!admin->admin_user)
++ return admin_error(admin, "admin access needed");
++
+ if (sscanf(arg, "%llu", &target_id) != 1) {
+ return admin_error(admin, "invalid client pointer supplied");
+ }
diff -Nru pgbouncer-1.24.1/debian/patches/series pgbouncer-1.24.1/debian/patches/series
--- pgbouncer-1.24.1/debian/patches/series 2025-12-20 13:45:25.000000000 +0100
+++ pgbouncer-1.24.1/debian/patches/series 2026-05-10 11:44:27.000000000 +0200
@@ -1,2 +1,6 @@
debian-config
CVE-2025-12819.patch
+CVE-2026-6664-Fix-integer-overflow-in-mbuf.h.patch
+CVE-2026-6665-Fix-buffer-overflow-in-SCRAM.patch
+CVE-2026-6666-Avoid-crash-in-kill_pool_logins_server_error.patch
+CVE-2026-6667-KILL_CLIENT-requires-admin-access.patch