Add timingsafe_bcmp(), for constant-time memory comparison

timingsafe_bcmp() should be used instead of memcmp() or a naive
for-loop, when comparing passwords or secret tokens, to avoid leaking
information about the secret token by timing. This commit just
introduces the function but does not change any existing code to use
it yet.

This has been initially applied as of 09be39112654 in v18 and newer
versions, and will be used in all the stable branches for an upcoming
fix.

Co-authored-by: Jelte Fennema-Nio <[email protected]>
Discussion: https://www.postgresql.org/message-id/[email protected]
Security: CVE-2026-6478
Backpatch-through: 14

Branch
------
REL_14_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/b282280e9b69cae988c0c69cce3eda4d4bd38fff
Author: Heikki Linnakangas <[email protected]>

Modified Files
--------------
configure                   | 23 +++++++++++++++++++++++
configure.ac                |  3 ++-
src/include/pg_config.h.in  |  7 +++++++
src/include/port.h          |  4 ++++
src/port/timingsafe_bcmp.c  | 43 +++++++++++++++++++++++++++++++++++++++++++
src/tools/msvc/Mkvcbuild.pm |  2 +-
src/tools/msvc/Solution.pm  |  2 ++
7 files changed, 82 insertions(+), 2 deletions(-)
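
Added example, not part of the commit or of PostgreSQL's source: a sketch of why an early-exit comparison leaks and how a constant-time one avoids it, using bytes inspected as a stand-in for elapsed time. The names leaky_cmp, ct_cmp, leaky_steps and ct_steps and the sample tokens are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define TOKEN_LEN 16
/* Constructed sample token and two wrong guesses. */
static const unsigned char SECRET[]      = "0123456789abcdef";
static const unsigned char GUESS_FIRST[] = "X123456789abcdef"; /* differs at byte 0 */
static const unsigned char GUESS_LATE[]  = "0123456789Xbcdef"; /* differs at byte 10 */

/* Early-exit loop, as memcmp() or a naive for-loop may behave.
 * *steps = bytes inspected before returning. */
static int leaky_cmp(const unsigned char *a, const unsigned char *b,
                     size_t n, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        *steps = i + 1;
        if (a[i] != b[i])
            return 1;       /* work done depends on the secret's contents */
    }
    return 0;
}

/* Constant-time form: reads all n bytes and ORs the differences together,
 * with no data-dependent branch in the loop. Returns 0 if equal. */
static int ct_cmp(const void *p1, const void *p2, size_t n, size_t *steps)
{
    const volatile unsigned char *a = p1;
    const volatile unsigned char *b = p2;
    unsigned char diff = 0;

    for (size_t i = 0; i < n; i++)
        diff |= a[i] ^ b[i];
    *steps = n;
    return diff != 0;
}

/* Work done when comparing a guess against SECRET. */
static size_t leaky_steps(const unsigned char *g)
{ size_t s; leaky_cmp(SECRET, g, TOKEN_LEN, &s); return s; }
static size_t ct_steps(const unsigned char *g)
{ size_t s; ct_cmp(SECRET, g, TOKEN_LEN, &s); return s; }

int main(void)
{
    printf("leaky: first=%zu late=%zu\n", leaky_steps(GUESS_FIRST), leaky_steps(GUESS_LATE));
    printf("ct:    first=%zu late=%zu\n", ct_steps(GUESS_FIRST), ct_steps(GUESS_LATE));
    return 0;
}
```

The early-exit loop does more work the longer the matching prefix is, which is the signal a timing observer measures; the constant-time loop does the same work for every guess of a given length.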
