Prevent a double free by not reentering be_tls_close(). Reentering this function with the right timing caused a double free, typically crashing the backend. By synchronizing a disconnection with the authentication timeout, an unauthenticated attacker could achieve this somewhat consistently. Call be_tls_close() solely from within proc_exit_prepare(). Back-patch to 9.0 (all supported versions).
Benkocs Norbert Attila Security: CVE-2015-3165 Branch ------ REL9_2_STABLE Details ------- http://git.postgresql.org/pg/commitdiff/439ff9b6b9de435e1c92d05221cfbcb7ff80e150 Modified Files -------------- src/backend/libpq/be-secure.c | 5 ----- src/backend/libpq/pqcomm.c | 23 ++++++++++++++++++----- src/backend/postmaster/postmaster.c | 11 ++++++++++- 3 files changed, 28 insertions(+), 11 deletions(-) -- Sent via pgsql-committers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-committers
