pgsql: Properly NULL-terminate GSS receive buffer on error packet reception

Properly NULL-terminate GSS receive buffer on error packet reception

pqsecure_open_gss() includes a code path handling error messages with v2-style protocol messages coming from the server. The client-side buffer holding the error message does not force a NULL-termination, with the data of the server getting copied to the errorMessage of the connection. Hence, it would be possible for a server to send an unterminated string and copy arbitrary bytes in the buffer receiving the error message in the client, opening the door to a crash or even data exposure.

As at this stage of the authentication process the exchange has not been completed yet, this could be abused by an attacker without Kerberos credentials. Clients that have a valid Kerberos cache are vulnerable as libpq opportunistically requests for it except if gssencmode is disabled.

Author: Jacob Champion
Backpatch-through: 12
Security: CVE-2022-41862

Branch
------
REL_15_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/715c345dd9a5594758be9a7aa41e898ead96e2a6

Modified Files
--------------
src/interfaces/libpq/fe-secure-gssapi.c | 2 ++
1 file changed, 2 insertions(+)

pgsql: Properly NULL-terminate GSS receive buffer on error packet reception

Properly NULL-terminate GSS receive buffer on error packet reception

pqsecure_open_gss() includes a code path handling error messages with v2-style protocol messages coming from the server. The client-side buffer holding the error message does not force a NULL-termination, with the data of the server getting copied to the errorMessage of the connection. Hence, it would be possible for a server to send an unterminated string and copy arbitrary bytes in the buffer receiving the error message in the client, opening the door to a crash or even data exposure.

As at this stage of the authentication process the exchange has not been completed yet, this could be abused by an attacker without Kerberos credentials. Clients that have a valid Kerberos cache are vulnerable as libpq opportunistically requests for it except if gssencmode is disabled.

Author: Jacob Champion
Backpatch-through: 12
Security: CVE-2022-41862

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/71c37797d7bd78266146a5829ab62b3687c47295

Modified Files
--------------
src/interfaces/libpq/fe-secure-gssapi.c | 2 ++
1 file changed, 2 insertions(+)

pgsql: Properly NULL-terminate GSS receive buffer on error packet reception

Properly NULL-terminate GSS receive buffer on error packet reception

pqsecure_open_gss() includes a code path handling error messages with v2-style protocol messages coming from the server. The client-side buffer holding the error message does not force a NULL-termination, with the data of the server getting copied to the errorMessage of the connection. Hence, it would be possible for a server to send an unterminated string and copy arbitrary bytes in the buffer receiving the error message in the client, opening the door to a crash or even data exposure.

As at this stage of the authentication process the exchange has not been completed yet, this could be abused by an attacker without Kerberos credentials. Clients that have a valid Kerberos cache are vulnerable as libpq opportunistically requests for it except if gssencmode is disabled.

Author: Jacob Champion
Backpatch-through: 12
Security: CVE-2022-41862

Branch
------
REL_14_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/626f2c1d6b85a6a0780460c7acc306bc2c326266

Modified Files
--------------
src/interfaces/libpq/fe-secure-gssapi.c | 2 ++
1 file changed, 2 insertions(+)

pgsql: Properly NULL-terminate GSS receive buffer on error packet reception

Properly NULL-terminate GSS receive buffer on error packet reception

pqsecure_open_gss() includes a code path handling error messages with v2-style protocol messages coming from the server. The client-side buffer holding the error message does not force a NULL-termination, with the data of the server getting copied to the errorMessage of the connection. Hence, it would be possible for a server to send an unterminated string and copy arbitrary bytes in the buffer receiving the error message in the client, opening the door to a crash or even data exposure.

As at this stage of the authentication process the exchange has not been completed yet, this could be abused by an attacker without Kerberos credentials. Clients that have a valid Kerberos cache are vulnerable as libpq opportunistically requests for it except if gssencmode is disabled.

Author: Jacob Champion
Backpatch-through: 12
Security: CVE-2022-41862

Branch
------
REL_13_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/45a945ee97b8b55a45d2ff5d4f4944b1e2dcacb8

Modified Files
--------------
src/interfaces/libpq/fe-secure-gssapi.c | 2 ++
1 file changed, 2 insertions(+)

pgsql: Properly NULL-terminate GSS receive buffer on error packet reception

Properly NULL-terminate GSS receive buffer on error packet reception

pqsecure_open_gss() includes a code path handling error messages with v2-style protocol messages coming from the server. The client-side buffer holding the error message does not force a NULL-termination, with the data of the server getting copied to the errorMessage of the connection. Hence, it would be possible for a server to send an unterminated string and copy arbitrary bytes in the buffer receiving the error message in the client, opening the door to a crash or even data exposure.

As at this stage of the authentication process the exchange has not been completed yet, this could be abused by an attacker without Kerberos credentials. Clients that have a valid Kerberos cache are vulnerable as libpq opportunistically requests for it except if gssencmode is disabled.

Author: Jacob Champion
Backpatch-through: 12
Security: CVE-2022-41862

Branch
------
REL_12_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/3f7342671341a7a137f2d8b06ab3461cdb0e1d88

Modified Files
--------------
src/interfaces/libpq/fe-secure-gssapi.c | 2 ++
1 file changed, 2 insertions(+)
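The defect class the commit message describes, as an added illustration that is not libpq's code and does not reproduce the two-line fix in fe-secure-gssapi.c: a peer-controlled message is copied from a receive buffer into a connection's error buffer, so the copy must bound its length by what the wire delivered and by what the destination holds, and must write a terminator itself rather than trusting the peer to send one. The buffer sizes and the function names `recv_is_terminated` and `copy_server_error` are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes for the example; not libpq's real buffer sizes. */
#define RECV_BUF_SIZE 16
#define ERRMSG_SIZE   32

/* True if the bytes received from the peer already contain a NUL within
 * the first nread bytes, i.e. they could be used as a C string as-is.
 * Anything the peer sends is untrusted, so this is a check, not a promise. */
bool recv_is_terminated(const char *recv_buf, size_t nread)
{
    return memchr(recv_buf, '\0', nread) != NULL;
}

/* Copy a peer-supplied error message into the connection's error buffer.
 * The length comes from the wire and is never trusted: copy at most what
 * fits in errmsg, and always write the terminator ourselves so that a later
 * strlen()/printf() on errmsg cannot run past its end. Returns the number
 * of message bytes kept (excluding the terminator). */
size_t copy_server_error(const char *recv_buf, size_t nread,
                         char *errmsg, size_t errmsg_size)
{
    if (errmsg_size == 0)
        return 0;

    /* If the peer did include a terminator, stop at it. */
    const char *nul = memchr(recv_buf, '\0', nread);
    size_t len = nul ? (size_t)(nul - recv_buf) : nread;

    /* Truncate to what the destination can hold, leaving room for NUL. */
    if (len > errmsg_size - 1)
        len = errmsg_size - 1;

    memcpy(errmsg, recv_buf, len);
    errmsg[len] = '\0';
    return len;
}

int main(void)
{
    /* Constructed input: a reply that fills the receive buffer with no NUL,
     * the case the commit message describes. */
    char recv_buf[RECV_BUF_SIZE];
    memset(recv_buf, 'E', sizeof recv_buf);
    char errmsg[ERRMSG_SIZE];

    printf("terminated on the wire: %s\n",
           recv_is_terminated(recv_buf, sizeof recv_buf) ? "yes" : "no");

    size_t kept = copy_server_error(recv_buf, sizeof recv_buf,
                                    errmsg, sizeof errmsg);
    printf("kept %zu bytes: \"%s\"\n", kept, errmsg);
    return 0;
}
```

The important property is that `errmsg` is well-formed regardless of what the peer sent: an unterminated reply is truncated and terminated, an over-long reply is cut to the destination size, and a properly terminated reply is copied up to its NUL. Reading the unterminated buffer directly as a C string, which is what the original code path effectively did, is undefined behaviour in C, which is why this example never does it.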