
Commit 1dc7551

committed
Fix buffer overrun after incomplete read in pullf_read_max().
Most callers pass a stack buffer. The ensuing stack smash can crash the server, and we have not ruled out the viability of attacks that lead to privilege escalation. Back-patch to 9.0 (all supported versions). Marko Tiikkaja Security: CVE-2015-0243
1 parent 29725b3 commit 1dc7551


4 files changed

+54
-1
lines changed


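--- a/contrib/pgcrypto/expected/pgp-info.out
+++ b/contrib/pgcrypto/expected/pgp-info.out
@@ -74,5 +74,6 @@ from encdata order by id;
 2C226E1FFE5CC7D4
 B68504FD128E1FF9
 FD0206C409B74875
-(4 rows)
+FD0206C409B74875
+(5 rows)
 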
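--- a/contrib/pgcrypto/expected/pgp-pubkey-decrypt.out
+++ b/contrib/pgcrypto/expected/pgp-pubkey-decrypt.out
@@ -564,6 +564,27 @@ GQ==
 =XHkF
 -----END PGP MESSAGE-----
 ');
+-- rsaenc2048 / aes128 (not from gnupg)
+insert into encdata (id, data) values (5, '
+-----BEGIN PGP MESSAGE-----
+
+wcBMA/0CBsQJt0h1AQgAzxZ8j+OTeZ8IlLxfZ/mVd28/gUsCY+xigWBk/anZlK3T
+p2tNU2idHzKdAttH2Hu/PWbZp4kwjl9spezYxMqCeBZqtfGED88Y+rqK0n/ul30A
+7jjFHaw0XUOqFNlST1v6H2i7UXndnp+kcLfHPhnO5BIYWxB2CYBehItqtrn75eqr
+C7trGzU/cr74efcWagbCDSNjiAV7GlEptlzmgVMmNikyI6w0ojEUx8lCLc/OsFz9
+pJUAX8xuwjxDVv+W7xk6c96grQiQlm+FLDYGiGNXoAzx3Wi/howu3uV40dXfY+jx
+3WBrhEew5Pkpt1SsWoFnJWOfJ8GLd0ec8vfRCqAIVdLgAeS7NyawQYtd6wuVrEAj
+5SMg4Thb4d+g45RksuGLHUUr4qO9tiXglODa4InhmJfgNuLk+RGz4LXjq8wepEmW
+vRbgFOG54+Cf4C/gC+HkreDm5JKSKjvvw4B/jC6CDxq+JoziEe2Z1uEjCuEcr+Es
+/eGzeOi36BejXPMHeKxXejj5qBBHKV0pHVhZSgffR0TtlXdB967Yl/5agV0R89hI
+7Gw52emfnH4Z0Y4V0au2H0k1dR/2IxXdJEWSTG7Be1JHT59p9ei2gSEOrdBMIOjP
+tbYYUlmmbvD49bHfThkDiC+oc9947LgQsk3kOOLbNHcjkbrjH8R5kjII4m/SEZA1
+g09T+338SzevBcVXh/cFrQ6/Et+lyyO2LJRUMs69g/HyzJOVWT2Iu8E0eS9MWevY
+Qtrkrhrpkl3Y02qEp/j6M03Yu2t6ZF7dp51aJ5VhO2mmmtHaTnCyCc8Fcf72LmD8
+blH2nKZC9d6fi4YzSYMepZpMOFR65M80MCMiDUGnZBB8sEADu2/iVtqDUeG8mAA=
+=PHJ1
+-----END PGP MESSAGE-----
+');
 -- successful decrypt
 select pgp_pub_decrypt(dearmor(data), dearmor(seckey))
 from keytbl, encdata where keytbl.id=1 and encdata.id=1;
@@ -629,3 +650,7 @@ from keytbl, encdata where keytbl.id=5 and encdata.id=1;
 Secret msg
 (1 row)
 
+-- test for a short read from prefix_init
+select pgp_pub_decrypt(dearmor(data), dearmor(seckey))
+from keytbl, encdata where keytbl.id=6 and encdata.id=5;
+ERROR: Wrong key or corrupt data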

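--- a/contrib/pgcrypto/mbuf.c
+++ b/contrib/pgcrypto/mbuf.c
@@ -305,6 +305,7 @@ pullf_read_max(PullFilter *pf, int len, uint8 **data_p, uint8 *tmpbuf)
 break;
 memcpy(tmpbuf + total, tmp, res);
 total += res;
+len -= res;
 }
 return total;
 }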
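Review bot: The `memcpy(tmpbuf + total, tmp, res)` still depends on `pullf_read()` never returning more than the `len` it was asked for, and nothing in the visible lines enforces that before the copy. The added `len -= res;` makes the requested count shrink with each partial read, which is what keeps `total` within the caller's buffer, but the bound remains implicit. Because the commit message says most callers pass a stack buffer, an `Assert(res <= len);` ahead of the memcpy would make the invariant checkable, and a header comment such as `/* tmpbuf must hold at least the len bytes originally requested; len counts the bytes still wanted */` would state the caller's contract. The loop head and the pullf_read() call are outside the hunk, so an existing check there cannot be ruled out from this view.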

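--- a/contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql
+++ b/contrib/pgcrypto/sql/pgp-pubkey-decrypt.sql
@@ -579,6 +579,28 @@ GQ==
 -----END PGP MESSAGE-----
 ');
 
+-- rsaenc2048 / aes128 (not from gnupg)
+insert into encdata (id, data) values (5, '
+-----BEGIN PGP MESSAGE-----
+
+wcBMA/0CBsQJt0h1AQgAzxZ8j+OTeZ8IlLxfZ/mVd28/gUsCY+xigWBk/anZlK3T
+p2tNU2idHzKdAttH2Hu/PWbZp4kwjl9spezYxMqCeBZqtfGED88Y+rqK0n/ul30A
+7jjFHaw0XUOqFNlST1v6H2i7UXndnp+kcLfHPhnO5BIYWxB2CYBehItqtrn75eqr
+C7trGzU/cr74efcWagbCDSNjiAV7GlEptlzmgVMmNikyI6w0ojEUx8lCLc/OsFz9
+pJUAX8xuwjxDVv+W7xk6c96grQiQlm+FLDYGiGNXoAzx3Wi/howu3uV40dXfY+jx
+3WBrhEew5Pkpt1SsWoFnJWOfJ8GLd0ec8vfRCqAIVdLgAeS7NyawQYtd6wuVrEAj
+5SMg4Thb4d+g45RksuGLHUUr4qO9tiXglODa4InhmJfgNuLk+RGz4LXjq8wepEmW
+vRbgFOG54+Cf4C/gC+HkreDm5JKSKjvvw4B/jC6CDxq+JoziEe2Z1uEjCuEcr+Es
+/eGzeOi36BejXPMHeKxXejj5qBBHKV0pHVhZSgffR0TtlXdB967Yl/5agV0R89hI
+7Gw52emfnH4Z0Y4V0au2H0k1dR/2IxXdJEWSTG7Be1JHT59p9ei2gSEOrdBMIOjP
+tbYYUlmmbvD49bHfThkDiC+oc9947LgQsk3kOOLbNHcjkbrjH8R5kjII4m/SEZA1
+g09T+338SzevBcVXh/cFrQ6/Et+lyyO2LJRUMs69g/HyzJOVWT2Iu8E0eS9MWevY
+Qtrkrhrpkl3Y02qEp/j6M03Yu2t6ZF7dp51aJ5VhO2mmmtHaTnCyCc8Fcf72LmD8
+blH2nKZC9d6fi4YzSYMepZpMOFR65M80MCMiDUGnZBB8sEADu2/iVtqDUeG8mAA=
+=PHJ1
+-----END PGP MESSAGE-----
+');
+
 -- successful decrypt
 select pgp_pub_decrypt(dearmor(data), dearmor(seckey))
 from keytbl, encdata where keytbl.id=1 and encdata.id=1;
@@ -619,3 +641,7 @@ from keytbl, encdata where keytbl.id=5 and encdata.id=1;
 -- password-protected secret key, right password
 select pgp_pub_decrypt(dearmor(data), dearmor(seckey), 'parool')
 from keytbl, encdata where keytbl.id=5 and encdata.id=1;
+
+-- test for a short read from prefix_init
+select pgp_pub_decrypt(dearmor(data), dearmor(seckey))
+from keytbl, encdata where keytbl.id=6 and encdata.id=5;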
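Review bot: The comment `-- test for a short read from prefix_init` at the end of the file does not say that message 5 is deliberately malformed or that the expected outcome is a clean error rather than a successful decrypt. A fuller comment would help the next maintainer, for example `-- crafted message (encdata.id=5): prefix_init gets fewer bytes than requested; must fail with "Wrong key or corrupt data" (CVE-2015-0243)`. The `-- rsaenc2048 / aes128 (not from gnupg)` comment on the insert could likewise note that the message exists only for this regression test. The `keytbl` row with id 6 is defined outside the visible hunks, so its pairing with this message cannot be checked from here.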
