path: root/meta-oe/recipes-dbs/postgresql/files/0001-Properly-NULL-terminate-GSS-receive-buffer-on-error-.patch
blob: 2d11b18883ae29e9751c4e41e521d92e5829fd08 (plain)
From 586b074026d703c29057b04b1318e984701fe195 Mon Sep 17 00:00:00 2001
From: Changqing Li <changqing.li@windriver.com>
Date: Thu, 2 Mar 2023 19:10:47 +0800
Subject: [PATCH] Properly NULL-terminate GSS receive buffer on error packet
 reception

pqsecure_open_gss() includes a code path handling error messages with
v2-style protocol messages coming from the server.  The client-side
buffer holding the error message does not force a NULL-termination, with
the data of the server getting copied to the errorMessage of the
connection.  Hence, it would be possible for a server to send an
unterminated string and copy arbitrary bytes in the buffer receiving the
error message in the client, opening the door to a crash or even data
exposure.

As at this stage of the authentication process the exchange has not been
completed yet, this could be abused by an attacker without Kerberos
credentials.  Clients that have a valid Kerberos cache are vulnerable as
libpq opportunistically requests it unless gssencmode is disabled.

Author: Jacob Champion
Backpatch-through: 12
Security: CVE-2022-41862

Upstream-Status: Backport [https://github.com/postgres/postgres/commit/71c37797d7bd78266146a5829ab62b3687c47295]
CVE: CVE-2022-41862

Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
 src/interfaces/libpq/fe-secure-gssapi.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/interfaces/libpq/fe-secure-gssapi.c b/src/interfaces/libpq/fe-secure-gssapi.c
index c783a53..a42ebc0 100644
--- a/src/interfaces/libpq/fe-secure-gssapi.c
+++ b/src/interfaces/libpq/fe-secure-gssapi.c
@@ -577,7 +577,8 @@ pqsecure_open_gss(PGconn *conn)
 				return result;
 
 			PqGSSRecvLength += ret;
-
+			Assert(PqGSSRecvLength < PQ_GSS_RECV_BUFFER_SIZE);
+			PqGSSRecvBuffer[PqGSSRecvLength] = '\0';
 			appendPQExpBuffer(&conn->errorMessage, "%s\n", PqGSSRecvBuffer + 1);
 
 			return PGRES_POLLING_FAILED;
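Review bot: the new Assert on PqGSSRecvLength is compiled out in non-assert builds, so in a release build the store to PqGSSRecvBuffer[PqGSSRecvLength] is only in bounds if the read that produced `ret` (above this hunk, not shown) capped its length at PQ_GSS_RECV_BUFFER_SIZE - PqGSSRecvLength - 1 to reserve the terminator byte; please confirm that in the surrounding code, or add a runtime clamp such as `if (PqGSSRecvLength >= PQ_GSS_RECV_BUFFER_SIZE) PqGSSRecvLength = PQ_GSS_RECV_BUFFER_SIZE - 1;` before the store so the guarantee does not depend on a debug-only check. With that settled the change is the right fix: appendPQExpBuffer's "%s" on PqGSSRecvBuffer + 1 requires a NUL terminator, and the server-supplied bytes never provided one.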
-- 
2.25.1
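The pattern the patch relies on, shown as a self-contained added example rather than libpq's own code: a fixed-size receive buffer whose read length reserves one byte for the terminator, followed by an explicit NUL write before the buffer is handed to a `%s` format. The names `recv_state`, `fake_raw_read` and `recv_error_message`, the small `RECV_BUFFER_SIZE`, and the in-memory "wire" bytes are all constructed for this illustration and stand in for libpq's `PqGSSRecvBuffer`, `pqsecure_raw_read()` and `PQ_GSS_RECV_BUFFER_SIZE`.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for PQ_GSS_RECV_BUFFER_SIZE: deliberately small so
 * the truncation path is easy to exercise with short inputs. */
#define RECV_BUFFER_SIZE 16

typedef struct {
    char   buf[RECV_BUFFER_SIZE];
    size_t len;     /* bytes currently held in buf */
} recv_state;

/* Stand-in for pqsecure_raw_read(): copies at most `want` bytes from an
 * in-memory "wire" instead of a socket and returns the number copied. */
static size_t fake_raw_read(const unsigned char *wire, size_t wire_len,
                            size_t *wire_pos, char *dst, size_t want)
{
    size_t avail = wire_len - *wire_pos;
    size_t n = avail < want ? avail : want;
    memcpy(dst, wire + *wire_pos, n);
    *wire_pos += n;
    return n;
}

/* Receive a v2-style error packet (type byte 'E' followed by message text
 * with no length prefix and no guaranteed terminator) into the fixed buffer.
 * Returns a pointer to NUL-terminated message text, or NULL if the packet is
 * not an error packet.
 *
 * Two defensive steps mirror the patched code path: the read length leaves
 * one byte free so that len < RECV_BUFFER_SIZE always holds, and the
 * terminator is written explicitly before the buffer is used as a string. */
static const char *recv_error_message(recv_state *st,
                                      const unsigned char *wire, size_t wire_len)
{
    size_t pos = 0;

    st->len = 0;
    /* First byte is the message type. */
    st->len += fake_raw_read(wire, wire_len, &pos, st->buf, 1);
    if (st->len != 1 || st->buf[0] != 'E')
        return NULL;

    /* Read as much as fits, reserving one byte for the terminator. */
    st->len += fake_raw_read(wire, wire_len, &pos, st->buf + st->len,
                             RECV_BUFFER_SIZE - st->len - 1);

    assert(st->len < RECV_BUFFER_SIZE);   /* same invariant the patch asserts */
    st->buf[st->len] = '\0';              /* the fix: terminate before use */

    return st->buf + 1;                   /* skip the 'E' type byte */
}

/* Helper for checking: length of the recovered message text, or
 * (size_t)-1 when the packet was rejected. */
static size_t demo_message_len(const unsigned char *wire, size_t wire_len)
{
    recv_state st;
    const char *msg = recv_error_message(&st, wire, wire_len);
    return msg ? strlen(msg) : (size_t)-1;
}

int main(void)
{
    recv_state st;
    /* Constructed packet: 'E' plus 30 bytes of text, longer than the buffer. */
    static const unsigned char wire[] =
        "E" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";
    const char *msg = recv_error_message(&st, wire, sizeof(wire) - 1);

    printf("recovered %zu bytes of message text: %s\n",
           msg ? strlen(msg) : 0, msg ? msg : "(rejected)");
    return 0;
}
```

The oversized message is truncated to `RECV_BUFFER_SIZE - 2` characters (one byte for the type, one for the terminator) rather than overrunning the buffer, and a packet whose type byte is not `'E'` is rejected before any text is read.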