granicus.if.org Git - postgresql/commit

author	Michael Paquier <michael@paquier.xyz>
	Mon, 17 Jun 2019 12:48:17 +0000 (21:48 +0900)
committer	Michael Paquier <michael@paquier.xyz>
	Mon, 17 Jun 2019 12:48:17 +0000 (21:48 +0900)
commit	09ec55b933091cb5b0af99978718cb3d289c71b6
tree	437f17017539481e4e5dff82c78cf4fa281e3479	tree \| snapshot
parent	3412030205211079f9b0510e2244083e4ee7b15a	commit \| diff

Fix buffer overflow when parsing SCRAM verifiers in backend

Any authenticated user can overflow a stack-based buffer by changing the
user's own password to a purpose-crafted value.  This often suffices to
execute arbitrary code as the PostgreSQL operating system account.

This fix is contributed by multiple folks, based on an initial analysis
from Tom Lane.  This issue has been introduced by 68e61ee, so it was
possible to make use of it at authentication time.  It became more
easily to trigger after ccae190 which has made the SCRAM parsing more
strict when changing a password, in the case where the client passes
down a verifier already hashed using SCRAM.  Back-patch to v10 where
SCRAM has been introduced.

Reported-by: Alexander Lakhin
Author: Jonathan Katz, Heikki Linnakangas, Michael Paquier
Security: CVE-2019-10164
Backpatch-through: 10

src/backend/libpq/auth-scram.c		diff \| blob \| history
src/test/regress/expected/password.out		diff \| blob \| history
src/test/regress/sql/password.sql		diff \| blob \| history