granicus.if.org Git - postgresql/commit

author	Michael Paquier <michael@paquier.xyz>
	Mon, 17 Jun 2019 12:48:25 +0000 (21:48 +0900)
committer	Michael Paquier <michael@paquier.xyz>
	Mon, 17 Jun 2019 12:48:25 +0000 (21:48 +0900)
commit	4c779ce324a15ffa0171160c52579130f25fcd3f
tree	ef7cdd34f644d27fbd245506eef606a6359c3f96	tree \| snapshot
parent	28dc2c25c579232dbba98a0ec62476b4091df96e	commit \| diff

Fix buffer overflow when parsing SCRAM verifiers in backend

Any authenticated user can overflow a stack-based buffer by changing the
user's own password to a purpose-crafted value.  This often suffices to
execute arbitrary code as the PostgreSQL operating system account.

This fix is contributed by multiple folks, based on an initial analysis
from Tom Lane.  This issue has been introduced by 68e61ee, so it was
possible to make use of it at authentication time.  It became more
easily to trigger after ccae190 which has made the SCRAM parsing more
strict when changing a password, in the case where the client passes
down a verifier already hashed using SCRAM.  Back-patch to v10 where
SCRAM has been introduced.

Reported-by: Alexander Lakhin
Author: Jonathan Katz, Heikki Linnakangas, Michael Paquier
Security: CVE-2019-10164
Backpatch-through: 10

src/backend/libpq/auth-scram.c		diff \| blob \| history
src/test/regress/expected/password.out		diff \| blob \| history
src/test/regress/sql/password.sql		diff \| blob \| history