granicus.if.org Git - postgresql/commit

author	Michael Paquier <michael@paquier.xyz>
	Mon, 17 Jun 2019 12:48:34 +0000 (21:48 +0900)
committer	Michael Paquier <michael@paquier.xyz>
	Mon, 17 Jun 2019 12:48:34 +0000 (21:48 +0900)
commit	90adc16ea13750a6b6f704c6cf65dc0f1bdb845c
tree	323af6a854efea01608d201e6c3f9dbf57d69da5	tree \| snapshot
parent	93d4484ef80aa4df04f70348fd34d45d2eb85416	commit \| diff

Fix buffer overflow when parsing SCRAM verifiers in backend

Any authenticated user can overflow a stack-based buffer by changing the
user's own password to a purpose-crafted value.  This often suffices to
execute arbitrary code as the PostgreSQL operating system account.

This fix is contributed by multiple folks, based on an initial analysis
from Tom Lane.  This issue has been introduced by 68e61ee, so it was
possible to make use of it at authentication time.  It became more
easily to trigger after ccae190 which has made the SCRAM parsing more
strict when changing a password, in the case where the client passes
down a verifier already hashed using SCRAM.  Back-patch to v10 where
SCRAM has been introduced.

Reported-by: Alexander Lakhin
Author: Jonathan Katz, Heikki Linnakangas, Michael Paquier
Security: CVE-2019-10164
Backpatch-through: 10

src/backend/libpq/auth-scram.c		diff \| blob \| history
src/test/regress/expected/password.out		diff \| blob \| history
src/test/regress/sql/password.sql		diff \| blob \| history