postgresql: CVE-2022-41862 Client memory disclosure when connecting with Kerberos to modified server

Upstream-Status: Backport from https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=3f7342671341a7a137f2d8b06ab3461cdb0e1d88 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2023-03-24 17:34:04 +0530
committer: Armin Kuster <akuster808@gmail.com> 2023-04-06 07:32:11 -0400
commit: 4f78732be2e6950e8b252fc066058966baf9a3de (patch)
tree: 4c37934a8219ebf2763f1bfdcf420c3c3cf96b08
parent: 7b7913fd475b903dd859dc360573d0065c911449 (diff)
download: meta-openembedded-4f78732be2e6950e8b252fc066058966baf9a3de.tar.gz
2 files changed, 49 insertions, 0 deletions
diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2022-41862.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2022-41862.patch
new file mode 100644
index 0000000000..f4093f4ba7
--- /dev/null
+++ b/meta-oe/recipes-dbs/postgresql/files/CVE-2022-41862.patch
@@ -0,0 +1,48 @@
+From 3f7342671341a7a137f2d8b06ab3461cdb0e1d88 Mon Sep 17 00:00:00 2001
+From: Michael Paquier <michael@paquier.xyz>
+Date: Mon, 6 Feb 2023 11:20:31 +0900
+Subject: [PATCH] Properly NULL-terminate GSS receive buffer on error packet
+ reception
+pqsecure_open_gss() includes a code path handling error messages with
+v2-style protocol messages coming from the server.  The client-side
+buffer holding the error message does not force a NULL-termination, with
+the data of the server getting copied to the errorMessage of the
+connection.  Hence, it would be possible for a server to send an
+unterminated string and copy arbitrary bytes in the buffer receiving the
+error message in the client, opening the door to a crash or even data
+exposure.
+As at this stage of the authentication process the exchange has not been
+completed yet, this could be abused by an attacker without Kerberos
+credentials.  Clients that have a valid kerberos cache are vulnerable as
+libpq opportunistically requests for it except if gssencmode is
+disabled.
+Author: Jacob Champion
+Backpatch-through: 12
+Security: CVE-2022-41862
+CVE: CVE-2022-41862
+Upstream-Status: Backport [https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=3f7342671341a7a137f2d8b06ab3461cdb0e1d88]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/interfaces/libpq/fe-secure-gssapi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/src/interfaces/libpq/fe-secure-gssapi.c b/src/interfaces/libpq/fe-secure-gssapi.c
+index 7b5e383..aef201b 100644
+--- a/src/interfaces/libpq/fe-secure-gssapi.c
+++ b/src/interfaces/libpq/fe-secure-gssapi.c
+@@ -578,6 +578,8 @@ pqsecure_open_gss(PGconn *conn)
+ 
+                        PqGSSRecvLength += ret;
+ 
+                       Assert(PqGSSRecvLength < PQ_GSS_RECV_BUFFER_SIZE);
+                       PqGSSRecvBuffer[PqGSSRecvLength] = '\0';
+                        printfPQExpBuffer(&conn->errorMessage, "%s\n", PqGSSRecvBuffer + 1);
+ 
+                        return PGRES_POLLING_FAILED;
+-- 
+2.25.1
diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb b/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb
index 860e821b20..808c5d6e77 100644
--- a/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb
+++ b/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb
@@ -9,6 +9,7 @@ SRC_URI += "\
   file://remove_duplicate.patch \
   file://CVE-2022-1552.patch \
   file://CVE-2022-2625.patch \
+   file://CVE-2022-41862.patch \
 "
 SRC_URI[sha256sum] = "89fda2de33ed04a98548e43f3ee5f15b882be17505d631fe0dd1a540a2b56dce"
author	Hitendra Prajapati <hprajapati@mvista.com>	2023-03-24 17:34:04 +0530
committer	Armin Kuster <akuster808@gmail.com>	2023-04-06 07:32:11 -0400
commit	4f78732be2e6950e8b252fc066058966baf9a3de (patch)
tree	4c37934a8219ebf2763f1bfdcf420c3c3cf96b08
parent	7b7913fd475b903dd859dc360573d0065c911449 (diff)
download	meta-openembedded-4f78732be2e6950e8b252fc066058966baf9a3de.tar.gz

diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2022-41862.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2022-41862.patch new file mode 100644 index 0000000000..f4093f4ba7 --- /dev/null +++ b/meta-oe/recipes-dbs/postgresql/files/CVE-2022-41862.patch
@@ -0,0 +1,48 @@
		1	From 3f7342671341a7a137f2d8b06ab3461cdb0e1d88 Mon Sep 17 00:00:00 2001
		2	From: Michael Paquier <michael@paquier.xyz>
		3	Date: Mon, 6 Feb 2023 11:20:31 +0900
		4	Subject: [PATCH] Properly NULL-terminate GSS receive buffer on error packet
		5	reception
		6
		7	pqsecure_open_gss() includes a code path handling error messages with
		8	v2-style protocol messages coming from the server. The client-side
		9	buffer holding the error message does not force a NULL-termination, with
		10	the data of the server getting copied to the errorMessage of the
		11	connection. Hence, it would be possible for a server to send an
		12	unterminated string and copy arbitrary bytes in the buffer receiving the
		13	error message in the client, opening the door to a crash or even data
		14	exposure.
		15
		16	As at this stage of the authentication process the exchange has not been
		17	completed yet, this could be abused by an attacker without Kerberos
		18	credentials. Clients that have a valid kerberos cache are vulnerable as
		19	libpq opportunistically requests for it except if gssencmode is
		20	disabled.
		21
		22	Author: Jacob Champion
		23	Backpatch-through: 12
		24	Security: CVE-2022-41862
		25
		26	CVE: CVE-2022-41862
		27	Upstream-Status: Backport [https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=3f7342671341a7a137f2d8b06ab3461cdb0e1d88]
		28	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		29	---
		30	src/interfaces/libpq/fe-secure-gssapi.c \| 2 ++
		31	1 file changed, 2 insertions(+)
		32
		33	diff --git a/src/interfaces/libpq/fe-secure-gssapi.c b/src/interfaces/libpq/fe-secure-gssapi.c
		34	index 7b5e383..aef201b 100644
		35	--- a/src/interfaces/libpq/fe-secure-gssapi.c
		36	+++ b/src/interfaces/libpq/fe-secure-gssapi.c
		37	@@ -578,6 +578,8 @@ pqsecure_open_gss(PGconn *conn)
		38
		39	PqGSSRecvLength += ret;
		40
		41	+ Assert(PqGSSRecvLength < PQ_GSS_RECV_BUFFER_SIZE);
		42	+ PqGSSRecvBuffer[PqGSSRecvLength] = '\0';
		43	printfPQExpBuffer(&conn->errorMessage, "%s\n", PqGSSRecvBuffer + 1);
		44
		45	return PGRES_POLLING_FAILED;
		46	--
		47	2.25.1
		48


diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb b/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb index 860e821b20..808c5d6e77 100644 --- a/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb +++ b/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb
@@ -9,6 +9,7 @@ SRC_URI += "\
9	file://remove_duplicate.patch \	9	file://remove_duplicate.patch \
10	file://CVE-2022-1552.patch \	10	file://CVE-2022-1552.patch \
11	file://CVE-2022-2625.patch \	11	file://CVE-2022-2625.patch \
		12	file://CVE-2022-41862.patch \
12	"	13	"
13		14
14	SRC_URI[sha256sum] = "89fda2de33ed04a98548e43f3ee5f15b882be17505d631fe0dd1a540a2b56dce"	15	SRC_URI[sha256sum] = "89fda2de33ed04a98548e43f3ee5f15b882be17505d631fe0dd1a540a2b56dce"