pgsql: Cherry-pick security-relevant fixes from upstream imath library. - Mailing list pgsql-committers

From Noah Misch
Subject pgsql: Cherry-pick security-relevant fixes from upstream imath library.
Date
Msg-id E1YIIVa-0008Q6-Te@gemulon.postgresql.org
Whole thread Raw
List pgsql-committers
Cherry-pick security-relevant fixes from upstream imath library.

This covers alterations to buffer sizing and zeroing made between imath
1.3 and imath 1.20.  Valgrind Memcheck identified the buffer overruns
and reliance on uninitialized data; their exploit potential is unknown.
Builds specifying --with-openssl are unaffected, because they use the
OpenSSL BIGNUM facility instead of imath.  Back-patch to 9.0 (all
supported versions).

Security: CVE-2015-0243

Branch
------
REL9_1_STABLE

Details
-------
http://git.postgresql.org/pg/commitdiff/8d412e02ebfb106aedc2edef8e3b26e802311151

Modified Files
--------------
contrib/pgcrypto/imath.c |   24 +++++++++++++++---------
1 file changed, 15 insertions(+), 9 deletions(-)


pgsql-committers by date:

Previous
From: Bruce Momjian
Date:
Subject: pgsql: port/snprintf(): fix overflow and do padding
Next
From: Bruce Momjian
Date:
Subject: pgsql: to_char(): prevent writing beyond the allocated buffer