Fix buffer overflow when parsing SCRAM verifiers in backend
Any authenticated user can overflow a stack-based buffer by changing the
user's own password to a purpose-crafted value. This often suffices to
execute arbitrary code as the PostgreSQL operating system account.
This fix is contributed by multiple folks, based on an initial analysis
from Tom Lane. This issue has been introduced by 68e61ee, so it was
possible to make use of it at authentication time. It became more
easily to trigger after ccae190 which has made the SCRAM parsing more
strict when changing a password, in the case where the client passes
down a verifier already hashed using SCRAM. Back-patch to v10 where
SCRAM has been introduced.
Reported-by: Alexander Lakhin
Author: Jonathan Katz, Heikki Linnakangas, Michael Paquier
Security: CVE-2019-10164
Backpatch-through: 10
Branch
------
REL_11_STABLE
Details
-------
https://git.postgresql.org/pg/commitdiff/4c779ce324a15ffa0171160c52579130f25fcd3f
Modified Files
--------------
src/backend/libpq/auth-scram.c | 35 ++++++++++++++++++++++++++--------
src/test/regress/expected/password.out | 23 ++++++++++++++++++++++
src/test/regress/sql/password.sql | 18 +++++++++++++++++
3 files changed, 68 insertions(+), 8 deletions(-)
