diff options
Diffstat (limited to 'meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch')
-rw-r--r-- | meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch | 116 |
1 files changed, 0 insertions, 116 deletions
diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch deleted file mode 100644 index 58bf81062..000000000 --- a/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch +++ /dev/null | |||
@@ -1,116 +0,0 @@ | |||
1 | From 24c2b9e42edb6d2f4ef2cead3b0aa1d6196adfce Mon Sep 17 00:00:00 2001 | ||
2 | From: Tom Lane <tgl@sss.pgh.pa.us> | ||
3 | Date: Mon, 8 Nov 2021 11:01:43 -0500 | ||
4 | Subject: [PATCH 2/2] Reject extraneous data after SSL or GSS encryption | ||
5 | handshake. | ||
6 | |||
7 | The server collects up to a bufferload of data whenever it reads data | ||
8 | from the client socket. When SSL or GSS encryption is requested | ||
9 | during startup, any additional data received with the initial | ||
10 | request message remained in the buffer, and would be treated as | ||
11 | already-decrypted data once the encryption handshake completed. | ||
12 | Thus, a man-in-the-middle with the ability to inject data into the | ||
13 | TCP connection could stuff some cleartext data into the start of | ||
14 | a supposedly encryption-protected database session. | ||
15 | |||
16 | This could be abused to send faked SQL commands to the server, | ||
17 | although that would only work if the server did not demand any | ||
18 | authentication data. (However, a server relying on SSL certificate | ||
19 | authentication might well not do so.) | ||
20 | |||
21 | To fix, throw a protocol-violation error if the internal buffer | ||
22 | is not empty after the encryption handshake. | ||
23 | |||
24 | Our thanks to Jacob Champion for reporting this problem. | ||
25 | |||
26 | Security: CVE-2021-23214 | ||
27 | |||
28 | Upstream-Status: Backport[https://github.com/postgres/postgres/commit/28e24125541545483093819efae9bca603441951] | ||
29 | CVE: CVE-2021-23214 | ||
30 | |||
31 | Signed-off-by: Changqing Li <changqing.li@windriver.com> | ||
32 | |||
33 | --- | ||
34 | src/backend/libpq/pqcomm.c | 11 +++++++++++ | ||
35 | src/backend/postmaster/postmaster.c | 23 ++++++++++++++++++++++- | ||
36 | src/include/libpq/libpq.h | 1 + | ||
37 | 3 files changed, 34 insertions(+), 1 deletion(-) | ||
38 | |||
39 | diff --git a/src/backend/libpq/pqcomm.c b/src/backend/libpq/pqcomm.c | ||
40 | index ee2cd86..4dd1c02 100644 | ||
41 | --- a/src/backend/libpq/pqcomm.c | ||
42 | +++ b/src/backend/libpq/pqcomm.c | ||
43 | @@ -1183,6 +1183,17 @@ pq_getstring(StringInfo s) | ||
44 | } | ||
45 | } | ||
46 | |||
47 | +/* ------------------------------- | ||
48 | + * pq_buffer_has_data - is any buffered data available to read? | ||
49 | + * | ||
50 | + * This will *not* attempt to read more data. | ||
51 | + * -------------------------------- | ||
52 | + */ | ||
53 | +bool | ||
54 | +pq_buffer_has_data(void) | ||
55 | +{ | ||
56 | + return (PqRecvPointer < PqRecvLength); | ||
57 | +} | ||
58 | |||
59 | /* -------------------------------- | ||
60 | * pq_startmsgread - begin reading a message from the client. | ||
61 | diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c | ||
62 | index 5775fc0..1fcc3f8 100644 | ||
63 | --- a/src/backend/postmaster/postmaster.c | ||
64 | +++ b/src/backend/postmaster/postmaster.c | ||
65 | @@ -2049,6 +2049,17 @@ retry1: | ||
66 | return STATUS_ERROR; | ||
67 | #endif | ||
68 | |||
69 | + /* | ||
70 | + * At this point we should have no data already buffered. If we do, | ||
71 | + * it was received before we performed the SSL handshake, so it wasn't | ||
72 | + * encrypted and indeed may have been injected by a man-in-the-middle. | ||
73 | + * We report this case to the client. | ||
74 | + */ | ||
75 | + if (pq_buffer_has_data()) | ||
76 | + ereport(FATAL, | ||
77 | + (errcode(ERRCODE_PROTOCOL_VIOLATION), | ||
78 | + errmsg("received unencrypted data after SSL request"), | ||
79 | + errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack."))); | ||
80 | /* | ||
81 | * regular startup packet, cancel, etc packet should follow, but not | ||
82 | * another SSL negotiation request, and a GSS request should only | ||
83 | @@ -2080,7 +2091,17 @@ retry1: | ||
84 | if (GSSok == 'G' && secure_open_gssapi(port) == -1) | ||
85 | return STATUS_ERROR; | ||
86 | #endif | ||
87 | - | ||
88 | + /* | ||
89 | + * At this point we should have no data already buffered. If we do, | ||
90 | + * it was received before we performed the GSS handshake, so it wasn't | ||
91 | + * encrypted and indeed may have been injected by a man-in-the-middle. | ||
92 | + * We report this case to the client. | ||
93 | + */ | ||
94 | + if (pq_buffer_has_data()) | ||
95 | + ereport(FATAL, | ||
96 | + (errcode(ERRCODE_PROTOCOL_VIOLATION), | ||
97 | + errmsg("received unencrypted data after GSSAPI encryption request"), | ||
98 | + errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack."))); | ||
99 | /* | ||
100 | * regular startup packet, cancel, etc packet should follow, but not | ||
101 | * another GSS negotiation request, and an SSL request should only | ||
102 | diff --git a/src/include/libpq/libpq.h b/src/include/libpq/libpq.h | ||
103 | index b115247..9969692 100644 | ||
104 | --- a/src/include/libpq/libpq.h | ||
105 | +++ b/src/include/libpq/libpq.h | ||
106 | @@ -73,6 +73,7 @@ extern int pq_getbyte(void); | ||
107 | extern int pq_peekbyte(void); | ||
108 | extern int pq_getbyte_if_available(unsigned char *c); | ||
109 | extern int pq_putbytes(const char *s, size_t len); | ||
110 | +extern bool pq_buffer_has_data(void); | ||
111 | |||
112 | /* | ||
113 | * prototypes for functions in be-secure.c | ||
114 | -- | ||
115 | 2.17.1 | ||
116 | |||