summaryrefslogtreecommitdiffstats
path: root/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch')
-rw-r--r--meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch116
1 files changed, 0 insertions, 116 deletions
diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch
deleted file mode 100644
index 58bf81062..000000000
--- a/meta-oe/recipes-dbs/postgresql/files/CVE-2021-23214.patch
+++ /dev/null
@@ -1,116 +0,0 @@
1From 24c2b9e42edb6d2f4ef2cead3b0aa1d6196adfce Mon Sep 17 00:00:00 2001
2From: Tom Lane <tgl@sss.pgh.pa.us>
3Date: Mon, 8 Nov 2021 11:01:43 -0500
4Subject: [PATCH 2/2] Reject extraneous data after SSL or GSS encryption
5 handshake.
6
7The server collects up to a bufferload of data whenever it reads data
8from the client socket. When SSL or GSS encryption is requested
9during startup, any additional data received with the initial
10request message remained in the buffer, and would be treated as
11already-decrypted data once the encryption handshake completed.
12Thus, a man-in-the-middle with the ability to inject data into the
13TCP connection could stuff some cleartext data into the start of
14a supposedly encryption-protected database session.
15
16This could be abused to send faked SQL commands to the server,
17although that would only work if the server did not demand any
18authentication data. (However, a server relying on SSL certificate
19authentication might well not do so.)
20
21To fix, throw a protocol-violation error if the internal buffer
22is not empty after the encryption handshake.
23
24Our thanks to Jacob Champion for reporting this problem.
25
26Security: CVE-2021-23214
27
28Upstream-Status: Backport[https://github.com/postgres/postgres/commit/28e24125541545483093819efae9bca603441951]
29CVE: CVE-2021-23214
30
31Signed-off-by: Changqing Li <changqing.li@windriver.com>
32
33---
34 src/backend/libpq/pqcomm.c | 11 +++++++++++
35 src/backend/postmaster/postmaster.c | 23 ++++++++++++++++++++++-
36 src/include/libpq/libpq.h | 1 +
37 3 files changed, 34 insertions(+), 1 deletion(-)
38
39diff --git a/src/backend/libpq/pqcomm.c b/src/backend/libpq/pqcomm.c
40index ee2cd86..4dd1c02 100644
41--- a/src/backend/libpq/pqcomm.c
42+++ b/src/backend/libpq/pqcomm.c
43@@ -1183,6 +1183,17 @@ pq_getstring(StringInfo s)
44 }
45 }
46
47+/* -------------------------------
48+ * pq_buffer_has_data - is any buffered data available to read?
49+ *
50+ * This will *not* attempt to read more data.
51+ * --------------------------------
52+ */
53+bool
54+pq_buffer_has_data(void)
55+{
56+ return (PqRecvPointer < PqRecvLength);
57+}
58
59 /* --------------------------------
60 * pq_startmsgread - begin reading a message from the client.
61diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c
62index 5775fc0..1fcc3f8 100644
63--- a/src/backend/postmaster/postmaster.c
64+++ b/src/backend/postmaster/postmaster.c
65@@ -2049,6 +2049,17 @@ retry1:
66 return STATUS_ERROR;
67 #endif
68
69+ /*
70+ * At this point we should have no data already buffered. If we do,
71+ * it was received before we performed the SSL handshake, so it wasn't
72+ * encrypted and indeed may have been injected by a man-in-the-middle.
73+ * We report this case to the client.
74+ */
75+ if (pq_buffer_has_data())
76+ ereport(FATAL,
77+ (errcode(ERRCODE_PROTOCOL_VIOLATION),
78+ errmsg("received unencrypted data after SSL request"),
79+ errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack.")));
80 /*
81 * regular startup packet, cancel, etc packet should follow, but not
82 * another SSL negotiation request, and a GSS request should only
83@@ -2080,7 +2091,17 @@ retry1:
84 if (GSSok == 'G' && secure_open_gssapi(port) == -1)
85 return STATUS_ERROR;
86 #endif
87-
88+ /*
89+ * At this point we should have no data already buffered. If we do,
90+ * it was received before we performed the GSS handshake, so it wasn't
91+ * encrypted and indeed may have been injected by a man-in-the-middle.
92+ * We report this case to the client.
93+ */
94+ if (pq_buffer_has_data())
95+ ereport(FATAL,
96+ (errcode(ERRCODE_PROTOCOL_VIOLATION),
97+ errmsg("received unencrypted data after GSSAPI encryption request"),
98+ errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack.")));
99 /*
100 * regular startup packet, cancel, etc packet should follow, but not
101 * another GSS negotiation request, and an SSL request should only
102diff --git a/src/include/libpq/libpq.h b/src/include/libpq/libpq.h
103index b115247..9969692 100644
104--- a/src/include/libpq/libpq.h
105+++ b/src/include/libpq/libpq.h
106@@ -73,6 +73,7 @@ extern int pq_getbyte(void);
107 extern int pq_peekbyte(void);
108 extern int pq_getbyte_if_available(unsigned char *c);
109 extern int pq_putbytes(const char *s, size_t len);
110+extern bool pq_buffer_has_data(void);
111
112 /*
113 * prototypes for functions in be-secure.c
114--
1152.17.1
116