1 files changed, 0 insertions, 50 deletions
diff --git a/meta-oe/recipes-dbs/postgresql/files/0001-Properly-NULL-terminate-GSS-receive-buffer-on-error-.patch b/meta-oe/recipes-dbs/postgresql/files/0001-Properly-NULL-terminate-GSS-receive-buffer-on-error-.patch
deleted file mode 100644
index 2d11b18883..0000000000
--- a/meta-oe/recipes-dbs/postgresql/files/0001-Properly-NULL-terminate-GSS-receive-buffer-on-error-.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 586b074026d703c29057b04b1318e984701fe195 Mon Sep 17 00:00:00 2001
-From: Changqing Li <changqing.li@windriver.com>
-Date: Thu, 2 Mar 2023 19:10:47 +0800
-Subject: [PATCH] Properly NULL-terminate GSS receive buffer on error packet
- reception
-pqsecure_open_gss() includes a code path handling error messages with
-v2-style protocol messages coming from the server.  The client-side
-buffer holding the error message does not force a NULL-termination, with
-the data of the server getting copied to the errorMessage of the
-connection.  Hence, it would be possible for a server to send an
-unterminated string and copy arbitrary bytes in the buffer receiving the
-error message in the client, opening the door to a crash or even data
-exposure.
-As at this stage of the authentication process the exchange has not been
-completed yet, this could be abused by an attacker without Kerberos
-credentials.  Clients that have a valid kerberos cache are vulnerable as
-libpq opportunistically requests for it except if gssencmode is
-disabled.
-Author: Jacob Champion
-Backpatch-through: 12
-Security: CVE-2022-41862
-Upstream-Status: Backport [https://github.com/postgres/postgres/commit/71c37797d7bd78266146a5829ab62b3687c47295]
-CVE: CVE-2022-41862
-Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
- src/interfaces/libpq/fe-secure-gssapi.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-diff --git a/src/interfaces/libpq/fe-secure-gssapi.c b/src/interfaces/libpq/fe-secure-gssapi.c
-index c783a53..a42ebc0 100644
--- a/src/interfaces/libpq/fe-secure-gssapi.c
-+++ b/src/interfaces/libpq/fe-secure-gssapi.c
-@@ -577,7 +577,8 @@ pqsecure_open_gss(PGconn *conn)
-                                return result;
- 
-                        PqGSSRecvLength += ret;
-
-+                       Assert(PqGSSRecvLength < PQ_GSS_RECV_BUFFER_SIZE);
-+                       PqGSSRecvBuffer[PqGSSRecvLength] = '\0';
-                        appendPQExpBuffer(&conn->errorMessage, "%s\n", PqGSSRecvBuffer + 1);
- 
-                        return PGRES_POLLING_FAILED;
-- 
-2.25.1

diff --git a/meta-oe/recipes-dbs/postgresql/files/0001-Properly-NULL-terminate-GSS-receive-buffer-on-error-.patch b/meta-oe/recipes-dbs/postgresql/files/0001-Properly-NULL-terminate-GSS-receive-buffer-on-error-.patch deleted file mode 100644 index 2d11b18883..0000000000 --- a/meta-oe/recipes-dbs/postgresql/files/0001-Properly-NULL-terminate-GSS-receive-buffer-on-error-.patch +++ /dev/null
@@ -1,50 +0,0 @@
1	From 586b074026d703c29057b04b1318e984701fe195 Mon Sep 17 00:00:00 2001
2	From: Changqing Li <changqing.li@windriver.com>
3	Date: Thu, 2 Mar 2023 19:10:47 +0800
4	Subject: [PATCH] Properly NULL-terminate GSS receive buffer on error packet
5	reception
6
7	pqsecure_open_gss() includes a code path handling error messages with
8	v2-style protocol messages coming from the server. The client-side
9	buffer holding the error message does not force a NULL-termination, with
10	the data of the server getting copied to the errorMessage of the
11	connection. Hence, it would be possible for a server to send an
12	unterminated string and copy arbitrary bytes in the buffer receiving the
13	error message in the client, opening the door to a crash or even data
14	exposure.
15
16	As at this stage of the authentication process the exchange has not been
17	completed yet, this could be abused by an attacker without Kerberos
18	credentials. Clients that have a valid kerberos cache are vulnerable as
19	libpq opportunistically requests for it except if gssencmode is
20	disabled.
21
22	Author: Jacob Champion
23	Backpatch-through: 12
24	Security: CVE-2022-41862
25
26	Upstream-Status: Backport [https://github.com/postgres/postgres/commit/71c37797d7bd78266146a5829ab62b3687c47295]
27	CVE: CVE-2022-41862
28
29	Signed-off-by: Changqing Li <changqing.li@windriver.com>
30	---
31	src/interfaces/libpq/fe-secure-gssapi.c \| 3 ++-
32	1 file changed, 2 insertions(+), 1 deletion(-)
33
34	diff --git a/src/interfaces/libpq/fe-secure-gssapi.c b/src/interfaces/libpq/fe-secure-gssapi.c
35	index c783a53..a42ebc0 100644
36	--- a/src/interfaces/libpq/fe-secure-gssapi.c
37	+++ b/src/interfaces/libpq/fe-secure-gssapi.c
38	@@ -577,7 +577,8 @@ pqsecure_open_gss(PGconn *conn)
39	return result;
40
41	PqGSSRecvLength += ret;
42	-
43	+ Assert(PqGSSRecvLength < PQ_GSS_RECV_BUFFER_SIZE);
44	+ PqGSSRecvBuffer[PqGSSRecvLength] = '\0';
45	appendPQExpBuffer(&conn->errorMessage, "%s\n", PqGSSRecvBuffer + 1);
46
47	return PGRES_POLLING_FAILED;
48	--
49	2.25.1
50