This is an automated email from the ASF dual-hosted git repository.

reshke pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/cloudberry.git


The following commit(s) were added to refs/heads/main by this push:
     new 84a84584c60 libpq: Bail out during SSL/GSS negotiation errors (#1633)
84a84584c60 is described below

commit 84a84584c60433d04d633d7a7c4bd71b631e96dd
Author: reshke <[email protected]>
AuthorDate: Wed Mar 25 16:05:24 2026 +0500

    libpq: Bail out during SSL/GSS negotiation errors (#1633)
    
    This commit changes libpq so that errors reported by the backend during
    the protocol negotiation for SSL and GSS are discarded by the client, as
    these may include bytes that could be consumed by the client and write
    arbitrary bytes to a client's terminal.
    
    A failure with the SSL negotiation now leads to an error immediately
    reported, without a retry on any other methods allowed, like a fallback
    to a plaintext connection.
    
    A failure with GSS discards the error message received, and we allow a
    fallback as it may be possible that the error is caused by a connection
    attempt with a pre-11 server, GSS encryption having been introduced in
    v12.  This was a problem only with v17 and newer versions; older versions
    discard the error message already in this case, assuming a failure caused
    by a lack of support for GSS encryption.
    
    Author: Jacob Champion
    Reviewed-by: Peter Eisentraut, Heikki Linnakangas, Michael Paquier
    Security: CVE-2024-10977
    Backpatch-through: 12
    
    
    Back-ported-by: reshke <[email protected]>
    
    ======
    
    CBDB source commit is https://git.postgresql.org/cgit/postgresql.git/commit/?h=e6c9454764d880ee30735aa8c1e05d3674722ff9
---
 doc/src/sgml/protocol.sgml        | 21 +++++++++++----------
 src/interfaces/libpq/fe-connect.c | 15 ++++++---------
 2 files changed, 17 insertions(+), 19 deletions(-)

diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
index cf1fadcda4b..9072cf847e4 100644
--- a/doc/src/sgml/protocol.sgml
+++ b/doc/src/sgml/protocol.sgml
@@ -1526,10 +1526,10 @@ SELCT 1/0;<!-- this typo is intentional -->
 
    <para>
     The frontend should also be prepared to handle an ErrorMessage
-    response to SSLRequest from the server.  This would only occur if
-    the server predates the addition of <acronym>SSL</acronym> support
-    to <productname>PostgreSQL</productname>.  (Such servers are now very 
ancient,
-    and likely do not exist in the wild anymore.)
+    response to SSLRequest from the server. The frontend should not display
+    this error message to the user/application, since the server has not been
+    authenticated
+    (<ulink 
url="https://www.postgresql.org/support/security/CVE-2024-10977/";>CVE-2024-10977</ulink>).
     In this case the connection must
     be closed, but the frontend might choose to open a fresh connection
     and proceed without requesting <acronym>SSL</acronym>.
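
Review bot: The unchanged closing sentence, "the frontend might choose to open a fresh connection and proceed without requesting SSL", is left unqualified right after the new text saying the server has not been authenticated, while the commit message states that libpq itself no longer retries with any other method after an SSL negotiation failure. Suggest stating here that libpq reports the failure immediately and does not fall back to a plaintext connection, so that authors of other frontends see a retry without SSL as a deliberate choice rather than the reference behaviour. Style: the added line "server. The frontend" has one space after the period, where the removed line and the GSSENCRequest paragraph use two.
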
@@ -1603,12 +1603,13 @@ SELCT 1/0;<!-- this typo is intentional -->
 
    <para>
     The frontend should also be prepared to handle an ErrorMessage
-    response to GSSENCRequest from the server.  This would only occur if
-    the server predates the addition of <acronym>GSSAPI</acronym> encryption
-    support to <productname>PostgreSQL</productname>.  In this case the
-    connection must be closed, but the frontend might choose to open a fresh
-    connection and proceed without requesting <acronym>GSSAPI</acronym>
-    encryption.
+    response to GSSENCRequest from the server.  The frontend should not display
+    this error message to the user/application, since the server has not been
+    authenticated
+    (<ulink 
url="https://www.postgresql.org/support/security/CVE-2024-10977/";>CVE-2024-10977</ulink>).
+    In this case the connection must be closed, but the frontend might choose
+    to open a fresh connection and proceed without requesting
+    <acronym>GSSAPI</acronym> encryption.
    </para>
 
    <para>
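
Review bot: The removed explanation of when this ErrorMessage can legitimately arrive (a server that predates GSSAPI encryption support) is the reason the commit message gives for still allowing a fallback on the GSS path, and the new paragraph drops it entirely. Suggest keeping a short clause saying the error may come from a server without GSSAPI encryption support, so the permission to retry without GSSAPI encryption has its rationale next to the instruction not to display the message. The paragraph also says what not to show but not what to report instead; a sentence recommending a fixed, locally generated message would close that gap.
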
diff --git a/src/interfaces/libpq/fe-connect.c 
b/src/interfaces/libpq/fe-connect.c
index 7f3dfd462a6..be288ff8bd5 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -3168,16 +3168,13 @@ keep_going:                                             
/* We will come back to here until there is
                                        {
                                                /*
                                                 * Server failure of some sort, 
such as failure to
-                                                * fork a backend process.  We 
need to process and
-                                                * report the error message, 
which might be formatted
-                                                * according to either protocol 
2 or protocol 3.
-                                                * Rather than duplicate the 
code for that, we flip
-                                                * into AWAITING_RESPONSE state 
and let the code there
-                                                * deal with it.  Note we have 
*not* consumed the "E"
-                                                * byte here.
+                                                * fork a backend process.  
Don't bother retrieving
+                                                * the error message; we should 
not trust it as the
+                                                * server has not been 
authenticated yet.
                                                 */
-                                               conn->status = 
CONNECTION_AWAITING_RESPONSE;
-                                               goto keep_going;
+                                               
appendPQExpBuffer(&conn->errorMessage,
+                                                                               
  libpq_gettext("server sent an error response during SSL exchange\n"));
+                                               goto error_return;
                                        }
                                        else
                                        {
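
Review bot: The new comment explains why the server's message is not retrieved, but not that "goto error_return" also ends the attempt without any retry, which the commit message names as the behaviour change for SSL. Suggest adding that to the comment, since the removed lines handed control to CONNECTION_AWAITING_RESPONSE and the difference in control flow is easy to miss when reading the state machine. The diffstat lists only protocol.sgml and fe-connect.c, so no test accompanies the change; a regression test in which the server answers SSLRequest with an error and the client reports only the fixed "server sent an error response during SSL exchange" string would guard against the old path returning.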

