Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:pgbouncer
User: [email protected]
Usertags: pu

Please accept pgbouncer/1.24.1-1+deb13u2 for trixie. It fixes
CVE-2026-6664 CVE-2026-6665 CVE-2026-6666 CVE-2026-6667.

[ Tests ]
It passes the build-time tests and autopkgtest on salsa for the trixie
branch.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Christoph
No differences were encountered between the control files

diff -Nru pgbouncer-1.24.1/debian/changelog pgbouncer-1.24.1/debian/changelog
--- pgbouncer-1.24.1/debian/changelog	2025-12-20 13:52:56.000000000 +0100
+++ pgbouncer-1.24.1/debian/changelog	2026-05-10 11:44:27.000000000 +0200
@@ -1,3 +1,26 @@
+pgbouncer (1.24.1-1+deb13u2) trixie; urgency=medium
+
+  * Security update.
+      * Fix CVE-2026-6664: An integer overflow in network packet parsing code
+        in PgBouncer before 1.25.2 bypasses a boundary check and can lead to a
+        crash. An unauthenticated remote attacker can crash PgBouncer with a
+        malformed SCRAM authentication packet.
+      * Fix CVE-2026-6665: The SCRAM code in PgBouncer before 1.25.2 did not
+        check the return value of strlcat() correctly when building the
+        contents of the SCRAM client-final-message. A malicious backend that
+        sends a SCRAM server-final-message with a long nonce can trigger a
+        stack overflow.
+      * Fix CVE-2026-6666: A possible null pointer reference in PgBouncer
+        before 1.25.2 could lead to a crash, if a server sends an error
+        response without SQLSTATE field.
+      * Fix CVE-2026-6667: PgBouncer before 1.25.2 did not perform an
+        appropriate authorization check for the KILL_CLIENT admin command. All
+        users with access to the administration console (which itself requires
+        authorization) could run this command. It would have been correct to
+        allow only users listed in the admin_users parameter.
+
+ -- Christoph Berg <[email protected]>  Sun, 10 May 2026 11:44:27 +0200
+
 pgbouncer (1.24.1-1+deb13u1) trixie; urgency=medium
 
   * Non-maintainer upload by the Debian LTS Security Team.
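Review bot: the CVE-2026-6667 entry describes the former wrong behaviour ("It would have been correct to allow only users listed in the admin_users parameter") but not what this upload changes; a closing sentence such as "KILL_CLIENT now requires the user to be listed in admin_users, as KILL already does" tells administrators reading the changelog that console users outside admin_users lose this command with this update.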
diff -Nru pgbouncer-1.24.1/debian/gitlab-ci.yml pgbouncer-1.24.1/debian/gitlab-ci.yml
--- pgbouncer-1.24.1/debian/gitlab-ci.yml	2023-07-25 16:53:11.000000000 +0200
+++ pgbouncer-1.24.1/debian/gitlab-ci.yml	2026-05-10 11:44:27.000000000 +0200
@@ -1 +1,3 @@
 include: https://salsa.debian.org/postgresql/postgresql-common/raw/master/gitlab/gitlab-ci.yml
+variables:
+  RELEASE: trixie
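Review bot: this debian/gitlab-ci.yml change (adding "RELEASE: trixie") is unrelated to the four CVE fixes and is not mentioned in the changelog entry, although the checklist states that all changes are documented there; either add a changelog line for it or drop the hunk from the stable upload. If it is what made the salsa autopkgtest run on the trixie branch, as the [Tests] section suggests, keeping it with a changelog line is the cleaner choice.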
diff -Nru pgbouncer-1.24.1/debian/patches/CVE-2026-6664-Fix-integer-overflow-in-mbuf.h.patch pgbouncer-1.24.1/debian/patches/CVE-2026-6664-Fix-integer-overflow-in-mbuf.h.patch
--- pgbouncer-1.24.1/debian/patches/CVE-2026-6664-Fix-integer-overflow-in-mbuf.h.patch	1970-01-01 01:00:00.000000000 +0100
+++ pgbouncer-1.24.1/debian/patches/CVE-2026-6664-Fix-integer-overflow-in-mbuf.h.patch	2026-05-10 11:44:27.000000000 +0200
@@ -0,0 +1,43 @@
+From ddc63c2175825bca9ef3c0a528280acaad76dbaa Mon Sep 17 00:00:00 2001
+From: Euler Taveira <[email protected]>
+Date: Tue, 14 Apr 2026 16:34:23 -0300
+Subject: [PATCH 1/4] Fix integer overflow in mbuf.h
+
+An integer overflow in mbuf_get_bytes() bypasses a boundary check and
+can lead to a crash.
+
+An unauthenticated remote attacker can crash PgBouncer with a
+malformed SCRAM authentication packet.
+
+Report and fix by @JohannesLks.
+
+Security: CVE-2026-6664
+---
+ lib/usual/mbuf.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/usual/mbuf.h b/lib/usual/mbuf.h
+index b846182..f8fccd0 100644
+--- a/lib/usual/mbuf.h
++++ b/lib/usual/mbuf.h
+@@ -210,7 +210,7 @@ static inline bool mbuf_get_uint64be(struct MBuf *buf, uint64_t *dst_p)
+ _MUSTCHECK
+ static inline bool mbuf_get_bytes(struct MBuf *buf, unsigned len, const uint8_t **dst_p)
+ {
+-	if (buf->read_pos + len > buf->write_pos)
++	if (len > buf->write_pos - buf->read_pos)
+ 		return false;
+ 	*dst_p = buf->data + buf->read_pos;
+ 	buf->read_pos += len;
+@@ -221,7 +221,7 @@ static inline bool mbuf_get_bytes(struct MBuf *buf, unsigned len, const uint8_t
+ _MUSTCHECK
+ static inline bool mbuf_get_chars(struct MBuf *buf, unsigned len, const char **dst_p)
+ {
+-	if (buf->read_pos + len > buf->write_pos)
++	if (len > buf->write_pos - buf->read_pos)
+ 		return false;
+ 	*dst_p = (char *)buf->data + buf->read_pos;
+ 	buf->read_pos += len;
+-- 
+2.53.0
+
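Review bot: the rewritten check "if (len > buf->write_pos - buf->read_pos)" is only sound while read_pos <= write_pos; with both fields unsigned, a violated invariant makes the subtraction wrap and the check pass, so a short comment or an assert on that invariant next to the check would document why the subtraction cannot underflow. The two hunks are identical; if mbuf.h already has an accessor for the number of readable bytes, using it in both places keeps the fix in one spot, and it is worth grepping the header for any other "read_pos + len" style comparisons that this upstream commit did not touch.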
diff -Nru pgbouncer-1.24.1/debian/patches/CVE-2026-6665-Fix-buffer-overflow-in-SCRAM.patch pgbouncer-1.24.1/debian/patches/CVE-2026-6665-Fix-buffer-overflow-in-SCRAM.patch
--- pgbouncer-1.24.1/debian/patches/CVE-2026-6665-Fix-buffer-overflow-in-SCRAM.patch	1970-01-01 01:00:00.000000000 +0100
+++ pgbouncer-1.24.1/debian/patches/CVE-2026-6665-Fix-buffer-overflow-in-SCRAM.patch	2026-05-10 11:44:27.000000000 +0200
@@ -0,0 +1,41 @@
+From ab8dbb3b1a73b4a195062546e5e4f964b79f5b45 Mon Sep 17 00:00:00 2001
+From: Euler Taveira <[email protected]>
+Date: Wed, 15 Apr 2026 11:28:55 -0300
+Subject: [PATCH 2/4] Fix buffer overflow in SCRAM
+
+The SCRAM code did not check the return value of strlcat() correctly
+when building the contents of the SCRAM client-final-message.  A
+malicious backend that sends a SCRAM server-final-message with a long
+nonce can trigger a stack overflow.
+
+Reported by @HarutoKimura.
+
+Security: CVE-2026-6665
+---
+ src/proto.c | 2 ++
+ src/scram.c | 3 +++
+ 2 files changed, 5 insertions(+)
+
+--- a/src/proto.c
++++ b/src/proto.c
+@@ -458,6 +458,8 @@ static bool login_scram_sha_256_cont(PgS
+ 							  credentials, server_nonce,
+ 							  salt, saltlen, iterations);
+ 
++	if (!client_final_message)
++		goto failed;
+ 	free(salt);
+ 	free(ibuf);
+ 
+--- a/src/scram.c
++++ b/src/scram.c
+@@ -346,6 +346,9 @@ char *build_client_final_message(ScramSt
+ 		goto failed;
+ 
+ 	len = strlcat(buf, ",p=", sizeof(buf));
++	/* Final string is too long */
++	if (len >= sizeof(buf))
++		goto failed;
+ 	enclen = pg_b64_enc_len(sizeof(client_proof));
+ 	enclen = pg_b64_encode((char *) client_proof,
+ 			       SCRAM_KEY_LEN,
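Review bot: in the proto.c hunk the new "if (!client_final_message) goto failed;" sits directly above "free(salt); free(ibuf);", so the error path skips both frees unless the failed: label releases them; please confirm that, or move the two frees above the new check so the buffers are released on both paths. In the scram.c hunk the added length check covers the ",p=" strlcat; the preceding "goto failed;" context suggests the earlier strlcat calls are already checked, but since the advisory concerns a long server nonce it is worth verifying that every strlcat into buf in build_client_final_message is followed by the same "len >= sizeof(buf)" test. This patch and the CVE-2026-6667 one also carry truncated hunk function names and no git index header, so they appear refreshed against 1.24.1; a DEP-3 "Origin: backport, <upstream commit URL>" line in the header would record that they differ from the upstream commits.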
diff -Nru pgbouncer-1.24.1/debian/patches/CVE-2026-6666-Avoid-crash-in-kill_pool_logins_server_error.patch pgbouncer-1.24.1/debian/patches/CVE-2026-6666-Avoid-crash-in-kill_pool_logins_server_error.patch
--- pgbouncer-1.24.1/debian/patches/CVE-2026-6666-Avoid-crash-in-kill_pool_logins_server_error.patch	1970-01-01 01:00:00.000000000 +0100
+++ pgbouncer-1.24.1/debian/patches/CVE-2026-6666-Avoid-crash-in-kill_pool_logins_server_error.patch	2026-05-10 11:44:27.000000000 +0200
@@ -0,0 +1,46 @@
+From 0564f937c0fd81378d67ddcb57b0c00abc0b0f8f Mon Sep 17 00:00:00 2001
+From: Euler Taveira <[email protected]>
+Date: Mon, 27 Apr 2026 12:22:15 -0300
+Subject: [PATCH 3/4] Avoid crash in kill_pool_logins_server_error
+
+Prevent a null pointer deference crash while comparing SQLSTATE error
+code.  It also checks msg and level before using them in log_warning.
+
+A malicious backend could send a mal-formed ErrorResponse that does
+not include an SQLSTATE error code.
+
+Reported by @HarutoKimura.
+
+Security: CVE-2026-6666
+---
+ src/server.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/server.c b/src/server.c
+index 5dfd671..16cf7c2 100644
+--- a/src/server.c
++++ b/src/server.c
+@@ -102,14 +102,17 @@ const char * kill_pool_logins_server_error(PgPool *pool, PktHdr *errpkt)
+ 	const char *level, *sqlstate, *msg;
+ 
+ 	parse_server_error(errpkt, &level, &msg, &sqlstate);
+-	log_warning("server login failed: %s %s", level, msg);
++	if (level != NULL && msg != NULL)
++		log_warning("server login failed: %s %s", level, msg);
++	else
++		log_warning("server login failed");
+ 
+ 	/*
+ 	 * Kill all waiting clients unless it's a temporary error, such as
+ 	 * "database system is starting up".
+ 	 */
+-	if (strcmp(sqlstate, ERRCODE_CANNOT_CONNECT_NOW) != 0) {
+-		log_noise("kill_pool_logins_server_error: sqlstate: %s", sqlstate);
++	if (sqlstate == NULL || strcmp(sqlstate, ERRCODE_CANNOT_CONNECT_NOW) != 0) {
++		log_noise("kill_pool_logins_server_error: sqlstate: %s", sqlstate ? sqlstate : "NULL");
+ 		kill_pool_logins(pool, sqlstate, msg);
+ 	}
+ 	return msg;
+-- 
+2.53.0
+
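Review bot: with the new condition, kill_pool_logins(pool, sqlstate, msg) is now reached with sqlstate == NULL (and msg may be NULL as well), and the function still ends with "return msg;", which can therefore return NULL; please confirm that kill_pool_logins and the callers of kill_pool_logins_server_error tolerate NULL for these values, otherwise the crash only moves one level down. The log_warning change also drops both fields when only one of level or msg is missing; logging whichever is present, with a placeholder for the other as the log_noise line already does for sqlstate, keeps more of the malformed ErrorResponse visible for incident review.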
diff -Nru pgbouncer-1.24.1/debian/patches/CVE-2026-6667-KILL_CLIENT-requires-admin-access.patch pgbouncer-1.24.1/debian/patches/CVE-2026-6667-KILL_CLIENT-requires-admin-access.patch
--- pgbouncer-1.24.1/debian/patches/CVE-2026-6667-KILL_CLIENT-requires-admin-access.patch	1970-01-01 01:00:00.000000000 +0100
+++ pgbouncer-1.24.1/debian/patches/CVE-2026-6667-KILL_CLIENT-requires-admin-access.patch	2026-05-10 11:44:27.000000000 +0200
@@ -0,0 +1,28 @@
+From 97b5634be55d167a602b0bc0f09a8675997248a6 Mon Sep 17 00:00:00 2001
+From: Euler Taveira <[email protected]>
+Date: Tue, 28 Apr 2026 11:41:13 -0300
+Subject: [PATCH 4/4] KILL_CLIENT requires admin access
+
+The commit 1dbde96 that added the KILL_CLIENT command forgot to check
+the privileges to execute it.  As KILL, KILL_CLIENT should only be
+executed by users listed in the admin_users parameter.
+
+Report and fix by @HarutoKimura.
+
+Security: CVE-2026-6667
+---
+ src/admin.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/src/admin.c
++++ b/src/admin.c
+@@ -1423,6 +1423,9 @@ static bool admin_cmd_kill_client(PgSock
+ 	PgSocket *kill_client;
+ 	unsigned long long int target_id = 0;
+ 
++	if (!admin->admin_user)
++		return admin_error(admin, "admin access needed");
++
+ 	if (sscanf(arg, "%llu", &target_id) != 1) {
+ 		return admin_error(admin, "invalid client pointer supplied");
+ 	}
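Review bot: the authorization check is placed before the argument is parsed and before any client is looked up, which is the right spot; it is worth checking that "admin access needed" is the same string the existing KILL command returns to non-admin console users so both commands fail consistently. Since the [Tests] section only mentions the existing test suites, a regression test asserting that a console user not in admin_users is refused KILL_CLIENT would guard against the check being dropped again (the commit message notes it was forgotten when the command was added in 1dbde96).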
diff -Nru pgbouncer-1.24.1/debian/patches/series pgbouncer-1.24.1/debian/patches/series
--- pgbouncer-1.24.1/debian/patches/series	2025-12-20 13:45:25.000000000 +0100
+++ pgbouncer-1.24.1/debian/patches/series	2026-05-10 11:44:27.000000000 +0200
@@ -1,2 +1,6 @@
 debian-config
 CVE-2025-12819.patch
+CVE-2026-6664-Fix-integer-overflow-in-mbuf.h.patch
+CVE-2026-6665-Fix-buffer-overflow-in-SCRAM.patch
+CVE-2026-6666-Avoid-crash-in-kill_pool_logins_server_error.patch
+CVE-2026-6667-KILL_CLIENT-requires-admin-access.patch