pgcrypto: Fix buffer overflow in pgp_pub_decrypt_bytea() pgp_pub_decrypt_bytea() was missing a safeguard for the session key length read from the message data, that can be given in input of pgp_pub_decrypt_bytea(). This can result in the possibility of a buffer overflow for the session key data, when the length specified is longer than PGP_MAX_KEY, which is the maximum size of the buffer where the session data is copied to.
A script able to rebuild the message and key data that can trigger the overflow is included in this commit, based on some contents provided by the reporter, heavily editted by me. A SQL test is added, based on the data generated by the script. Reported-by: Team Xint Code as part of zeroday.cloud Author: Michael Paquier <[email protected]> Reviewed-by: Noah Misch <[email protected]> Security: CVE-2026-2005 Backpatch-through: 14 Branch ------ REL_14_STABLE Details ------- https://git.postgresql.org/pg/commitdiff/01de2e32df7b5b46720f64068a2674c3bd28ae3f Modified Files -------------- contrib/pgcrypto/Makefile | 3 +- contrib/pgcrypto/expected/pgp-pubkey-session.out | 47 +++ contrib/pgcrypto/pgp-pubdec.c | 11 +- contrib/pgcrypto/px.c | 1 + contrib/pgcrypto/px.h | 2 +- contrib/pgcrypto/scripts/pgp_session_data.py | 491 +++++++++++++++++++++++ contrib/pgcrypto/sql/pgp-pubkey-session.sql | 46 +++ 7 files changed, 598 insertions(+), 3 deletions(-)
