pgcrypto: Fix buffer overflow in pgp_pub_decrypt_bytea() pgp_pub_decrypt_bytea() was missing a safeguard for the session key length read from the message data, that can be given in input of pgp_pub_decrypt_bytea(). This can result in the possibility of a buffer overflow for the session key data, when the length specified is longer than PGP_MAX_KEY, which is the maximum size of the buffer where the session data is copied to.
A script able to rebuild the message and key data that can trigger the overflow is included in this commit, based on some contents provided by the reporter, heavily editted by me. A SQL test is added, based on the data generated by the script. Reported-by: Team Xint Code as part of zeroday.cloud Author: Michael Paquier <[email protected]> Reviewed-by: Noah Misch <[email protected]> Security: CVE-2026-2005 Backpatch-through: 14 Branch ------ master Details ------- https://git.postgresql.org/pg/commitdiff/379695d3cc70d040b547d912ce4842090d917ece Modified Files -------------- contrib/pgcrypto/Makefile | 3 +- contrib/pgcrypto/expected/pgp-pubkey-session.out | 47 +++ contrib/pgcrypto/meson.build | 1 + contrib/pgcrypto/pgp-pubdec.c | 11 +- contrib/pgcrypto/px.c | 1 + contrib/pgcrypto/px.h | 2 +- contrib/pgcrypto/scripts/pgp_session_data.py | 491 +++++++++++++++++++++++ contrib/pgcrypto/sql/pgp-pubkey-session.sql | 46 +++ 8 files changed, 599 insertions(+), 3 deletions(-)
