pgcrypto: Fix buffer overflow in pgp_pub_decrypt_bytea() pgp_pub_decrypt_bytea() was missing a safeguard for the session key length read from the message data, that can be given in input of pgp_pub_decrypt_bytea(). This can result in the possibility of a buffer overflow for the session key data, when the length specified is longer than PGP_MAX_KEY, which is the maximum size of the buffer where the session data is copied to.
A script able to rebuild the message and key data that can trigger the overflow is included in this commit, based on some contents provided by the reporter, heavily editted by me. A SQL test is added, based on the data generated by the script. Reported-by: Team Xint Code as part of zeroday.cloud Author: Michael Paquier <[email protected]> Reviewed-by: Noah Misch <[email protected]> Security: CVE-2026-2005 Backpatch-through: 14 Branch ------ REL_17_STABLE Details ------- https://git.postgresql.org/pg/commitdiff/7a7d9693c72e680af86298f01d850f95fef0988e Modified Files -------------- contrib/pgcrypto/Makefile | 2 +- contrib/pgcrypto/expected/pgp-pubkey-session.out | 47 +++ contrib/pgcrypto/meson.build | 1 + contrib/pgcrypto/pgp-pubdec.c | 11 +- contrib/pgcrypto/px.c | 1 + contrib/pgcrypto/px.h | 2 +- contrib/pgcrypto/scripts/pgp_session_data.py | 491 +++++++++++++++++++++++ contrib/pgcrypto/sql/pgp-pubkey-session.sql | 46 +++ 8 files changed, 598 insertions(+), 3 deletions(-)
