pgcrypto: Fix buffer overflow in pgp_pub_decrypt_bytea() pgp_pub_decrypt_bytea() was missing a safeguard for the session key length read from the message data, that can be given in input of pgp_pub_decrypt_bytea(). This can result in the possibility of a buffer overflow for the session key data, when the length specified is longer than PGP_MAX_KEY, which is the maximum size of the buffer where the session data is copied to.
A script able to rebuild the message and key data that can trigger the overflow is included in this commit, based on some contents provided by the reporter, heavily editted by me. A SQL test is added, based on the data generated by the script. Reported-by: Team Xint Code as part of zeroday.cloud Author: Michael Paquier <[email protected]> Reviewed-by: Noah Misch <[email protected]> Security: CVE-2026-2005 Backpatch-through: 14 Branch ------ REL_16_STABLE Details ------- https://git.postgresql.org/pg/commitdiff/527b730f41b2f2fbcda92cfd1dbbc50c14c9a46f Modified Files -------------- contrib/pgcrypto/Makefile | 3 +- contrib/pgcrypto/expected/pgp-pubkey-session.out | 47 +++ contrib/pgcrypto/meson.build | 1 + contrib/pgcrypto/pgp-pubdec.c | 11 +- contrib/pgcrypto/px.c | 1 + contrib/pgcrypto/px.h | 2 +- contrib/pgcrypto/scripts/pgp_session_data.py | 491 +++++++++++++++++++++++ contrib/pgcrypto/sql/pgp-pubkey-session.sql | 46 +++ 8 files changed, 599 insertions(+), 3 deletions(-)
