Prevent a double free by not reentering be_tls_close(). Reentering this function with the right timing caused a double free, typically crashing the backend. By synchronizing a disconnection with the authentication timeout, an unauthenticated attacker could achieve this somewhat consistently. Call be_tls_close() solely from within proc_exit_prepare(). Back-patch to 9.0 (all supported versions).
Benkocs Norbert Attila Security: CVE-2015-3165 Branch ------ REL9_0_STABLE Details ------- http://git.postgresql.org/pg/commitdiff/648e41a6e480dae85a5aa0c90e36487c7f09a229 Modified Files -------------- src/backend/libpq/be-secure.c | 5 ----- src/backend/libpq/pqcomm.c | 23 ++++++++++++++++++----- src/backend/postmaster/postmaster.c | 11 ++++++++++- 3 files changed, 28 insertions(+), 11 deletions(-) -- Sent via pgsql-committers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-committers
