Prevent a double free by not reentering be_tls_close(). Reentering this function with the right timing caused a double free, typically crashing the backend. By synchronizing a disconnection with the authentication timeout, an unauthenticated attacker could achieve this somewhat consistently. Call be_tls_close() solely from within proc_exit_prepare(). Back-patch to 9.0 (all supported versions).
Benkocs Norbert Attila Security: CVE-2015-3165 Branch ------ master Details ------- http://git.postgresql.org/pg/commitdiff/b0ce385032d72d6acf1e330f733013553fe6affe Modified Files -------------- src/backend/libpq/be-secure-openssl.c | 5 ----- src/backend/libpq/pqcomm.c | 23 ++++++++++++++++++----- src/backend/postmaster/postmaster.c | 11 ++++++++++- 3 files changed, 28 insertions(+), 11 deletions(-) -- Sent via pgsql-committers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-committers
