mirror of
https://git.postgresql.org/git/postgresql.git
synced 2024-09-08 17:49:20 +02:00
36bb95ef2b
libpq collects up to a bufferload of data whenever it reads data from the socket. When SSL or GSS encryption is requested during startup, any additional data received with the server's yes-or-no reply remained in the buffer, and would be treated as already-decrypted data once the encryption handshake completed. Thus, a man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable to CVE-2021-23214. To fix, throw a protocol-violation error if the internal buffer is not empty after the encryption handshake. Our thanks to Jacob Champion for reporting this problem. Security: CVE-2021-23222 |
||
---|---|---|
.. | ||
backend | ||
bin | ||
common | ||
fe_utils | ||
include | ||
interfaces | ||
makefiles | ||
pl | ||
port | ||
template | ||
test | ||
timezone | ||
tools | ||
tutorial | ||
.gitignore | ||
DEVELOPERS | ||
Makefile | ||
Makefile.global.in | ||
Makefile.shlib | ||
nls-global.mk |