pgcrypto: Detect and report too-short crypt() salts.

Certain short salts crashed the backend or disclosed a few bytes of backend memory. For existing salt-induced error conditions, emit a message saying as much. Back-patch to 9.0 (all supported versions). Josh Kupershmidt Security: CVE-2015-5288
2025-07-28 23:42:10 +03:00 · 2015-10-05 10:06:29 -04:00
parent 3933417141
commit cc1210f0aa
9 changed files with 103 additions and 6 deletions
--- a/contrib/pgcrypto/sql/crypt-des.sql
+++ b/contrib/pgcrypto/sql/crypt-des.sql
@ -6,6 +6,10 @@ SELECT crypt('', 'NB');

 SELECT crypt('foox', 'NB');

+-- We are supposed to pass in a 2-character salt.
+-- error since salt is too short:
+SELECT crypt('password', 'a');
+
 CREATE TABLE ctest (data text, res text, salt text);
 INSERT INTO ctest VALUES ('password', '', '');