database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-07-27 12:41:57 +03:00
Code Activity

pgcrypto: Detect and report too-short crypt() salts.

Browse Source 
Certain short salts crashed the backend or disclosed a few bytes of
backend memory.  For existing salt-induced error conditions, emit a
message saying as much.  Back-patch to 9.0 (all supported versions).

Josh Kupershmidt

Security: CVE-2015-5288
This commit is contained in:
Noah Misch
2015-10-05 10:06:29 -04:00
parent 3933417141
commit cc1210f0aa
9 changed files with 103 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
contrib/pgcrypto/sql/crypt-xdes.sql
View File

@ -6,6 +6,22 @@ SELECT crypt('', '_J9..j2zz');
SELECT crypt('foox', '_J9..j2zz');
-- check XDES handling of keys longer than 8 chars
SELECT crypt('longlongpassword', '_J9..j2zz');
-- error, salt too short
SELECT crypt('foox', '_J9..BWH');
-- error, count specified in the second argument is 0
SELECT crypt('password', '_........');
-- error, count will wind up still being 0 due to invalid encoding
-- of the count: only chars ``./0-9A-Za-z' are valid
SELECT crypt('password', '_..!!!!!!');
-- count should be non-zero here, will work
SELECT crypt('password', '_/!!!!!!!');
CREATE TABLE ctest (data text, res text, salt text);
INSERT INTO ctest VALUES ('password', '', '');