[Pkg-postgresql-public] pgbouncer DoS fix
Christoph Berg
myon at debian.org
Wed May 20 20:51:32 UTC 2015
Hi,
there's a new pgbouncer release out that fixes a DoS. The effective
change is:
--- pgbouncer-1.5.4/NEWS 2012-11-28 14:06:30.000000000 +0100
+++ pgbouncer-1.5.5/NEWS 2015-04-09 16:07:52.000000000 +0200
@@ -1,3 +1,10 @@
+2015-04-09 - PgBouncer 1.5.5 - "Play Dead To Win"
+
+ = Fixes =
+
+ * Fix remote crash - invalid packet order causes lookup of NULL
+ pointer. Not exploitable, just DoS.
+
2012-11-28 - PgBouncer 1.5.4 - "No Leaks, Potty-Training Successful"
= Fixes =
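Review bot: The new NEWS entry under "= Fixes =" describes the trigger only as "invalid packet order" and does not say the crash is reachable before authentication, which is what the client.c check on `!client->auth_user` implies (a PasswordMessage sent before the startup packet). Spelling that out, for example "PasswordMessage sent before the startup packet", would let administrators and packagers judge exposure from the changelog alone.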
diff -Nru pgbouncer-1.5.4/src/client.c pgbouncer-1.5.5/src/client.c
--- pgbouncer-1.5.4/src/client.c 2012-08-16 13:03:34.000000000 +0200
+++ pgbouncer-1.5.5/src/client.c 2015-04-09 16:03:32.000000000 +0200
@@ -262,6 +262,12 @@
}
break;
case 'p': /* PasswordMessage */
+ /* too early */
+ if (!client->auth_user) {
+ disconnect_client(client, true, "client password pkt before startup packet");
+ return false;
+ }
+
/* haven't requested it */
if (cf_auth_type <= AUTH_TRUST) {
disconnect_client(client, true, "unrequested passwd pkt");
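Review bot: The added `if (!client->auth_user)` guard sits only in the `case 'p'` branch, so it closes this one path to the NULL lookup; the other cases of this switch are not visible in the hunk and should be checked for the same assumption that `client->auth_user` is already set, or the check could be hoisted above the switch if every case needs it. The `/* too early */` comment is also terse for a security fix: something like "PasswordMessage before startup packet, auth_user not set yet" would record why the check exists. No test accompanies the change; a regression test that sends a 'p' packet as the first message and expects a clean disconnect would keep this from resurfacing.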
Would this patch applied to the current (old)stable packages be
acceptable for a DSA? The fix for unstable is just being uploaded.
(I'm not aware of a CVE number allocated for this.)
Christoph
--
cb at df7cb.de | http://www.df7cb.de/