postgresql/src
Michael Paquier d93ef41317 Apply timingsafe_bcmp() in authentication paths
This commit applies timingsafe_bcmp() to authentication paths that
handle attributes or data previously compared with memcpy() or strcmp(),
which are sensitive to timing attacks.

The following data is concerned by this change, some being in the
backend and some in the frontend:
- For a SCRAM or MD5 password, the computed key or the MD5 hash compared
with a password during a plain authentication.
- For a SCRAM exchange, the stored key, the client's final nonce and the
server nonce.
- For RADIUS (up to v18), the encrypted password.
- For MD5 authentication, the MD5(MD5()) hash.

Reported-by: Joe Conway <mail@joeconway.com>
Security: CVE-2026-6478
Author: Michael Paquier <michael@paquier.xyz>
Reviewed-by: John Naylor <johncnaylorls@gmail.com>
Backpatch-through: 14
2026-05-11 05:13:47 -07:00
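The point of the change above is the difference between a comparison that returns at the first mismatching byte and one whose running time is independent of the data. The block below is an added illustration written for this page, not PostgreSQL code: it places an early-exit comparison (the memcmp()/strcmp() pattern) beside a constant-time comparison with the same contract as timingsafe_bcmp() (0 when equal, nonzero otherwise, no ordering), and counts how many bytes the early-exit version inspects before giving up. The function names, the 32-byte "stored key" and the guesses are constructed for the example. Two caveats a practitioner should keep in mind: a bcmp-style function cannot replace strcmp() where the caller needs a sort order, and both inputs must already be the same length, because checking the length first reveals the length of the secret.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Early-exit comparison in the style of memcmp()/strcmp(): stops at the
 * first mismatch. Returns the number of bytes it had to examine, which is
 * a stand-in for the time the caller would observe. A guess that shares
 * more leading bytes with the secret takes longer to reject, which is the
 * leak the commit above closes.
 */
size_t early_exit_steps(const unsigned char *a, const unsigned char *b, size_t n)
{
    size_t i;

    for (i = 0; i < n; i++)
        if (a[i] != b[i])
            return i + 1;
    return n;
}

/*
 * Constant-time comparison with the timingsafe_bcmp() contract: 0 if the
 * two buffers are equal, nonzero otherwise, no ordering. Every byte is
 * read on every call and only the OR-accumulated XOR is inspected at the
 * end, so neither the position nor the existence of a mismatch changes the
 * work done. The volatile qualifiers stop the compiler from re-introducing
 * an early exit. This is my own implementation, not the one PostgreSQL
 * ships.
 */
int ct_bcmp(const void *a, const void *b, size_t n)
{
    const volatile unsigned char *pa = (const volatile unsigned char *) a;
    const volatile unsigned char *pb = (const volatile unsigned char *) b;
    volatile unsigned char acc = 0;
    size_t i;

    for (i = 0; i < n; i++)
        acc |= pa[i] ^ pb[i];
    return acc != 0;
}

/*
 * Verifier-side check for a fixed-length secret such as a SCRAM StoredKey
 * or a server nonce: 1 if the presented value matches the stored one.
 * Both sides must already be the same length; for these fixed-size values
 * the length itself is public.
 */
int secret_matches(const unsigned char *stored, const unsigned char *presented, size_t n)
{
    return ct_bcmp(stored, presented, n) == 0;
}

/* Constructed sample "stored key" (32 bytes, arbitrary values). */
const unsigned char STORED[32] = {
    0x9e, 0x1b, 0x47, 0xc2, 0x03, 0x5d, 0x88, 0xf1,
    0x2a, 0x6c, 0xb4, 0x0f, 0x73, 0xd9, 0x15, 0xe7,
    0x3c, 0xa0, 0x52, 0x8b, 0xfe, 0x19, 0x64, 0xd0,
    0x07, 0xbb, 0x2e, 0x91, 0x4f, 0xc8, 0x36, 0x7a
};

/* Returns a copy of STORED with the byte at pos inverted (a wrong guess
 * that agrees with the secret on its first pos bytes). Static buffer. */
unsigned char *guess_with_flip(size_t pos)
{
    static unsigned char guess[32];

    memcpy(guess, STORED, sizeof guess);
    guess[pos] ^= 0xff;
    return guess;
}

int main(void)
{
    size_t pos;

    /* The early-exit comparison's cost grows with the correct prefix;
     * the constant-time one rejects every wrong guess the same way. */
    for (pos = 0; pos < 32; pos += 31) {
        const unsigned char *g = guess_with_flip(pos);
        printf("mismatch at byte %2zu: early-exit examined %2zu bytes, "
               "ct_bcmp = %d, secret_matches = %d\n",
               pos, early_exit_steps(STORED, g, 32),
               ct_bcmp(STORED, g, 32), secret_matches(STORED, g, 32));
    }
    printf("correct key: secret_matches = %d\n",
           secret_matches(STORED, STORED, 32));
    return 0;
}
```

The step counter is only a model of the timing channel; a real measurement would use a high-resolution clock over many trials and fight noise, but the shape is the same: the early-exit cost is a function of the attacker's input, the constant-time cost is not.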
backend Apply timingsafe_bcmp() in authentication paths 2026-05-11 05:13:47 -07:00
bin Translation updates 2026-05-11 13:03:08 +02:00
common Fix assorted places that need to use palloc_array(). 2026-05-11 05:13:47 -07:00
fe_utils Harden astreamer tar parsing logic against archives it can't handle. 2026-04-02 12:20:26 -04:00
include Harden our regex engine against integer overflow in size calculations. 2026-05-11 05:13:47 -07:00
interfaces Apply timingsafe_bcmp() in authentication paths 2026-05-11 05:13:47 -07:00
makefiles pgxs.mk: remove unreachable rule for deleting regress.def. 2025-06-20 12:12:29 -04:00
pl Make plpgsql_trap test more robust and less resource-intensive. 2026-04-21 10:54:39 -04:00
port Suppress "has no symbols" linker warnings on macOS. 2026-04-29 12:25:09 -05:00
template thread-safety: gmtime_r(), localtime_r() 2024-08-23 07:43:04 +02:00
test Fix unbounded recursive handling of SSL/GSS in ProcessStartupPacket() 2026-05-11 05:13:47 -07:00
timezone Update time zone data files to tzdata release 2026b. 2026-04-24 12:28:35 -04:00
tools Consider opfamily and collation when removing redundant GROUP BY columns 2026-05-08 12:47:26 +09:00
tutorial Doc: simplify the tutorial's window-function examples. 2025-01-21 14:43:21 -05:00
.gitignore
DEVELOPERS
Makefile Remove distprep 2023-11-06 15:18:04 +01:00
Makefile.global.in Don't put library-supplied -L/-I switches before user-supplied ones. 2025-07-29 15:17:40 -04:00
Makefile.shlib Use exported symbols list on macOS for loadable modules as well 2025-06-10 07:04:43 +02:00
meson.build Update copyright for 2025 2025-01-01 11:21:55 -05:00
nls-global.mk Fix update-po for the PGXS case 2025-10-16 20:21:05 +02:00