Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
Weakness
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Postgresql | Postgresql | 14.0 (including) | 14.21 (excluding) |
| Postgresql | Postgresql | 15.0 (including) | 15.16 (excluding) |
| Postgresql | Postgresql | 16.0 (including) | 16.12 (excluding) |
| Postgresql | Postgresql | 17.0 (including) | 17.8 (excluding) |
| Postgresql | Postgresql | 18.0 (including) | 18.2 (excluding) |
| Red Hat Enterprise Linux 10 | RedHat | postgresql16-0:16.13-1.el10_1 | * |
| Red Hat Enterprise Linux 10.0 Extended Update Support | RedHat | postgresql16-0:16.13-1.el10_0 | * |
| Red Hat Enterprise Linux 8 | RedHat | postgresql:13-8100020260227180702.489197e6 | * |
| Red Hat Enterprise Linux 8 | RedHat | postgresql:15-8100020260227221316.489197e6 | * |
| Red Hat Enterprise Linux 8 | RedHat | postgresql:16-8100020260227221401.489197e6 | * |
| Red Hat Enterprise Linux 8 | RedHat | postgresql:12-8100020260302082007.489197e6 | * |
| Red Hat Enterprise Linux 8.2 Advanced Update Support | RedHat | postgresql:12-8020020260309120440.4cda2c84 | * |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | RedHat | postgresql:13-8040020260305144728.522a0ee4 | * |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | RedHat | postgresql:12-8040020260306101701.522a0ee4 | * |
| Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On | RedHat | postgresql:13-8040020260305144728.522a0ee4 | * |
| Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On | RedHat | postgresql:12-8040020260306101701.522a0ee4 | * |
| Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | RedHat | postgresql:12-8060020260306113941.ad008a3a | * |
| Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | RedHat | postgresql:13-8060020260309111524.ad008a3a | * |
| Red Hat Enterprise Linux 8.6 Telecommunications Update Service | RedHat | postgresql:12-8060020260306113941.ad008a3a | * |
| Red Hat Enterprise Linux 8.6 Telecommunications Update Service | RedHat | postgresql:13-8060020260309111524.ad008a3a | * |
| Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions | RedHat | postgresql:12-8060020260306113941.ad008a3a | * |
| Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions | RedHat | postgresql:13-8060020260309111524.ad008a3a | * |
| Red Hat Enterprise Linux 8.8 Telecommunications Update Service | RedHat | postgresql:13-8080020260302123717.63b34585 | * |
| Red Hat Enterprise Linux 8.8 Telecommunications Update Service | RedHat | postgresql:12-8080020260302123049.63b34585 | * |
| Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions | RedHat | postgresql:13-8080020260302123717.63b34585 | * |
| Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions | RedHat | postgresql:12-8080020260302123049.63b34585 | * |
| Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions | RedHat | postgresql:15-8080020260306092921.63b34585 | * |
| Red Hat Enterprise Linux 9 | RedHat | postgresql-0:13.23-2.el9_7 | * |
| Red Hat Enterprise Linux 9 | RedHat | postgresql:15-9070020260227094950.rhel9 | * |
| Red Hat Enterprise Linux 9 | RedHat | postgresql:16-9070020260227095951.rhel9 | * |
| Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions | RedHat | postgresql-0:13.23-1.el9_0.1 | * |
| Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions | RedHat | postgresql:15-9020020260309133405.rhel9 | * |
| Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions | RedHat | postgresql-0:13.23-1.el9_2.1 | * |
| Red Hat Enterprise Linux 9.4 Extended Update Support | RedHat | postgresql-0:13.23-1.el9_4.1 | * |
| Red Hat Enterprise Linux 9.4 Extended Update Support | RedHat | postgresql:16-9040020260306102041.rhel9 | * |
| Red Hat Enterprise Linux 9.4 Extended Update Support | RedHat | postgresql:15-9040020260305163703.rhel9 | * |
| Red Hat Enterprise Linux 9.6 Extended Update Support | RedHat | postgresql-0:13.23-1.el9_6.1 | * |
| Red Hat Enterprise Linux 9.6 Extended Update Support | RedHat | postgresql:15-9060020260309125703.rhel9 | * |
| Red Hat Enterprise Linux 9.6 Extended Update Support | RedHat | postgresql:16-9060020260305153549.rhel9 | * |
| Postgresql-10 | Ubuntu | upstream | * |
| Postgresql-12 | Ubuntu | upstream | * |
| Postgresql-14 | Ubuntu | jammy | * |
| Postgresql-16 | Ubuntu | noble | * |
| Postgresql-17 | Ubuntu | questing | * |
| Postgresql-18 | Ubuntu | devel | * |
| Postgresql-9.3 | Ubuntu | upstream | * |
| Postgresql-9.5 | Ubuntu | upstream | * |
Potential Mitigations
- Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
- D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
- Run or compile the software using features or extensions that randomly arrange the positions of a program’s executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
- Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as “rebasing” (for Windows) and “prelinking” (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
- For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].