pgcrypto: Detect and report too-short crypt() salts.
Noah Misch <noah@leadboat.com>
pgcrypto: Detect and report too-short crypt() salts. Certain short salts crashed the backend or disclosed a few bytes of backend memory. For existing salt-induced error conditions, emit a message saying as much. Back-patch to 9.0 (all supported versions). Josh Kupershmidt Security: CVE-2015-5288
Files
| Path | Change | +/− |
|---|---|---|
| contrib/pgcrypto/crypt-blowfish.c | modified | +17 −2 |
| contrib/pgcrypto/crypt-des.c | modified | +19 −3 |
| contrib/pgcrypto/expected/crypt-blowfish.out | modified | +9 −0 |
| contrib/pgcrypto/expected/crypt-des.out | modified | +4 −0 |
| contrib/pgcrypto/expected/crypt-xdes.out | modified | +24 −0 |
| contrib/pgcrypto/px-crypt.c | modified | +1 −1 |
| contrib/pgcrypto/sql/crypt-blowfish.sql | modified | +9 −0 |
| contrib/pgcrypto/sql/crypt-des.sql | modified | +4 −0 |
| contrib/pgcrypto/sql/crypt-xdes.sql | modified | +16 −0 |