Backport: Properly NULL-terminate GSS receive buffer on error packet reception#1498
Merged
reshke merged 4 commits intoapache:mainfrom Dec 23, 2025
Merged
Backport: Properly NULL-terminate GSS receive buffer on error packet reception#1498reshke merged 4 commits intoapache:mainfrom
reshke merged 4 commits intoapache:mainfrom
Conversation
pqsecure_open_gss() includes a code path handling error messages with v2-style protocol messages coming from the server. The client-side buffer holding the error message does not force a NULL-termination, with the data of the server getting copied to the errorMessage of the connection. Hence, it would be possible for a server to send an unterminated string and copy arbitrary bytes in the buffer receiving the error message in the client, opening the door to a crash or even data exposure. As at this stage of the authentication process the exchange has not been completed yet, this could be abused by an attacker without Kerberos credentials. Clients that have a valid kerberos cache are vulnerable as libpq opportunistically requests for it except if gssencmode is disabled. Author: Jacob Champion Backpatch-through: 12 Security: CVE-2022-41862
reshke
changed the title
my-ship-it
approved these changes
Dec 22, 2025
x4m
approved these changes
Dec 23, 2025
reshke
added
the
type: Security
reshke
added a commit
to open-gpdb/cloudberry
that referenced
this pull request
Dec 24, 2025
…reception (apache#1498) This pr fixes https://www.postgresql.org/support/security/CVE-2022-41862/ in cloudberry https://git.postgresql.org/cgit/postgresql.git/commit/?id=71c37797d7bd78266146a5829ab62b3687c47295 Original commit message: === pqsecure_open_gss() includes a code path handling error messages with v2-style protocol messages coming from the server. The client-side buffer holding the error message does not force a NULL-termination, with the data of the server getting copied to the errorMessage of the connection. Hence, it would be possible for a server to send an unterminated string and copy arbitrary bytes in the buffer receiving the error message in the client, opening the door to a crash or even data exposure. As at this stage of the authentication process the exchange has not been completed yet, this could be abused by an attacker without Kerberos credentials. Clients that have a valid kerberos cache are vulnerable as libpq opportunistically requests for it except if gssencmode is disabled. Author: Jacob Champion Backpatch-through: 12 Security: CVE-2022-41862
hw118118
pushed a commit
to hw118118/cloudberrydb
that referenced
this pull request
Jan 27, 2026
…reception (apache#1498) This pr fixes https://www.postgresql.org/support/security/CVE-2022-41862/ in cloudberry https://git.postgresql.org/cgit/postgresql.git/commit/?id=71c37797d7bd78266146a5829ab62b3687c47295 Original commit message: === pqsecure_open_gss() includes a code path handling error messages with v2-style protocol messages coming from the server. The client-side buffer holding the error message does not force a NULL-termination, with the data of the server getting copied to the errorMessage of the connection. Hence, it would be possible for a server to send an unterminated string and copy arbitrary bytes in the buffer receiving the error message in the client, opening the door to a crash or even data exposure. As at this stage of the authentication process the exchange has not been completed yet, this could be abused by an attacker without Kerberos credentials. Clients that have a valid kerberos cache are vulnerable as libpq opportunistically requests for it except if gssencmode is disabled. Author: Jacob Champion Backpatch-through: 12 Security: CVE-2022-41862
hw118118
pushed a commit
to hw118118/cloudberrydb
that referenced
this pull request
Jan 27, 2026
…reception (apache#1498) This pr fixes https://www.postgresql.org/support/security/CVE-2022-41862/ in cloudberry https://git.postgresql.org/cgit/postgresql.git/commit/?id=71c37797d7bd78266146a5829ab62b3687c47295 Original commit message: === pqsecure_open_gss() includes a code path handling error messages with v2-style protocol messages coming from the server. The client-side buffer holding the error message does not force a NULL-termination, with the data of the server getting copied to the errorMessage of the connection. Hence, it would be possible for a server to send an unterminated string and copy arbitrary bytes in the buffer receiving the error message in the client, opening the door to a crash or even data exposure. As at this stage of the authentication process the exchange has not been completed yet, this could be abused by an attacker without Kerberos credentials. Clients that have a valid kerberos cache are vulnerable as libpq opportunistically requests for it except if gssencmode is disabled. Author: Jacob Champion Backpatch-through: 12 Security: CVE-2022-41862
hw118118
pushed a commit
to hw118118/cloudberrydb
that referenced
this pull request
Jan 28, 2026
…reception (apache#1498) This pr fixes https://www.postgresql.org/support/security/CVE-2022-41862/ in cloudberry https://git.postgresql.org/cgit/postgresql.git/commit/?id=71c37797d7bd78266146a5829ab62b3687c47295 Original commit message: === pqsecure_open_gss() includes a code path handling error messages with v2-style protocol messages coming from the server. The client-side buffer holding the error message does not force a NULL-termination, with the data of the server getting copied to the errorMessage of the connection. Hence, it would be possible for a server to send an unterminated string and copy arbitrary bytes in the buffer receiving the error message in the client, opening the door to a crash or even data exposure. As at this stage of the authentication process the exchange has not been completed yet, this could be abused by an attacker without Kerberos credentials. Clients that have a valid kerberos cache are vulnerable as libpq opportunistically requests for it except if gssencmode is disabled. Author: Jacob Champion Backpatch-through: 12 Security: CVE-2022-41862
oppenheimer01
pushed a commit
to oppenheimer01/cloudberrydb
that referenced
this pull request
Apr 12, 2026
…reception (apache#1498) This pr fixes https://www.postgresql.org/support/security/CVE-2022-41862/ in cloudberry https://git.postgresql.org/cgit/postgresql.git/commit/?id=71c37797d7bd78266146a5829ab62b3687c47295 Original commit message: === pqsecure_open_gss() includes a code path handling error messages with v2-style protocol messages coming from the server. The client-side buffer holding the error message does not force a NULL-termination, with the data of the server getting copied to the errorMessage of the connection. Hence, it would be possible for a server to send an unterminated string and copy arbitrary bytes in the buffer receiving the error message in the client, opening the door to a crash or even data exposure. As at this stage of the authentication process the exchange has not been completed yet, this could be abused by an attacker without Kerberos credentials. Clients that have a valid kerberos cache are vulnerable as libpq opportunistically requests for it except if gssencmode is disabled. Author: Jacob Champion Backpatch-through: 12 Security: CVE-2022-41862
oppenheimer01
pushed a commit
to oppenheimer01/cloudberrydb
that referenced
this pull request
Apr 21, 2026
…reception (apache#1498) This pr fixes https://www.postgresql.org/support/security/CVE-2022-41862/ in cloudberry https://git.postgresql.org/cgit/postgresql.git/commit/?id=71c37797d7bd78266146a5829ab62b3687c47295 Original commit message: === pqsecure_open_gss() includes a code path handling error messages with v2-style protocol messages coming from the server. The client-side buffer holding the error message does not force a NULL-termination, with the data of the server getting copied to the errorMessage of the connection. Hence, it would be possible for a server to send an unterminated string and copy arbitrary bytes in the buffer receiving the error message in the client, opening the door to a crash or even data exposure. As at this stage of the authentication process the exchange has not been completed yet, this could be abused by an attacker without Kerberos credentials. Clients that have a valid kerberos cache are vulnerable as libpq opportunistically requests for it except if gssencmode is disabled. Author: Jacob Champion Backpatch-through: 12 Security: CVE-2022-41862
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pr fixes https://www.postgresql.org/support/security/CVE-2022-41862/ in cloudberry
https://git.postgresql.org/cgit/postgresql.git/commit/?id=71c37797d7bd78266146a5829ab62b3687c47295
Original commit message:
===
pqsecure_open_gss() includes a code path handling error messages with v2-style protocol messages coming from the server. The client-side buffer holding the error message does not force a NULL-termination, with the data of the server getting copied to the errorMessage of the connection. Hence, it would be possible for a server to send an unterminated string and copy arbitrary bytes in the buffer receiving the error message in the client, opening the door to a crash or even data exposure.
As at this stage of the authentication process the exchange has not been completed yet, this could be abused by an attacker without Kerberos credentials. Clients that have a valid kerberos cache are vulnerable as libpq opportunistically requests for it except if gssencmode is disabled.
Author: Jacob Champion
Backpatch-through: 12
Security: CVE-2022-41862