mirror of
https://github.com/rustsec/advisory-db.git
synced 2026-07-16 00:12:29 -04:00
Add advisories for rust-postgres DoS issues (postgres-protocol, tokio-postgres)
Three denial-of-service issues triggered by a malicious, compromised, or man-in-the-middle PostgreSQL server, all fixed and released: - postgres-protocol: unbounded SCRAM PBKDF2 iteration count (CPU exhaustion, pins a tokio worker thread), fixed in 0.6.12 - postgres-protocol: panic decoding a malformed hstore value, fixed in 0.6.12 - tokio-postgres: panic on a DataRow with fewer fields than columns, fixed in 0.7.18
This commit is contained in:
committed by
Dirkjan Ochtman
parent
7aa81cbb51
commit
e43228936a
25
crates/postgres-protocol/RUSTSEC-0000-0000.1.md
Normal file
25
crates/postgres-protocol/RUSTSEC-0000-0000.1.md
Normal file
@@ -0,0 +1,25 @@
|
||||
```toml
|
||||
[advisory]
|
||||
id = "RUSTSEC-0000-0000"
|
||||
package = "postgres-protocol"
|
||||
date = "2026-06-12"
|
||||
url = "https://github.com/rust-postgres/rust-postgres/commit/a7cf84b5c46431cbca9d8ff50508c23f446efa7d"
|
||||
categories = ["denial-of-service"]
|
||||
cvss = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
|
||||
keywords = ["hstore"]
|
||||
|
||||
[affected.functions]
|
||||
"postgres_protocol::types::hstore_from_sql" = ["< 0.6.12"]
|
||||
|
||||
[versions]
|
||||
patched = [">= 0.6.12"]
|
||||
```
|
||||
|
||||
# Panic decoding a malformed `hstore` value allows denial of service
|
||||
|
||||
A malicious or compromised server can return a binary `hstore` value with an
|
||||
invalid internal length field, causing the client to panic while decoding it.
|
||||
|
||||
Applications that connect only to a trusted database are not exposed; the risk
|
||||
applies to clients that may connect to untrusted or user-supplied servers, or
|
||||
whose connection can be intercepted by a man-in-the-middle.
|
||||
29
crates/postgres-protocol/RUSTSEC-0000-0000.md
Normal file
29
crates/postgres-protocol/RUSTSEC-0000-0000.md
Normal file
@@ -0,0 +1,29 @@
|
||||
```toml
|
||||
[advisory]
|
||||
id = "RUSTSEC-0000-0000"
|
||||
package = "postgres-protocol"
|
||||
date = "2026-06-12"
|
||||
url = "https://github.com/rust-postgres/rust-postgres/commit/d40097a36a85068ea50a3afbf0ce154ba439e7f0"
|
||||
references = ["https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-98qh-xjc8-98pq"]
|
||||
categories = ["denial-of-service"]
|
||||
cvss = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
|
||||
keywords = ["scram", "pbkdf2"]
|
||||
|
||||
[affected.functions]
|
||||
"postgres_protocol::authentication::sasl::ScramSha256::update" = ["< 0.6.12"]
|
||||
|
||||
[versions]
|
||||
patched = [">= 0.6.12"]
|
||||
unaffected = ["< 0.3.0"]
|
||||
```
|
||||
|
||||
# Unbounded SCRAM iteration count allows a malicious server to cause CPU-exhaustion denial of service
|
||||
|
||||
A malicious, compromised, or man-in-the-middle server can supply an arbitrarily
|
||||
large SCRAM-SHA-256 PBKDF2 iteration count during authentication. The client
|
||||
runs it inline with no upper bound, pinning a `tokio` worker thread for minutes
|
||||
per connection, possibly stalling the whole async runtime.
|
||||
|
||||
Applications that connect only to a trusted database are not exposed; the risk
|
||||
applies to clients that may connect to untrusted or user-supplied servers, or
|
||||
whose connection can be intercepted by a man-in-the-middle.
|
||||
31
crates/tokio-postgres/RUSTSEC-0000-0000.md
Normal file
31
crates/tokio-postgres/RUSTSEC-0000-0000.md
Normal file
@@ -0,0 +1,31 @@
|
||||
```toml
|
||||
[advisory]
|
||||
id = "RUSTSEC-0000-0000"
|
||||
package = "tokio-postgres"
|
||||
date = "2026-06-12"
|
||||
url = "https://github.com/rust-postgres/rust-postgres/commit/7a00ffa9ad4d951ec0a4564b52f1780fa9d353c1"
|
||||
categories = ["denial-of-service"]
|
||||
cvss = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
|
||||
keywords = ["datarow"]
|
||||
|
||||
[affected.functions]
|
||||
"tokio_postgres::Row::get" = ["< 0.7.18"]
|
||||
"tokio_postgres::Row::try_get" = ["< 0.7.18"]
|
||||
"tokio_postgres::SimpleQueryRow::get" = ["< 0.7.18"]
|
||||
"tokio_postgres::SimpleQueryRow::try_get" = ["< 0.7.18"]
|
||||
|
||||
[versions]
|
||||
patched = [">= 0.7.18"]
|
||||
unaffected = ["< 0.4.0"]
|
||||
```
|
||||
|
||||
# Panic on a `DataRow` with fewer fields than columns allows denial of service
|
||||
|
||||
A malicious or compromised server can send a row containing fewer fields than
|
||||
its row description declares columns. Reading one of the missing columns then
|
||||
panics with an out-of-bounds index, aborting the calling task. This affects even
|
||||
the otherwise non-panicking `try_get`, and both `Row` and `SimpleQueryRow`.
|
||||
|
||||
Applications that connect only to a trusted database are not exposed; the risk
|
||||
applies to clients that may connect to untrusted or user-supplied servers, or
|
||||
whose connection can be intercepted by a man-in-the-middle.
|
||||
Reference in New Issue
Block a user