Add advisories for rust-postgres DoS issues (postgres-protocol, tokio-postgres)

Three denial-of-service issues triggered by a malicious, compromised, or
man-in-the-middle PostgreSQL server, all fixed and released:

- postgres-protocol: unbounded SCRAM PBKDF2 iteration count (CPU exhaustion,
  pins a tokio worker thread), fixed in 0.6.12
- postgres-protocol: panic decoding a malformed hstore value, fixed in 0.6.12
- tokio-postgres: panic on a DataRow with fewer fields than columns, fixed in 0.7.18
This commit is contained in:
Paolo Barbolini
2026-06-12 16:27:10 +00:00
committed by Dirkjan Ochtman
parent 7aa81cbb51
commit e43228936a
3 changed files with 85 additions and 0 deletions

View File

@@ -0,0 +1,25 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "postgres-protocol"
date = "2026-06-12"
url = "https://github.com/rust-postgres/rust-postgres/commit/a7cf84b5c46431cbca9d8ff50508c23f446efa7d"
categories = ["denial-of-service"]
cvss = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
keywords = ["hstore"]
[affected.functions]
"postgres_protocol::types::hstore_from_sql" = ["< 0.6.12"]
[versions]
patched = [">= 0.6.12"]
```
# Panic decoding a malformed `hstore` value allows denial of service
A malicious or compromised server can return a binary `hstore` value with an
invalid internal length field, causing the client to panic while decoding it.
Applications that connect only to a trusted database are not exposed; the risk
applies to clients that may connect to untrusted or user-supplied servers, or
whose connection can be intercepted by a man-in-the-middle.

View File

@@ -0,0 +1,29 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "postgres-protocol"
date = "2026-06-12"
url = "https://github.com/rust-postgres/rust-postgres/commit/d40097a36a85068ea50a3afbf0ce154ba439e7f0"
references = ["https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-98qh-xjc8-98pq"]
categories = ["denial-of-service"]
cvss = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
keywords = ["scram", "pbkdf2"]
[affected.functions]
"postgres_protocol::authentication::sasl::ScramSha256::update" = ["< 0.6.12"]
[versions]
patched = [">= 0.6.12"]
unaffected = ["< 0.3.0"]
```
# Unbounded SCRAM iteration count allows a malicious server to cause CPU-exhaustion denial of service
A malicious, compromised, or man-in-the-middle server can supply an arbitrarily
large SCRAM-SHA-256 PBKDF2 iteration count during authentication. The client
runs it inline with no upper bound, pinning a `tokio` worker thread for minutes
per connection, possibly stalling the whole async runtime.
Applications that connect only to a trusted database are not exposed; the risk
applies to clients that may connect to untrusted or user-supplied servers, or
whose connection can be intercepted by a man-in-the-middle.

View File

@@ -0,0 +1,31 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "tokio-postgres"
date = "2026-06-12"
url = "https://github.com/rust-postgres/rust-postgres/commit/7a00ffa9ad4d951ec0a4564b52f1780fa9d353c1"
categories = ["denial-of-service"]
cvss = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
keywords = ["datarow"]
[affected.functions]
"tokio_postgres::Row::get" = ["< 0.7.18"]
"tokio_postgres::Row::try_get" = ["< 0.7.18"]
"tokio_postgres::SimpleQueryRow::get" = ["< 0.7.18"]
"tokio_postgres::SimpleQueryRow::try_get" = ["< 0.7.18"]
[versions]
patched = [">= 0.7.18"]
unaffected = ["< 0.4.0"]
```
# Panic on a `DataRow` with fewer fields than columns allows denial of service
A malicious or compromised server can send a row containing fewer fields than
its row description declares columns. Reading one of the missing columns then
panics with an out-of-bounds index, aborting the calling task. This affects even
the otherwise non-panicking `try_get`, and both `Row` and `SimpleQueryRow`.
Applications that connect only to a trusted database are not exposed; the risk
applies to clients that may connect to untrusted or user-supplied servers, or
whose connection can be intercepted by a man-in-the-middle.