Crypt change in 9.4.5

Started by Andomar, about 10 years ago, 2 messages, pgsql-general
#1Andomar
andomar@aule.net

Hi,

After upgrading to PostgreSQL 9.4.6, our test system gave error messages
like:

ERROR: invalid salt

The cause of these errors is statements like:

WHERE password = crypt('secret', 'secret')

After reverting to Postgres 9.4.4 the test system worked properly again.

This might be related to a security fix in 9.4.5:

---
Fix contrib/pgcrypto to detect and report too-short crypt() salts (Josh
Kupershmidt)
Certain invalid salt arguments crashed the server or disclosed a few bytes
of server memory. We have not ruled out the viability of attacks that
arrange for presence of confidential information in the disclosed bytes, but
they seem unlikely. (CVE-2015-5288)
---

The "crypt" call is hardcoded in legacy code that hasn't been recompiled in
years. Are there ways to keep the old code running against a newer Postgres
version?

Kind regards,
Andomar

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

#2Jan de Visser
jan@de-visser.net
In reply to: Andomar (#1)
Re: Crypt change in 9.4.5

On Friday, March 18, 2016 1:18:01 PM EDT andomar@aule.net wrote:

> Hi,
>
> After upgrading to PostgreSQL 9.4.6, our test system gave error messages
> like:
>
> ERROR: invalid salt
>
> The cause of these errors is statements like:
>
> WHERE password = crypt('secret', 'secret')
>
> After reverting to Postgres 9.4.4 the test system worked properly again.
>
> This might be related to a security fix in 9.4.5:
>
> ---
> Fix contrib/pgcrypto to detect and report too-short crypt() salts (Josh
> Kupershmidt)
> Certain invalid salt arguments crashed the server or disclosed a few bytes
> of server memory. We have not ruled out the viability of attacks that
> arrange for presence of confidential information in the disclosed bytes, but
> they seem unlikely. (CVE-2015-5288)
> ---
>
> The "crypt" call is hardcoded in legacy code that hasn't been recompiled in
> years. Are there ways to keep the old code running against a newer Postgres
> version?

You could get the source of 9.4.6 from git, back out the commit for that fix,
and compile.

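The following is an added example, not code from either message in the thread. It exercises pgcrypto's crypt() the way the extension's documentation describes it: gen_salt() produces the salt when a hash is stored, and the stored hash itself is passed back as the salt argument when a password is checked, so the salt crypt() sees is always a well-formed one that a server with the 9.4.5 check accepts. It assumes the pgcrypto extension is installed and that a superuser or extension-capable role runs it; the table name, user names and passwords are made up for the demonstration. The last block runs the literal-salt statement from the first message inside a DO block so a script can observe the outcome rather than abort on it.

```sql
-- Added example (not from the thread). Assumes pgcrypto is installed;
-- demo_users, alice and bob are constructed for the demonstration.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TEMP TABLE demo_users (
    username text PRIMARY KEY,
    pwhash   text NOT NULL   -- full crypt() output; algorithm and salt are embedded in it
);

-- Storing: let pgcrypto generate a correctly formatted salt.
-- 'bf' is bcrypt (cost 10 here); 'des' is the traditional scheme with a
-- two-character salt, the one a bare salt string such as 'secret' selects.
INSERT INTO demo_users VALUES
    ('alice', crypt('secret', gen_salt('bf', 10))),
    ('bob',   crypt('secret', gen_salt('des')));

-- Verifying: pass the stored hash back as the salt. crypt() reads the
-- algorithm and salt out of it, so the same statement serves both rows
-- and never hands crypt() a too-short salt.
SELECT username
FROM demo_users
WHERE pwhash = crypt('secret', pwhash);

SELECT count(*) AS wrong_password_matches
FROM demo_users
WHERE pwhash = crypt('wrong', pwhash);

-- The statement from the first message, wrapped so the script keeps
-- running whichever way the server decides.
DO $$
BEGIN
    PERFORM crypt('secret', 'secret');
    RAISE NOTICE 'crypt() accepted the literal salt';
EXCEPTION WHEN OTHERS THEN
    RAISE NOTICE 'crypt() rejected the literal salt: % (SQLSTATE %)', SQLERRM, SQLSTATE;
END $$;
```

Run it with psql against the upgraded server: the first SELECT returns both users, the second returns zero, and the DO block reports in a NOTICE whether that server still accepts the bare 'secret' salt or raises the "invalid salt" error the first message describes. Existing hashes that the legacy code produced can be checked the same way, by passing the stored value as the second argument, without recompiling anything.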