Security Patch 2012-05-30

Posted on 2012-05-30 by PostgreSQL Global Development Group

Today the PHP, OpenBSD and FreeBSD communities announced updates to patch a security hole involving their crypt() hashing algorithms. This issue is described in CVE-2012-2143. This vulnerability also affects a minority of PostgreSQL users, and will be fixed in an update release on June 4, 2012.

Affected users are those who use the crypt(text, text) function with DES encryption in the optional pgcrypto module. Passwords affected are those that contain characters that cannot be represented with 7-bit ASCII. If a password contains a character that has the most significant bit set (0x80), and DES encryption is used, that character and all characters after it will be ignored.

Users of high-security applications who cannot wait for the update are recommended to do one of three things:

  • switch from using crypt() with DES to a more current encryption algorithm such as Blowfish.
  • download the patch, patch their own installations in source code form, reinstall pgcrypto, disconnect all sessions and restart them to reload the library or restart the server.
  • add a check to ensure that all passwords hashed with crypt() do not allow the value 0x80.

Note that users who patch their installations, or who apply the update on June 4th, may need to regenerate passwords for some or all of their application users due to the change in the hashing algorithm. Specifically, after the update, passwords containing 0x80 will no longer work.

The PostgreSQL Project regrets the inconvenience to our users. We are grateful to security researchers Robin Xu and Joseph Bonneau for discovering this issue.

For more information on the pgcrypto module, please see the documentation.