CVE-2024-10977

NameCVE-2024-10977
DescriptionClient use of server error message in PostgreSQL allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq application. For example, a man-in-the-middle attacker could send a long error message that a human or screen-scraper user of psql mistakes for valid query results. This is probably not a concern for clients where the user interface unambiguously indicates the boundary between one error message and other text. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3954-1, DSA-5812-1
Debian Bugs1088687

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
postgresql-11 (PTS)buster, buster (lts)11.22-0+deb10u3vulnerable
buster (security)11.22-0+deb10u2vulnerable
postgresql-13 (PTS)bullseye13.16-0+deb11u1vulnerable
bullseye (security)13.18-0+deb11u1fixed
postgresql-15 (PTS)bookworm15.8-0+deb12u1vulnerable
bookworm (security)15.10-0+deb12u1fixed
postgresql-16 (PTS)sid, trixie16.4-3vulnerable
postgresql-17 (PTS)sid, trixie17.2-1fixed
postgresql-9.4 (PTS)jessie, jessie (lts)9.4.26-0+deb8u10vulnerable
postgresql-9.6 (PTS)stretch (security)9.6.24-0+deb9u1vulnerable
stretch (lts), stretch9.6.24-0+deb9u7vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
postgresql-11source(unstable)(unfixed)
postgresql-13sourcebullseye13.17-0+deb11u1DLA-3954-1
postgresql-13source(unstable)(unfixed)
postgresql-15sourcebookworm15.9-0+deb12u1DSA-5812-1
postgresql-15source(unstable)(unfixed)
postgresql-16source(unstable)(unfixed)1088687
postgresql-17source(unstable)17.1-1
postgresql-9.4source(unstable)(unfixed)
postgresql-9.6source(unstable)(unfixed)

Notes

https://www.postgresql.org/support/security/CVE-2024-10977/
Fixed by: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=a5cc4c66719be2ae1eebe92ad97727dc905bbc6d (v17.2)
Fixed by: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=67d28bd02ec06f5056754bc295f57d2dd2bbd749 (v16.6)
Fixed by: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=d2c3e31c13a6820980c2c6019f0b8f9f0b63ae6e (v15.10)
Fixed by: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=e6c9454764d880ee30735aa8c1e05d3674722ff9 (v14.15)
Fixed by: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=7b49707b72612ef068ce9275b9b6da104f1960f3 (v13.18)
Fixed by: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=2a951ef0aace58026c31b9a88aeeda19c9af4205 (v12.21)

Search for package or bug name: Reporting problems