Jackc Pgproto3 Data Row Message Input Validation Vulnerability Leading to Denial-of-Service
Vulnerability
A denial-of-service vulnerability has been identified in the Jackc Pgproto3 library, specifically in version 2.3.3 of the v2 module (the PostgreSQL wire-protocol layer that pgx v4 also builds on). It arises from insufficient validation of field lengths in the DataRow message of the PostgreSQL wire protocol. Each column value in a DataRow is prefixed by a signed 32-bit length, where -1 is the defined sentinel for SQL NULL; the library treated -1 as NULL but did not reject other negative values, nor lengths exceeding the bytes remaining in the message, before using them to slice the message buffer. A malicious or compromised PostgreSQL server can therefore send a DataRow message with a field length such as -2, triggering a slice bounds out-of-range panic in the goroutine reading the connection. Because the panic is not recovered inside the library, any Go application using it to connect to a PostgreSQL server is crashed, terminating the whole process rather than just the connection.
Impact
Exploitation of this vulnerability leads to an immediate and unrecoverable crash of the affected application process. The trigger comes from the server side of the connection, so the attacker position is a malicious or compromised PostgreSQL server, a compromised connection pooler or proxy, or an on-path attacker able to modify traffic on a connection that is not protected by TLS with certificate verification. No authentication to the client application is required, and the crash can be repeated each time the client reconnects and runs a query that returns rows.
Reproduction
To reproduce this vulnerability, connect to a PostgreSQL server that has been compromised or is malicious. Once connected, execute a query that returns rows. The server responds with a crafted DataRow message whose field length is negative but not the NULL sentinel -1 (or larger than the bytes remaining in the message); the library does not reject such a length and the application panics with a slice bounds error while decoding the row. The same result can be obtained by intercepting and modifying the TCP traffic between a client and a PostgreSQL server to inject a malformed DataRow message, which requires a connection that is not protected by TLS with certificate verification.
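The following Go program is an added illustration and is not code from the pgproto3 project. It decodes the DataRow body layout described above (an int16 field count, then for each field an int32 length followed by that many bytes, with -1 meaning NULL) in two hypothetical ways: `decodeDataRowUnchecked` trusts the server's length the way the advisory describes and panics on a constructed message with a field length of -2, while `decodeDataRow` checks every length against the bytes actually remaining and returns an error instead. The `field` type, `encodeDataRowBody` and `panics` helpers are assumptions used only to build and observe the test messages.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// DataRow body layout (after the 'D' type byte and the int32 message length):
//   int16  number of fields
//   per field: int32 length, then that many bytes; -1 means NULL.
// Any other negative length is malformed and must be rejected.

var errMalformed = errors.New("pgwire: malformed DataRow")

// field is a constructed fixture (assumption, not a library type): the wire
// length is written exactly as given so a bogus value like -2 can be emitted.
type field struct {
	length int32
	data   []byte
}

// encodeDataRowBody builds a DataRow body from the fixtures above.
func encodeDataRowBody(fields []field) []byte {
	buf := make([]byte, 2)
	binary.BigEndian.PutUint16(buf, uint16(len(fields)))
	var tmp [4]byte
	for _, f := range fields {
		binary.BigEndian.PutUint32(tmp[:], uint32(f.length))
		buf = append(buf, tmp[:]...)
		buf = append(buf, f.data...)
	}
	return buf
}

// decodeDataRowUnchecked is a hypothetical decoder with the flaw described in
// the advisory: only -1 is special-cased, so a length of -2 (or one larger
// than the remaining bytes) reaches the slice expression and Go panics.
func decodeDataRowUnchecked(body []byte) [][]byte {
	n := int(int16(binary.BigEndian.Uint16(body[0:2])))
	rp := 2
	fields := make([][]byte, 0, n)
	for i := 0; i < n; i++ {
		size := int(int32(binary.BigEndian.Uint32(body[rp : rp+4])))
		rp += 4
		if size == -1 {
			fields = append(fields, nil)
			continue
		}
		fields = append(fields, body[rp:rp+size]) // slice bounds out of range
		rp += size
	}
	return fields
}

// decodeDataRow is the hardened form: every length is validated against what
// is left in the buffer before it is used to slice, and a malformed message
// becomes an error the caller can turn into a closed connection.
func decodeDataRow(body []byte) ([][]byte, error) {
	if len(body) < 2 {
		return nil, errMalformed
	}
	n := int(int16(binary.BigEndian.Uint16(body[0:2])))
	if n < 0 {
		return nil, fmt.Errorf("%w: negative field count %d", errMalformed, n)
	}
	rp := 2
	fields := make([][]byte, 0, n)
	for i := 0; i < n; i++ {
		if len(body)-rp < 4 {
			return nil, fmt.Errorf("%w: truncated length for field %d", errMalformed, i)
		}
		size := int(int32(binary.BigEndian.Uint32(body[rp : rp+4])))
		rp += 4
		if size == -1 { // SQL NULL
			fields = append(fields, nil)
			continue
		}
		if size < 0 || size > len(body)-rp {
			return nil, fmt.Errorf("%w: field %d length %d out of range", errMalformed, i, size)
		}
		fields = append(fields, body[rp:rp+size])
		rp += size
	}
	if rp != len(body) {
		return nil, fmt.Errorf("%w: %d trailing bytes", errMalformed, len(body)-rp)
	}
	return fields, nil
}

// panics reports whether f panics, so the crash can be shown without
// taking the demo process down.
func panics(f func()) (p bool) {
	defer func() {
		if recover() != nil {
			p = true
		}
	}()
	f()
	return false
}

func main() {
	good := encodeDataRowBody([]field{{5, []byte("hello")}, {-1, nil}})
	bad := encodeDataRowBody([]field{{-2, nil}}) // constructed malicious row
	fmt.Println("unchecked, well-formed row panics:", panics(func() { decodeDataRowUnchecked(good) }))
	fmt.Println("unchecked, length -2 row panics:  ", panics(func() { decodeDataRowUnchecked(bad) }))
	_, err := decodeDataRow(bad)
	fmt.Println("checked, length -2 row error:     ", err)
}
```

The check that matters is the combined `size < 0 || size > len(body)-rp` test after the -1 case: it closes both the negative-length panic and the oversize-length panic with one comparison, and it runs before any slice expression touches the buffer. In a real client the returned error should close the connection, since a server that sends a malformed DataRow cannot be trusted to send well-formed messages afterwards.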
Remediation
Users are advised to update to Jackc Pgproto3 version 2.3.4 or later, where this vulnerability has been fixed, and to rebuild any application that pulls the library in indirectly (for example through pgx v4) so that the patched module is actually linked. Until the upgrade is deployed, connect only to trusted servers over TLS with certificate verification to remove the on-path injection vector; this does not protect against a compromised server. Where the patched version is not yet available in your dependency channel, monitor the Jackc Pgproto3 repository for its release.
