PostgreSQL
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*
- < 18.4
- < 17.10
- < 16.14
- < 15.18
- < 14.23
A stack buffer overflow vulnerability has been identified in PostgreSQL's libpq library, specifically within the lo_export, lo_read, lo_lseek64, and lo_tell64 functions. This vulnerability allows a server superuser to overwrite a client's stack memory by sending an arbitrarily large response. The issue arises because the PQfn function, when called with result_is_int set to 0, transfers variable-length data determined by the server into a buffer of undefined size. Both the lo_export command in psql and pg_dump utilize lo_read(), creating a vector for superusers to manipulate the stack memory of these tools. Affected versions include those prior to PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23.
Exploitation of this vulnerability allows for a stack buffer overflow, where a server superuser can overwrite the stack memory of a client application, such as psql or pg_dump.
Users can upgrade to PostgreSQL versions 18.4, 17.10, 16.14, 15.18, or 14.23 to address this vulnerability.
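The description attributes the overflow to server-determined, variable-length data being copied into a buffer whose size the copy does not know. As an added example (not libpq source and not code from this advisory), the simplified parser below reads a frontend/backend protocol FunctionCallResponse message and compares the server-declared result length with the caller's buffer capacity before copying anything. The function name, return codes and sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return codes for this sketch (hypothetical names, not libpq's). */
enum { FCR_OK = 0, FCR_NULL_RESULT = 1, FCR_MALFORMED = -1, FCR_TOO_LARGE = -2 };

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Parse one FunctionCallResponse: 'V', Int32 message length (counts itself,
 * not the type byte), Int32 result length (-1 = NULL), then the result bytes.
 * The server picks the result length, so it is validated against the frame
 * and against out_cap before any byte is written to the caller's buffer.
 */
int fcr_copy_result(const unsigned char *msg, size_t msg_len,
                    unsigned char *out, size_t out_cap, size_t *out_len)
{
    uint32_t body_len, res_len;

    *out_len = 0;
    if (msg_len < 9 || msg[0] != 'V')
        return FCR_MALFORMED;
    body_len = be32(msg + 1);
    if (body_len < 8 || (size_t)body_len != msg_len - 1)
        return FCR_MALFORMED;
    res_len = be32(msg + 5);
    if (res_len == 0xFFFFFFFFu)           /* -1 on the wire: NULL result */
        return body_len == 8 ? FCR_NULL_RESULT : FCR_MALFORMED;
    if (res_len != body_len - 8)          /* declared length must match frame */
        return FCR_MALFORMED;
    if (res_len > out_cap)                /* server length vs. caller capacity */
        return FCR_TOO_LARGE;
    memcpy(out, msg + 9, res_len);
    *out_len = res_len;
    return FCR_OK;
}

int main(void)
{
    /* Constructed sample: frame declares a 64-byte result for an 8-byte buffer. */
    unsigned char msg[73] = {'V', 0, 0, 0, 72, 0, 0, 0, 64}, out[8];
    size_t n;
    printf("rc=%d copied=%zu\n", fcr_copy_result(msg, sizeof msg, out, sizeof out, &n), n);
    return 0;
}
```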