A modified, unauthenticated server can send an unterminated string during the
establishment of Kerberos transport encryption. When a libpq client
application has a Kerberos credential cache and doesn't explicitly disable
option "gssencmode", a server can cause libpq to over-read and report an error
message containing uninitialized bytes from and following its receive buffer.
If libpq's caller somehow makes that message accessible to the attacker, this
achieves a disclosure of the over-read bytes. We have not confirmed or ruled
out viability of attacks that arrange for a crash or for presence of notable,
confidential information in disclosed bytes.
Created postgresql-jdbc tracking bugs for this issue:
Affects: fedora-all [bug 2170071]