Insufficient Verification of Data Authenticity

Summary

Client use of server error messages in PostgreSQL allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq application. For example, a man-in-the-middle attacker could send a long error message that a human or screen-scraper user of psql mistakes for valid query results. This is probably not a concern for clients whose user interface unambiguously indicates the boundary between one error message and other texts. This issue affects PostgreSQL versions 12.x prior to 12.21, 13.x prior to 13.17, 14.x prior to 14.14, 15.x prior to 15.9, 16.x prior to 16.5, and 17.x prior to 17.1.