Your message dated Sun, 28 May 2006 11:40:37 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Bug#368645: CVE-2006-2313, CVE-2006-2314: encoding conflicts
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: postgresql
Version: 7.4.7-6sarge1
Tags: security
Severity: grave
A couple of PostgreSQL issues have been disclosed today:
<http://www.postgresql.org/docs/techdocs.52>
My analysis so far:
* CVE-2006-2313
High impact (because UTF-8 is affected and widely used). Fix is
straightforward as far as UTF-8 is concerned, but will break some
applications which write certain forms of invalid UTF-8 to the
database. If necessary, a dump and reload to switch to SQL_ASCII on
the server side will fix this. However, PostgreSQL already rejects
some forms of invalid UTF-8. Therefore, a change
I don't know the impact on other multibyte encodings; it's probably
necessary to ask upstream.
* CVE-2006-2314
This is the really interesting one. It's restricted to certain
multi-byte encodings (that's why I think this bug is less severe, all
things considered). No real fix is possible as long as we preserve
the interface. The upstream fix outlawing "\'" breaks tons of legacy
PHP applications, but I have no better idea how to address it. 8-(
On the libpq side, I'd use "static __thread" instead of "static" for
the globals. That way, we gain at least some thread safety.
(Unless someone objects, I'm going to clone this for the various
PostgreSQL packages.)
--- End Message ---
--- Begin Message ---
Package: postgresql-7.4
Version: 1:7.4.13-1
I'm closing this bug in Sid, it was fixed in this version:
postgresql-7.4 (1:7.4.13-1) unstable; urgency=medium

  * New upstream security and bug fix release:
    - The server now rejects invalidly-encoded multibyte characters in all
      cases to defend against SQL-injection attacks. [CVE-2006-2313]
    - Reject unsafe uses of \' in string literals (for client encodings that
      allow SQL injection with this, like SJIS, BIG5, GBK, GB18030, or UHC). A
      new configuration parameter backslash_quote is available to adjust this
      behavior when needed. [CVE-2006-2314]
    - Modify libpq's string-escaping routines to be aware of encoding
      considerations and standard_conforming_strings
      This fixes libpq-using applications for the security issues
      described in CVE-2006-2313 and CVE-2006-2314, and also
      future-proofs them against the planned changeover to SQL-standard
      string literal syntax. Applications that use multiple PostgreSQL
      connections concurrently should migrate to PQescapeStringConn() and
      PQescapeByteaConn() to ensure that escaping is done correctly for
      the settings in use in each database connection. Applications that
      do string escaping "by hand" should be modified to rely on library
      routines instead.
    - Various bug fixes, see upstream changelog for details.

 -- Martin Pitt <[EMAIL PROTECTED]>  Mon, 22 May 2006 10:35:58 +0200
Security update for Sarge is in the last stages of preparation.
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?
--- End Message ---
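The two defensive changes the changelog above describes, modelled as an added example (not code from the bug report, from Debian or from PostgreSQL): strict validation of multibyte input, as the fixed server now does for CVE-2006-2313, and quote doubling instead of backslash escaping, which is why \' became unsafe to rely on in SJIS-family encodings for CVE-2006-2314. Function names and the constructed SJIS byte samples are this example's own.

```python
"""Encoding-aware handling of PostgreSQL-style string literals (added example)."""


def validate_encoding(data: bytes, encoding: str) -> bool:
    """Return True only if data is well-formed in the given client encoding.
    Mirrors the post-fix server behaviour: an invalid multibyte sequence is
    rejected instead of being handed to the SQL parser as-is."""
    try:
        data.decode(encoding, errors="strict")
        return True
    except UnicodeDecodeError:
        return False


def escape_by_doubling(literal: str) -> str:
    """Encoding-independent escaping: each quote inside the literal becomes ''.
    Doubling is safe in every server encoding because the apostrophe (0x27)
    is never a trailing byte of a multibyte character, unlike backslash (0x5C)."""
    return "'" + literal.replace("'", "''") + "'"


def naive_backslash_escape(data: bytes) -> bytes:
    """The pre-fix, encoding-unaware approach: prefix every 0x27 with 0x5C."""
    return data.replace(b"'", b"\\'")


def has_unescaped_quote(escaped: bytes, encoding: str) -> bool:
    """Decode a backslash-escaped literal the way the server would and report
    whether any quote survives that is not preceded by a backslash character.
    Only meaningful for backslash-style escaping; doubled quotes are not checked."""
    text = escaped.decode(encoding, errors="replace")
    return any(ch == "'" and (i == 0 or text[i - 1] != "\\")
               for i, ch in enumerate(text))


# Constructed sample: an SJIS lead byte followed directly by a quote.  This is
# not a valid SJIS sequence, so the validator rejects it up front.  If it were
# let through and backslash-escaped instead, the result 0x95 0x5C 0x27 decodes
# as the two-byte character U+8868 followed by a bare quote.
INVALID_SJIS = b"\x95'"
VALID_SJIS = "\u8868".encode("shift_jis")  # encodes to b"\x95\x5c"

if __name__ == "__main__":
    print("reject invalid input:", not validate_encoding(INVALID_SJIS, "shift_jis"))
    print("accept valid input:  ", validate_encoding(VALID_SJIS, "shift_jis"))
    print("backslash escape leaves a quote:",
          has_unescaped_quote(naive_backslash_escape(INVALID_SJIS), "shift_jis"))
    print("doubling:", escape_by_doubling("O'Reilly"))
```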