sean finney wrote:
> executive summary for security team: not escaping query strings
> can possibly result in SQL injection for apps that use pike+postgresql.
>
> i've developed a patch which cleanly applies to both the 7.2 and 7.6
> branches that exist in sarge. however, looking more closely at
> what the patch actually *does*, it seems that it does nothing
> but provide a new function which can do the escaping of query strings.
>
> (patch attached)
>
> therefore, i'm not sure that this is even really a valid security issue
> worth an update, at least by itself. unless this function is somehow
> automatically invoked when code uses the postgres module, it has no
> effect on any application that uses pike/postgres, and thus has no
> improvement on security apart from offering pike developers in sarge
> access to the function in question.
>
> so, i propose that either (a) in addition to supplying the fix we audit
> all pike+postgres apps using postgresql, or (b) consider dropping the
> issue entirely.
>
> okay, i just did (a), and it doesn't look like there are any
> pike+postgres apps in the archive for sarge at all. so given that,
> what say you security team?
I wonder if this problem relates to updates in the PostgreSQL server to fix quoting issues, i.e. see:

http://lists.debian.org/debian-release/2006/06/msg00024.html

If so, then an update may go into stable via proposed-updates. If it's an unrelated issue, we should probably fix this via security.

Regards,

Joey

--
Unix is user friendly ... It's just picky about its friends.

Please always Cc to me when replying to me on the lists.
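The point sean raises above, that a newly added escaping function helps only if application code actually calls it, illustrated with a constructed Pike snippet (added here; not code from the thread, the attached patch, or the Pike project). It assumes the escaping function is exposed as `quote()` on the connection object and that the connection is opened through `Sql.Sql` with a `postgres://` URL; both names are assumptions for illustration.

```pike
// Constructed example: the same lookup written two ways.
// Assumed: Sql.Sql wrapper, postgres:// URL scheme, quote() on the object.
Sql.Sql db = Sql.Sql("postgres://app:secret@localhost/appdb");

// Vulnerable: the caller-supplied value is spliced into the statement
// unchanged, so a quote character in `name` changes the query structure.
// Shipping an escaping function in the module does nothing for this code.
array(mapping(string:mixed)) find_user_unsafe(string name)
{
  return db->query("SELECT id, name FROM users WHERE name = '" + name + "'");
}

// Hardened: the value is passed through the escaping function before it
// is placed inside the string literal, so embedded quotes are neutralised.
array(mapping(string:mixed)) find_user_safe(string name)
{
  return db->query("SELECT id, name FROM users WHERE name = '" +
                   db->quote(name) + "'");
}
```

The difference between the two functions is exactly the audit question in the thread: every call site that builds SQL from external input has to be changed to the second form, since nothing in the module invokes the escaping on the caller's behalf.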

