Hi, FYI, a while ago I asked upstream about this issue, since the release announcement was not really helpful to track down the issue.
So basically upstream confirms that this is the same quoting fix as applied to other PostgreSQL client packages (he just got the CVE wrong; CVE-2006-2313 was an internal PostgreSQL server issue while CVE-2006-2314 is the client quoting bug).

HTH,

Martin

----- Forwarded message from Martin Pitt <[EMAIL PROTECTED]> -----

From: Martin Pitt <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: Vendor Security <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED], Vendor Security <[EMAIL PROTECTED]>
Mail-Followup-To: [EMAIL PROTECTED], Vendor Security <[EMAIL PROTECTED]>
Subject: [vendor-sec] Question about PostgreSQL SQL injection fix in 7.6.86
Date: Thu, 17 Aug 2006 09:41:40 +0200

Hi Pike developers,

The 7.6.86 announcement advertises a "Fix for potential SQL injection vulnerability in Postgres." Mitre assigned CVE-2006-4041 to this, but there is very little information about the vulnerability. I found this in CVS:

----------------------------
/cvs/Pike/7.6/lib/modules/Sql.pmod/Sql.pike
revision 1.26
date: 2006/06/06 03:25:59; author: adam; state: Exp; lines: +4 -2
Make Sql.postgres objects use the safe quote() method if available.
----------------------------
/cvs/Pike/7.6/src/modules/Postgres/
revision 1.25
date: 2006/05/24 17:49:56; author: adam; state: Exp; lines: +5 -2
backport SQL injection fix from 7.7

revision 1.40
date: 2006/05/24 17:49:56; author: adam; state: Exp; lines: +39 -2
backport SQL injection fix from 7.7
----------------------------

which seems to be the fix for the recent general PostgreSQL/MySQL \' -> '' quote escaping issue (CVE-2006-2314 for PostgreSQL). Does that announcement refer to this quoting fix (it would match the description)?

Thank you,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
----- End forwarded message -----

----- Forwarded message from Adam Montague <[EMAIL PROTECTED]> -----

From: Adam Montague <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], Vendor Security <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: [vendor-sec] Re: Question about PostgreSQL SQL injection fix in 7.6.86
Date: Thu, 17 Aug 2006 11:35:50 -0400

Martin Pitt <[EMAIL PROTECTED]> wrote:
> ----------------------------
> /cvs/Pike/7.6/lib/modules/Sql.pmod/Sql.pike
> revision 1.26
> date: 2006/06/06 03:25:59; author: adam; state: Exp; lines: +4 -2
> Make Sql.postgres objects use the safe quote() method if available.

This makes Sql.postgres use the right quote() method. This didn't get into a release though, so Sql.postgres is still unsafe in 7.6.86, only Postgres.postgres is safe. We really should do a new release with this fix in it.

> ----------------------------
> /cvs/Pike/7.6/src/modules/Postgres/
> revision 1.25
> date: 2006/05/24 17:49:56; author: adam; state: Exp; lines: +5 -2
> backport SQL injection fix from 7.7
>
> revision 1.40
> date: 2006/05/24 17:49:56; author: adam; state: Exp; lines: +39 -2
> backport SQL injection fix from 7.7
> ----------------------------
>
> which seems to be the fix for the recent general PostgreSQL/MySQL
> \' -> '' quote escaping issue (CVE-2006-2314 for PostgreSQL). Does
> that announcement refer to this quoting fix (it would match the
> description)?

No, it's actually for CVE-2006-2313, but it adds a safe quoting method to the Postgres.postgres module which uses the postgresql library's escaping functions. So as long as you have a postgresql version that fixes CVE-2006-2314 when you compile the pike postgresql module, then it will be safe too. Any future problems with encodings shouldn't require changes to the pike module either.
Adam

_______________________________________________
Vendor Security mailing list
Vendor [EMAIL PROTECTED]
https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec

----- End forwarded message -----

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org