Bug#368645: CVE-2006-2313, CVE-2006-2314: encoding conflicts - sarge security update finished

2006-05-29 Thread Martin Pitt
Hi Joey,

Martin Schulze [2006-05-28 19:37 +0200]:
> >   [1] http://people.debian.org/~mpitt/psql-sarge/
> >   [2] http://people.debian.org/~mpitt/psql-sarge/postgresql_7.4.7-6sarge2.debdiff
> 
> Thanks a lot.  However, could you redo the (source) package without
> the arch crap inside?

There is no arch stuff inside (I don't even use arch any more). I also
cleaned the debdiff (I just checked again).
However, the -sarge1 version had arch stuff, maybe you did a debdiff
on your own and stumbled over that?

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?




Bug#368645: CVE-2006-2313, CVE-2006-2314: encoding conflicts - sarge security update finished

2006-05-29 Thread Martin Schulze
Martin Pitt wrote:
> Hi Joey,
> 
> Martin Schulze [2006-05-28 19:37 +0200]:
> > >   [1] http://people.debian.org/~mpitt/psql-sarge/
> > >   [2] http://people.debian.org/~mpitt/psql-sarge/postgresql_7.4.7-6sarge2.debdiff
> > 
> > Thanks a lot.  However, could you redo the (source) package without
> > the arch crap inside?
> 
> There is no arch stuff inside (I don't even use arch any more). I also
> cleaned the debdiff (I just checked again).
> However, the -sarge1 version had arch stuff, maybe you did a debdiff
> on your own and stumbled over that?

Yup.  I see.  In that case the arch stuff should be kept so the patch
is not cluttered.

Regards,

Joey

-- 
Ten years and still binary compatible.  -- XFree86

Please always Cc to me when replying to me on the lists.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#368645: CVE-2006-2313, CVE-2006-2314: encoding conflicts - sarge security update finished

2006-05-29 Thread Martin Pitt
Hi,

Martin Schulze [2006-05-29 15:25 +0200]:
> Martin Pitt wrote:
> > Hi Joey,
> > 
> > Martin Schulze [2006-05-28 19:37 +0200]:
> > > >   [1] http://people.debian.org/~mpitt/psql-sarge/
> > > >   [2] http://people.debian.org/~mpitt/psql-sarge/postgresql_7.4.7-6sarge2.debdiff
> > > 
> > > Thanks a lot.  However, could you redo the (source) package without
> > > the arch crap inside?
> > 
> > There is no arch stuff inside (I don't even use arch any more). I also
> > cleaned the debdiff (I just checked again).
> > However, the -sarge1 version had arch stuff, maybe you did a debdiff
> > on your own and stumbled over that?
> 
> Yup.  I see.  In that case the arch stuff should be kept so the patch
> is not cluttered.

I can't, sorry. I killed the arch repo months ago. The debdiff in [2]
does not contain arch spewage.

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?




Bug#368645: CVE-2006-2313, CVE-2006-2314: encoding conflicts - sarge security update finished

2006-05-28 Thread Martin Pitt
Hi security team,

I backported the relevant changes from 7.4.13 and put the sarge
security update to [1]. This time, just putting 7.4.13 into
sarge-security would even have been safer IMHO, and that's what users
would want anyway, but we already had this discussion several times,
so I only ported the security fixes and a very simple, but important
bug fix.

The debdiff is available [2], but believe me, you do not really want
to look at it. You have been warned! :)

The package passes the upstream test suite, the same patches thrown
onto 7.4.8 (which Ubuntu uses in version 5.04) pass my own test suite
in postgresql-common, and the exploit does not work any more, so I'm
fairly sure that it doesn't break too much.

Please feel free to just upload the provided package, or tell me how
to proceed.

Thank you!

Martin

[1] http://people.debian.org/~mpitt/psql-sarge/
[2] http://people.debian.org/~mpitt/psql-sarge/postgresql_7.4.7-6sarge2.debdiff

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?




Bug#368645: CVE-2006-2313, CVE-2006-2314: encoding conflicts - sarge security update finished

2006-05-28 Thread Martin Schulze
Martin Pitt wrote:
> Hi security team,
> 
> I backported the relevant changes from 7.4.13 and put the sarge
> security update to [1]. This time, just putting 7.4.13 into
> sarge-security would even have been safer IMHO, and that's what users
> would want anyway, but we already had this discussion several times,
> so I only ported the security fixes and a very simple, but important
> bug fix.
> 
> The debdiff is available [2], but believe me, you do not really want
> to look at it. You have been warned! :)
> 
> The package passes the upstream test suite, the same patches thrown
> onto 7.4.8 (which Ubuntu uses in version 5.04) pass my own test suite
> in postgresql-common, and the exploit does not work any more, so I'm
> fairly sure that it doesn't break too much.
> 
> Please feel free to just upload the provided package, or tell me how
> to proceed.
> 
> Thank you!
> 
> Martin
> 
> [1] http://people.debian.org/~mpitt/psql-sarge/
> [2] http://people.debian.org/~mpitt/psql-sarge/postgresql_7.4.7-6sarge2.debdiff

Thanks a lot.  However, could you redo the (source) package without
the arch crap inside?

Regards,

Joey

-- 
A mathematician is a machine for converting coffee into theorems.   Paul Erdös

Please always Cc to me when replying to me on the lists.



Bug#368645: CVE-2006-2313, CVE-2006-2314: encoding conflicts

2006-05-25 Thread Martin Schulze
Martin Pitt wrote:
> Hi Florian, hi security team, hi everyone else,
> 
> just for the record, sid has updated packages already.
> 
> I'm 70% into completing the security update for sarge. However, due to
> the nature of the vulns, the patches are enormous, and thus require
> meticulous porting and testing.
> 
> Unfortunately I will be away from now until Sunday. I hope to have
> fixed packages ready on Sunday. I will report back when I'm done.

Oh dear!  Thanks a lot.

Regards,

Joey

Given enough thrust pigs will fly, but it's not necessarily a good idea.

Please always Cc to me when replying to me on the lists.





Bug#368645: CVE-2006-2313, CVE-2006-2314: encoding conflicts

2006-05-24 Thread Martin Pitt
Hi Florian, hi security team, hi everyone else,

just for the record, sid has updated packages already.

I'm 70% into completing the security update for sarge. However, due to
the nature of the vulns, the patches are enormous, and thus require
meticulous porting and testing.

Unfortunately I will be away from now until Sunday. I hope to have
fixed packages ready on Sunday. I will report back when I'm done.

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?




Bug#368645: CVE-2006-2313, CVE-2006-2314: encoding conflicts

2006-05-23 Thread Florian Weimer
Package: postgresql
Version: 7.4.7-6sarge1
Tags: security
Severity: grave

A couple of PostgreSQL issues have been disclosed today:

  http://www.postgresql.org/docs/techdocs.52

My analysis so far:

* CVE-2006-2313

High impact (because UTF-8 is affected and widely used).  Fix is
straightforward as far as UTF-8 is concerned, but will break some
applications which write certain forms of invalid UTF-8 to the
database.  If necessary, a dump and reload to switch to SQL_ASCII on
the server side will fix this.  However, PostgreSQL already rejects
some forms of invalid UTF-8.  Therefore, a change

I don't know the impact on other multibyte encodings; it's probably
necessary to ask upstream.

* CVE-2006-2314

This is the really interesting one.  It's restricted to certain
multi-byte encodings (that's why I think this bug is less severe, all
things considered).  No real fix is possible as long as we preserve
the interface.  The upstream fix outlawing \' breaks tons of legacy
PHP applications, but I have no better idea how to address it. 8-(

On the libpq side, I'd use static __thread instead of static for
the globals.  That way, we gain at least some thread safety.

(Unless someone objects, I'm going to clone this for the various
PostgreSQL packages.)


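The two issues Florian analyses above come down to the server accepting byte sequences that are not well-formed in the declared client encoding, and to backslash-based quoting of string literals being ambiguous in multibyte encodings. The following is an added example, not code from this bug thread or from PostgreSQL itself: a strict byte-level UTF-8 validator of the kind that mitigates CVE-2006-2313 (it rejects overlong forms, surrogate code points, truncated sequences and code points above U+10FFFF), and a literal-quoting helper that validates its input first and escapes by doubling the quote character rather than with a backslash, which is the direction the thread says upstream took for CVE-2006-2314. Function names (`first_invalid_offset`, `is_valid_utf8`, `quote_literal_utf8`, `check_samples`) and the sample inputs are constructed for this example.

```python
# Added example (not from the bug thread or from PostgreSQL): a strict UTF-8
# validator plus a quoting helper that refuses malformed input and never uses
# backslash escapes.  All names and sample inputs below are constructed.

# Well-formed UTF-8 byte sequences (Unicode Standard, Table 3-7).  Each entry:
# (lead-byte low, lead-byte high, allowed range for each continuation byte).
_UTF8_FORMS = [
    (0x00, 0x7F, []),
    (0xC2, 0xDF, [(0x80, 0xBF)]),                              # C0/C1 would be overlong
    (0xE0, 0xE0, [(0xA0, 0xBF), (0x80, 0xBF)]),                # rejects 3-byte overlongs
    (0xE1, 0xEC, [(0x80, 0xBF), (0x80, 0xBF)]),
    (0xED, 0xED, [(0x80, 0x9F), (0x80, 0xBF)]),                # rejects UTF-16 surrogates
    (0xEE, 0xEF, [(0x80, 0xBF), (0x80, 0xBF)]),
    (0xF0, 0xF0, [(0x90, 0xBF), (0x80, 0xBF), (0x80, 0xBF)]),  # rejects 4-byte overlongs
    (0xF1, 0xF3, [(0x80, 0xBF), (0x80, 0xBF), (0x80, 0xBF)]),
    (0xF4, 0xF4, [(0x80, 0x8F), (0x80, 0xBF), (0x80, 0xBF)]),  # caps at U+10FFFF
]


def first_invalid_offset(data: bytes):
    """Return None if data is well-formed UTF-8, otherwise the offset of the
    first byte at which a malformed sequence begins."""
    i, n = 0, len(data)
    while i < n:
        lead = data[i]
        for lo, hi, tails in _UTF8_FORMS:
            if lo <= lead <= hi:
                if i + len(tails) >= n:          # sequence runs past end of input
                    return i
                for k, (tlo, thi) in enumerate(tails, start=1):
                    if not tlo <= data[i + k] <= thi:
                        return i                 # bad continuation byte
                i += 1 + len(tails)
                break
        else:
            return i  # 0x80..0xC1 and 0xF5..0xFF can never start a sequence
    return None


def is_valid_utf8(data: bytes) -> bool:
    return first_invalid_offset(data) is None


def quote_literal_utf8(data: bytes) -> bytes:
    """Build a SQL string literal from UTF-8 bytes.  Malformed input is refused
    outright; the quote character is escaped by doubling it.  Because every
    UTF-8 continuation byte lies in 0x80..0xBF, an ASCII 0x27 can only ever be
    a quote once the input has been validated, so the result is unambiguous."""
    bad = first_invalid_offset(data)
    if bad is not None:
        raise ValueError(f"invalid UTF-8 sequence at byte offset {bad}")
    return b"'" + data.replace(b"'", b"''") + b"'"


# Constructed sample inputs covering the classes of malformed input the
# validator must reject, alongside two well-formed ones.
SAMPLES = {
    "ascii":          b"O'Reilly",
    "valid 2-byte":   "Pitt \u00e9".encode("utf-8"),   # ... C3 A9
    "overlong 2-byte": b"\xc0\xa7",                    # C0 may never lead
    "overlong nul":   b"\xc0\x80",
    "surrogate":      b"\xed\xa0\x80",                 # U+D800
    "truncated":      b"\xe2\x82",                     # 3-byte form cut short
    "stray cont.":    b"abc\x80",                      # continuation with no lead
    "above 10FFFF":   b"\xf4\x90\x80\x80",
}


def check_samples() -> dict:
    """Map each sample name to whether the validator accepts it."""
    return {name: is_valid_utf8(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, ok in check_samples().items():
        print(f"{name:16s} {'valid' if ok else 'REJECTED'}")
    print(quote_literal_utf8(b"O'Reilly"))
```

The table-driven check mirrors what a server-side encoding verifier has to do on every incoming string: it is the lead byte that decides how many continuation bytes follow and which ranges they may take, and any shortcut that only looks at the top bits of each byte lets overlong and surrogate forms through. Rejecting at the boundary, with the offending offset, also gives a useful log line for spotting clients that emit such sequences.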



Bug#368645: CVE-2006-2313, CVE-2006-2314: encoding conflicts

2006-05-23 Thread Peter Eisentraut
Florian Weimer wrote:
> (Unless someone objects, I'm going to clone this for the various
> PostgreSQL packages.)

Packages are already being uploaded, so don't waste everyone's time.





Bug#368645: CVE-2006-2313, CVE-2006-2314: encoding conflicts

2006-05-23 Thread Peter Eisentraut
Peter Eisentraut wrote:
> Florian Weimer wrote:
> > (Unless someone objects, I'm going to clone this for the various
> > PostgreSQL packages.)
> 
> Packages are already being uploaded, so don't waste everyone's time.

Correction: packages have already been uploaded, so we only need to wait 
for the security team's approval of the stable upload.

(Yes, there is a secret club that coordinates these things before the 
publication of the security issue.)

