Debian Bug report logs - #369230
psycopg: Insecure quote escaping [CVE-2006-2314]
Reported by: Martin Pitt <mpitt@debian.org>
Date: Sun, 28 May 2006 14:03:01 UTC
Severity: important
Tags: patch, security
Found in version psycopg/1.1.21-3
Fixed in version psycopg/1.1.21-5
Done: Fabio Tranchitella <kobold@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Fabio Tranchitella <kobold@debian.org>:
Bug#369230; Package psycopg.
Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
New Bug report received and forwarded. Copy sent to Fabio Tranchitella <kobold@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: psycopg
Version: 1.1.21-3
Severity: important
Tags: security, patch
Hi!
Recently, a security hole has been discovered in PostgreSQL client
applications, see http://www.postgresql.org/docs/techdocs.50 for
details. In short, using \' for quote escaping is insecure and now not
allowed any more in some encodings which are prone to this SQL
injection attack.
Quotes in normal strings are already correctly escaped as '', but the
psycopg.Binary() function still uses \'. This patch fixes that:
http://patches.ubuntu.com/patches/psycopg.CVE-2006-2314.diff
Please see the Ubuntu bug https://launchpad.net/bugs/46473 for some
more details (including a small test program).
Please mention the CVE number in the changelog when you fix this.
Thanks,
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?
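The report above (and the changelog entry that closes it further down) states the failure mode but does not show it. The following is an added example, not code from the report, from Ubuntu or from psycopg: a Python model of a multibyte-aware string-literal lexer, run over a constructed payload with both escaping styles. It assumes Shift_JIS as the client encoding (its trail-byte range includes 0x5C, the backslash, which is the whole problem), assumes the approximate SJIS lead/trail byte ranges given in the constants, and assumes a server that rejects invalid multibyte sequences, as patched PostgreSQL servers of that era do (the companion server-side fix is not named on this page). The query template, table and column names, and the payload are constructed for the demonstration.

```python
from __future__ import annotations

# Shift_JIS byte classes (assumed ranges for this model): a lead byte is always
# followed by exactly one trail byte, and the trail range includes 0x5C ('\').
SJIS_LEAD = frozenset(range(0x81, 0xA0)) | frozenset(range(0xE0, 0xFD))
SJIS_TRAIL = frozenset(range(0x40, 0x7F)) | frozenset(range(0x80, 0xFD))

# Python's own codec shows the collision: U+8868 is the two bytes 0x95 0x5C,
# so a backslash following the lead byte 0x95 is not a backslash at all.
SJIS_CHAR_WITH_BACKSLASH_TRAIL = "\u8868".encode("shift_jis")


def escape_backslash(value: bytes) -> bytes:
    """Quote escaping the way old psycopg.Binary() did it: ' becomes \\'."""
    return value.replace(b"\\", b"\\\\").replace(b"'", b"\\'")


def escape_doubled(value: bytes) -> bytes:
    """Quote escaping the way the 1.1.21-5 fix does it: ' becomes ''."""
    return value.replace(b"\\", b"\\\\").replace(b"'", b"''")


def build_query(escaped_value: bytes) -> bytes:
    """Constructed query template wrapped around an already-escaped literal."""
    return b"SELECT id FROM files WHERE data = '" + escaped_value + b"' AND owner = 'alice'"


def scan_literal(query: bytes, lead: frozenset[int], trail: frozenset[int]) -> tuple[bytes, bytes]:
    """Model of a multibyte-aware lexer reading the first '...' literal in query.

    Returns (literal body, SQL remaining after the closing quote).  Rules:
    a lead byte consumes the next byte as part of the same character, so a
    0x5C trail byte is *not* an escape; a lone backslash escapes the byte
    after it; two quotes in a row are one literal quote.  An invalid trail
    byte raises ValueError, as a server that validates its input does.
    """
    i = query.index(b"'") + 1
    body = bytearray()
    while i < len(query):
        b = query[i]
        if b in lead:
            if i + 1 >= len(query) or query[i + 1] not in trail:
                raise ValueError(f"invalid byte sequence at offset {i}")
            body += query[i:i + 2]
            i += 2
        elif b == 0x5C and i + 1 < len(query):
            body.append(query[i + 1])
            i += 2
        elif b == 0x27:
            if i + 1 < len(query) and query[i + 1] == 0x27:
                body.append(0x27)
                i += 2
            else:
                return bytes(body), query[i + 1:]
        else:
            body.append(b)
            i += 1
    raise ValueError("unterminated string literal")


def attack_outcome(escape, lead=SJIS_LEAD, trail=SJIS_TRAIL) -> str:
    """Push a constructed payload through an escaping function and the lexer model."""
    payload = b"\x95' OR 1=1 --"  # attacker-controlled: lone lead byte, quote, SQL
    try:
        _body, rest = scan_literal(build_query(escape(payload)), lead, trail)
    except ValueError as exc:
        return f"rejected ({exc})"
    return "injected" if b"OR 1=1" in rest else "contained"


if __name__ == "__main__":
    print("0x95 0x5C decodes as:", SJIS_CHAR_WITH_BACKSLASH_TRAIL.decode("shift_jis"))
    print("SJIS, backslash escaping:", attack_outcome(escape_backslash))
    print("SJIS, doubled quotes:    ", attack_outcome(escape_doubled))
    print("single-byte encoding, backslash escaping:",
          attack_outcome(escape_backslash, frozenset(), frozenset()))
```

With backslash escaping the payload becomes 0x95 0x5C 0x27: the lexer pairs 0x95 with 0x5C as one character and the following quote closes the literal early, leaving `OR 1=1 --` as live SQL. With doubled quotes the same payload becomes 0x95 0x27 0x27, and 0x27 is never a valid trail byte, so a validating server rejects the whole statement instead of running it; a benign value such as `it's` round-trips unchanged either way. The last line shows that in a single-byte encoding the backslash style is fine, which is why the problem is specific to the multibyte encodings the report mentions.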
Reply sent to Fabio Tranchitella <kobold@debian.org>:
You have taken responsibility.
Notification sent to Martin Pitt <mpitt@debian.org>:
Bug acknowledged by developer.
Message #10 received at 369230-close@bugs.debian.org:
Source: psycopg
Source-Version: 1.1.21-5
We believe that the bug you reported is fixed in the latest version of
psycopg, which is due to be installed in the Debian FTP archive:
psycopg_1.1.21-5.diff.gz
to pool/main/p/psycopg/psycopg_1.1.21-5.diff.gz
psycopg_1.1.21-5.dsc
to pool/main/p/psycopg/psycopg_1.1.21-5.dsc
python-psycopg_1.1.21-5_i386.deb
to pool/main/p/psycopg/python-psycopg_1.1.21-5_i386.deb
python2.3-psycopg_1.1.21-5_i386.deb
to pool/main/p/psycopg/python2.3-psycopg_1.1.21-5_i386.deb
python2.4-psycopg_1.1.21-5_i386.deb
to pool/main/p/psycopg/python2.4-psycopg_1.1.21-5_i386.deb
zope-psycopgda_1.1.21-5_all.deb
to pool/main/p/psycopg/zope-psycopgda_1.1.21-5_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 369230@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Fabio Tranchitella <kobold@debian.org> (supplier of updated psycopg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 30 May 2006 22:15:06 +0200
Source: psycopg
Binary: python-psycopg python2.3-psycopg zope-psycopgda python2.4-psycopg
Architecture: source all i386
Version: 1.1.21-5
Distribution: unstable
Urgency: high
Maintainer: Fabio Tranchitella <kobold@debian.org>
Changed-By: Fabio Tranchitella <kobold@debian.org>
Description:
python-psycopg - Python module for PostgreSQL [dummy package]
python2.3-psycopg - Python 2.3 module for PostgreSQL
python2.4-psycopg - Python 2.4 module for PostgreSQL
zope-psycopgda - Zope database adapter based on python-psycopg
Closes: 369230
Changes:
psycopg (1.1.21-5) unstable; urgency=high
.
* typemod.c, new_psyco_bufferobject():
- Escape quotes in psycopg.Binary() results as '', not as \', since the
latter does not work any more with some client encodings with the latest
PostgreSQL (in some multi-byte encodings you can exploit \' escaping to
inject SQL code, see CVE-2006-2314). (Closes: #369230)
Thanks to Martin Pitt and the Ubuntu security team for the patch.
Files:
63e7afb4c869bd449ac940dd994bfb11 812 python optional psycopg_1.1.21-5.dsc
bda1621716bee15839b3d3e9c403c293 6745 python optional psycopg_1.1.21-5.diff.gz
0ebea473a6c8ffc96ad2dedbb50aa548 19368 python optional zope-psycopgda_1.1.21-5_all.deb
27246f94c9cf51f9a85d76d747b2c28c 6220 python optional python-psycopg_1.1.21-5_i386.deb
060bd5cb6687cd24b83898d15f255571 141704 python optional python2.3-psycopg_1.1.21-5_i386.deb
979bdb0445bb91ecc0695942c7a3a624 140840 python optional python2.4-psycopg_1.1.21-5_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEfKf6K/juK3+WFWQRAsGgAKCGxmHbS4dAkwnckx/h5ll0eq5tKQCgkZsQ
lEc8CxFCKYRKPW+/xLaMEAs=
=jp2T
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 25 Jun 2007 02:16:01 GMT)
Bug unarchived.
Request was from Stefano Zacchiroli <zack@debian.org>
to control@bugs.debian.org.
(Sun, 10 Apr 2011 08:47:58 GMT)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 09 May 2011 07:37:39 GMT)
Last modified: Wed Oct 11 12:05:32 2017; Machine Name: buxtehude