Debian Bug report logs - #369359
dovecot-common: Insecure quote escaping in PostgreSQL backend


Package: dovecot-common; Maintainer for dovecot-common is Dovecot Maintainers <jaldhar-dovecot@debian.org>; Source for dovecot-common is src:dovecot (PTS, buildd, popcon).

Reported by: Martin Pitt <mpitt@debian.org>

Date: Mon, 29 May 2006 11:18:17 UTC

Severity: important

Tags: security

Found in version dovecot/1.0.beta3-3

Fixed in version dovecot/1.0.beta8-4

Done: jaldhar@debian.org (Jaldhar H. Vyas)

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, jaldhar-dovecot@debian.org (Jaldhar H. Vyas):
Bug#369359; Package dovecot-common. (full text, mbox, link).


Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
New Bug report received and forwarded. Copy sent to jaldhar-dovecot@debian.org (Jaldhar H. Vyas). (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <mpitt@debian.org>
To: Debian BTS Submit <submit@bugs.debian.org>
Subject: dovecot-common: Insecure quote escaping in PostgreSQL backend
Date: Mon, 29 May 2006 13:03:20 +0200
[Message part 1 (text/plain, inline)]
Package: dovecot-common
Severity: important
Version: 1.0.beta3-3
Tags: security

Hi!

Recently, a security hole has been discovered in PostgreSQL client
applications, see http://www.postgresql.org/docs/techdocs.50 for
details. In short, using \' for quote escaping is insecure and now not
allowed any more in some encodings which are prone to this SQL
injection attack. This has been assigned CVE-2006-2314.

src/lib/strescape.c, str_escape() currently uses \' to escape quoting.
This function is also used to escape SQL queries, which makes it
vulnerable against this attack with earlier PostgreSQL versions, and
will break with the current one (since it disables this method of
quote escaping by default in affected client encodings). The database
query quoting should be changed to use '' instead of \', but a better
fix is to completely replace custom quoting with an invocation of
PQescapeString() from libpq.

Please be aware that this also affects other database backends in
principle (unless they do not support the affected encodings). Also,
'' is the SQL standard escape for ', not \'.

Please also pass this to upstream.

Thank you!

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, jaldhar-dovecot@debian.org (Jaldhar H. Vyas):
Bug#369359; Package dovecot-common. (full text, mbox, link).


Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to jaldhar-dovecot@debian.org (Jaldhar H. Vyas). (full text, mbox, link).


Message #10 received at 369359@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <mpitt@debian.org>
To: 369349@bugs.debian.org, 369362@bugs.debian.org, 369359@bugs.debian.org
Subject: Fwd: Re: Insecure quote escaping in PostgreSQL backend
Date: Tue, 30 May 2006 07:52:28 +0200
[Message part 1 (text/plain, inline)]
Hi again,

Florian raised an important point here; sorry for the initial
misinformation. 

Please pass this information to upstream, too.

Thank you,

Martin

----- Forwarded message from Florian Weimer <fw@deneb.enyo.de> -----

From: Florian Weimer <fw@deneb.enyo.de>
To: Martin Pitt <martin@piware.de>
Cc: 369351@bugs.debian.org
Subject: Re: Bug#369351: exim4-daemon-heavy: Insecure quote escaping in PostgreSQL backend
Date: Mon, 29 May 2006 20:49:57 +0200

* Martin Pitt:

> ./src/lookups/pgsql.c, pgsql_quote() currently uses \' to
> escape quoting, which makes it vulnerable against this attack with
> earlier PostgreSQL versions, and will break with the current one
> (since it disables this method of quote escaping by default in
> affected client encodings). A quick fix is to change the function to
> use '' instead of \', but a better fix is to completely replace the
> loop with an invocation of PQescapeString() from libpq. 

PQescapeString is deprecated because given its interface, the security
bug cannot be closed completely.  You really should use
PQescapeStringConn.

Would you add this information to the other bug reports, too?

----- End forwarded message -----

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, jaldhar-dovecot@debian.org (Jaldhar H. Vyas):
Bug#369359; Package dovecot-common. (full text, mbox, link).


Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to jaldhar-dovecot@debian.org (Jaldhar H. Vyas). (full text, mbox, link).


Message #15 received at 369359@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <mpitt@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 369351@bugs.debian.org, 369349@bugs.debian.org, 369362@bugs.debian.org, 369359@bugs.debian.org
Subject: Re: Bug#369351: exim4-daemon-heavy: Insecure quote escaping in PostgreSQL backend
Date: Tue, 30 May 2006 07:58:58 +0200
[Message part 1 (text/plain, inline)]
Hi Florian,

Florian Weimer [2006-05-29 20:49 +0200]:
> * Martin Pitt:
> 
> > ./src/lookups/pgsql.c, pgsql_quote() currently uses \' to
> > escape quoting, which makes it vulnerable against this attack with
> > earlier PostgreSQL versions, and will break with the current one
> > (since it disables this method of quote escaping by default in
> > affected client encodings). A quick fix is to change the function to
> > use '' instead of \', but a better fix is to completely replace the
> > loop with an invocation of PQescapeString() from libpq. 
> 
> PQescapeString is deprecated because given its interface, the security
> bug cannot be closed completely.  You really should use
> PQescapeStringConn.

Thanks for the reminder, sorry that I forgot that. However, this is
just necessary if the application uses several postmaster connections
concurrently. With a single connection (which should be the usual
case) PQescapeString() and PQescapeBytea() will do the right thing.

> Would you add this information to the other bug reports, too?

Done.

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, jaldhar-dovecot@debian.org (Jaldhar H. Vyas):
Bug#369359; Package dovecot-common. (full text, mbox, link).


Acknowledgement sent to Timo Sirainen <tss@iki.fi>:
Extra info received and forwarded to list. Copy sent to jaldhar-dovecot@debian.org (Jaldhar H. Vyas). (full text, mbox, link).


Message #20 received at 369359@bugs.debian.org (full text, mbox, reply):

From: Timo Sirainen <tss@iki.fi>
To: 369359@bugs.debian.org
Subject: Re: Bug#369359: Bug#369351: exim4-daemon-heavy: Insecure quote escaping in PostgreSQL backend
Date: Wed, 31 May 2006 16:35:47 +0300
[Message part 1 (text/plain, inline)]
On Tue, 2006-05-30 at 07:58 +0200, Martin Pitt wrote:
> > > ./src/lookups/pgsql.c, pgsql_quote() currently uses \' to
> > > escape quoting, which makes it vulnerable against this attack with
> > > earlier PostgreSQL versions, and will break with the current one
> > > (since it disables this method of quote escaping by default in
> > > affected client encodings). A quick fix is to change the function to
> > > use '' instead of \', but a better fix is to completely replace the
> > > loop with an invocation of PQescapeString() from libpq. 

Upstream fixes here:

http://dovecot.org/list/dovecot-cvs/2006-May/005621.html
http://dovecot.org/list/dovecot-cvs/2006-May/005623.html

Although my testing hasn't got further than "it compiles" yet..

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, jaldhar-dovecot@debian.org (Jaldhar H. Vyas):
Bug#369359; Package dovecot-common. (full text, mbox, link).


Acknowledgement sent to Martin Pitt <martin.pitt@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to jaldhar-dovecot@debian.org (Jaldhar H. Vyas). (full text, mbox, link).


Message #25 received at 369359@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <martin.pitt@ubuntu.com>
To: 369359@bugs.debian.org, Timo Sirainen <tss@iki.fi>, security@debian.org
Subject: dovecot patches for CVE-2006-2314 (quote escaping)
Date: Fri, 2 Jun 2006 12:57:29 +0200
[Message part 1 (text/plain, inline)]
Hi Timo, hi Jaldhar, hi security team,

thanks for the upstream fixes. I ported them to 1.0beta3 (what we have
in Ubuntu 6.06) and verified that they work fine with PostgreSQL.
Indeed using the db client library functions for string escaping is
the only real sane and safe thing to do.

However, they totally don't apply to 0.99.14 (Sarge). It appears that
the whole authentication code saw a total rework between 0.99 and 1.0.
Luckily, though, 0.99.14 uses str_escape() *only* for escaping SQL
queries, so my 0.99.14 patch just fixes this function to use ''
instead, which will plug the hole, too (much less elegantly, but only
minimally intrusive).

Also, the user name is the only string input ever passed to the
database, and by default, insecure characters like ' aren't allowed
anyway (the admin explicitly has to change auth_username_chars --
THANK YOU, dovecot author, for having security in mind!!!!). So after
all, this is only a very minor issue in dovecot.

1.0beta3 patch (just FYI, not needed in Debian):
  http://patches.ubuntu.com/patches/dovecot-1.0beta3.CVE-2006-2314.diff

0.99.14 patch for sarge-security:
  http://patches.ubuntu.com/patches/dovecot-0.99.14.CVE-2006-2314.diff

Thanks,

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
[signature.asc (application/pgp-signature, inline)]
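The two escaping strategies this thread contrasts (the backslash prefix that the first message attributes to str_escape(), and the '' doubling that the 0.99.14 patch above switches to), together with the auth_username_chars allowlist Martin credits, as an added C example. It is not Dovecot's code; the query shape, the function names and the allowed-character set are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Backslash-style escape as the report describes for str_escape():
 * prefixes ' and \ with a backslash. Kept only for comparison; this is
 * the behaviour CVE-2006-2314 concerns, since in some client encodings a
 * multibyte character can end in the backslash byte. Caller frees. */
char *escape_backslash(const char *in)
{
    char *out = malloc(2 * strlen(in) + 1), *p = out;
    if (out == NULL)
        return NULL;
    for (; *in != '\0'; in++) {
        if (*in == '\'' || *in == '\\')
            *p++ = '\\';
        *p++ = *in;
    }
    *p = '\0';
    return out;
}

/* SQL-standard escape used by the 0.99.14 patch: double every ' and emit
 * nothing else. No backslash is ever produced, so there is no byte for a
 * multibyte lead byte to swallow. Against a live libpq connection the
 * library's own PQescapeStringConn() is preferable, as the thread notes,
 * because it also knows the connection's client encoding. Caller frees. */
char *escape_sql_quote(const char *in)
{
    char *out = malloc(2 * strlen(in) + 1), *p = out;
    if (out == NULL)
        return NULL;
    for (; *in != '\0'; in++) {
        if (*in == '\'')
            *p++ = '\'';
        *p++ = *in;
    }
    *p = '\0';
    return out;
}

/* The allowlist defence the thread credits (auth_username_chars): every
 * byte of the user name must appear in `allowed`. The set callers pass
 * is a constructed example, not Dovecot's shipped default. */
int username_allowed(const char *user, const char *allowed)
{
    for (; *user != '\0'; user++)
        if (strchr(allowed, *user) == NULL)
            return 0;
    return 1;
}

/* Hypothetical password lookup (not Dovecot's real query): refuse names
 * that fail the allowlist, then escape with '' doubling. Caller frees. */
char *build_password_query(const char *user, const char *allowed)
{
    char *esc, *q;
    if (!username_allowed(user, allowed))
        return NULL;
    esc = escape_sql_quote(user);
    if (esc == NULL)
        return NULL;
    q = malloc(strlen(esc) + 64);
    if (q != NULL)
        sprintf(q, "SELECT password FROM users WHERE userid = '%s'", esc);
    free(esc);
    return q;
}
```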

Reply sent to jaldhar@debian.org (Jaldhar H. Vyas):
You have taken responsibility. (full text, mbox, link).


Notification sent to Martin Pitt <mpitt@debian.org>:
Bug acknowledged by developer. (full text, mbox, link).


Message #30 received at 369359-close@bugs.debian.org (full text, mbox, reply):

From: jaldhar@debian.org (Jaldhar H. Vyas)
To: 369359-close@bugs.debian.org
Subject: Bug#369359: fixed in dovecot 1.0.beta8-3
Date: Sun, 11 Jun 2006 15:02:51 -0700
Source: dovecot
Source-Version: 1.0.beta8-3

We believe that the bug you reported is fixed in the latest version of
dovecot, which is due to be installed in the Debian FTP archive:

dovecot-common_1.0.beta8-3_i386.deb
  to pool/main/d/dovecot/dovecot-common_1.0.beta8-3_i386.deb
dovecot-imapd_1.0.beta8-3_i386.deb
  to pool/main/d/dovecot/dovecot-imapd_1.0.beta8-3_i386.deb
dovecot-pop3d_1.0.beta8-3_i386.deb
  to pool/main/d/dovecot/dovecot-pop3d_1.0.beta8-3_i386.deb
dovecot_1.0.beta8-3.diff.gz
  to pool/main/d/dovecot/dovecot_1.0.beta8-3.diff.gz
dovecot_1.0.beta8-3.dsc
  to pool/main/d/dovecot/dovecot_1.0.beta8-3.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 369359@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jaldhar H. Vyas <jaldhar@debian.org> (supplier of updated dovecot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Sun, 11 Jun 2006 15:33:55 -0400
Source: dovecot
Binary: dovecot-common dovecot-pop3d dovecot-imapd
Architecture: source i386
Version: 1.0.beta8-3
Distribution: unstable
Urgency: high
Maintainer: Jaldhar H. Vyas <jaldhar-dovecot@debian.org>
Changed-By: Jaldhar H. Vyas <jaldhar@debian.org>
Description: 
 dovecot-common - secure mail server that supports mbox and maildir mailboxes
 dovecot-imapd - secure IMAP server that supports mbox and maildir mailboxes
 dovecot-pop3d - secure POP3 server that supports mbox and maildir mailboxes
Closes: 369359
Changes: 
 dovecot (1.0.beta8-3) unstable; urgency=high
 .
   * [SECURITY] SQL injection could occur in the postgresql module with
     certain client character encodings. (See CVE-2006-2314)
     Used the patch from upstream and Martin Pitt <martin.pitt@ubuntu.com>.
     Thanks Martin.  (Closes: #369359)
Files: 
 bae43616adb458972092d184b2e4d34e 1182 mail optional dovecot_1.0.beta8-3.dsc
 8bb7bdd92a92c9b91f38f0ba0f239a12 120717 mail optional dovecot_1.0.beta8-3.diff.gz
 f6fdaeaa8cd3b5f283aa52b8581f7440 949558 mail optional dovecot-common_1.0.beta8-3_i386.deb
 1ee17fb2256881c25e01ba9fd80ce3a0 528768 mail optional dovecot-imapd_1.0.beta8-3_i386.deb
 1d038fd94883320608259fac9f595891 497444 mail optional dovecot-pop3d_1.0.beta8-3_i386.deb


Information forwarded to debian-bugs-dist@lists.debian.org, jaldhar-dovecot@debian.org (Jaldhar H. Vyas):
Bug#369359; Package dovecot-common. (full text, mbox, link).


Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to jaldhar-dovecot@debian.org (Jaldhar H. Vyas). (full text, mbox, link).


Message #35 received at 369359@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <mpitt@debian.org>
To: 369359@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Fix for the escaping patch
Date: Tue, 13 Jun 2006 19:45:56 +0200
[Message part 1 (text/plain, inline)]
reopen 369359
thanks

Hi Jaldhar!

I'm terribly sorry, but during backporting the upstream patch I made a
mistake. Can you please apply the attached debdiff on top of the
current package to unbreak mysql auth?

Please see https://launchpad.net/bugs/49601 for details.

Thank you!

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
[dovecot.fixmysql.diff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Bug reopened, originator not changed. Request was from Martin Pitt <mpitt@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, jaldhar-dovecot@debian.org (Jaldhar H. Vyas):
Bug#369359; Package dovecot-common. (full text, mbox, link).


Acknowledgement sent to "Jaldhar H. Vyas" <jaldhar-dovecot@debian.org>:
Extra info received and forwarded to list. Copy sent to jaldhar-dovecot@debian.org (Jaldhar H. Vyas). (full text, mbox, link).


Message #42 received at 369359@bugs.debian.org (full text, mbox, reply):

From: "Jaldhar H. Vyas" <jaldhar-dovecot@debian.org>
To: Martin Pitt <mpitt@debian.org>, 369359@bugs.debian.org
Subject: Re: Bug#369359: Fix for the escaping patch
Date: Tue, 13 Jun 2006 13:49:24 -0500 (CDT)
On Tue, 13 Jun 2006, Martin Pitt wrote:

> reopen 369359
> thanks
>
> Hi Jaldhar!
>
> I'm terribly sorry, but during backporting the upstream patch I made a
> mistake. Can you please apply the attached debdiff on top of the
> current package to unbreak mysql auth?
>
> Please see https://launchpad.net/bugs/49601 for details.
>

Thanks Martin.  It's applied and a new package is on its way.

-- 
Jaldhar H. Vyas <jaldhar-dovecot@debian.org>
La Salle Debain - http://www.braincells.com/debian/



Reply sent to jaldhar@debian.org (Jaldhar H. Vyas):
You have taken responsibility. (full text, mbox, link).


Notification sent to Martin Pitt <mpitt@debian.org>:
Bug acknowledged by developer. (full text, mbox, link).


Message #47 received at 369359-close@bugs.debian.org (full text, mbox, reply):

From: jaldhar@debian.org (Jaldhar H. Vyas)
To: 369359-close@bugs.debian.org
Subject: Bug#369359: fixed in dovecot 1.0.beta8-4
Date: Tue, 13 Jun 2006 14:32:13 -0700
Source: dovecot
Source-Version: 1.0.beta8-4

We believe that the bug you reported is fixed in the latest version of
dovecot, which is due to be installed in the Debian FTP archive:

dovecot-common_1.0.beta8-4_i386.deb
  to pool/main/d/dovecot/dovecot-common_1.0.beta8-4_i386.deb
dovecot-imapd_1.0.beta8-4_i386.deb
  to pool/main/d/dovecot/dovecot-imapd_1.0.beta8-4_i386.deb
dovecot-pop3d_1.0.beta8-4_i386.deb
  to pool/main/d/dovecot/dovecot-pop3d_1.0.beta8-4_i386.deb
dovecot_1.0.beta8-4.diff.gz
  to pool/main/d/dovecot/dovecot_1.0.beta8-4.diff.gz
dovecot_1.0.beta8-4.dsc
  to pool/main/d/dovecot/dovecot_1.0.beta8-4.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 369359@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jaldhar H. Vyas <jaldhar@debian.org> (supplier of updated dovecot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Sun, 11 Jun 2006 16:27:43 -0400
Source: dovecot
Binary: dovecot-common dovecot-pop3d dovecot-imapd
Architecture: source i386
Version: 1.0.beta8-4
Distribution: unstable
Urgency: high
Maintainer: Jaldhar H. Vyas <jaldhar-dovecot@debian.org>
Changed-By: Jaldhar H. Vyas <jaldhar@debian.org>
Description: 
 dovecot-common - secure mail server that supports mbox and maildir mailboxes
 dovecot-imapd - secure IMAP server that supports mbox and maildir mailboxes
 dovecot-pop3d - secure POP3 server that supports mbox and maildir mailboxes
Closes: 369359 373227
Changes: 
 dovecot (1.0.beta8-4) unstable; urgency=high
 .
   * Unfortunately, the patch in the last version broke the mysql module.
     Fixed thanks to Martin Pitt.  (Closes: #369359, #373227)
Files: 
 26722f52bc9418544e3e6daa037a6abd 1182 mail optional dovecot_1.0.beta8-4.dsc
 f5125d8d82ead00162bca0b9f0a37ce7 120809 mail optional dovecot_1.0.beta8-4.diff.gz
 adb5da2e0fbd20dcc9e17fc95ad0399a 949622 mail optional dovecot-common_1.0.beta8-4_i386.deb
 b951a114a438bfdc28842b09d922d624 528802 mail optional dovecot-imapd_1.0.beta8-4_i386.deb
 ec8da8d2ab51b0246a100a63b419f7db 497480 mail optional dovecot-pop3d_1.0.beta8-4_i386.deb


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 02:04:49 GMT) (full text, mbox, link).


Bug unarchived. Request was from Stefano Zacchiroli <zack@debian.org> to control@bugs.debian.org. (Sun, 10 Apr 2011 08:48:03 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 09 May 2011 07:44:37 GMT) (full text, mbox, link).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Oct 11 12:06:46 2017; Machine Name: buxtehude
