[Pkg-nagios-devel] Bug#369362: Fwd: Re: Insecure quote escaping in PostgreSQL backend

Martin Pitt mpitt at debian.org
Tue May 30 05:52:28 UTC 2006


Hi again,

Florian raised an important point here; sorry for the initial
misinformation. 

Please pass this information to upstream, too.

Thank you,

Martin

----- Forwarded message from Florian Weimer <fw at deneb.enyo.de> -----

From: Florian Weimer <fw at deneb.enyo.de>
To: Martin Pitt <martin at piware.de>
Cc: 369351 at bugs.debian.org
Subject: Re: Bug#369351: exim4-daemon-heavy: Insecure quote escaping in PostgreSQL backend
Date: Mon, 29 May 2006 20:49:57 +0200

* Martin Pitt:

> ./src/lookups/pgsql.c, pgsql_quote() currently uses \' to
> escape quoting, which makes it vulnerable against this attack with
> earlier PostgreSQL versions, and will break with the current one
> (since it disables this method of quote escaping by default in
> affected client encodings). A quick fix is to change the function to
> use '' instead of \', but a better fix is to completely replace the
> loop with an invocation of PQescapeString() from libpq. 

PQescapeString is deprecated because given its interface, the security
bug cannot be closed completely.  You really should use
PQescapeStringConn.

Would you add this information to the other bug reports, too?

----- End forwarded message -----

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
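
An added illustration of the escaping styles discussed in the forwarded message (not code from Exim, libpq or either author): it escapes a constructed value with `\'` and with `''`, then checks each result against a simplified byte-wise model of a server that either accepts or rejects backslash escapes. The names `escape_quotes` and `stays_in_literal` are hypothetical, and the model ignores multibyte client encodings and backslashes in the input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum quote_style { QUOTE_BACKSLASH, QUOTE_DOUBLED };  /* \' versus '' */

/* Escape single quotes in `from` into `to` (capacity `cap`, NUL included).
 * Returns the length written, or (size_t)-1 if `to` is too small.
 * Teaching model only: byte-wise, no encoding or backslash handling. */
size_t escape_quotes(char *to, size_t cap, const char *from, enum quote_style style)
{
    size_t n = 0;
    if (cap == 0) return (size_t)-1;
    for (; *from; from++) {
        if (*from == '\'') {
            if (n + 1 >= cap) return (size_t)-1;
            to[n++] = (style == QUOTE_BACKSLASH) ? '\\' : '\'';
        }
        if (n + 1 >= cap) return (size_t)-1;
        to[n++] = *from;
    }
    to[n] = '\0';
    return n;
}

/* Simplified model of a server scanning the body of a '...' literal.
 * Returns 1 if the whole body stays inside the literal, 0 if the literal
 * would end early. `backslash_escapes` selects whether \' is accepted. */
int stays_in_literal(const char *body, int backslash_escapes)
{
    for (size_t i = 0; body[i]; i++) {
        if (backslash_escapes && body[i] == '\\') {
            if (!body[i + 1]) return 0;          /* trailing backslash */
            i++;                                 /* escaped byte is data */
        } else if (body[i] == '\'') {
            if (body[i + 1] != '\'') return 0;   /* lone quote ends the literal */
            i++;                                 /* '' is one quote of data */
        }
    }
    return 1;
}

int main(void)
{
    char buf[64];
    for (int s = QUOTE_BACKSLASH; s <= QUOTE_DOUBLED; s++) {
        escape_quotes(buf, sizeof buf, "O'Reilly", (enum quote_style)s);  /* constructed input */
        printf("%s -> %d %d\n", buf, stays_in_literal(buf, 1), stays_in_literal(buf, 0));
    }
    return 0;
}
```

The `''` form stays inside the literal under both settings, while `\'` ends the literal early once backslash escapes are rejected. Handling the cases this model leaves out needs the connection's state, which PQescapeStringConn receives as its first argument.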