[mpitt at debian.org: [Pkg-nagios-devel] Bug#369362: Fwd: Re: Insecure quote escaping in PostgreSQL backend]

sean finney seanius at seanius.net
Tue May 30 18:09:29 CEST 2006


and here's some more info, requested to be forwarded on.


	sean

----- Forwarded message from Martin Pitt <mpitt at debian.org> -----

Date: Tue, 30 May 2006 07:52:28 +0200
From: Martin Pitt <mpitt at debian.org>
To: 369349 at bugs.debian.org, 369362 at bugs.debian.org, 369359 at bugs.debian.org
Subject: [Pkg-nagios-devel] Bug#369362: Fwd: Re: Insecure quote escaping in
	PostgreSQL backend

Hi again,

Florian raised an important point here; sorry for the initial
misinformation. 

Please pass this information to upstream, too.

Thank you,

Martin

----- Forwarded message from Florian Weimer <fw at deneb.enyo.de> -----

From: Florian Weimer <fw at deneb.enyo.de>
To: Martin Pitt <martin at piware.de>
Cc: 369351 at bugs.debian.org
Subject: Re: Bug#369351: exim4-daemon-heavy: Insecure quote escaping in PostgreSQL backend
Date: Mon, 29 May 2006 20:49:57 +0200
X-Spam-Status: No, score=0.6 required=4.0 tests=AWL,BAYES_50 autolearn=no 
	version=3.0.3

* Martin Pitt:

> ./src/lookups/pgsql.c, pgsql_quote() currently uses \' to
> escape quoting, which makes it vulnerable against this attack with
> earlier PostgreSQL versions, and will break with the current one
> (since it disables this method of quote escaping by default in
> affected client encodings). A quick fix is to change the function to
> use '' instead of \', but a better fix is to completely replace the
> loop with an invocation of PQescapeString() from libpq. 

PQescapeString is deprecated because given its interface, the security
bug cannot be closed completely.  You really should use
PQescapeStringConn.

Would you add this information to the other bug reports, too?

----- End forwarded message -----

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?



_______________________________________________
Pkg-nagios-devel mailing list
Pkg-nagios-devel at lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-nagios-devel


----- End forwarded message -----
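As an added illustration (not code from exim, from the Debian packages, or from either correspondent), the two escaping strategies the thread contrasts, written as small stand-alone C functions: the old form that prefixes each quote with a backslash, and the quick fix that doubles the quote instead. The libpq routine the thread recommends, PQescapeStringConn(), is only named in a comment, because its point is that it consults the live connection's client encoding, which a stand-alone snippet cannot do.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Quote escaping for a PostgreSQL string literal, as discussed in the thread.
 *
 *   escape_backslash(): the old behaviour (every ' becomes \'); the backslash
 *                       is a single byte, so whether the server honours it as
 *                       an escape depends on the client encoding and server
 *                       version, which is why the thread calls it unsafe.
 *   escape_double():    the quick fix (every ' becomes ''), the SQL-standard
 *                       form that needs no backslash interpretation at all.
 *
 * The recommended fix from the thread is to hand the job to libpq instead:
 *     size_t PQescapeStringConn(PGconn *conn, char *to, const char *from,
 *                               size_t length, int *error);
 * It is not called here because this example runs without a database.
 *
 * All functions return a malloc'd, NUL-terminated string the caller frees,
 * or NULL on allocation failure.
 */

/* Old form: emit a backslash before every single quote (contrast only). */
char *escape_backslash(const char *in)
{
    size_t n = strlen(in);
    char *out = malloc(2 * n + 1);      /* worst case: every byte is a quote */
    if (out == NULL)
        return NULL;
    char *p = out;
    for (const char *s = in; *s != '\0'; s++) {
        if (*s == '\'')
            *p++ = '\\';
        *p++ = *s;
    }
    *p = '\0';
    return out;
}

/* Quick fix: double every single quote ('' inside the literal). */
char *escape_double(const char *in)
{
    size_t n = strlen(in);
    char *out = malloc(2 * n + 1);      /* worst case: every byte is a quote */
    if (out == NULL)
        return NULL;
    char *p = out;
    for (const char *s = in; *s != '\0'; s++) {
        if (*s == '\'')
            *p++ = '\'';
        *p++ = *s;
    }
    *p = '\0';
    return out;
}

/* Build a complete literal: the doubled body wrapped in single quotes. */
char *sql_literal(const char *in)
{
    char *body = escape_double(in);
    if (body == NULL)
        return NULL;
    size_t n = strlen(body);
    char *out = malloc(n + 3);          /* opening quote, body, closing quote, NUL */
    if (out == NULL) {
        free(body);
        return NULL;
    }
    out[0] = '\'';
    memcpy(out + 1, body, n);
    out[n + 1] = '\'';
    out[n + 2] = '\0';
    free(body);
    return out;
}

/* Helper for checks: run fn on in, compare with expected, free, return 1/0. */
int escapes_to(char *(*fn)(const char *), const char *in, const char *expected)
{
    char *got = fn(in);
    if (got == NULL)
        return 0;
    int ok = strcmp(got, expected) == 0;
    free(got);
    return ok;
}

int main(void)
{
    /* Constructed sample inputs; "O'Brien" -> "'O''Brien'" in the doubled form. */
    const char *samples[] = { "O'Brien", "it''s", "plain" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *lit = sql_literal(samples[i]);
        char *old = escape_backslash(samples[i]);
        if (lit == NULL || old == NULL)
            return 1;
        printf("input: %-10s  doubled literal: %-14s  old \\' form: %s\n",
               samples[i], lit, old);
        free(lit);
        free(old);
    }
    return 0;
}
```

The doubled form is what PostgreSQL accepts regardless of backslash handling, which is why it is a safe interim change; the thread's preferred fix, PQescapeStringConn(), additionally takes the connection so that multibyte client encodings are handled by libpq rather than by a byte-at-a-time loop in the application.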
