Debian Bug report logs - #368645
CVE-2006-2313, CVE-2006-2314: encoding conflicts

Reported by: Florian Weimer <fw@deneb.enyo.de>

Date: Tue, 23 May 2006 18:48:01 UTC

Severity: grave

Tags: security

Found in version postgresql/7.4.7-6sarge1

Fixed in version postgresql-7.4/1:7.4.13-1

Done: Martin Pitt <mpitt@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, secure-testing-team@lists.alioth.debian.org, Martin Pitt <mpitt@debian.org>:
Bug#368645; Package postgresql.


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to secure-testing-team@lists.alioth.debian.org, Martin Pitt <mpitt@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: submit@bugs.debian.org
Subject: CVE-2006-2313, CVE-2006-2314: encoding conflicts
Date: Tue, 23 May 2006 20:39:14 +0200
Package: postgresql
Version: 7.4.7-6sarge1
Tags: security
Severity: grave

A couple of PostgreSQL issues have been disclosed today:

  <http://www.postgresql.org/docs/techdocs.52>

My analysis so far:

* CVE-2006-2313

High impact (because UTF-8 is affected and widely used).  Fix is
straightforward as far as UTF-8 is concerned, but will break some
applications which write certain forms of invalid UTF-8 to the
database.  If necessary, a dump and reload to switch to SQL_ASCII on
the server side will fix this.  However, PostgreSQL already rejects
some forms of invalid UTF-8.  Therefore, a change

I don't know the impact on other multibyte encodings; it's probably
necessary to ask upstream.

* CVE-2006-2314

This is the really interesting one.  It's restricted to certain
multi-byte encodings (that's why I think this bug is less severe, all
things considered).  No real fix is possible as long as we preserve
the interface.  The upstream fix outlawing "\'" breaks tons of legacy
PHP applications, but I have no better idea how to address it. 8-(

On the libpq side, I'd use "static __thread" instead of "static" for
the globals.  That way, we gain at least some thread safety.

(Unless someone objects, I'm going to clone this for the various
PostgreSQL packages.)



Information forwarded to debian-bugs-dist@lists.debian.org, Martin Pitt <mpitt@debian.org>:
Bug#368645; Package postgresql.


Acknowledgement sent to Peter Eisentraut <peter_e@gmx.net>:
Extra info received and forwarded to list. Copy sent to Martin Pitt <mpitt@debian.org>.


Message #10 received at 368645@bugs.debian.org:

From: Peter Eisentraut <peter_e@gmx.net>
To: Florian Weimer <fw@deneb.enyo.de>, 368645@bugs.debian.org
Subject: Re: Bug#368645: CVE-2006-2313, CVE-2006-2314: encoding conflicts
Date: Tue, 23 May 2006 21:17:55 +0200
Florian Weimer wrote:
> (Unless someone objects, I'm going to clone this for the various
> PostgreSQL packages.)

Packages are already being uploaded, so don't waste everyone's time.



Information forwarded to debian-bugs-dist@lists.debian.org, Martin Pitt <mpitt@debian.org>:
Bug#368645; Package postgresql.


Acknowledgement sent to Peter Eisentraut <peter_e@gmx.net>:
Extra info received and forwarded to list. Copy sent to Martin Pitt <mpitt@debian.org>.


Message #15 received at 368645@bugs.debian.org:

From: Peter Eisentraut <peter_e@gmx.net>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 368645@bugs.debian.org
Subject: Re: Bug#368645: CVE-2006-2313, CVE-2006-2314: encoding conflicts
Date: Tue, 23 May 2006 21:22:20 +0200
Peter Eisentraut wrote:
> Florian Weimer wrote:
> > (Unless someone objects, I'm going to clone this for the various
> > PostgreSQL packages.)
>
> Packages are already being uploaded, so don't waste everyone's time.

Correction: packages have already been uploaded, so we only need to wait 
for the security team's approval of the stable upload.

(Yes, there is a secret club that coordinates these things before the 
publication of the security issue.)



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#368645; Package postgresql.


Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list.


Message #20 received at 368645@bugs.debian.org:

From: Martin Pitt <mpitt@debian.org>
To: 368645@bugs.debian.org, Florian Weimer <fw@deneb.enyo.de>, security@debian.org
Subject: Re: CVE-2006-2313, CVE-2006-2314: encoding conflicts
Date: Wed, 24 May 2006 19:12:40 +0200
Hi Florian, hi security team, hi everyone else,

just for the record, sid has updated packages already.

I'm 70% into completing the security update for sarge. However, due to
the nature of the vulns, the patches are enormous, and thus require
meticulous porting and testing.

Unfortunately I will be away from now until Sunday. I hope to have
fixed packages ready on Sunday. I will report back when I'm done.

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

Information forwarded to debian-bugs-dist@lists.debian.org, Martin Pitt <mpitt@debian.org>:
Bug#368645; Package postgresql.


Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Martin Pitt <mpitt@debian.org>.


Message #25 received at 368645@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Martin Pitt <mpitt@debian.org>
Cc: 368645@bugs.debian.org, Florian Weimer <fw@deneb.enyo.de>, security@debian.org
Subject: Re: CVE-2006-2313, CVE-2006-2314: encoding conflicts
Date: Thu, 25 May 2006 18:27:14 +0200
Martin Pitt wrote:
> Hi Florian, hi security team, hi everyone else,
> 
> just for the record, sid has updated packages already.
> 
> I'm 70% into completing the security update for sarge. However, due to
> the nature of the vulns, the patches are enormous, and thus require
> meticulous porting and testing.
> 
> Unfortunately I will be away from now until Sunday. I hope to have
> fixed packages ready on Sunday. I will report back when I'm done.

Oh dear!  Thanks a lot.

Regards,

	Joey

Given enough thrust pigs will fly, but it's not necessarily a good idea.

Please always Cc to me when replying to me on the lists.



Reply sent to Martin Pitt <mpitt@debian.org>:
You have taken responsibility.


Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer.


Message #30 received at 368645-done@bugs.debian.org:

From: Martin Pitt <mpitt@debian.org>
To: 368645-done@bugs.debian.org
Subject: Re: Bug#368645: CVE-2006-2313, CVE-2006-2314: encoding conflicts
Date: Sun, 28 May 2006 11:40:37 +0200
Package: postgresql-7.4
Version: 1:7.4.13-1

I'm closing this bug in Sid, it was fixed in this version:

postgresql-7.4 (1:7.4.13-1) unstable; urgency=medium

  * New upstream security and bug fix release:
    - The server now rejects invalidly-encoded multibyte characters in all
      cases to defend against SQL-injection attacks. [CVE-2006-2313]
    - Reject unsafe uses of \' in string literals (for client encodings that
      allow SQL injection with this, like SJIS, BIG5, GBK, GB18030, or UHC). A
      new configuration parameter backslash_quote is available to adjust this
      behavior when needed. [CVE-2006-2314]
    - Modify libpq's string-escaping routines to be aware of encoding
      considerations and standard_conforming_strings
      This fixes libpq-using applications for the security issues
      described in CVE-2006-2313 and CVE-2006-2314, and also
      future-proofs them against the planned changeover to SQL-standard
      string literal syntax. Applications that use multiple PostgreSQL
      connections concurrently should migrate to PQescapeStringConn() and
      PQescapeByteaConn() to ensure that escaping is done correctly for
      the settings in use in each database connection. Applications that
      do string escaping "by hand" should be modified to rely on library
      routines instead.
    - Various bug fixes, see upstream changelog for details.

 -- Martin Pitt <mpitt@debian.org>  Mon, 22 May 2006 10:35:58 +0200

Security update for Sarge is in the last stages of preparation.

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
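As an added illustration (an editor's example, not PostgreSQL or libpq code) of the two defences the changelog above describes and that Florian's initial analysis calls for: strict rejection of invalidly encoded multibyte input before it reaches the SQL parser, and escaping of string literals that walks the input character by character rather than byte by byte, so that a trail byte of a SJIS character can never be read as a backslash or a quote. The UTF-8 and SJIS byte ranges are the standard ones; the function names, the `enum enc` type and the sample inputs are the editor's own constructions.

```c
/* Editor's example: encoding-aware validation and literal escaping.
 * Not PostgreSQL or libpq source; names and sample inputs are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum enc { ENC_UTF8, ENC_SJIS };   /* constructed enum, not a libpq type */

/* Length (1..4) of the UTF-8 sequence starting at p, or 0 if it is invalid:
 * stray continuation bytes, overlong forms, surrogates, > U+10FFFF, truncation. */
size_t utf8_char_len(const unsigned char *p, size_t avail)
{
    if (avail == 0) return 0;
    unsigned char b0 = p[0];
    size_t n; uint32_t cp, min;
    if (b0 < 0x80) return 1;
    if ((b0 & 0xE0) == 0xC0)      { n = 2; cp = b0 & 0x1F; min = 0x80; }
    else if ((b0 & 0xF0) == 0xE0) { n = 3; cp = b0 & 0x0F; min = 0x800; }
    else if ((b0 & 0xF8) == 0xF0) { n = 4; cp = b0 & 0x07; min = 0x10000; }
    else return 0;                                    /* 0x80..0xBF or 0xF8..0xFF as lead byte */
    if (avail < n) return 0;                          /* truncated sequence */
    for (size_t i = 1; i < n; i++) {
        if ((p[i] & 0xC0) != 0x80) return 0;          /* not a continuation byte */
        cp = (cp << 6) | (p[i] & 0x3F);
    }
    if (cp < min) return 0;                           /* overlong encoding */
    if (cp >= 0xD800 && cp <= 0xDFFF) return 0;       /* UTF-16 surrogate */
    if (cp > 0x10FFFF) return 0;
    return n;
}

/* 1 if every byte of s belongs to a valid UTF-8 sequence, else 0. */
int utf8_valid(const char *s, size_t len)
{
    const unsigned char *p = (const unsigned char *)s;
    for (size_t i = 0; i < len; ) {
        size_t n = utf8_char_len(p + i, len - i);
        if (n == 0) return 0;
        i += n;
    }
    return 1;
}

/* Length (1..2) of the Shift_JIS character at p, or 0 if invalid. Trail bytes
 * may be 0x40..0x7E, which includes 0x5C (backslash) and 0x27 is excluded. */
size_t sjis_char_len(const unsigned char *p, size_t avail)
{
    if (avail == 0) return 0;
    unsigned char b0 = p[0];
    if (b0 < 0x80 || (b0 >= 0xA1 && b0 <= 0xDF)) return 1;   /* ASCII / half-width kana */
    if ((b0 >= 0x81 && b0 <= 0x9F) || (b0 >= 0xE0 && b0 <= 0xFC)) {
        if (avail < 2) return 0;
        unsigned char b1 = p[1];
        return ((b1 >= 0x40 && b1 <= 0x7E) || (b1 >= 0x80 && b1 <= 0xFC)) ? 2 : 0;
    }
    return 0;
}

size_t char_len(enum enc e, const unsigned char *p, size_t avail)
{
    return e == ENC_UTF8 ? utf8_char_len(p, avail) : sjis_char_len(p, avail);
}

/* Escape bytes for use inside a single-quoted SQL literal, character by character.
 * Quotes are doubled ('') and, when std_strings is 0 (backslash is an escape
 * character), backslashes are doubled too. Multibyte characters are copied whole,
 * so a 0x5C trail byte is never treated as a backslash. Invalid input is refused.
 * Returns bytes written, or (size_t)-1 on invalid input or a too-small buffer. */
size_t escape_literal(enum enc e, int std_strings, const char *in, size_t inlen,
                      char *out, size_t outcap)
{
    const unsigned char *p = (const unsigned char *)in;
    size_t i = 0, o = 0;
    while (i < inlen) {
        size_t n = char_len(e, p + i, inlen - i);
        if (n == 0) return (size_t)-1;                /* reject, as the fixed server does */
        if (n == 1 && (p[i] == '\'' || (!std_strings && p[i] == '\\'))) {
            if (o + 2 > outcap) return (size_t)-1;
            out[o++] = (char)p[i];
            out[o++] = (char)p[i];
            i++;
            continue;
        }
        if (o + n > outcap) return (size_t)-1;
        memcpy(out + o, p + i, n);
        o += n;
        i += n;
    }
    if (o < outcap) out[o] = '\0';
    return o;
}

int main(void)
{
    char buf[64];
    /* constructed: a SJIS two-byte character whose trail byte is 0x5C, then a quote */
    size_t n = escape_literal(ENC_SJIS, 1, "\x95\x5C'", 3, buf, sizeof buf);
    printf("SJIS sample escaped to %zu bytes; valid UTF-8: %d; overlong rejected: %d\n",
           n, utf8_valid("caf\xC3\xA9", 5), !utf8_valid("\xC0\xAF", 2));
    return 0;
}
```

Doubling the quote rather than prefixing a backslash is what keeps the routine safe in the encodings the changelog lists; with `std_strings` set to 0 (the pre-`standard_conforming_strings` behaviour) backslashes are doubled as well, which is the behaviour libpq's PQescapeStringConn selects from the connection's settings. The validation step is the server-side half: an input the encoding cannot account for is rejected outright instead of being passed on for the parser to guess at.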

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#368645; Package postgresql.


Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list.


Message #35 received at 368645@bugs.debian.org:

From: Martin Pitt <mpitt@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>, 368645@bugs.debian.org, security@debian.org
Subject: Re: Bug#368645: CVE-2006-2313, CVE-2006-2314: encoding conflicts - sarge security update finished
Date: Sun, 28 May 2006 14:06:36 +0200
Hi security team,

I backported the relevant changes from 7.4.13 and put the sarge
security update to [1]. This time, just putting 7.4.13 into
sarge-security would even have been safer IMHO, and that's what users
would want anyway, but we already had this discussion several times,
so I only ported the security fixes and a very simple, but important
bug fix.

The debdiff is available [2], but believe me, you do not really want
to look at it. You have been warned! :)

The package passes the upstream test suite, the same patches thrown
onto 7.4.8 (which Ubuntu uses in version 5.04) pass my own test suite
in postgresql-common, and the exploit does not work any more, so I'm
fairly sure that it doesn't break too much.

Please feel free to just upload the provided package, or tell me how
to proceed.

Thank you!

Martin

[1] http://people.debian.org/~mpitt/psql-sarge/
[2] http://people.debian.org/~mpitt/psql-sarge/postgresql_7.4.7-6sarge2.debdiff

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

Information forwarded to debian-bugs-dist@lists.debian.org, Martin Pitt <mpitt@debian.org>:
Bug#368645; Package postgresql.


Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Martin Pitt <mpitt@debian.org>.


Message #40 received at 368645@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Martin Pitt <mpitt@debian.org>
Cc: Florian Weimer <fw@deneb.enyo.de>, 368645@bugs.debian.org, security@debian.org
Subject: Re: Bug#368645: CVE-2006-2313, CVE-2006-2314: encoding conflicts - sarge security update finished
Date: Sun, 28 May 2006 19:37:29 +0200
Martin Pitt wrote:
> Hi security team,
> 
> I backported the relevant changes from 7.4.13 and put the sarge
> security update to [1]. This time, just putting 7.4.13 into
> sarge-security would even have been safer IMHO, and that's what users
> would want anyway, but we already had this discussion several times,
> so I only ported the security fixes and a very simple, but important
> bug fix.
> 
> The debdiff is available [2], but believe me, you do not really want
> to look at it. You have been warned! :)
> 
> The package passes the upstream test suite, the same patches thrown
> onto 7.4.8 (which Ubuntu uses in version 5.04) pass my own test suite
> in postgresql-common, and the exploit does not work any more, so I'm
> fairly sure that it doesn't break too much.
> 
> Please feel free to just upload the provided package, or tell me how
> to proceed.
> 
> Thank you!
> 
> Martin
> 
> [1] http://people.debian.org/~mpitt/psql-sarge/
> [2] http://people.debian.org/~mpitt/psql-sarge/postgresql_7.4.7-6sarge2.debdiff

Thanks a lot.  However, could you redo the (source) package without
the arch crap inside?

Regards,

	Joey

-- 
A mathematician is a machine for converting coffee into theorems.   Paul Erdős

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#368645; Package postgresql.


Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list.


Message #45 received at 368645@bugs.debian.org:

From: Martin Pitt <mpitt@debian.org>
To: Martin Schulze <joey@infodrom.org>, 368645@bugs.debian.org
Cc: Florian Weimer <fw@deneb.enyo.de>, security@debian.org
Subject: Re: Bug#368645: CVE-2006-2313, CVE-2006-2314: encoding conflicts - sarge security update finished
Date: Mon, 29 May 2006 09:54:29 +0200
Hi Joey,

Martin Schulze [2006-05-28 19:37 +0200]:
> > [1] http://people.debian.org/~mpitt/psql-sarge/
> > [2] http://people.debian.org/~mpitt/psql-sarge/postgresql_7.4.7-6sarge2.debdiff
> 
> Thanks a lot.  However, could you redo the (source) package without
> the arch crap inside?

There is no arch stuff inside (I don't even use arch any more). I also
cleaned the debdiff (I just checked again).
However, the -sarge1 version had arch stuff, maybe you did a debdiff
on your own and stumbled over that?

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

Information forwarded to debian-bugs-dist@lists.debian.org, Martin Pitt <mpitt@debian.org>:
Bug#368645; Package postgresql.


Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Martin Pitt <mpitt@debian.org>.


Message #50 received at 368645@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Martin Pitt <mpitt@debian.org>
Cc: 368645@bugs.debian.org, Florian Weimer <fw@deneb.enyo.de>, security@debian.org
Subject: Re: Bug#368645: CVE-2006-2313, CVE-2006-2314: encoding conflicts - sarge security update finished
Date: Mon, 29 May 2006 15:25:24 +0200
Martin Pitt wrote:
> Hi Joey,
> 
> Martin Schulze [2006-05-28 19:37 +0200]:
> > > [1] http://people.debian.org/~mpitt/psql-sarge/
> > > [2] http://people.debian.org/~mpitt/psql-sarge/postgresql_7.4.7-6sarge2.debdiff
> > 
> > Thanks a lot.  However, could you redo the (source) package without
> > the arch crap inside?
> 
> There is no arch stuff inside (I don't even use arch any more). I also
> cleaned the debdiff (I just checked again).
> However, the -sarge1 version had arch stuff, maybe you did a debdiff
> on your own and stumbled over that?

Yup.  I see.  In that case the arch stuff should be kept so the patch
is not cluttered.

Regards,

	Joey

-- 
Ten years and still binary compatible.  -- XFree86

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Martin Pitt <mpitt@debian.org>:
Bug#368645; Package postgresql.


Acknowledgement sent to Martin Pitt <martin.pitt@canonical.com>:
Extra info received and forwarded to list. Copy sent to Martin Pitt <mpitt@debian.org>.


Message #55 received at 368645@bugs.debian.org:

From: Martin Pitt <martin.pitt@canonical.com>
To: Martin Schulze <joey@infodrom.org>
Cc: 368645@bugs.debian.org, Florian Weimer <fw@deneb.enyo.de>, security@debian.org
Subject: Re: Bug#368645: CVE-2006-2313, CVE-2006-2314: encoding conflicts - sarge security update finished
Date: Mon, 29 May 2006 15:46:02 +0200
Hi,

Martin Schulze [2006-05-29 15:25 +0200]:
> Martin Pitt wrote:
> > Hi Joey,
> > 
> > Martin Schulze [2006-05-28 19:37 +0200]:
> > > > [1] http://people.debian.org/~mpitt/psql-sarge/
> > > > [2] http://people.debian.org/~mpitt/psql-sarge/postgresql_7.4.7-6sarge2.debdiff
> > > 
> > > Thanks a lot.  However, could you redo the (source) package without
> > > the arch crap inside?
> > 
> > There is no arch stuff inside (I don't even use arch any more). I also
> > cleaned the debdiff (I just checked again).
> > However, the -sarge1 version had arch stuff, maybe you did a debdiff
> > on your own and stumbled over that?
> 
> Yup.  I see.  In that case the arch stuff should be kept so the patch
> is not cluttered.

I can't, sorry. I killed the arch repo months ago. The debdiff in [2]
does not contain arch spewage.

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 11:00:19 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:31:47 2019; Machine Name: buxtehude


Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.