Debian Bug report logs -
#368645
CVE-2006-2313, CVE-2006-2314: encoding conflicts
Reported by: Florian Weimer <fw@deneb.enyo.de>
Date: Tue, 23 May 2006 18:48:01 UTC
Severity: grave
Tags: security
Found in version postgresql/7.4.7-6sarge1
Fixed in version postgresql-7.4/1:7.4.13-1
Done: Martin Pitt <mpitt@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, secure-testing-team@lists.alioth.debian.org, Martin Pitt <mpitt@debian.org>
:
Bug#368645
; Package postgresql
.
(full text, mbox, link).
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>
:
New Bug report received and forwarded. Copy sent to secure-testing-team@lists.alioth.debian.org, Martin Pitt <mpitt@debian.org>
.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: postgresql
Version: 7.4.7-6sarge1
Tags: security
Severity: grave
A couple of PostgreSQL issues have been disclosed today:
<http://www.postgresql.org/docs/techdocs.52>
My analysis so far:
* CVE-2006-2313
High impact (because UTF-8 is affected and widely used). Fix is
straightforward as far as UTF-8 is concerned, but will break some
applications which write certain forms of invalid UTF-8 to the
database. If necessary, a dump and reload to switch to SQL_ASCII on
the server side will fix this. However, PostgreSQL already rejects
some forms of invalid UTF-8. Therefore, a change
I don't know the impact on other multibyte encodings; it's probably
necessary to ask upstream.
* CVE-2006-2314
This is the really interesting one. It's restricted to certain
multi-byte encodings (that's why I think this bug is less severe, all
things considered). No real fix is possible as long as we preserve
the interface. The upstream fix outlawing "\'" breaks tons of legacy
PHP applications, but I have no better idea how to address it. 8-(
On the libpq side, I'd use "static __thread" instead of "static" for
the globals. That way, we gain at least some thread safety.
(Unless someone objects, I'm going to clone this for the various
PostgreSQL packages.)
Information forwarded to debian-bugs-dist@lists.debian.org, Martin Pitt <mpitt@debian.org>
:
Bug#368645
; Package postgresql
.
(full text, mbox, link).
Acknowledgement sent to Peter Eisentraut <peter_e@gmx.net>
:
Extra info received and forwarded to list. Copy sent to Martin Pitt <mpitt@debian.org>
.
(full text, mbox, link).
Message #10 received at 368645@bugs.debian.org (full text, mbox, reply):
Florian Weimer wrote:
> (Unless someone objects, I'm going to clone this for the various
> PostgreSQL packages.)
Packages are already being uploaded, so don't waste everyone's time.
Information forwarded to debian-bugs-dist@lists.debian.org, Martin Pitt <mpitt@debian.org>
:
Bug#368645
; Package postgresql
.
(full text, mbox, link).
Acknowledgement sent to Peter Eisentraut <peter_e@gmx.net>
:
Extra info received and forwarded to list. Copy sent to Martin Pitt <mpitt@debian.org>
.
(full text, mbox, link).
Message #15 received at 368645@bugs.debian.org (full text, mbox, reply):
Peter Eisentraut wrote:
> Florian Weimer wrote:
> > (Unless someone objects, I'm going to clone this for the various
> > PostgreSQL packages.)
>
> Packages are already being uploaded, so don't waste everyone's time.
Correction: packages have already been uploaded, so we only need to wait
for the security team's approval of the stable upload.
(Yes, there is a secret club that coordinates these things before the
publication of the security issue.)
Information forwarded to debian-bugs-dist@lists.debian.org
:
Bug#368645
; Package postgresql
.
(full text, mbox, link).
Acknowledgement sent to Martin Pitt <mpitt@debian.org>
:
Extra info received and forwarded to list.
(full text, mbox, link).
Message #20 received at 368645@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi Florian, hi security team, hi everyone else,
just for the record, sid has updated packages already.
I'm 70% into completing the security update for sarge. However, due to
the nature of the vulns, the patches are enormous, and thus require
meticulous porting and testing.
Unfortunately I will be away from now until Sunday. I hope to have
fixed packages ready on Sunday. I will report back when I'm done.
Thanks,
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?
[signature.asc (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Martin Pitt <mpitt@debian.org>
:
Bug#368645
; Package postgresql
.
(full text, mbox, link).
Acknowledgement sent to Martin Schulze <joey@infodrom.org>
:
Extra info received and forwarded to list. Copy sent to Martin Pitt <mpitt@debian.org>
.
(full text, mbox, link).
Message #25 received at 368645@bugs.debian.org (full text, mbox, reply):
Martin Pitt wrote:
> Hi Florian, hi security team, hi everyone else,
>
> just for the record, sid has updated packages already.
>
> I'm 70% into completing the security update for sarge. However, due to
> the nature of the vulns, the patches are enormous, and thus require
> meticulous porting and testing.
>
> Unfortunately I will be away from now until Sunday. I hope to have
> fixed packages ready on Sunday. I will report back when I'm done.
Oh dear! Thanks a lot.
Regards,
Joey
Given enough thrust pigs will fly, but it's not necessarily a good idea.
Please always Cc to me when replying to me on the lists.
Reply sent to Martin Pitt <mpitt@debian.org>
:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Florian Weimer <fw@deneb.enyo.de>
:
Bug acknowledged by developer.
(full text, mbox, link).
Message #30 received at 368645-done@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: postgresql-7.4
Version: 1:7.4.13-1
I'm closing this bug in Sid, it was fixed in this version:
postgresql-7.4 (1:7.4.13-1) unstable; urgency=medium
* New upstream security and bug fix release:
- The server now rejects invalidly-encoded multibyte characters in all
cases to defend against SQL-injection attacks. [CVE-2006-2313]
- Reject unsafe uses of \' in string literals (for client encodings that
allow SQL injection with this, like SJIS, BIG5, GBK, GB18030, or UHC). A
new configuration parameter backslash_quote is available to adjust this
behavior when needed. [CVE-2006-2314]
- Modify libpq's string-escaping routines to be aware of encoding
considerations and standard_conforming_strings
This fixes libpq-using applications for the security issues
described in CVE-2006-2313 and CVE-2006-2314, and also
future-proofs them against the planned changeover to SQL-standard
string literal syntax. Applications that use multiple PostgreSQL
connections concurrently should migrate to PQescapeStringConn() and
PQescapeByteaConn() to ensure that escaping is done correctly for
the settings in use in each database connection. Applications that
do string escaping "by hand" should be modified to rely on library
routines instead.
- Various bug fixes, see upstream changelog for details.
-- Martin Pitt <mpitt@debian.org> Mon, 22 May 2006 10:35:58 +0200
Security update for Sarge is in the last stages of preparation.
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?
[signature.asc (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org
:
Bug#368645
; Package postgresql
.
(full text, mbox, link).
Acknowledgement sent to Martin Pitt <mpitt@debian.org>
:
Extra info received and forwarded to list.
(full text, mbox, link).
Message #35 received at 368645@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi security team,
I backported the relevant changes from 7.4.13 and put the sarge
security update to [1]. This time, just putting 7.4.13 into
sarge-security would even have been safer IMHO, and that's what users
would want anyway, but we already had this discussion several times,
so I only ported the security fixes and a very simple, but important
bug fix.
The debdiff is available [2], but believe me, you do not really want
to look at it. You have been warned! :)
The package passes the upstream test suite, the same patches thrown
onto 7.4.8 (which Ubuntu uses in version 5.04) pass my own test suite
in postgresql-common, and the exploit does not work any more, so I'm
fairly sure that it doesn't break too much.
Please feel free to just upload the provided package, or tell me how
to proceed.
Thank you!
Martin
[1] http://people.debian.org/~mpitt/psql-sarge/
[2] http://people.debian.org/~mpitt/psql-sarge/postgresql_7.4.7-6sarge2.debdiff
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?
[signature.asc (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Martin Pitt <mpitt@debian.org>
:
Bug#368645
; Package postgresql
.
(full text, mbox, link).
Acknowledgement sent to Martin Schulze <joey@infodrom.org>
:
Extra info received and forwarded to list. Copy sent to Martin Pitt <mpitt@debian.org>
.
(full text, mbox, link).
Message #40 received at 368645@bugs.debian.org (full text, mbox, reply):
Martin Pitt wrote:
> Hi security team,
>
> I backported the relevant changes from 7.4.13 and put the sarge
> security update to [1]. This time, just putting 7.4.13 into
> sarge-security would even have been safer IMHO, and that's what users
> would want anyway, but we already had this discussion several times,
> so I only ported the security fixes and a very simple, but important
> bug fix.
>
> The debdiff is available [2], but believe me, you do not really want
> to look at it. You have been warned! :)
>
> The package passes the upstream test suite, the same patches thrown
> onto 7.4.8 (which Ubuntu uses in version 5.04) pass my own test suite
> in postgresql-common, and the exploit does not work any more, so I'm
> fairly sure that it doesn't break too much.
>
> Please feel free to just upload the provided package, or tell me how
> to proceed.
>
> Thank you!
>
> Martin
>
> [1] http://people.debian.org/~mpitt/psql-sarge/
> [2] http://people.debian.org/~mpitt/psql-sarge/postgresql_7.4.7-6sarge2.debdiff
Thanks a lot. However, could you redo the (source) package without
the arch crap inside?
Regards,
Joey
--
A mathematician is a machine for converting coffee into theorems. Paul Erdös
Please always Cc to me when replying to me on the lists.
Information forwarded to debian-bugs-dist@lists.debian.org
:
Bug#368645
; Package postgresql
.
(full text, mbox, link).
Acknowledgement sent to Martin Pitt <mpitt@debian.org>
:
Extra info received and forwarded to list.
(full text, mbox, link).
Message #45 received at 368645@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi Joey,
Martin Schulze [2006-05-28 19:37 +0200]:
> > [1] http://people.debian.org/~mpitt/psql-sarge/
> > [2] http://people.debian.org/~mpitt/psql-sarge/postgresql_7.4.7-6sarge2.debdiff
>
> Thanks a lot. However, could you redo the (source) package without
> the arch crap inside?
There is no arch stuff inside (I don't even use arch any more). I also
cleaned the debdiff (I just checked again).
However, the -sarge1 version had arch stuff, maybe you did a debdiff
on your own and stumbled over that?
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?
[signature.asc (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Martin Pitt <mpitt@debian.org>
:
Bug#368645
; Package postgresql
.
(full text, mbox, link).
Acknowledgement sent to Martin Schulze <joey@infodrom.org>
:
Extra info received and forwarded to list. Copy sent to Martin Pitt <mpitt@debian.org>
.
(full text, mbox, link).
Message #50 received at 368645@bugs.debian.org (full text, mbox, reply):
Martin Pitt wrote:
> Hi Joey,
>
> Martin Schulze [2006-05-28 19:37 +0200]:
> > > [1] http://people.debian.org/~mpitt/psql-sarge/
> > > [2] http://people.debian.org/~mpitt/psql-sarge/postgresql_7.4.7-6sarge2.debdiff
> >
> > Thanks a lot. However, could you redo the (source) package without
> > the arch crap inside?
>
> There is no arch stuff inside (I don't even use arch any more). I also
> cleaned the debdiff (I just checked again).
> However, the -sarge1 version had arch stuff, maybe you did a debdiff
> on your own and stumbled over that?
Yup. I see. In that case the arch stuff should be kept so the patch
is not cluttered.
Regards,
Joey
--
Ten years and still binary compatible. -- XFree86
Please always Cc to me when replying to me on the lists.
Information forwarded to debian-bugs-dist@lists.debian.org, Martin Pitt <mpitt@debian.org>
:
Bug#368645
; Package postgresql
.
(full text, mbox, link).
Acknowledgement sent to Martin Pitt <martin.pitt@canonical.com>
:
Extra info received and forwarded to list. Copy sent to Martin Pitt <mpitt@debian.org>
.
(full text, mbox, link).
Message #55 received at 368645@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
Martin Schulze [2006-05-29 15:25 +0200]:
> Martin Pitt wrote:
> > Hi Joey,
> >
> > Martin Schulze [2006-05-28 19:37 +0200]:
> > > > [1] http://people.debian.org/~mpitt/psql-sarge/
> > > > [2] http://people.debian.org/~mpitt/psql-sarge/postgresql_7.4.7-6sarge2.debdiff
> > >
> > > Thanks a lot. However, could you redo the (source) package without
> > > the arch crap inside?
> >
> > There is no arch stuff inside (I don't even use arch any more). I also
> > cleaned the debdiff (I just checked again).
> > However, the -sarge1 version had arch stuff, maybe you did a debdiff
> > on your own and stumbled over that?
>
> Yup. I see. In that case the arch stuff should be kept so the patch
> is not cluttered.
I can't, sorry. I killed the arch repo months ago. The debdiff in [2]
does not contain arch spewage.
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?
[signature.asc (application/pgp-signature, inline)]
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Mon, 25 Jun 2007 11:00:19 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:31:47 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.