Re: Bug#369351: exim4-daemon-heavy: Insecure quote escaping in PostgreSQL backend
Posted: Tue May 30, 2006 8:09 am
and here's some more info, requested to be forwarded on.
sean
----- Forwarded message from Martin Pitt -----
Date: Tue, 30 May 2006 07:52:28 +0200
From: Martin Pitt
To: [email protected], [email protected], [email protected]
Subject: [Pkg-nagios-devel] Bug#369362: Fwd: Re: Insecure quote escaping in
PostgreSQL backend
Hi again,
Florian raised an important point here; sorry for the initial
misinformation.
Please pass this information to upstream, too.
Thank you,
Martin
----- Forwarded message from Florian Weimer -----
From: Florian Weimer
To: Martin Pitt
Cc: [email protected]
Subject: Re: Bug#369351: exim4-daemon-heavy: Insecure quote escaping in PostgreSQL backend
Date: Mon, 29 May 2006 20:49:57 +0200
* Martin Pitt:
> ./src/lookups/pgsql.c, pgsql_quote() currently uses \' to
> escape quoting, which makes it vulnerable against this attack with
> earlier PostgreSQL versions, and will break with the current one
> (since it disables this method of quote escaping by default in
> affected client encodings). A quick fix is to change the function to
> use '' instead of \', but a better fix is to completely replace the
> loop with an invocation of PQescapeString() from libpq.
PQescapeString is deprecated because given its interface, the security
bug cannot be closed completely. You really should use
PQescapeStringConn.
Would you add this information to the other bug reports, too?
----- End forwarded message -----
-- 
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?
_______________________________________________
Pkg-nagios-devel mailing list
[email protected]
http://lists.alioth.debian.org/mailman/ ... gios-devel
----- End forwarded message -----
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
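The escaping problem discussed in the thread above, as an added example that is not part of the original messages and is not Exim, Nagios or libpq code: byte-wise `\'` escaping compared with an encoding-aware escaper that doubles quotes. The two-byte encoding model, the string-literal scanner and every function name are assumptions made for illustration; in real code the encoding-aware step is the call to `PQescapeStringConn`, which takes the connection and therefore knows the client encoding.

```c
#include <stddef.h>

/* Constructed model of a multibyte client encoding: a byte >= 0x81 followed
   by a byte >= 0x40 is one two-byte character, so 0x5c ('\') can be a trail byte. */
static size_t char_len(const unsigned char *s, size_t left) {
    return (left > 1 && s[0] >= 0x81 && s[1] >= 0x40) ? 2 : 1;
}

/* Byte-wise backslash escaping, the style the report describes for pgsql_quote(). */
size_t escape_backslash(const unsigned char *in, size_t n, unsigned char *out) {
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '\'' || in[i] == '\\') out[o++] = '\\';
        out[o++] = in[i];
    }
    return o;
}

/* Encoding-aware escaping: walk whole characters, double only single-byte ' and \. */
size_t escape_aware(const unsigned char *in, size_t n, unsigned char *out) {
    size_t o = 0, i = 0;
    while (i < n) {
        size_t w = char_len(in + i, n - i);
        if (w == 1 && (in[i] == '\'' || in[i] == '\\')) out[o++] = in[i];
        while (w--) out[o++] = in[i++];
    }
    return o;
}

/* Index of the quote that ends the literal as the modelled server reads it
   (backslash escapes honoured, '' is an escaped quote); n if it never ends. */
size_t literal_end(const unsigned char *s, size_t n) {
    for (size_t i = 0; i < n; ) {
        if (char_len(s + i, n - i) == 2) i += 2;
        else if (s[i] == '\\' && i + 1 < n) i += 1 + char_len(s + i + 1, n - i - 1);
        else if (s[i] != '\'') i++;
        else if (i + 1 < n && s[i + 1] == '\'') i += 2;
        else return i;
    }
    return n;
}

typedef size_t (*escape_fn)(const unsigned char *, size_t, unsigned char *);
int contained(escape_fn esc, const unsigned char *in, size_t n) {
    unsigned char buf[256];          /* room for 2n+1 bytes when n <= 100 */
    if (n > 100) return 0;
    size_t len = esc(in, n, buf);
    buf[len] = '\'';                 /* closing quote the application appends */
    return literal_end(buf, len + 1) == len;  /* 1: literal ends where intended */
}
```

`contained()` returns 0 whenever the modelled server would place the end of the literal anywhere other than the application's own closing quote, which is the condition an escaper must never allow.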