CVE-2009-2940
Published: 22 October 2009
The pygresql module 3.8.1 and 4.0 for Python does not properly support the PQescapeStringConn function, which might allow remote attackers to leverage escaping issues involving multibyte character encodings.
Notes
| Author | Note |
|---|---|
| jdstrand | 1:4.0-0ubuntu1 and higher has the fix affected versions have an escape_string() and escape_bytea() that uses PQescapeString() and PQescapeBytea() from PostgreSQL's libpq-fe.h. These are known to be problematic. The fix is to create pg_escape_string() and pg_escape_bytea() which use the safe PQescapeStringConn() and PQescapeByteaConn() functions, and then add them to the pgobj methods. Applications will have to be rewritten to use the new functions, specifically, something like this: cnx = pg.connect(...) ... escaped = pg.escape_string(str) to be: cnx = pg.connect(...) ... escaped = cnx.escape_string(str) |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
pygresql Launchpad, Ubuntu, Debian |
dapper |
Ignored
(end of life)
|
| hardy |
Released
(1:3.8.1-2ubuntu0.1)
|
|
| intrepid |
Released
(1:3.8.1-3ubuntu0.1)
|
|
| jaunty |
Not vulnerable
(1:4.0-0ubuntu1)
|
|
| karmic |
Not vulnerable
|
|
| upstream |
Released
(1:4.0-1)
|
|
|
Patches: vendor: http://www.debian.org/security/2009/dsa-1911 |
||