Hi Moritz, hi stable team,

Moritz Muehlenhoff [2006-07-06 0:10 +0200]:
> Martin Pitt wrote:
> > > Martin Pitt wrote:
> > > > > a vulnerability of its own or a fix required to cope with behaviour
> > > > > changes due to the new escaping against the big5 injection attacks?
> > > > > The latter ones have been handled with uploads to s-p-u and were acked
> > > > > by the stable release managers.
> > > >
> > > > It's a regression (due to the new quoting behaviour) introduced in the
> > > > previous security update which completely breaks database mirroring
> > > > with DBMirror.pl.
> > > >
> > > > Therefore I'd strongly suggest to fix this in stable-security, since
> > > > it broke due to a stable-security update. If we stick it into s-p-u,
> > > > then stable users might not see it. However, it's your call, I can
> > > > also change the upload target.
> > >
> > > So this is the same as for psycopg, python-pgsql, exim4 and dovecot,
> > > correct? All these have been updated through spu so far.
> >
> > Well, not quite. The non-updated packages work fine with the
> > postgresql security update in most cases. The only exception is if a
> > rarely used client-encoding is used. OTOH, DBMirror.pl breaks for
> > everybody.
>
> Which is only a small subsection of postgresql-contrib's functionality
> as well.
>
> > > , but for now I guess the best is to go through the stable update,
> > > which should happen really soon.
> >
> > Ok, fine for me. So shall I upload to s-p-u now?
>
> Please go ahead and keep debian-release@lists.debian.org posted.

Alright, I uploaded to s-p-u and added d-r@ to CC. For your convenience,
I attach the final debdiff again.

BTW, the patch was reviewed and applied upstream now:

  http://developer.postgresql.org/cvsweb.cgi/pgsql/contrib/dbmirror/DBMirror.pl

Thank you!

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
diff -u postgresql-7.4.7/debian/changelog postgresql-7.4.7/debian/changelog --- postgresql-7.4.7/debian/changelog +++ postgresql-7.4.7/debian/changelog @@ -1,3 +1,13 @@ +postgresql (7.4.7-6sarge3) stable-proposed-updates; urgency=low + + * debian/patches/57quote-escaping.patch: + - contrib/dbmirror/DBMirror.pl: Fix parsing of quotes escaped as '' in the + PendingData table to make the script work with the updated quoting + method introduced in 7.4.7-6sarge2 (using \' escaping is insecure). + - Closes: #372115 + + -- Martin Pitt <mpitt@debian.org> Thu, 6 Jul 2006 09:48:40 +0200 + postgresql (7.4.7-6sarge2) stable-security; urgency=high * SECURITY UPDATE: Remote SQL injection. Closes: #368645 diff -u postgresql-7.4.7/debian/patches/57quote-escaping.patch postgresql-7.4.7/debian/patches/57quote-escaping.patch --- postgresql-7.4.7/debian/patches/57quote-escaping.patch +++ postgresql-7.4.7/debian/patches/57quote-escaping.patch @@ -28,6 +28,15 @@ $updateQuery .= "'$quotedValue'"; } else { +@@ -852,7 +852,7 @@ + $matchString = $1; + $value .= substr $matchString,0,length($matchString)-1; + +- if($matchString =~ m/(\'$)/s) { ++ if($matchString =~ m/(\'$)/s and (substr $dataField,length($matchString),1) ne "'") { + # $1 runs to the end of the field value. + $dataField = substr $dataField,length($matchString)+1; + last; diff -ruN postgresql-7.4.7-old/contrib/dbmirror/pending.c postgresql-7.4.7/contrib/dbmirror/pending.c --- postgresql-7.4.7-old/contrib/dbmirror/pending.c 2003-09-29 18:16:48.000000000 +0000 +++ postgresql-7.4.7/contrib/dbmirror/pending.c 2006-05-24 17:20:52.000000000 +0000
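Review bot: the added condition in the DBMirror.pl hunk, `++ if($matchString =~ m/(\'$)/s and (substr $dataField,length($matchString),1) ne "'") {`, peeks one character past the match so that a quote followed by another quote is treated as the `''` escape rather than as the end of the field, which is the right discriminator for the quoting introduced in 7.4.7-6sarge2; however the hunk only shows the terminating branch (`$dataField = substr $dataField,length($matchString)+1; last;`), so please include the else branch as context, or a comment, confirming that the second `'` of the pair is appended to `$value` as a literal and that scanning resumes after it instead of re-testing that quote as a terminator on the next iteration. The comment `# $1 runs to the end of the field value.` now describes only half of the condition and should mention the doubled-quote lookahead. Since this hunk is nested inside 57quote-escaping.patch, the `@@ -852,7 +852,7 @@` offsets have to match DBMirror.pl as it stands after the earlier hunks of that patch apply, so a dry-run apply of the complete patch against the sarge2 tree is worth confirming before the s-p-u upload is accepted.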
Attachment:
signature.asc
Description: Digital signature