Re: Bug#372115: Last security update of postgresql-contrib breaks database replication with DBMirror.pl



Hi Moritz, hi stable team,

Moritz Muehlenhoff [2006-07-06  0:10 +0200]:
> Martin Pitt wrote:
> > > Martin Pitt wrote:
> > > > > a vulnerability of its own or a fix required to cope with behaviour
> > > > > changes due to the new escaping against the big5 injection attacks?
> > > > > The latter ones have been handled with uploads to s-p-u and were acked
> > > > > by the stable release managers.
> > > > 
> > > > It's a regression (due to the new quoting behaviour) introduced in the
> > > > previous security update which completely breaks database mirroring
> > > > with DBMirror.pl. 
> > > > 
> > > > Therefore I'd strongly suggest to fix this in stable-security, since
> > > > it broke due to a stable-security update. If we stick it into s-p-u,
> > > > then stable users might not see it. However, it's your call, I can
> > > > also change the upload target.
> > > 
> > > So this is the same as for psycopg, python-pgsql, exim4 and dovecot,
> > > correct? All these have been updated through spu so far.
> > 
> > Well, not quite. The non-updated packages work fine with the
> > postgresql security update in most cases. The only exception is if a
> > rarely used client-encoding is used. OTOH, DBMirror.pl breaks for
> > everybody.
> 
> Which is only a small subsection of postgresql-contrib's functionality
> as well.
>  
> > > , but for now I guess the best is to go through the stable update,
> > > which should happen really soon.
> > 
> > Ok, fine for me. So shall I upload to s-p-u now?
> 
> Please go ahead and keep debian-release@lists.debian.org posted.

Alright, I uploaded to s-p-u and added d-r@ to CC. For your
convenience, I attach the final debdiff again.

BTW, the patch was reviewed and applied upstream now:

  http://developer.postgresql.org/cvsweb.cgi/pgsql/contrib/dbmirror/DBMirror.pl

Thank you!

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
diff -u postgresql-7.4.7/debian/changelog postgresql-7.4.7/debian/changelog
--- postgresql-7.4.7/debian/changelog
+++ postgresql-7.4.7/debian/changelog
@@ -1,3 +1,13 @@
+postgresql (7.4.7-6sarge3) stable-proposed-updates; urgency=low
+
+  * debian/patches/57quote-escaping.patch:
+    - contrib/dbmirror/DBMirror.pl: Fix parsing of quotes escaped as '' in the
+      PendingData table to make the script work with the updated quoting
+      method introduced in 7.4.7-6sarge2 (using \' escaping is insecure).
+    - Closes: #372115
+
+ -- Martin Pitt <mpitt@debian.org>  Thu,  6 Jul 2006 09:48:40 +0200
+
 postgresql (7.4.7-6sarge2) stable-security; urgency=high
 
   * SECURITY UPDATE: Remote SQL injection. Closes: #368645
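
Review bot: in the new 7.4.7-6sarge3 entry, the trailing parenthetical "(using \' escaping is insecure)" can be read as describing this upload rather than the reason 7.4.7-6sarge2 changed the quoting. Rewording it to say that 6sarge2 moved to '' escaping because \' escaping is insecure would remove the ambiguity. The entry also never says that this is a regression fix for that update, which is what a reader scanning a stable-proposed-updates upload with urgency=low would want to see first.
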
diff -u postgresql-7.4.7/debian/patches/57quote-escaping.patch postgresql-7.4.7/debian/patches/57quote-escaping.patch
--- postgresql-7.4.7/debian/patches/57quote-escaping.patch
+++ postgresql-7.4.7/debian/patches/57quote-escaping.patch
@@ -28,6 +28,15 @@
  	$updateQuery .= "'$quotedValue'";
        }
        else {
+@@ -852,7 +852,7 @@
+ 	$matchString = $1;
+ 	$value .= substr $matchString,0,length($matchString)-1;
+ 
+-	if($matchString =~ m/(\'$)/s) {
++	if($matchString =~ m/(\'$)/s and (substr $dataField,length($matchString),1) ne "'") {
+ 	  # $1 runs to the end of the field value.
+ 	    $dataField = substr $dataField,length($matchString)+1;
+ 	    last;
 diff -ruN postgresql-7.4.7-old/contrib/dbmirror/pending.c postgresql-7.4.7/contrib/dbmirror/pending.c
 --- postgresql-7.4.7-old/contrib/dbmirror/pending.c	2003-09-29 18:16:48.000000000 +0000
 +++ postgresql-7.4.7/contrib/dbmirror/pending.c	2006-05-24 17:20:52.000000000 +0000
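
Review bot: the added test (substr $dataField,length($matchString),1) ne "'" in the -852 hunk only decides that a quote followed by another quote is not the end of the field; the branch that then has to skip both characters of the '' pair and append a single quote to $value lies outside the context shown here. Please confirm, or widen the hunk to show, that a value ending in an escaped quote (three quotes in a row before the separator) still terminates at the right character. The unchanged comment "# $1 runs to the end of the field value." no longer describes the whole condition, so a short comment stating that '' is an escaped quote and not a terminator would help the next reader.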
