psycopg needs quoting fix

Bug #46473 reported by Stuart Bishop
Affects: psycopg (Ubuntu)
Status: Fix Released
Importance: Critical
Assigned to: Martin Pitt

Bug Description

psycopg quotes the ' character in strings as \', meaning it is vulnerable to the recent multibyte encoding SQL injection attack that prompted the release of PostgreSQL 8.1.4 and other security fixes.

Revision history for this message
Stuart Bishop (stub) wrote :
Matt Zimmerman (mdz)
Changed in psycopg:
assignee: nobody → pitti
Simon Law (sfllaw)
Changed in psycopg:
status: Unconfirmed → Confirmed
Martin Pitt (pitti) wrote :

For the record: current dapper psycopg only uses \' for the psycopg.Binary() function. Normal strings are already escaped with ''.

Changed in psycopg:
status: Confirmed → In Progress
Martin Pitt (pitti) wrote : test program

Just for having a publicly archived demo, this is the test program that I used. It tests both normal string and binary escaping (correctness should be verified in the postgresql log).

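The bug description and the two comments above turn on one point: escaping a quote as \' leaves the meaning of the backslash dependent on the client encoding, whereas doubling it as '' keeps the literal parser working on quote characters alone. The following is an added example, not Martin Pitt's attached test program and not psycopg's own code: it implements quote doubling for normal strings and for bytea in the classic escape format (assuming the pre-hex-format bytea syntax with standard_conforming_strings off, as on PostgreSQL 8.1), keeps the old backslash form only for comparison, and adds the audit check a maintainer would run over generated SQL to catch any \' that slips through. The function names and the sample inputs are constructed for this example.

```python
import re
from typing import Tuple


def quote_string(value: str) -> str:
    """Hardened form: return a SQL string literal with every embedded quote doubled.

    Doubling is the SQL-standard escape. The literal parser only ever has to
    recognise the quote character itself, so no byte of a multibyte client
    encoding can swallow or expose an escape character.
    """
    return "'" + value.replace("'", "''") + "'"


def legacy_quote_string(value: str) -> str:
    """The old, unsafe form described in this bug, kept here for comparison only:
    backslash is doubled and the quote is escaped as \\'."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def quote_binary(data: bytes) -> str:
    """Return a bytea literal in the classic escape format (assumption: pre-hex
    bytea syntax, standard_conforming_strings off, as on PostgreSQL 8.1).

    Non-printable bytes become \\ooo, a backslash needs one level of escaping
    for the string parser and one for bytea, and the quote is doubled, never
    written as \\' (the change made in psycopg 1.1.21-3ubuntu3).
    """
    out = []
    for b in data:
        if b == 0x27:                 # single quote: double it
            out.append("''")
        elif b == 0x5C:               # backslash: two levels of escaping
            out.append("\\\\\\\\")
        elif 0x20 <= b <= 0x7E:       # printable ASCII passes through
            out.append(chr(b))
        else:                         # everything else as octal escape
            out.append("\\\\%03o" % b)
    return "'" + "".join(out) + "'"


BACKSLASH_QUOTE = re.compile(r"\\'")


def uses_backslash_quote(sql: str) -> bool:
    """Audit check: True if a generated statement still contains the \\' escape
    that CVE-2006-2314 concerns. Run this over SQL produced by any wrapper
    whose quoting you have not verified."""
    return BACKSLASH_QUOTE.search(sql) is not None


def parse_string_literal(sql: str) -> Tuple[str, str]:
    """Scan a standard single-quoted literal at the start of sql and return
    (value, remainder). A doubled quote yields one quote; backslashes are
    ordinary characters, as they are under standard_conforming_strings.

    Used here to show that quote_string() round-trips any input, including
    quotes, backslashes and non-ASCII text, without the literal ever ending
    early or late."""
    if not sql.startswith("'"):
        raise ValueError("expected a string literal")
    i, buf = 1, []
    while i < len(sql):
        c = sql[i]
        if c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                buf.append("'")
                i += 2
                continue
            return "".join(buf), sql[i + 1:]
        buf.append(c)
        i += 1
    raise ValueError("unterminated string literal")


if __name__ == "__main__":
    # Constructed sample inputs: a value with a quote, a backslash and non-ASCII text.
    sample = "a'b\\c日本"
    for name, fn in (("doubled", quote_string), ("legacy", legacy_quote_string)):
        literal = fn(sample)
        print(name, literal, "backslash-quote present:", uses_backslash_quote(literal))
    print("bytea:", quote_binary(b"a'b\\c\x01"))
    print("round trip:", parse_string_literal(quote_string(sample) + " AND x = 1"))
```

The audit check is deliberately a plain regex over the final SQL text rather than a property of the quoting function, so it can be pointed at statements captured from the PostgreSQL log, which is where the comment above says correctness should be verified.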

Fixed in dapper:

 psycopg (1.1.21-3ubuntu3) dapper; urgency=low
 .
   * typemod.c, new_psyco_bufferobject():
     - Escape quotes psycopg.Binary() results as '', not as \', since the
       latter does not work any more with some client encodings with the latest
       PostgreSQL (in some multi-byte encodings you can exploit \' escaping to
       inject SQL code, see CVE-2006-2314).
     - Closes: https://launchpad.net/bugs/46473

Martin Pitt (pitti) wrote :

Updates for stables have been prepared, will release the USN tomorrow morning, when all packages are complete.

Changed in psycopg:
status: In Progress → Fix Committed
Martin Pitt (pitti) wrote :

This has been fixed a while ago in USN-288-1.

Changed in psycopg:
status: Fix Committed → Fix Released