Hi again, Florian raised an important point here; sorry for the initial misinformation.
Please pass this information to upstream, too.
Thank you,
Martin
----- Forwarded message from Florian Weimer <[EMAIL PROTECTED]> -----
From: Florian Weimer <[EMAIL PROTECTED]>
To: Martin Pitt <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: Bug#369351: exim4-daemon-heavy: Insecure quote escaping in
PostgreSQL backend
Date: Mon, 29 May 2006 20:49:57 +0200
X-Spam-Status: No, score=0.6 required=4.0 tests=AWL,BAYES_50 autolearn=no
version=3.0.3
* Martin Pitt:
> ./src/lookups/pgsql.c, pgsql_quote() currently uses \' to
> escape quoting, which makes it vulnerable against this attack with
> earlier PostgreSQL versions, and will break with the current one
> (since it disables this method of quote escaping by default in
> affected client encodings). A quick fix is to change the function to
> use '' instead of \', but a better fix is to completely replace the
> loop with an invocation of PQescapeString() from libpq.
PQescapeString is deprecated because given its interface, the security
bug cannot be closed completely. You really should use
PQescapeStringConn.
Would you add this information to the other bug reports, too?
----- End forwarded message -----
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?
signature.asc
Description: Digital signature
