Hello Debian security team, hello Olivier,
Olivier Bornet [2006-06-08 12:30 +0200]:
> Package: postgresql-contrib
> Version: 7.4.7-6sarge2
> Severity: critical
> Justification: causes serious data loss
>
>
> Hello,
>
> using version 7.4.7-6sarge2 of postgresql-contrib causes trouble in
> database replication using /usr/lib/postgresql/bin/DBMirror.pl
>
> The problem I have found is if there is a ' character (the single quote)
> in the data. In this case, the single quote (') is replaced by two
> single quotes ('') in the table PendingData. This causes the replication
> process to stop with a message "Error in PendingData Sequence Id XXX".

Short summary for the security team: This regression was due to the change
of quote escaping in the 7.4.7-6sarge2 security update (\' -> '') which was
necessary to close an SQL injection vulnerability in some encodings.
However, DBMirror.pl's parser did not work with '' encoding. I prepared an
updated package to fix this regression, debdiff attached. The new version
makes DBMirror work again here, and upstream acknowledged the patch.

Permission to upload to sarge-security?

Thank you,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
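As an added illustration (not code from DBMirror.pl or the Debian package), here is a small Python scanner for the quoted PendingData field format the report describes: the naive version stops at the first quote, which is the failure the parser ran into once values used '' escaping, and the fixed version applies the same next-character check as the attached patch. The function names are assumptions.

```python
# Added example, not DBMirror.pl's code: a minimal scanner for a quoted
# field where a literal ' is stored as '' (the escaping introduced in the
# 7.4.7-6sarge2 security update), showing why a quote that ends a match
# must also be checked against the character that follows it.

def quote_value(value: str) -> str:
    """Quote a value the way the security update does: ' becomes ''."""
    return "'" + value.replace("'", "''") + "'"


def scan_field_naive(data: str) -> tuple:
    """Treat the first ' after the opening quote as the end of the value.

    This is the pre-fix failure mode: with '' escaping the value is cut
    short and the rest of the field is left behind, so the next field
    starts in the wrong place.
    """
    if not data.startswith("'"):
        raise ValueError("field does not start with a quote")
    end = data.find("'", 1)
    if end < 0:
        raise ValueError("unterminated quoted field")
    return data[1:end], data[end + 1:]


def scan_field_fixed(data: str) -> tuple:
    """Treat ' as the end of the value only when the next character is
    not another ', mirroring the extra condition in the attached patch.
    A '' pair contributes a single ' to the value."""
    if not data.startswith("'"):
        raise ValueError("field does not start with a quote")
    value = []
    i = 1
    while i < len(data):
        ch = data[i]
        if ch != "'":
            value.append(ch)
            i += 1
        elif i + 1 < len(data) and data[i + 1] == "'":
            value.append("'")  # escaped quote: keep one, skip both
            i += 2
        else:
            return "".join(value), data[i + 1:]  # closing quote
    raise ValueError("unterminated quoted field")
```

The edge cases worth checking are a value that ends in a quote (stored as `'abc'''`) and a value that is only a quote (`''''`), where the final `''` pair sits directly before the closing quote.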
diff -u postgresql-7.4.7/debian/changelog postgresql-7.4.7/debian/changelog
--- postgresql-7.4.7/debian/changelog
+++ postgresql-7.4.7/debian/changelog
@@ -1,3 +1,13 @@
+postgresql (7.4.7-6sarge3) stable-security; urgency=low
+
+ * debian/patches/57quote-escaping.patch:
+ - contrib/dbmirror/DBMirror.pl: Fix parsing of quotes escaped as '' in the
+ PendingData table. The version before 7.4.7-6sarge2 used \' escaping,
+ but this is insecure.
+ - Closes: #372115
+
+ -- Martin Pitt <[EMAIL PROTECTED]> Wed, 28 Jun 2006 08:20:13 +0200
+
postgresql (7.4.7-6sarge2) stable-security; urgency=high
* SECURITY UPDATE: Remote SQL injection. Closes: #368645
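Review bot: the new changelog entry records the cause (\' escaping replaced by '' in 7.4.7-6sarge2) but not the user-visible symptom; consider adding the message from #372115, "Error in PendingData Sequence Id XXX", so administrators whose replication stopped can match it to this fix. Given that the regression halts replication, urgency=high, as in the 7.4.7-6sarge2 entry below, would also be consistent.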
diff -u postgresql-7.4.7/debian/patches/57quote-escaping.patch
postgresql-7.4.7/debian/patches/57quote-escaping.patch
--- postgresql-7.4.7/debian/patches/57quote-escaping.patch
+++ postgresql-7.4.7/debian/patches/57quote-escaping.patch
@@ -1,6 +1,6 @@
diff -ruN postgresql-7.4.7-old/contrib/dbmirror/DBMirror.pl
postgresql-7.4.7/contrib/dbmirror/DBMirror.pl
---- postgresql-7.4.7-old/contrib/dbmirror/DBMirror.pl 2003-05-14
03:25:55.000000000 +0000
-+++ postgresql-7.4.7/contrib/dbmirror/DBMirror.pl 2006-05-24
17:20:52.000000000 +0000
+--- postgresql-7.4.7-old/contrib/dbmirror/DBMirror.pl 2003-05-14
05:25:55.000000000 +0200
++++ postgresql-7.4.7/contrib/dbmirror/DBMirror.pl 2006-06-28
08:19:41.000000000 +0200
@@ -402,7 +402,7 @@
if(defined $recordValues{$column}) {
my $quotedValue = $recordValues{$column};
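Review bot: the only change in this hunk is the timestamp and timezone on the inner patch's --- and +++ header lines (2006-05-24 +0000 to 2006-06-28 +0200); that is header churn with no effect on how the patch applies, so keeping the original header lines would reduce the debdiff to the functional change in the next hunk and make the security upload easier to audit.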
@@ -28,9 +28,18 @@
$updateQuery .= "'$quotedValue'";
}
else {
+@@ -852,7 +852,7 @@
+ $matchString = $1;
+ $value .= substr $matchString,0,length($matchString)-1;
+
+- if($matchString =~ m/(\'$)/s) {
++ if($matchString =~ m/(\'$)/s and (substr
$dataField,length($matchString),1) ne "'") {
+ # $1 runs to the end of the field value.
+ $dataField = substr $dataField,length($matchString)+1;
+ last;
diff -ruN postgresql-7.4.7-old/contrib/dbmirror/pending.c
postgresql-7.4.7/contrib/dbmirror/pending.c
--- postgresql-7.4.7-old/contrib/dbmirror/pending.c 2003-09-29
18:16:48.000000000 +0000
+++ postgresql-7.4.7/contrib/dbmirror/pending.c 2006-05-24
17:20:52.000000000 +0000
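Review bot: the added condition on the `if($matchString =~ m/(\'$)/s and (substr $dataField,length($matchString),1) ne "'")` line correctly defers the end-of-value decision when the quote is followed by another quote, but the hunk context stops at `last;`, so the branch that consumes the second quote of a '' pair and appends a single ' to $value is not visible; please confirm that path, since otherwise a value such as abc' (stored as 'abc''') would still end one quote early. A regression test for this patch should cover a value with an embedded quote, a value ending in a quote, and a value consisting only of a quote, as those are the cases where the pair sits directly before the closing quote.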