5

USN-870-1: PyGreSQL vulnerability

view full story
linux-howto

http://www.ubuntu.com – Referenced CVEs:  CVE-2009-2940 Description:  =========================================================== Ubuntu Security Notice USN-870-1 December 11, 2009 pygresql vulnerability CVE-2009-2940 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 8.04 LTS Ubuntu 8.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 8.04 LTS: python-pygresql 1:3.8.1-2ubuntu0.1 Ubuntu 8.10: python-pygresql 1:3.8.1-3ubuntu0.1 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Steffen Joeris discovered that PyGreSQL 3.8 did not use PostgreSQL's safe string and bytea functions in its own escaping functions. As a result, applications written to use PyGreSQL's escaping functions are vulnerable to SQL injections when processing certain multi-byte character sequences. Because the safe functions require a database connection, to maintain backwards compatibility, pg.escape_string() and pg.escape_bytea() are still available, but applications will have to be adjusted to use the new pyobj.escape_string() and pyobj.escape_bytea() functions. For example, code containing: import pg connection = pg.connect(...) escaped = pg.escape_string(untrusted_input) should be adjusted to use: import pg connection = pg.connect(...) escaped = connection.escape_string(untrusted_input) (Distributions)