Bug#369351: exim4-daemon-heavy: Insecure quote escaping in PostgreSQL backend

Marc Haber mh+debian-packages at zugschlus.de
Fri Jul 7 14:05:08 UTC 2006


tags #369351 help
thanks

On Mon, May 29, 2006 at 08:49:57PM +0200, Florian Weimer wrote:
> * Martin Pitt:
> > ./src/lookups/pgsql.c, pgsql_quote() currently uses \' to
> > escape quoting, which makes it vulnerable against this attack with
> > earlier PostgreSQL versions, and will break with the current one
> > (since it disables this method of quote escaping by default in
> > affected client encodings). A quick fix is to change the function to
> > use '' instead of \', but a better fix is to completely replace the
> > loop with an invocation of PQescapeString() from libpq. 
> 
> PQescapeString is deprecated because given its interface, the security
> bug cannot be closed completely.  You really should use
> PQescapeStringConn.
> 
> Would you add this information to the other bug reports, too?

We need help to have this solved upstream. See
http://www.exim.org/bugzilla/show_bug.cgi?id=107

To me, it looks like the issue is that PQescapeStringConn needs an
established connection to the database daemon, while exim needs the
escape function well before it actually talks to the database due to
its design.

The PostgreSQL code for exim was contributed by a third party and
upstream doesn't exactly know how to solve the issue at hand.

If anybody has PostgreSQL programming experience, please give help
either here or in upstream's bugzilla.

Any help will be appreciated.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
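
Added example, not part of the original message and not exim's code: a small C sketch contrasting the `\'` escaping style the report calls insecure with the `''` "quick fix" it proposes. The helper name `quote_literal` and the sample input are hypothetical, and the code assumes the server treats backslash as an escape character inside `'...'` literals; it is byte-wise and encoding-unaware, which is the gap the connection-aware `PQescapeStringConn` recommended in the thread is meant to close.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not exim's pgsql_quote().
 * legacy != 0: escape ' as \'  (the style the report calls insecure)
 * legacy == 0: escape ' as ''  (the "quick fix" from the report)
 * Assumption: the server treats backslash as an escape character inside
 * '...' literals, so a backslash is doubled in both modes.
 * Byte-wise and encoding-unaware; returns a malloc'd string or NULL. */
char *quote_literal(const char *s, int legacy)
{
    size_t n = strlen(s);
    char *out = malloc(2 * n + 1);   /* worst case: every byte doubled */
    char *p = out;

    if (out == NULL)
        return NULL;
    for (; *s != '\0'; s++) {
        if (*s == '\'')
            *p++ = legacy ? '\\' : '\'';   /* prefix for the quote */
        else if (*s == '\\')
            *p++ = '\\';                   /* prefix for the backslash */
        *p++ = *s;                         /* the original byte itself */
    }
    *p = '\0';
    return out;
}

int main(void)
{
    const char *sample = "O'Brien\\x";   /* constructed input: O'Brien\x */
    char *old_style = quote_literal(sample, 1);
    char *new_style = quote_literal(sample, 0);

    if (old_style == NULL || new_style == NULL)
        return 1;
    printf("legacy: '%s'\n", old_style);
    printf("fixed : '%s'\n", new_style);
    free(old_style);
    free(new_style);
    return 0;
}
```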



