From: Ron G. <ro...@fo...> - 2006-05-24 00:04:19

I would appreciate any comments from Logicalware on the recent Security Release for Postgres (http://www.postgresql.org/about/news.561).

Is MM vulnerable?

Ron
From: Kevin C. <ke...@lo...> - 2006-05-24 13:34:28

On Wed, May 24, 2006 at 08:05:28AM +0800, Ron Goodwin wrote:
> I would appreciate any comments from Logicalware on the recent Security
> Release for Postgres (http://www.postgresql.org/about/news.561).
>
> Is MM vulnerable?

Ron,

The problem in question is quite complex, and I haven't had much time to go over this in depth. It would appear that MailManager may be vulnerable in the case that the database encoding is set to a multibyte encoding type. This will depend on your distribution's configuration of postgres, and can be checked using the command \l+ in the psql command line client.

For now, if this security vulnerability is a concern I would advise that you upgrade to the latest version of postgres, which should resolve the issue. Looking at the DTML layer in Zope, it appears to use the '' string escaping method which should be safe for all encoding types with postgres 8.1.4.

Our SQL layer which we introduced to allow us to convert and wrap queries should mean that any exploit can be prevented from within MailManager itself, rather than having to rely on a fix in Zope's DTML layer or in Postgres. I will investigate this properly and issue a fix if necessary asap.

Regards,

Kevin

--
Kevin Campbell
Logicalware Ltd
GPG Key: F480EC23
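
The encoding check mentioned in the message above, applied to every database on a server at once. This is an added example, not part of the original thread and not MailManager code. The listing is a constructed sample of `psql -l` output, the function names are hypothetical, and the set of multibyte encoding names is this example's own assumption about which PostgreSQL encodings to flag.

```python
# Added example: flag databases whose encoding is multibyte, using the
# table that `psql -l` (or \l+ inside psql) prints.

# PostgreSQL encoding names treated as multibyte (assumed list). UNICODE is
# the pre-8.1 name for UTF8. Anything not listed is treated as single-byte.
MULTIBYTE_ENCODINGS = {
    "UTF8", "UNICODE", "EUC_JP", "EUC_CN", "EUC_KR", "EUC_TW",
    "JOHAB", "MULE_INTERNAL",
}

# Constructed sample of `psql -l` output; database names are made up.
SAMPLE_LISTING = """\
        List of databases
    Name     |  Owner   | Encoding
-------------+----------+-----------
 mailmanager | zope     | UTF8
 archive     | zope     | EUC_JP
 legacy      | postgres | LATIN1
 template1   | postgres | SQL_ASCII
(4 rows)
"""


def parse_listing(text):
    """Return [(database, encoding)] from aligned psql table output."""
    rows, columns = [], None
    for line in text.splitlines():
        if "|" not in line:
            continue  # title, separator (uses '+'), footer, blank lines
        cells = [c.strip() for c in line.split("|")]
        if columns is None:
            columns = [c.lower() for c in cells]  # header row
            continue
        record = dict(zip(columns, cells))
        if record.get("name") and record.get("encoding"):
            rows.append((record["name"], record["encoding"].upper()))
    return rows


def multibyte_databases(text):
    """Databases to review first: those using a multibyte encoding."""
    return [(db, enc) for db, enc in parse_listing(text)
            if enc in MULTIBYTE_ENCODINGS]


if __name__ == "__main__":
    for db, enc in multibyte_databases(SAMPLE_LISTING):
        print(f"{db}: {enc} is multibyte, check escaping and patch level")
```
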
From: Kevin C. <ke...@lo...> - 2006-05-24 13:49:52

On Wed, May 24, 2006 at 01:51:41PM +0100, Kevin Campbell wrote:
> On Wed, May 24, 2006 at 08:05:28AM +0800, Ron Goodwin wrote:
> > I would appreciate any comments from Logicalware on the recent Security
> > Release for Postgres (http://www.postgresql.org/about/news.561).
> >
> > Is MM vulnerable?
>
> Ron,
>
> The problem in question is quite complex, and I haven't had much time to
> go over this in depth. It would appear that MailManager may be vulnerable
> in the case that the database encoding is set to a multibyte encoding type.
> This will depend on your distribution's configuration of postgres, and can
> be checked using the command \l+ in the psql command line client.
>
> For now, if this security vulnerability is a concern I would advise that
> you upgrade to the latest version of postgres, which should resolve the
> issue. Looking at the DTML layer in Zope, it appears to use the '' string
> escaping method which should be safe for all encoding types with postgres
> 8.1.4.
>
> Our SQL layer which we introduced to allow us to convert and wrap queries
> should mean that any exploit can be prevented from within MailManager
> itself, rather than having to rely on a fix in Zope's DTML layer or in
> Postgres. I will investigate this properly and issue a fix if necessary
> asap.

As a follow up to this, I've created a bug on sourceforge in case you wish to track the progress on this. The bug reference is #1494281 - Postgres encoding security hole.

Regards,

Kevin

--
Kevin Campbell
Logicalware Ltd
GPG Key: F480EC23
From: Kevin C. <ke...@lo...> - 2006-05-24 16:28:00

On Wed, May 24, 2006 at 02:48:40PM +0100, Kevin Campbell wrote:
> On Wed, May 24, 2006 at 01:51:41PM +0100, Kevin Campbell wrote:
> > On Wed, May 24, 2006 at 08:05:28AM +0800, Ron Goodwin wrote:
> > > I would appreciate any comments from Logicalware on the recent Security
> > > Release for Postgres (http://www.postgresql.org/about/news.561).
> > >
> > > Is MM vulnerable?
> >
> > Ron,
> >
> > The problem in question is quite complex, and I haven't had much time to
> > go over this in depth. It would appear that MailManager may be vulnerable
> > in the case that the database encoding is set to a multibyte encoding type.
> > This will depend on your distribution's configuration of postgres, and can
> > be checked using the command \l+ in the psql command line client.
> >
> > For now, if this security vulnerability is a concern I would advise that
> > you upgrade to the latest version of postgres, which should resolve the
> > issue. Looking at the DTML layer in Zope, it appears to use the '' string
> > escaping method which should be safe for all encoding types with postgres
> > 8.1.4.
> >
> > Our SQL layer which we introduced to allow us to convert and wrap queries
> > should mean that any exploit can be prevented from within MailManager
> > itself, rather than having to rely on a fix in Zope's DTML layer or in
> > Postgres. I will investigate this properly and issue a fix if necessary
> > asap.
>
> As a follow up to this, I've created a bug on sourceforge in case you wish
> to track the progress on this. The bug reference is #1494281 - Postgres
> encoding security hole.

Ron,

There is now a fix in the 2.0 branch in subversion for this. It will require a migration in order to reset some SQL methods. I haven't had the opportunity to test the migration from all previous versions, but I would expect it should work correctly against them. Please could you give this a try and let me know if you have any problems with it.

I will release 2.0.10 shortly in order to have a properly published update for this, although that may not be until later this evening/tomorrow morning as there are other critical bugs I need to address at present.

Regards,

Kevin

--
Kevin Campbell
Logicalware Ltd
GPG Key: F480EC23