From: SourceForge.net <no...@so...> - 2006-06-07 00:59:13
Bugs item #1501951, was opened at 2006-06-07 10:59
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=116528&aid=1501951&group_id=16528

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: libpq
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Ben Burton (bab)
Assigned to: Nobody/Anonymous (nobody)
Summary: Insecure quote escaping [CVE-2006-2314]

Initial Comment:
Hi,

There was a recent security hole in PostgreSQL involving the escaping of quotes (\' vs ''). It is a little unfortunate that the relevant pypgsql patch came out around the same time as your 2.5 release (and therefore didn't make the release); anyway, the patch is included here.

From the original debian bug report (#369250):

Recently, a security hole has been discovered in PostgreSQL client applications, see http://www.postgresql.org/docs/techdocs.50 for details. In short, using \' for quote escaping is insecure and now not allowed any more in some encodings which are prone to this SQL injection attack.

Quotes in python-pgsql are escaped with \'. The attached patch fixes that to use '' instead.

Thanks to Martin Pitt for the patch.

The relevant CVE number is CVE-2006-2314.

Ben.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=116528&aid=1501951&group_id=16528
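The mechanism behind the report above, as an added example (this is not pypgsql's code and not the attached patch). The two escaping schemes are modelled as escape_backslash() (pre-patch, quote becomes \') and escape_double() (patched, quote becomes ''). The server side is modelled by lex_string_literal(): it first converts the query from the client encoding to the server encoding (a strict Python decode stands in for PostgreSQL's client-to-server conversion, which after the fix rejects invalidly encoded input) and only then lexes the quoted literal character by character. The attack payload, the Shift_JIS client encoding and every function name here are constructed for the example; Shift_JIS is one of the encodings where 0x5C can be the trailing byte of a two-byte character, which is the whole problem.

```python
# Added example: why ' -> \' is unsafe in client encodings where 0x5C can be
# a multibyte trailing byte (SJIS, BIG5, GBK, GB18030, UHC), and ' -> '' is not.
# All names, the toy server and the payload are constructed for this example.

CLIENT_ENCODING = "shift_jis"   # assumption: a client encoding affected by CVE-2006-2314


def escape_backslash(value: bytes) -> bytes:
    """Pre-patch behaviour: escape quotes (and backslashes) with a backslash."""
    return value.replace(b"\\", b"\\\\").replace(b"'", b"\\'")


def escape_double(value: bytes) -> bytes:
    """Patched behaviour: SQL-standard quote doubling, no backslashes involved."""
    return value.replace(b"'", b"''")


def build_query(name: bytes, escaper) -> bytes:
    """A string-building client that escapes at the byte level, unaware of the encoding."""
    return b"SELECT * FROM users WHERE name = '" + escaper(name) + b"'"


def lex_string_literal(query: bytes, client_encoding: str = CLIENT_ENCODING):
    """Toy server: convert client encoding -> server encoding, then lex the first
    quoted literal. Returns (literal, text_after_literal) as str.

    Conversion is where the damage happens: a multibyte lead byte swallows its
    trailing byte, so a 0x5C trailing byte never reaches the lexer as a backslash.
    A strict decode raises UnicodeDecodeError on invalid sequences, which is what
    a server that validates its input does.
    """
    text = query.decode(client_encoding)            # raises on invalid multibyte input
    i = text.index("'") + 1                         # skip the opening quote
    literal = []
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):        # backslash escape (backslash_quote=on)
            literal.append(text[i + 1])
            i += 2
        elif ch == "'":
            if text[i + 1:i + 2] == "'":            # doubled quote stays inside the literal
                literal.append("'")
                i += 2
            else:                                   # closing quote
                return "".join(literal), text[i + 1:]
        else:
            literal.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


def outcome(name: bytes, escaper) -> str:
    """'ok' if the input stays inside the literal, 'INJECTED' if SQL escapes it,
    'rejected' if the server refuses the query as invalidly encoded."""
    query = build_query(name, escaper)
    try:
        _literal, rest = lex_string_literal(query)
    except UnicodeDecodeError:
        return "rejected"
    return "INJECTED" if rest.strip() else "ok"


# Constructed inputs: a harmless name, and a lone SJIS lead byte (0x81) followed
# by a quote. With backslash escaping the bytes become 0x81 0x5C 0x27: the server
# reads 0x81 0x5C as one valid two-byte character and the quote is left unescaped.
# With doubling they become 0x81 0x27 0x27: 0x81 0x27 is not a valid SJIS pair, so
# a validating server rejects the whole query instead of executing the injection.
BENIGN = b"O'Reilly"
PAYLOAD = b"\x81' OR 1=1 --"

if __name__ == "__main__":
    for label, escaper in (("backslash", escape_backslash), ("doubling", escape_double)):
        print(f"{label:10s} benign : {outcome(BENIGN, escaper)}")
        print(f"{label:10s} payload: {outcome(PAYLOAD, escaper)}")
```

The escapers work on bytes on purpose: the vulnerable clients of 2006 had no idea which client encoding the connection used, so they could not tell a stray lead byte from an ordinary character. Doubling is safe precisely because it introduces no byte that can complete a multibyte sequence, whereas the backslash (0x5C) can. The robust fix for application code remains parameterised queries, which keep user data out of the SQL text altogether.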