Bug 255033 (CVE-2008-2385) - www-apache/mod_auth_pgsql SQL injection vulnerability (CVE-2008-2385)
Summary: www-apache/mod_auth_pgsql SQL injection vulnerability (CVE-2008-2385)
Status: RESOLVED OBSOLETE
Alias: CVE-2008-2385
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-01-15 12:23 UTC by Robert Buchholz (RETIRED)
Modified: 2016-07-18 03:32 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
mod_auth_pgsql-CVE-2008-2385.patch (mod_auth_pgsql-CVE-2008-2385.patch,7.57 KB, patch)
2009-01-15 12:26 UTC, Robert Buchholz (RETIRED)
Description Robert Buchholz (RETIRED) gentoo-dev 2009-01-15 12:23:54 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Martin Joey Schulze reported that mod-auth-pgsql insufficiently escapes and potentially allows SQL injections. The pgsql module still uses some manual escaping. With the new patch, it uses PQescapeStringConn() instead and also sets the encoding with PQsetClientEncoding().

http://www.postgresql.org/docs/7.3/static/libpq-exec.html

Please note that you might have an older version of the postgresql header 
files, where pg_encoding_to_char() isn't declared (check your libpq-fe.h 
file). In that case either only check the call of PQsetClientEncoding() or add 
the needed code from libpq-fe.h to the module.
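
Added illustration (not mod_auth_pgsql's code, not the attached patch) of why the fix described above pairs PQescapeStringConn() with PQsetClientEncoding(): a byte-wise escaper has no notion of the connection's encoding. The function names, the toy two-byte lead-byte rule and the sample bytes are constructed assumptions; the report does not say which inputs affected the module.

```c
#include <stddef.h>
#include <stdio.h>

/* Byte-wise "manual" escaping (hypothetical, not the module's code):
 * prefix every ' and \ with a backslash, with no notion of encoding.
 * out must hold 2*n bytes; returns the escaped length. */
size_t manual_escape(const unsigned char *in, size_t n, unsigned char *out)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '\'' || in[i] == '\\')
            out[o++] = '\\';
        out[o++] = in[i];
    }
    return o;
}

/* Scan an escaped literal body and report whether a quote is left
 * unescaped. multibyte=1 applies a toy rule (assumption, modelled on
 * encodings such as GBK): a byte 0x81..0xFE starts a two-byte character
 * and swallows the byte after it. */
int has_unescaped_quote(const unsigned char *s, size_t n, int multibyte)
{
    for (size_t i = 0; i < n; i++) {
        if ((multibyte && s[i] >= 0x81 && s[i] <= 0xFE) || s[i] == '\\')
            i++;            /* lead byte or backslash consumes next byte */
        else if (s[i] == '\'')
            return 1;       /* quote would end the literal early */
    }
    return 0;
}

/* Escape `in`, then check the result under the given encoding model. */
int breaks_out(const unsigned char *in, size_t n, int multibyte)
{
    unsigned char buf[64];
    if (n * 2 > sizeof buf)
        return -1;          /* sample inputs only; refuse oversized data */
    return has_unescaped_quote(buf, manual_escape(in, n, buf), multibyte);
}

int main(void)
{
    const unsigned char plain[] = { 'o', '\'', 'k' };   /* constructed */
    const unsigned char mb[]    = { 0xBF, '\'' };       /* constructed */
    printf("plain: single=%d multi=%d  mb: single=%d multi=%d\n",
           breaks_out(plain, 3, 0), breaks_out(plain, 3, 1),
           breaks_out(mb, 2, 0), breaks_out(mb, 2, 1));
    return 0;
}
```

The same escaped bytes are safe under a single-byte reading and unsafe under the multibyte one, which is why libpq's PQescapeStringConn() escapes according to the connection's client encoding and why that encoding has to be set correctly first.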
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-01-15 12:25:59 UTC
We have a patch, so we could do prestable testing and commit on the embargo date. However, I don't know if upstream reviewed or approved the patch.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-01-15 12:26:32 UTC
Created attachment 178578
mod_auth_pgsql-CVE-2008-2385.patch
Comment 3 Benedikt Böhm (RETIRED) gentoo-dev 2009-01-15 13:28:36 UTC
So if this is confidential until 01-19, should I commit that patch with an obfuscated filename?
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-01-15 17:28:38 UTC
Confidential means to not commit the patch to CVS. If you accept the patch, then please attach an ebuild applying it to this bug and we'll cc arch liaisons to test it. Then you can commit it straight to stable on embargo date.
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-04-19 18:16:08 UTC
The last entry in upstream's changelog is from 2006... is this still maintained at all?
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-07 06:12:39 UTC
The embargo date is long over, I'd like to CC apache & postgres and open the bug, is that ok with everyone?
Comment 7 Sergey Popov gentoo-dev 2013-08-24 05:19:29 UTC
CCing current postgresql herd maintainers to clarify this issue
Comment 8 Aaron W. Swenson gentoo-dev 2016-03-21 16:18:47 UTC
Package has been removed.

commit 31bd551b4294b9dfd39858efc1e8a44b013da966
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date:   Mon Mar 21 12:08:19 2016 -0400

    www-apache/mod_auth_pgsql: Removal
    
    www-apache/mod_auth_pgsql was removed per bug 548974. It hasn’t been
    updated for somewhere around 10 years and has been superseded by
    mod_authn_dbd for quite some time.
    
    Additionally, mod_auth_pgsql is susceptible to severe security bug(s)
    that have gone unresolved by upstream, which has also disappeared.
    
    If you’re still using mod_auth_pgsql, may God have mercy on your soul.
    
    Bug: 255033, 548974
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2016-07-18 03:32:28 UTC
CVE is still reserved and the embargo date is far gone.  Package has been removed from the tree.

GLSA Vote: No.

(In reply to Aaron W. Swenson from comment #8)
> Package has been removed.
> 
> commit 31bd551b4294b9dfd39858efc1e8a44b013da966
> Author: Aaron W. Swenson <titanofold@gentoo.org>
> Date:   Mon Mar 21 12:08:19 2016 -0400
> 
>     www-apache/mod_auth_pgsql: Removal
>     
>     www-apache/mod_auth_pgsql was removed per bug 548974. It hasn’t been
>     updated for somewhere around 10 years and has been superseded by
>     mod_authn_dbd for quite some time.
>     
>     Additionally, mod_auth_pgsql is susceptible to severe security bug(s)
>     that have gone unresolved by upstream, which has also disappeared.
>     
>     If you’re still using mod_auth_pgsql, may God have mercy on your soul.
>     
>     Bug: 255033, 548974

Awesome commit msg, btw :)