Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 255033 (CVE-2008-2385)

Summary: www-apache/mod_auth_pgsql SQL injection vulnerability (CVE-2008-2385)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED OBSOLETE    
Severity: normal CC: patrick, titanofold
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
mod_auth_pgsql-CVE-2008-2385.patch none

Description Robert Buchholz (RETIRED) gentoo-dev 2009-01-15 12:23:54 UTC 
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Martin Joey Schulze reported that mod-auth-pgsql insufficiently escapes and potentially allows SQL injections. The pgsql module still uses some manual escaping. With the new patch, it uses PQescapeStringConn() instead and also sets the encoding with PQsetClientEncoding().

http://www.postgresql.org/docs/7.3/static/libpq-exec.html

Please note that you might have an older version of the postgresql header 
files, where pg_encoding_to_char() isn't declared (check your libpq-fe.h 
file). In that case either only check the call of PQsetClientEncoding() or add 
the needed code from libpq-fe.h to the module.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-01-15 12:25:59 UTC 
We have a patch, so we could do prestable testing and commit on the embargo date. However, I don't know if upstream reviewed or approved the patch.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-01-15 12:26:32 UTC 
Created attachment 178578 [details, diff]
mod_auth_pgsql-CVE-2008-2385.patch
Comment 3 Benedikt Böhm (RETIRED) gentoo-dev 2009-01-15 13:28:36 UTC 
so if this is confidential until 01-19, should i commit that patch with an obfuscated filename?
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-01-15 17:28:38 UTC 
Confidential means to not commit the patch to CVS. If you accept the patch, then please attach an ebuild applying it to this bug and we'll cc arch liaisons to test it. Then you can commit it straight to stable on embargo date.
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-04-19 18:16:08 UTC 
The last entry in upstream's changelog is from 2006... is this still maintained at all?
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-07 06:12:39 UTC 
The embargo date is long over, I'd like to CC apache & postgres and open the bug, is that ok with everyone?
Comment 7 Sergey Popov (RETIRED) gentoo-dev 2013-08-24 05:19:29 UTC 
CCing current postgresql herd maintainers to clarify this issue
Comment 8 Aaron W. Swenson gentoo-dev 2016-03-21 16:18:47 UTC 
Package has been removed.

commit 31bd551b4294b9dfd39858efc1e8a44b013da966
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date:   Mon Mar 21 12:08:19 2016 -0400

    www-apache/mod_auth_pgsql: Removal
    
    www-apache/mod_auth_pgsql was removed per bug 548974. It hasn’t been
    updated for somewhere around 10 years and has been superseded by
    mod_authn_dbd for quite some time.
    
    Additionally, mod_auth_pgsql is susceptible to severe security bug(s)
    that have gone unresolved by upstream, which has also disappeared.
    
    If you’re still using mod_auth_pgsql, may God have mercy on your soul.
    
    Bug: 255033, 548974
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2016-07-18 03:32:28 UTC 
CVE is still reserved and the embargo date is far gone.  Package has been removed from the tree.

GLSA Vote: No.

(In reply to Aaron W. Swenson from comment #8)
> Package has been removed.
> 
> commit 31bd551b4294b9dfd39858efc1e8a44b013da966
> Author: Aaron W. Swenson <titanofold@gentoo.org>
> Date:   Mon Mar 21 12:08:19 2016 -0400
> 
>     www-apache/mod_auth_pgsql: Removal
>     
>     www-apache/mod_auth_pgsql was removed per bug 548974. It hasn’t been
>     updated for somewhere around 10 years and has been superseded by
>     mod_authn_dbd for quite some time.
>     
>     Additionally, mod_auth_pgsql is susceptible to severe security bug(s)
>     that have gone unresolved by upstream, which has also disappeared.
>     
>     If you’re still using mod_auth_pgsql, may God have mercy on your soul.
>     
>     Bug: 255033, 548974

Awesome commit msg, btw :)