Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 289222 (CVE-2009-2943)

Summary: =dev-ml/postgresql-ocaml-1.12.1: Missing escape function (CVE-2009-2943)
Product: Gentoo Security Reporter: Martin Alexander Neumann <hotpotatorouting>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: ml
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.auscert.org.au/render.html?it=11808
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Martin Alexander Neumann 2009-10-15 17:37:21 UTC 
It was discovered that postgresql-ocaml, OCaml bindings to PostgreSQL's
libpq, was missing a function to call PQescapeStringConn(). This is
needed, because PQescapeStringConn() honours the charset of the
connection and prevents insufficient escaping, when certain multibyte
character encodings are used. The added function is called
escape_string_conn() and takes the established database connection as a
first argument. The old escape_string() was kept for backwards
compatibility.

Developers using these bindings are encouraged to adjust their code to
use the new function.

Reproducible: Didn't try
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-23 09:48:26 UTC 
CVE-2009-2943 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2943):
  The postgresql-ocaml bindings 1.5.4, 1.7.0, and 1.12.1 for PostgreSQL
  libpq do not properly support the PQescapeStringConn function, which
  might allow remote attackers to leverage escaping issues involving
  multibyte character encodings.
Comment 2 Alexis Ballier gentoo-dev 2009-10-23 10:18:12 UTC 
2009-09-18:  Fixed serious bug in new escape_string method.

             PLEASE UPGRADE!!!

2009-09-08:  API-change: deleted "escape_string" function.

             There is now a method "escape_string" in the connection
             class, which is not deprecated and hence safer.



???

I see no mention of latest version in those cve & bug reports.
Comment 3 Aaron W. Swenson gentoo-dev 2011-04-22 00:58:46 UTC 
Time to revisit this. None of the versions available in the tree are listed in the CVE.

1.7.0 was removed three years ago. (A year and half before this bug was reported.)
1.12.1 was removed a year ago.

1.5.4 never was in the tree. According to the ChangeLog anyway.
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2012-01-12 00:43:22 UTC 
Vulnerable version removed 09 Apr 2010. Closing noglsa.