
Bug 289228 (CVE-2009-2940)

Summary: <dev-db/pygresql-4.1.1 : Missing escape function (CVE-2009-2940)
Product: Gentoo Security
Reporter: Martin Alexander Neumann <hotpotatorouting>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: pgsql-bugs
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.auscert.org.au/render.html?it=11808
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Martin Alexander Neumann 2009-10-15 17:45:39 UTC
It was discovered that pygresql, a PostgreSQL module for Python, was
missing a function to call PQescapeStringConn(). This is needed because
PQescapeStringConn() honours the charset of the connection and prevents
insufficient escaping when certain multibyte character encodings are
used. The new function is called pg_escape_string(), which takes the
database connection as a first argument. The old function
escape_string() has been preserved as well for backwards compatibility.

Developers using these bindings are encouraged to adjust their code to
use the new function.

Reproducible: Didn't try
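The report above says that an escape routine which does not know the connection's client encoding can under-escape input in some multibyte encodings, but does not show the mechanism. The following is an added example, not code from PyGreSQL or from the reporter, and it uses no database library at all: it models an encoding-unaware byte-wise escaper next to an encoding-aware one (the distinction between PQescapeString and PQescapeStringConn), plus a toy scanner for a single-quoted SQL literal. Assumptions, labelled in the code: the client encoding is GBK, where a two-byte character's trail byte may be 0x5C (backslash), and the server parses literals with standard_conforming_strings = off (the pre-9.1 default), so a backslash inside a literal escapes the next byte. The attacker input, the query template and the helper names are constructed for the demonstration.

```python
# Added example (not PyGreSQL's code): why string escaping must know the
# connection's client encoding. Assumed encoding: GBK, lead bytes 0x81-0xFE
# followed by one trail byte in 0x40-0xFE, so a trail byte may be 0x5C.
# Assumed server setting: standard_conforming_strings = off, i.e. a backslash
# inside a single-quoted literal escapes the byte that follows it.
from typing import Callable, Tuple

GBK_LEAD = range(0x81, 0xFF)
QUOTE, BACKSLASH = 0x27, 0x5C


def escape_bytewise(data: bytes) -> bytes:
    """Encoding-unaware escaping: double every ' and \\ byte it meets,
    like a routine that has no connection (and so no charset) to consult."""
    out = bytearray()
    for b in data:
        if b in (QUOTE, BACKSLASH):
            out.append(b)
        out.append(b)
    return bytes(out)


def escape_gbk_aware(data: bytes) -> bytes:
    """Encoding-aware escaping, the property PQescapeStringConn provides:
    walk the input one character at a time so the trail byte of a two-byte
    character is never mistaken for a backslash or a quote."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in GBK_LEAD and i + 1 < len(data):
            out += data[i:i + 2]          # whole two-byte character, copied as-is
            i += 2
            continue
        if b in (QUOTE, BACKSLASH):
            out.append(b)
        out.append(b)
        i += 1
    return bytes(out)


def read_literal(sql: bytes, start: int) -> Tuple[bytes, int]:
    """Scan a single-quoted literal the way a GBK-aware server would with
    backslash escapes on. `start` indexes the opening quote. Returns the
    decoded literal and the index just past its closing quote."""
    i = start + 1
    value = bytearray()
    while i < len(sql):
        b = sql[i]
        if b in GBK_LEAD and i + 1 < len(sql):
            value += sql[i:i + 2]
            i += 2
        elif b == BACKSLASH and i + 1 < len(sql):
            value.append(sql[i + 1])      # backslash escapes the next byte
            i += 2
        elif b == QUOTE:
            if i + 1 < len(sql) and sql[i + 1] == QUOTE:
                value.append(QUOTE)       # '' inside a literal is one quote
                i += 2
            else:
                return bytes(value), i + 1
        else:
            value.append(b)
            i += 1
    raise ValueError("unterminated literal")


def build_query(escape: Callable[[bytes], bytes], user: bytes, note: bytes) -> bytes:
    # Constructed query template with two attacker-supplied fields.
    return (b"SELECT * FROM t WHERE u = '" + escape(user)
            + b"' AND n = '" + escape(note) + b"'")


def sql_after_first_literal(escape: Callable[[bytes], bytes],
                            user: bytes, note: bytes) -> bytes:
    """The SQL text the server parses as code once the literal for `u` closes."""
    sql = build_query(escape, user, note)
    _, end = read_literal(sql, sql.index(b"'"))
    return sql[end:]


# Constructed attacker input: b"\x81\x5c" is one valid GBK character whose
# trail byte is a backslash; the second field is plain ASCII with no quotes.
USER = b"\x81\x5c"
NOTE = b" OR 1=1 --"

if __name__ == "__main__":
    # Byte-wise escaping doubles the trail byte, which the server then reads
    # as a backslash escaping the closing quote; the literal swallows
    # " AND n = " and the second field runs as SQL.
    print(sql_after_first_literal(escape_bytewise, USER, NOTE))
    # Encoding-aware escaping leaves the character alone and the literal
    # closes where the application intended.
    print(sql_after_first_literal(escape_gbk_aware, USER, NOTE))
```

With the byte-wise escaper the text left after the first literal is ` OR 1=1 --'`, so the second field has become part of the WHERE clause; with the encoding-aware escaper it is ` AND n = ' OR 1=1 --'`, the remainder of the intended query. The same reasoning is why passing the connection to the escape function matters: the charset is a per-connection property, and an escaper that cannot see it has to guess. Where the driver supports it, parameterised queries avoid building literals by hand altogether.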
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-15 17:53:32 UTC
Sorry, arches. 
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-23 09:48:32 UTC
CVE-2009-2940 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2940):
  The pygresql module 3.8.1 and 4.0 for Python does not properly
  support the PQescapeStringConn function, which might allow remote
  attackers to leverage escaping issues involving multibyte character
  encodings.

Comment 3 Aaron W. Swenson gentoo-dev 2014-01-16 11:44:56 UTC
Please stabilize:
=dev-db/pygresql-4.1.1
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2014-01-16 14:06:52 UTC
Stable for HPPA.
Comment 5 Agostino Sarubbo gentoo-dev 2014-01-16 20:16:00 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-01-16 20:17:46 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-01-17 20:41:01 UTC
ppc stable
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2014-01-19 04:41:30 UTC
The 3.8.1 branch is vulnerable as per the CVE. Are you going to patch it as well, or just migrate to the 4.x branch?
Comment 9 Agostino Sarubbo gentoo-dev 2014-01-19 13:48:06 UTC
alpha stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-01-26 11:49:51 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-01-26 12:00:41 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 12 Aaron W. Swenson gentoo-dev 2014-01-27 02:01:24 UTC
(In reply to Yury German from comment #8)
> The 3.8.1 branch is vulnerable as per the CVE. Are you going to patch it as
> well, or just migrate to the 4.x branch?

We're stabling 4.1.1 to remove the vulnerable versions from the tree.
Comment 13 Aaron W. Swenson gentoo-dev 2014-01-27 11:35:20 UTC
  27 Jan 2014; Aaron W. Swenson <titanofold@gentoo.org> -pygresql-3.8.1.ebuild,
  -pygresql-4.0.ebuild:
  Clean out old versions.
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-01-27 11:48:03 UTC
GLSA vote: no
Comment 15 Sergey Popov gentoo-dev 2014-01-27 11:48:52 UTC
GLSA vote: no

Closing as noglsa