Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 289228 (CVE-2009-2940) - <dev-db/pygresql-4.1.1 : Missing escape function (CVE-2009-2940)
Summary: <dev-db/pygresql-4.1.1 : Missing escape function (CVE-2009-2940)
Alias: CVE-2009-2940
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on:
Reported: 2009-10-15 17:45 UTC by Martin Alexander Neumann
Modified: 2014-01-27 11:48 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Martin Alexander Neumann 2009-10-15 17:45:39 UTC
It was discovered that pygresql, a PostgreSQL module for Python, was
missing a function to call PQescapeStringConn(). This is needed, because
PQescapeStringConn() honours the charset of the connection and prevents
insufficient escaping, when certain multibyte character encodings are
used. The new function is called pg_escape_string(), which takes the
database connection as a first argument. The old function
escape_string() has been preserved as well for backwards compatibility.

Developers using these bindings are encouraged to adjust their code to
use the new function.

Reproducible: Didn't try
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-10-15 17:53:32 UTC
Sorry, arches. 
Comment 2 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-10-23 09:48:32 UTC
CVE-2009-2940 (
  The pygresql module 3.8.1 and 4.0 for Python does not properly
  support the PQescapeStringConn function, which might allow remote
  attackers to leverage escaping issues involving multibyte character

Comment 3 Aaron W. Swenson gentoo-dev 2014-01-16 11:44:56 UTC
Please stabilize:
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2014-01-16 14:06:52 UTC
Stable for HPPA.
Comment 5 Agostino Sarubbo gentoo-dev 2014-01-16 20:16:00 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-01-16 20:17:46 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-01-17 20:41:01 UTC
ppc stable
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2014-01-19 04:41:30 UTC
3.8.1 Branch is vulnerable as per CVE are you going to patch it as well, or just migrate to 4.x branch.
Comment 9 Agostino Sarubbo gentoo-dev 2014-01-19 13:48:06 UTC
alpha stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-01-26 11:49:51 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-01-26 12:00:41 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 12 Aaron W. Swenson gentoo-dev 2014-01-27 02:01:24 UTC
(In reply to Yury German from comment #8)
> 3.8.1 Branch is vulnerable as per CVE are you going to patch it as well, or
> just migrate to 4.x branch.

We're stabling 4.1.1 to remove the vulnerable versions from the tree.
Comment 13 Aaron W. Swenson gentoo-dev 2014-01-27 11:35:20 UTC
  27 Jan 2014; Aaron W. Swenson <> -pygresql-3.8.1.ebuild,
  Clean out old versions.
Comment 14 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-01-27 11:48:03 UTC
GLSA vote: no
Comment 15 Sergey Popov gentoo-dev 2014-01-27 11:48:52 UTC
GLSA vote: no

Closing as noglsa