Bug 289226 (CVE-2009-2942) - <dev-ml/ocaml-mysql-1.1.1: Missing escape function (CVE-2009-2942)
Summary: <dev-ml/ocaml-mysql-1.1.1: Missing escape function (CVE-2009-2942)
Status: RESOLVED FIXED
Alias: CVE-2009-2942
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.auscert.org.au/render.html...
Whiteboard: B3 [noglsa]
Reported: 2009-10-15 17:42 UTC by Martin Alexander Neumann
Modified: 2013-09-22 14:01 UTC

Runtime testing required: ---


Description Martin Alexander Neumann 2009-10-15 17:42:40 UTC
It was discovered that mysql-ocaml, OCaml bindings for MySQL, was
missing a function to call mysql_real_escape_string(). This is needed
because mysql_real_escape_string() honours the charset of the connection
and prevents insufficient escaping when certain multibyte character
encodings are used. The added function is called real_escape() and
takes the established database connection as a first argument. The old
escape_string() was kept for backwards compatibility.

Developers using these bindings are encouraged to adjust their code to
use the new function.

Reproducible: Always
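The charset dependence the report describes, as an added example in Python rather than OCaml (not code from ocaml-mysql or MySQL): a charset-unaware byte escaper standing in for the old escape_string(), a charset-aware one standing in for real_escape(), and a check for whether a quote survives unescaped when the result is read under the connection charset. The function names, the simplified escapers and the sample bytes are constructed for this illustration.

```python
# Added example, not code from ocaml-mysql or MySQL: models why an escaping
# routine must know the connection's character set (what real_escape() gains
# by wrapping mysql_real_escape_string(), and what the charset-unaware
# escape_string() lacked). Escapers and checker are constructed simplifications.

SPECIAL = "\\'\"\x00\n\r\x1a"   # characters MySQL string escaping protects

def escape_naive(value: bytes) -> bytes:
    """Charset-unaware: prefix special *bytes* with a backslash, one byte at a time."""
    out = bytearray()
    for b in value:
        if chr(b) in SPECIAL:
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def escape_with_charset(value: bytes, charset: str) -> bytes:
    """Charset-aware: decode under the connection charset so multibyte characters
    are handled as units; input that is not valid in that charset is rejected."""
    text = value.decode(charset)          # strict: raises UnicodeDecodeError
    escaped = "".join(("\\" + ch) if ch in SPECIAL else ch for ch in text)
    return escaped.encode(charset)

def has_unescaped_quote(literal: bytes, charset: str) -> bool:
    """Walk the escaped bytes the way a charset-aware server reads a quoted
    literal: by character, with a backslash consuming the next character.
    True means a bare single quote survives, i.e. the literal could end early."""
    chars = iter(literal.decode(charset, errors="replace"))
    for ch in chars:
        if ch == "\\":
            next(chars, None)             # escaped character, skip it
        elif ch == "'":
            return True
    return False

# Constructed sample: 0xBF is a GBK lead byte; 0xBF 0x27 is not a valid GBK
# character, but 0xBF 0x5C (lead byte followed by a backslash) is.
SAMPLE = b"\xbf'"

def naive_is_safe(charset: str) -> bool:
    """Does byte-wise escaping keep the sample quote escaped under this charset?"""
    return not has_unescaped_quote(escape_naive(SAMPLE), charset)

def charset_aware_rejects(charset: str) -> bool:
    """Does the charset-aware escaper refuse the sample as invalid in this charset?"""
    try:
        escape_with_charset(SAMPLE, charset)
    except UnicodeDecodeError:
        return True
    return False
```

The same three bytes escape correctly on a latin1 connection and incorrectly on a GBK one, which is why the escaper must be handed the connection rather than operate on bare strings.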
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-15 17:54:03 UTC
Sorry arches.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-23 09:48:16 UTC
CVE-2009-2942 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2942):
  The mysql-ocaml bindings 1.0.4 for MySQL do not properly support the
  mysql_real_escape_string function, which might allow remote attackers
  to leverage escaping issues involving multibyte character encodings.

Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-28 23:05:25 UTC
Why on earth is this one still unhandled... x86 team, please test and stabilize =dev-ml/ocaml-mysql-1.1.1.
Comment 4 Agostino Sarubbo gentoo-dev 2013-08-30 18:52:08 UTC
(In reply to Chris Reffett from comment #3)
> Why on earth is this one still unhandled... x86 team, please test and
> stabilize =dev-ml/ocaml-mysql-1.1.1.

ppc too

Anyway, why C3?
Comment 5 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-30 18:55:10 UTC
Don't ask me, I didn't sort it.
Comment 6 Agostino Sarubbo gentoo-dev 2013-09-01 15:52:06 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-09-22 13:53:45 UTC
x86 stable
Comment 8 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-22 14:00:12 UTC
GLSA vote: no.
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2013-09-22 14:01:35 UTC
GLSA vote: no.

Closing noglsa.