On Fri, Jul 07, 2006 at 03:48:00PM +0200, Marc Haber wrote:
> Hi,
>
> I am the maintainer of Debian's packages for exim4, a powerful and
> versatile Mail Transfer Agent developed in Cambridge and in wide use
> throughout the Free Software Community (http://www.exim.org/).
>
> One of our daemon flavours has PostgreSQL support. Our security guys
> have found a flaw in exim regarding quote escaping for PostgreSQL. The
> bug is filed in Debian's BTS as http://bugs.debian.org/369351 and was
> transferred to exim's Bugzilla installation as
> http://www.exim.org/bugzilla/show_bug.cgi?id=107.

Whether or not the quick fix works for you depends entirely on the
encoding used by the client to talk to the database. If the connection
is encoded using UTF-8 or any of the Latin series, then it will be fine.
The only time it does not work is if the encoding is an encoding where
the quote or backslash character can appear as the second character of
a multibyte char. This doesn't happen with UTF-8 or any Latin encoding.

http://www.postgresql.org/docs/techdocs.50

This bit may be useful also (especially the second point):

There are a number of mitigating factors that may keep particular
applications from being subject to these security risks:

* If application always sends untrusted strings as out-of-line
  parameters, instead of embedding them into SQL commands, it is not
  vulnerable.

* If client_encoding is a single-byte encoding (e.g., one of the
  LATINx family), there is no vulnerability.

* If application cannot pass invalidly encoded data to the server,
  there is no vulnerability (this probably includes all Java
  applications, for example, because of Java's handling of Unicode
  strings).

The easiest may be to simply always set the client encoding to
something like UTF-8 and work the escaping rules so they work with that.

Hope this helps,
-- 
Martijn van Oosterhout <kleptog@xxxxxxxxx> http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to litigate.
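The encoding argument in the reply above, worked through as an added example. This is not code from the thread, from exim or from PostgreSQL; the function names, the byte-oriented escaper and the "decode with the connection encoding" step that stands in for the server's statement parser are all assumptions made here for illustration, and the attacker payload is constructed. It shows why a single-byte encoding or UTF-8 is safe while Shift_JIS or Big5 is not: the scanner enumerates each encoding's multibyte characters and reports whether a quote (0x27) or backslash (0x5C) can be a trailing byte, and the simulation escapes a payload byte by byte and then reads it back the way a server with that client_encoding would, reporting whether a bare quote reaches the SQL parser.

```python
# Added example (not from the thread, exim or PostgreSQL): a byte-oriented
# backslash escaper of the kind the thread is about, a scanner for encodings
# whose multibyte characters can contain 0x27 or 0x5C after the lead byte,
# and a simulation of what the server parses.  All names are made up here.

QUOTE = 0x27      # '
BACKSLASH = 0x5C  # \


def naive_backslash_escape(raw: bytes) -> bytes:
    """Escape byte by byte, ignoring the connection encoding: put a backslash
    in front of every 0x27 and 0x5C.  This is the pattern that breaks."""
    out = bytearray()
    for b in raw:
        if b in (QUOTE, BACKSLASH):
            out.append(BACKSLASH)
        out.append(b)
    return bytes(out)


def trailing_byte_can_be_quote_or_backslash(encoding: str) -> bool:
    """True if some multibyte character in `encoding` has 0x27 or 0x5C in a
    position after its lead byte.  Walks the BMP only: UTF-8 continuation
    bytes and supplementary-plane characters are all >= 0x80, so that is
    enough to decide the question for every encoding checked below."""
    for cp in range(0x80, 0x10000):
        try:
            enc = chr(cp).encode(encoding)
        except UnicodeEncodeError:
            continue  # unmappable code point or surrogate: not a character here
        if len(enc) > 1 and any(b in (QUOTE, BACKSLASH) for b in enc[1:]):
            return True
    return False


def has_bare_quote(sql_text: str) -> bool:
    """Mimic a backslash-escaping string parser: a quote counts as escaped
    only when the character right before it is an escaping backslash."""
    i = 0
    while i < len(sql_text):
        c = sql_text[i]
        if c == "\\":
            i += 2  # the backslash consumes whatever character follows it
            continue
        if c == "'":
            return True
        i += 1
    return False


def unescaped_quote_survives(encoding: str, payload: bytes) -> bool:
    """Escape the attacker's bytes, then decode the result the way a server
    with client_encoding=encoding would read the statement.  Returns True if
    a bare quote reaches the SQL parser.  A decode error models the server
    rejecting invalidly encoded input (the third mitigating factor above)."""
    escaped = naive_backslash_escape(payload)
    try:
        text = escaped.decode(encoding)
    except UnicodeDecodeError:
        return False
    return has_bare_quote(text)


# Constructed attacker input: the Shift_JIS lead byte 0x95 is followed directly
# by a quote.  After escaping, the bytes 0x95 0x5C decode as one character
# (U+8868) and the quote that follows it is no longer escaped.
PAYLOAD = b"\x95' OR 1=1 --"

if __name__ == "__main__":
    for enc in ("latin-1", "utf-8", "euc_jp", "shift_jis", "big5", "gbk"):
        print(f"{enc:10s} risky_encoding={trailing_byte_can_be_quote_or_backslash(enc)!s:5s} "
              f"bare_quote_survives={unescaped_quote_survives(enc, PAYLOAD)}")
```

Run against the same payload, latin-1 keeps the quote escaped (every byte is its own character), utf-8 rejects the stray 0x95 outright, and shift_jis lets the quote through; the scanner flags shift_jis and big5 and clears the Latin family, UTF-8 and EUC-JP, which is the list of safe and unsafe encodings the reply describes.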