CVE-2009-2940

Priority
Description
The pygresql module 3.8.1 and 4.0 for Python does not properly support the
PQescapeStringConn function, which might allow remote attackers to leverage
escaping issues involving multibyte character encodings.
Assigned-to
jdstrand
Notes
jdstrand> 1:4.0-0ubuntu1 and higher has the fix
affected versions have an escape_string() and escape_bytea() that
use PQescapeString() and PQescapeBytea() from PostgreSQL's libpq-fe.h.
These are known to be problematic. The fix is to create pg_escape_string()
and pg_escape_bytea() which use the safe PQescapeStringConn() and
PQescapeByteaConn() functions, and then add them to the pgobj methods.
Applications will have to be rewritten to use the new functions,
specifically, something like this:
cnx = pg.connect(...)
...
escaped = pg.escape_string(str)
to be:
cnx = pg.connect(...)
...
escaped = cnx.escape_string(str)
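The security point behind the note: PQescapeString() and PQescapeBytea() take no connection handle, so they cannot know the client encoding in use or the server's standard_conforming_strings setting, and they double quote and backslash bytes blindly. In client encodings such as GBK, Big5 or Shift_JIS a byte that looks like a quote or backslash can be the trailing byte of a two-byte character, and an attacker can supply a bare lead byte that makes the server swallow the escape byte, which is the class of problem the CVE description calls "escaping issues involving multibyte character encodings". PQescapeStringConn() and PQescapeByteaConn() take the connection and validate the input under its encoding, which is why the fix binds the escape functions to the connection object. The following Python program is an added illustration, not PyGreSQL or libpq code, and needs no database: it models the old server's lenient literal parsing and compares a byte-level escaper with an encoding-aware one. The model's decoding rule, the query shape and the attacker bytes are constructed for the example.

```python
"""
Added example (not PyGreSQL or libpq code): why escaping that does not know
the connection's client encoding is unsafe for multibyte encodings.

The "server" below is a small model of a pre-fix PostgreSQL string parser:
  * a lead byte >= 0x81 and the byte after it form one character, whatever
    that second byte is (lenient multibyte handling, GBK-style ranges);
  * inside a literal, '' is a quote and \\x is the character x
    (standard_conforming_strings = off).
"""

LEAD_BYTE_MIN = 0x81               # lead-byte range assumed by the model
EXPECTED_TAIL = b" AND secret = 0"  # SQL that should follow the literal


def naive_escape(raw: bytes) -> bytes:
    """Byte-level escaping in the style of the deprecated PQescapeString():
    doubles backslashes and quotes without knowing the encoding."""
    return raw.replace(b"\\", b"\\\\").replace(b"'", b"''")


def conn_escape(raw: bytes, client_encoding: str) -> bytes:
    """Encoding-aware escaping, the property PQescapeStringConn() adds:
    validate the input under the connection's client encoding (rejecting
    invalid sequences), escape per character, then re-encode, so an escape
    byte can never be glued onto a stray lead byte or double a trail byte."""
    try:
        text = raw.decode(client_encoding)           # strict by default
    except UnicodeDecodeError as exc:
        raise ValueError(f"invalid {client_encoding} input: {exc}") from None
    return text.replace("\\", "\\\\").replace("'", "''").encode(client_encoding)


def rejects(raw: bytes, client_encoding: str) -> bool:
    """True if conn_escape() refuses the input as invalidly encoded."""
    try:
        conn_escape(raw, client_encoding)
    except ValueError:
        return True
    return False


def lenient_chars(data: bytes):
    """Split bytes into characters the lenient way: a lead byte consumes the
    next byte unconditionally. Model of the old server, not a real codec."""
    i = 0
    while i < len(data):
        width = 2 if data[i] >= LEAD_BYTE_MIN and i + 1 < len(data) else 1
        yield data[i:i + width]
        i += width


def server_view(escaped_value: bytes) -> tuple[bytes, bytes]:
    """Embed the escaped value in a fixed query, parse the literal as the
    modelled server does and return (literal_content, remainder_of_query)."""
    chars = list(lenient_chars(b"'" + escaped_value + b"'" + EXPECTED_TAIL))
    out, i = [], 1                                   # skip opening quote
    while i < len(chars):
        ch = chars[i]
        if ch == b"'":
            if i + 1 < len(chars) and chars[i + 1] == b"'":
                out.append(b"'")                     # '' -> literal quote
                i += 2
                continue
            return b"".join(out), b"".join(chars[i + 1:])
        if ch == b"\\" and i + 1 < len(chars):
            out.append(chars[i + 1])                 # \x -> x
            i += 2
            continue
        out.append(ch)
        i += 1
    raise ValueError("unterminated string literal")


def is_injected(escaped_value: bytes) -> bool:
    """True if the literal closed early and attacker bytes became SQL."""
    return server_view(escaped_value)[1] != EXPECTED_TAIL


def terminates(escaped_value: bytes) -> bool:
    """True if the modelled server finds the closing quote at all."""
    try:
        server_view(escaped_value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed attacker input: a lone GBK lead byte followed by a quote.
    attack = b"\xbf' OR 1=1 --"
    print("naive:", naive_escape(attack), "injected =", is_injected(naive_escape(attack)))
    print("conn : rejected =", rejects(attack, "gbk"))
    # A complete two-byte GBK character with a quote behind it is fine.
    print("valid:", server_view(conn_escape(b"\xd6\xd0'", "gbk")))
    # Shift_JIS katakana SO is 0x83 0x5C: naive escaping doubles the trail
    # byte and the literal never closes; conn_escape leaves it intact.
    print("sjis :", naive_escape(b"\x83\\"), terminates(naive_escape(b"\x83\\")),
          conn_escape(b"\x83\\", "shift_jis"))
```

Run it directly to see the three cases: the bare lead byte turns quote doubling into an injection, the encoding-aware path rejects that input outright, and the Shift_JIS character whose trail byte is 0x5C survives only the encoding-aware path. This is the reason the migration in the note is not cosmetic: cnx.escape_string() can do the right thing only because it is called on a connection whose client encoding it knows, while a module-level pg.escape_string() has nothing to consult. Where the driver supports them, parameterised queries avoid the client-side escaping step altogether.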
Package
Upstream: released (1:4.0-1)
Patches:
Vendor: http://www.debian.org/security/2009/dsa-1911
More Information

Updated: 2019-12-05 20:53:38 UTC (commit 0aa5e7c87c8b55d2ec5c7f4ca1179cf75de91961)