CVE-2009-2940 (retired)

Priority
Description
The pygresql module 3.8.1 and 4.0 for Python does not properly support the
PQescapeStringConn function, which might allow remote attackers to leverage
escaping issues involving multibyte character encodings.
Notes
 jdstrand> 1:4.0-0ubuntu1 and higher have the fix
 jdstrand> affected versions have an escape_string() and escape_bytea() that
  use PQescapeString() and PQescapeBytea() from PostgreSQL's libpq-fe.h.
  These are known to be problematic. The fix is to create pg_escape_string()
  and pg_escape_bytea() which use the safe PQescapeStringConn() and
  PQescapeByteaConn() functions, and then add them to the pgobj methods.
  Applications will have to be rewritten to use the new functions,
  specifically, something like this:
    cnx = pg.connect(...)
    ...
    escaped = pg.escape_string(str)
  to be:
    cnx = pg.connect(...)
    ...
    escaped = cnx.escape_string(str)
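The note above says why the module-level escaper is unsafe and the connection method is not: PQescapeString() has no connection, so it cannot know the client encoding, while PQescapeStringConn() does. The following is an added, self-contained illustration of that difference; it is not PyGreSQL or libpq code and does not talk to a database. It models the old escaper as byte-wise doubling of 0x27 and 0x5c, the fixed one as escaping after decoding with the connection's client encoding, and the server side as a legacy backslash-escaping lexer that steps through whole characters. The attack bytes, the Shift_JIS encoding and the table name are constructed for the example; Shift_JIS is used because 0x5c is a valid trail byte there (the character 表 is 0x95 0x5c), which is exactly the class of encoding the CVE text refers to.

```python
from typing import Optional

# Added illustration for this entry (not PyGreSQL or libpq code): why an escaper
# that does not know the connection's client encoding is defeated by multibyte
# input, and what an encoding-aware escaper does differently. Assumptions:
# the old escaper is modelled as byte-wise doubling, the server as a legacy
# backslash-escaping lexer that validates its input encoding.


def escape_bytewise(value: bytes) -> bytes:
    """Encoding-unaware escaping in the style of the old PQescapeString():
    every 0x27 (') and 0x5c (\\) byte is doubled, even when that byte is the
    trail byte of a multibyte character."""
    out = bytearray()
    for b in value:
        if b in (0x27, 0x5C):
            out.append(b)
        out.append(b)
    return bytes(out)


def escape_encoding_aware(value: bytes, client_encoding: str) -> bytes:
    """Escaping that knows the client encoding, as PQescapeStringConn() does:
    decode first so only real quote/backslash characters are escaped, and
    reject input that is not valid in that encoding."""
    text = value.decode(client_encoding)  # UnicodeDecodeError on invalid bytes
    return text.replace("\\", "\\\\").replace("'", "''").encode(client_encoding)


def _char_len(buf: bytes, i: int, encoding: str) -> int:
    """Byte length of the character starting at buf[i] under `encoding`;
    ValueError if no valid character starts there (a server that validates
    its input encoding rejects the whole string at this point)."""
    for k in range(1, 5):
        try:
            buf[i:i + k].decode(encoding)
            return k
        except UnicodeDecodeError:
            continue
    raise ValueError("invalid byte sequence for %s at offset %d" % (encoding, i))


def literal_end(payload: bytes, server_encoding: str) -> Optional[int]:
    """Scan `payload` (the bytes between the opening and intended closing quote
    of a string literal) the way a legacy backslash-escaping lexer does, but
    stepping by whole characters of `server_encoding`. Returns the offset of
    the first quote that terminates the literal, or None if the whole payload
    stays inside the literal, which is what correct escaping must achieve."""
    i, n = 0, len(payload)
    while i < n:
        clen = _char_len(payload, i, server_encoding)
        ch = payload[i:i + clen]
        if ch == b"\\":
            # a backslash escapes the following character, whatever its length
            i += 1 + (_char_len(payload, i + 1, server_encoding) if i + 1 < n else 0)
        elif ch == b"'":
            if payload[i + 1:i + 2] == b"'":
                i += 2  # doubled quote stays inside the literal
            else:
                return i
        else:
            i += clen
    return None


def injection_escapes_literal(escaped: bytes, server_encoding: str) -> bool:
    """True if the escaped bytes break out of the quoted literal."""
    return literal_end(escaped, server_encoding) is not None


# Constructed attacker input: Shift_JIS character 表 (0x95 0x5c, whose trail
# byte is a backslash) followed by a quote and a SQL tail.
ATTACK = b"\x95\x5c'; DROP TABLE accounts; --"
ENCODING = "shift_jis"

if __name__ == "__main__":
    naive = escape_bytewise(ATTACK)
    aware = escape_encoding_aware(ATTACK, ENCODING)
    # byte-wise escaping turns 0x95 0x5c 0x27 into 0x95 0x5c 0x5c 0x27 0x27:
    # the server reads 0x95 0x5c as one character, then \' as an escaped
    # quote, then the remaining ' closes the literal and the tail runs as SQL
    print("bytewise :", naive, "-> breaks out:", injection_escapes_literal(naive, ENCODING))
    print("aware    :", aware, "-> breaks out:", injection_escapes_literal(aware, ENCODING))
```

The encoding-aware escaper leaves the trail byte of 表 alone and only doubles the real quote, so the literal stays closed; the byte-wise one ends the literal four bytes in. With a UTF-8 client encoding both escapers behave the same, because UTF-8 trail bytes are all 0x80 or above, which is why this class of bug only surfaces with encodings such as SJIS, BIG5 or GBK. In PyGreSQL terms, moving from pg.escape_string() to cnx.escape_string() is what hands the escaper the connection, and with it the client encoding, that this example makes explicit.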
Assigned-to
jdstrand
Package
Upstream: released (1:4.0-1)
Patches:
Vendor: http://www.debian.org/security/2009/dsa-1911
More Information

Updated: 2019-03-26 11:48:47 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)