Your submission was sent successfully! Close

USN-870-1: PyGreSQL vulnerability

11 December 2009

PyGreSQL vulnerability

Releases

Packages

Details

Steffen Joeris discovered that PyGreSQL 3.8 did not use PostgreSQL's safe
string and bytea functions in its own escaping functions. As a result,
applications written to use PyGreSQL's escaping functions are vulnerable to
SQL injections when processing certain multi-byte character sequences.
Because the safe functions require a database connection, to maintain
backwards compatibility, pg.escape_string() and pg.escape_bytea() are still
available, but applications will have to be adjusted to use the new
pyobj.escape_string() and pyobj.escape_bytea() functions. For example, code
containing:

import pg
connection = pg.connect(...)
escaped = pg.escape_string(untrusted_input)

should be adjusted to use:

import pg
connection = pg.connect(...)
escaped = connection.escape_string(untrusted_input)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 8.10
Ubuntu 8.04

In general, a standard system upgrade is sufficient to effect the
necessary changes.

References