[Secure-testing-team] Bug#368645: CVE-2006-2313, CVE-2006-2314: encoding conflicts

Florian Weimer fw at deneb.enyo.de
Tue May 23 18:39:14 UTC 2006


Package: postgresql
Version: 7.4.7-6sarge1
Tags: security
Severity: grave

A couple of PostgreSQL issues have been disclosed today:

  <http://www.postgresql.org/docs/techdocs.52>

My analysis so far:

* CVE-2006-2313

High impact (because UTF-8 is affected and widely used).  Fix is
straightforward as far as UTF-8 is concerned, but will break some
applications which write certain forms of invalid UTF-8 to the
database.  If necessary, a dump and reload to switch to SQL_ASCII on
the server side will fix this.  However, PostgreSQL already rejects
some forms of invalid UTF-8.  Therefore, a change

I don't know the impact on other multibyte encodings; it's probably
necessary to ask upstream.

* CVE-2006-2314

This is the really interesting one.  It's restricted to certain
multi-byte encodings (that's why I think this bug is less severe, all
things considered).  No real fix is possible as long as we preserve
the interface.  The upstream fix outlawing "\'" breaks tons of legacy
PHP applications, but I have no better idea how to address it. 8-(

On the libpq side, I'd use "static __thread" instead of "static" for
the globals.  That way, we gain at least some thread safety.

(Unless someone objects, I'm going to clone this for the various
PostgreSQL packages.)
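
Added example (Python), not part of Florian's message and not PostgreSQL
or libpq code: a toy model of the server's string-literal lexer that
shows the two problems above side by side. Only the Shift_JIS lead/trail
byte ranges and the code point for 表 (0x95 0x5C) are real; the lexer,
the two escaping routines, the `validate` switch (the CVE-2006-2313 fix:
reject invalid multibyte sequences) and the `reject_backslash_quote`
switch (the upstream "outlaw \'" stopgap for CVE-2006-2314) are
simplified models written for this illustration, and the attacker bytes
are constructed, not taken from any real application.

```python
from typing import Callable


def is_lead(b: int) -> bool:
    """Shift_JIS first-byte ranges (real)."""
    return 0x81 <= b <= 0x9F or 0xE0 <= b <= 0xFC


def is_trail(b: int) -> bool:
    """Shift_JIS second-byte ranges (real); note that 0x5C '\\' is included."""
    return 0x40 <= b <= 0x7E or 0x80 <= b <= 0xFC


def escape_backslash(data: bytes) -> bytes:
    """PHP addslashes()-style escaping: prefix ' and \\ with a backslash."""
    return data.replace(b"\\", b"\\\\").replace(b"'", b"\\'")


def escape_doubling(data: bytes) -> bytes:
    """SQL-standard escaping: write each embedded quote as ''."""
    return data.replace(b"'", b"''")


def find_literal_end(sql: bytes, start: int, validate: bool,
                     reject_backslash_quote: bool = False) -> int:
    """Index of the quote closing the literal opened at sql[start].

    Models a pre-fix lexer: the lead byte alone decides character length
    and a backslash escapes the following byte.  validate=True checks the
    trail byte (the encoding-validation fix); reject_backslash_quote=True
    raises on a literal \\' sequence (the "outlaw \\'" stopgap).
    """
    assert sql[start] == 0x27, "literal must open with a quote"
    i, n = start + 1, len(sql)
    while i < n:
        b = sql[i]
        if is_lead(b):
            if i + 1 >= n:
                raise ValueError("truncated multibyte character")
            if validate and not is_trail(sql[i + 1]):
                raise ValueError("invalid byte sequence for encoding SJIS")
            i += 2                      # lead + trail consumed as one char
        elif b == 0x5C:                 # backslash: escapes the next byte
            if reject_backslash_quote and i + 1 < n and sql[i + 1] == 0x27:
                raise ValueError("unsafe use of \\' in a string literal")
            i += 2
        elif b == 0x27:
            if i + 1 < n and sql[i + 1] == 0x27:
                i += 2                  # doubled quote stays inside the literal
            else:
                return i
        else:
            i += 1
    raise ValueError("unterminated quoted string")


def outcome(user_input: bytes, escape: Callable[[bytes], bytes],
            validate: bool, reject_backslash_quote: bool = False) -> str:
    """Embed escaped user input in a query and report what the lexer sees:
    'safe' (literal closes where the application put the quote),
    'rejected' (lexer error) or 'injected: <text now parsed as SQL>'."""
    prefix = b"SELECT * FROM users WHERE name = '"
    body = escape(user_input)
    sql = prefix + body + b"' AND active"
    intended_close = len(prefix) + len(body)
    try:
        end = find_literal_end(sql, len(prefix) - 1, validate,
                               reject_backslash_quote)
    except ValueError:
        return "rejected"
    if end == intended_close:
        return "safe"
    return "injected: " + sql[end + 1:].decode("latin-1")


if __name__ == "__main__":
    attack = b"\x95' OR 1=1 --"        # constructed: lone lead byte, then a quote
    hyo = b"\x95\x5c"                   # Shift_JIS for 表, trail byte is '\\'
    print("2313, '' escaping, no validation :", outcome(attack, escape_doubling, False))
    print("2313, '' escaping, validation    :", outcome(attack, escape_doubling, True))
    print("2314, \\' escaping, validation    :", outcome(attack, escape_backslash, True))
    print("legit 表 with \\' escaping        :", outcome(hyo, escape_backslash, True))
    print("legit 表 with '' escaping        :", outcome(hyo, escape_doubling, True))
    print("O'Brien, \\' escaping, \\' outlawed:",
          outcome(b"O'Brien", escape_backslash, True, True))
```

Reading the results against the message: encoding validation alone stops
the doubled-quote case (the lone lead byte followed by 0x27 is rejected),
but a backslash used as the escape character is itself a valid trail
byte, so 0x95 0x5C 0x27 passes validation and the quote closes the
literal early; that is why no server-side change can rescue `\'`
escaping, and why outlawing `\'` breaks correct input such as O'Brien
rather than the attack bytes, which never contain a literal `\'`.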
