Florian Weimer
2006-May-23 18:52 UTC
[Secure-testing-team] Bug#368645: CVE-2006-2313, CVE-2006-2314: encoding conflicts
Package: postgresql
Version: 7.4.7-6sarge1
Tags: security
Severity: grave

A couple of PostgreSQL issues have been disclosed today:

<http://www.postgresql.org/docs/techdocs.52>

My analysis so far:

* CVE-2006-2313

  High impact (because UTF-8 is affected and widely used). Fix is straightforward as far as UTF-8 is concerned, but will break some applications which write certain forms of invalid UTF-8 to the database. If necessary, a dump and reload to switch to SQL_ASCII on the server side will fix this. However, PostgreSQL already rejects some forms of invalid UTF-8. Therefore, a change I don't know the impact on other multibyte encodings; it's probably necessary to ask upstream.

* CVE-2006-2314

  This is the really interesting one. It's restricted to certain multi-byte encodings (that's why I think this bug is less severe, all things considered). No real fix is possible as long as we preserve the interface. The upstream fix outlawing "\'" breaks tons of legacy PHP applications, but I have no better idea how to address it. 8-(

  On the libpq side, I'd use "static __thread" instead of "static" for the globals. That way, we gain at least some thread safety.

(Unless someone objects, I'm going to clone this for the various PostgreSQL packages.)
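
Added example (not part of the original message): a pre-upgrade audit for the breakage described under CVE-2006-2313, listing the byte sequences in application data that a strict UTF-8 check rejects. Python's strict decoder stands in for the server-side validation, which is an assumption; `find_invalid_utf8`, `audit_rows` and the sample rows are constructed for illustration.

```python
"""Audit application data for invalid UTF-8 before the server starts rejecting it.

Assumption: Python's strict UTF-8 decoder stands in for server-side validation;
the exact set of sequences a patched server rejects may differ.
"""


def find_invalid_utf8(data: bytes):
    """Return [(offset, bad_bytes, reason), ...] for each invalid sequence in data."""
    problems = []
    pos = 0
    while pos < len(data):
        try:
            data[pos:].decode("utf-8", errors="strict")
            break  # remainder is clean
        except UnicodeDecodeError as exc:
            start, end = pos + exc.start, pos + exc.end
            problems.append((start, data[start:end], exc.reason))
            pos = end  # resume after the rejected bytes
    return problems


def audit_rows(rows):
    """Map row id -> problems, keeping only rows a strict check would reject."""
    report = {}
    for row_id, value in rows:
        problems = find_invalid_utf8(value)
        if problems:
            report[row_id] = problems
    return report


# Constructed sample rows (id, raw bytes as the application would send them).
SAMPLE_ROWS = [
    (1, "na\u00efve caf\u00e9".encode("utf-8")),   # valid UTF-8
    (2, b"caf\xe9 au lait"),                        # Latin-1 byte in a UTF-8 column
    (3, b"path\xc0\xafname"),                       # overlong encoding of '/'
    (4, b"plain ascii"),                            # valid
]

if __name__ == "__main__":
    for row_id, problems in audit_rows(SAMPLE_ROWS).items():
        for offset, bad, reason in problems:
            print(f"row {row_id}: offset {offset}: {bad!r}: {reason}")
```

Rows flagged here are the ones an application would need to re-encode, or move to an SQL_ASCII database as the message suggests, before the stricter validation is deployed.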