-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: postgresql
Announcement ID: SUSE-SA:2006:030
Date: Fri, 09 Jun 2006 16:00:00 +0000
Affected Products: SUSE LINUX 10.1
SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
SUSE LINUX 9.1
SUSE SLES 9
Vulnerability Type: remote code execution
Severity (1-10): 7
SUSE Default Package: no
Cross-References: CVE-2006-2313, CVE-2006-2314
Content of This Advisory:
1) Security Vulnerability Resolved:
PostgreSQL SQL injection problems due to encoding problems
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
Two character set encoding related security problems were fixed in the
PostgreSQL database server:
CVE-2006-2313:
Akio Ishida and Yasuo Ohgaki discovered a weakness in the handling
of invalidly-encoded multibyte text data. If a client application
processed untrusted input without respecting its encoding and
applied standard string escaping techniques (such as replacing a
single quote >>'<< with >>\'<< or >>''<<), the PostgreSQL server
could interpret the resulting string in a way that allowed an
attacker to inject arbitrary SQL commands into the resulting SQL
query. The PostgreSQL server has been modified to reject such
invalidly encoded strings now, which completely fixes the problem
for some 'safe' multibyte encodings like UTF-8.
CVE-2006-2314:
However, there are some less popular and client-only multibyte
encodings (such as SJIS, BIG5, GBK, GB18030, and UHC) which
contain valid multibyte characters that end with the byte 0x5c,
which is the representation of the backslash character >>\<< in
ASCII. Many client libraries and applications use the non-standard,
but popular way of escaping the >>'<< character by replacing all
occurrences of it with >>\'<<. If a client application uses one of
the affected encodings and does not interpret multibyte characters,
and an attacker supplies a specially crafted byte sequence as an
input string parameter, this escaping method would then produce a
validly-encoded character and an excess >>'<< character which would
end the string. All subsequent characters would then be interpreted
as SQL code, so the attacker could execute arbitrary SQL commands.
To fix this vulnerability end-to-end, client-side applications
must be fixed to properly interpret multibyte encodings and use
>>''<< instead of >>\'<<. However, as a precautionary measure,
the sequence >>\'<< is now regarded as invalid when one of the
affected client encodings is in use. If you depend on the previous
behavior, you can restore it by setting 'backslash_quote = on'
in postgresql.conf. However, please be aware that this could
render you vulnerable again.
This issue does not affect you if you only use single-byte (like
SQL_ASCII or the ISO-8859-X family) or unaffected multibyte
(like UTF-8) encodings.
Please see for further
details.
Unfortunately we are not yet able to provide back ported patches for
the PostgreSQL included in SUSE Linux Enterprise Server 8 at this
time. We are working on a solution for this problem.
2) Solution or Work-Around
There is no known workaround, please install the update packages.
3) Special Instructions and Notes
If you are running a PostgreSQL server please make sure that it
is stopped or at least doesn't have any client connections during
the update.
If you are running or using a PostgreSQL server please carefully follow
the instructions in /usr/share/doc/packages/postgresql/SECURITY-NOTICE
to complete this security update
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv
to apply the update, replacing with the filename of the
downloaded RPM package.
x86 Platform:
SUSE LINUX 10.1:
8fb5e2f12fb4db3b468a735be55902bc
fd229189b9b93d90cf223fbe29ecf937
278a5823adcc686131b55cad9984f34c
a91427f863badb6edc03ae27b3e5f15e
ea7ce106f0bc482469e96e27b8e544bc
56a69980760509bb49de4868315d5baa
ed388e0c0a524559d13050eb1dfdc9c1
SUSE LINUX 10.0:
923404a774e7cabec9df64c62da88a27
85b25723f9d67a70b04e0ce3811cc85c
50e5a977ed8b9120768bc5e603961f98
e45faf70ef7def2aade7b94ba89bd864
36b5719ca00eaf3cddb4c2d506d1d2fa
318081f3601d5f7baf872c94b104b2fc
05d154dcc296a9c7e956e9138a312108
SUSE LINUX 9.3:
a260aec2aef3ea77694a76a0201044ae
37b5114bbbb78f6e80ffb1b89401e8da
a61d1e17cd2ccc61f6b4975520ab7e9f
841b0470d29b9170b18bbfbaafe41435
78ef824e90a62d24d6bb2deaa9b74ab9
733a5aa1b89477c2011910d0fa72e166
f688fedcc332b893e0ac9e5154d977c1
SUSE LINUX 9.2:
ea88d118184c182bfacb7544d48f34c6
ce7b90c42fb477b97c0dbc64c147b5e0
1bcfeb756fe5c5d5e347a5ff4ccf84fe
890c3a7ced118229ec9bc640cb057800
b7ec99237d6fe4e8682c78f7a8bcdb63
96a4e10fee0a465819a07ee2e89b03e2
5ca65525e7d340e4e98a3a59dac1cbe3
SUSE LINUX 9.1:
34eed42fd77148c86ec86c086a18af0d
e05064dbdfba0a0a0ca43b745f2a6402
8ecb634c77035ccac12cee347c632f99
f3ac880c647474f1bee6c72fec75b550
92e1ed36148af0b98691296b5f20074d
76c494f41f4cc6d31d181c0d672b85db
77dddc495feae1c6b0f926b0169585af
e1def686b4da15034ecdba05ae52d317
Power PC Platform:
SUSE LINUX 10.1:
20bf4b672950391a885c39647be3fd29
a438d0c348de0e2352a24ba34f1b3efd
a24d09f29f4dc635420a4cf44d01de7a
733ebb4b98b47c4ae645b2a6d3f5f127
2e2a884eb58f654bad8b4986f8347d63
afb35a53b9dad8e2b7f193eb59265c94
e26756896b6023f3b7a56edf504508e0
3e7b5e34ab551a15adf87a4533f71919
SUSE LINUX 10.0:
1f0d19658278ce363a02f34c8408badc
ab128f5681367e3260f28007f1eb223b
4934796258b5095bde35d82dcce8400e
c6ed5f891260a707ff34d2c0d6bc8dd5
11eae2961bc6806c81144f980cf47c26
84d1d74b1be2fa9bc3814347e48d666a
7c2091e7324d055d584d18de5d016b02
565f8479ac8b992cc6dee514d009c6a0
ppc64:
SUSE LINUX 10.1:
eaaea2f30a115beed208a33fb7985319
SUSE LINUX 10.0:
a16b451535c8a819814fc0081a6a3855
x86-64 Platform:
SUSE LINUX 10.1:
7037db2dbb3d7d251f74a383a8779ebd
efc0a6e5c729fa83995b24ac9cb248de
dba4d4671e306ea3f610576b8e455152
ad4d0ceb06de8f4a66506ce8822752f9
4ee45efb63361bba98e6d65d07187afa
c5a016add913fdaad2b5157d705e3fe4
109a82fdb9ba89bd72323906d03ef0a8
e2100dbf6917d14f375d7860275d35e5
SUSE LINUX 10.0:
aeae0da5a394b4c24d8cda8560f18dbb
10e6615d3c4648b9cc9d0c69e10a5e23
42fa8a74543ba2dc5983829e87f9cf03
f39ed20c68895151c7540224bfa733e5
694a1886b2d287fe91b7182d5d9a6cd2
07a3202ef0840ebd64c797570ad37959
d16750bdb4d6c7c8c9a4d770db05224f
f16b518aa08e10c7afea31b294cfc778
SUSE LINUX 9.3:
3e1d2b7a5f48312f45629ef1e2aca09e
c93b8d25d8c1c8d3ff71330148b0bfe1
7282ec73b022c0a64df4131449ffa03e
6555bbcb2dece1509ce34689e6866089
b3bb611cbe68ca215f5dddad9c5427a6
01e3fa4fe1de5c07c923f86b8b6edfe1
b19f8062671374939259f1a283736622
691e3d79c8fd58acd3e754b3ac3085b1
SUSE LINUX 9.2:
e4b11cc66197cf5f186f07ee9928e66e
c6b41d5cbf22749909f787a4618037da
1f0119c73b50f3a5da6d31e2eea35369
9a8f7959d081395e312ca02a8a7a5fc3
2ddf607af4ce09f4269cbca02ec03a7d
272ef016cd23ae673b803b5767a1554c
51523699fb995488a1dbded7eb5fe2cc
897a20ab9ea122d43f89567e485ff500
SUSE LINUX 9.1:
a38b622178a32cdd06233c842327295d
085aab7d5729e3f27dbab7fb9e420254
4691be0aa24c42eeaa50c092353bd6f4
5bc0a01514247c29c765b3c8938c795d
c12dc2877ec65c6a3f988b51157b5ab7
83fa45b8a322910a38f071e9bd0d9031
79ad3926185107da714ab3754aa889e7
Sources:
SUSE LINUX 10.1:
44f36fd35b82cea18e01a4fe667ad40d
f189f8e0fca64e0e3991c7d4f928327f
SUSE LINUX 10.0:
361ca18474faf36146a84236618afaf2
5a7a5a8af3c4bc930300c908413d8fe0
SUSE LINUX 9.3:
384b25b835cfd3990395967571ae2b05
a1155e3cadf7907178c57fc20a3b2aa1
SUSE LINUX 9.2:
186111c9f577a1583725aef28da96636
fb124cb2d1424d21035040847423e7b6
SUSE LINUX 9.1:
7a76decace79f6dcb7d183f461626b2e
4739e9d6fee0bee6934be76870d4ce51
7fadd3d1bed3c30759d94af7cd924800
a357ff94aec54e5ebb08c7fd758fbdeb
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
SUSE SLES 9
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify
replacing with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team "
where is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:
1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement
1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig
to verify the signature of the package, replacing with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build@suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command
md5sum
after you downloaded the file from a SUSE FTP server or its mirrors.
Then compare the resulting md5sum with the one that is listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security@suse.de), the
checksums show proof of the authenticity of the package if the
signature of the announcement is valid. Note that the md5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security@suse.com
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
.
suse-security-announce@suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
.
For general information or the frequently asked questions (FAQ),
send mail to or
.
==================================================================== SUSE's security contact is or .
The public key is listed below.
====================================================================
