copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
Search this site

On this site

 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login


ESB-2006.0387 -- [Win][UNIX/Linux][Debian] -- New PostgreSQL packages fix encoding vulnerabilities

Date: 05 June 2006

Click here for printable version
Click here for PGP verifiable version
Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

                ESB-2006.0387 -- [Win][UNIX/Linux][Debian]
           New PostgreSQL packages fix encoding vulnerabilities
                                5 June 2006


        AusCERT Security Bulletin Summary

Product:              postgresql
Publisher:            Debian
Operating System:     Debian GNU/Linux 3.1
                      UNIX variants (UNIX, Linux, OSX)
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
CVE Names:            CVE-2006-2314 CVE-2006-2313

Original Bulletin:

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running PostgreSQL check for an updated version of the software for
         their operating system at:

- --------------------------BEGIN INCLUDED TEXT--------------------

Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 1087-1                                       Martin Schulze
June 3rd, 2006                
- - --------------------------------------------------------------------------

Package        : postgresql
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-2313 CVE-2006-2314

Several encoding problems have been discovered in PostgreSQL, a
popular SQL database.  The Common Vulnerabilities and Exposures
project identifies the following problems:


    Akio Ishida and Yasuo Ohgaki discovered a weakness in the handling
    of invalidly-encoded multibyte text data which could allow an
    attacker to inject arbitrary SQL commands.


    A similar problem exists in client-side encodings (such as SJIS,
    BIG5, GBK, GB18030, and UHC) which contain valid multibyte
    characters that end with the backslash character.  An attacker
    could supply a specially crafted byte sequence that is able to
    inject arbitrary SQL commands.

    This issue does not affect you if you only use single-byte (like
    SQL_ASCII or the ISO-8859-X family) or unaffected multibyte (like
    UTF-8) encodings.

    psycopg and python-pgsql use the old encoding for binary data and
    may have to be updated.

The old stable distribution (woody) is affected by these problems but
we're unable to correct the package.

For the stable distribution (sarge) these problems have been fixed in
version 7.4.7-6sarge2.

For the unstable distribution (sid) these problems have been fixed in
version 7.4.13-1.

We recommend that you upgrade your postgresql packages.

Upgrade Instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- - --------------------------------

  Source archives:
      Size/MD5 checksum:      985 78d63a976c27999c86bbd57f70eae80d
      Size/MD5 checksum:   189611 577fb231aac4f86692e935b6a30eb1f4
      Size/MD5 checksum:  9952102 d193c58aef02a745e8657c48038587ac

  Architecture independent components:
      Size/MD5 checksum:  2266882 86068a0b0bd5f3353746555933d29317

  Alpha architecture:
      Size/MD5 checksum:   239980 bb173b640c9f206c320d20b554d724fa
      Size/MD5 checksum:   104826 0d4a8d8aea91799bc70617f9e47b5b29
      Size/MD5 checksum:    82408 f4a3dad48412573e5b993c4d9e7400f1
      Size/MD5 checksum:    61972 7cc403fea81613636d180358568638ca
      Size/MD5 checksum:   139496 bede365b3e3505f79cb734747744fd5e
      Size/MD5 checksum:  4153162 86740fcfb886861702c8bccbcfb7a8be
      Size/MD5 checksum:   614270 16108bc1a5cc9d7d51337597e2f5090c
      Size/MD5 checksum:   701704 de550242e2d5cbbf0d9c24aad75a4977
      Size/MD5 checksum:   546150 d9c95cc8ac6e21509b13640d0589c46c

  AMD64 architecture:
      Size/MD5 checksum:   210208 602e081a5b8ef164d0d7114cfbb002e2
      Size/MD5 checksum:    96442 ecdcbc5b59750b9871d49e3319a18fb8
      Size/MD5 checksum:    79380 ca54542f754ac5da8c992f5889c12cc9
      Size/MD5 checksum:    56212 364aaa1ac5a22e12262b90314f060d33
      Size/MD5 checksum:   131638 82fcd52b9cb9c93afb1e9545df89ee28
      Size/MD5 checksum:  3887452 f408a28bc585b4f98e72e343813316be
      Size/MD5 checksum:   559516 2b31c9a4fc43ab7ca0d9dd2f55dd1bb9
      Size/MD5 checksum:   654962 0b5970688a0f4ed4476ea80196b3e33d
      Size/MD5 checksum:   519740 b291ff79aa9dcf4c94b4f544222b6e3c

  ARM architecture:
      Size/MD5 checksum:   216872 60267ccd42ebc905fbed60faf15ce7c8
      Size/MD5 checksum:    92170 6f866dbf0695c4857d73dbd9c538caa7
      Size/MD5 checksum:    76290 53279156767dd6b03ebde6a1a7a6e9d5
      Size/MD5 checksum:    56338 14809b9f1149cc9a09b2b7f65efffd07
      Size/MD5 checksum:   124098 72f5fa7ae580925a88a2d3dd8fc96c3d
      Size/MD5 checksum:  3789942 b819ecda4f08a2f321942e6efd760e35
      Size/MD5 checksum:   534538 b1cd2927aaf7a59ebe9274e9d88beff9
      Size/MD5 checksum:   628216 a94c9d9207b560b6eed5fd823bdd5406
      Size/MD5 checksum:   518454 db9f0c0c6ab0c0c3a504c5a1faf93d54

  Intel IA-32 architecture:
      Size/MD5 checksum:   207204 aafafd90bea915cfce42e4cc8997a7ae
      Size/MD5 checksum:    95146 fbccb71b54ddae5b4f0100262e546edd
      Size/MD5 checksum:    78032 c2199f8932f9af670103bae577da7928
      Size/MD5 checksum:    55678 ba9771127582d3c4d041d0ebd54714f8
      Size/MD5 checksum:   128310 fcdcfa9995f3929c4af97fa75540fdf8
      Size/MD5 checksum:  3799030 0d851c1ad83ba723ca81009464c69f71
      Size/MD5 checksum:   539660 c3511e4e1935e5e741e630b33828492f
      Size/MD5 checksum:   625940 32bb7a6139270dd119f72a7b708a6c54
      Size/MD5 checksum:   516050 9aa8818dec80c8830fde3b0d6849d310

  Intel IA-64 architecture:
      Size/MD5 checksum:   250406 02e0cd73738b871e12fe07d435f502e8
      Size/MD5 checksum:   117496 0b12feda47694da718abaa8b82e3a7df
      Size/MD5 checksum:    91804 c75fd48f53fa84033593c5000c4e2ba1
      Size/MD5 checksum:    60582 c81d60f2b9fcafc17bf2c890f62a67af
      Size/MD5 checksum:   152570 657268cc59f43720a4fbcd7401f68a51
      Size/MD5 checksum:  4408476 6b9c54e4e402f7f2dd0bab017b53b066
      Size/MD5 checksum:   682300 919925ab2e1e3f0214223ec4d557198f
      Size/MD5 checksum:   776054 17a52e7ee887815ea0eca17db214e143
      Size/MD5 checksum:   543558 304d71b16b2de34209431a6e4f5f47b4

  HP Precision architecture:
      Size/MD5 checksum:   217744 7ea61b426c2ead22a87d8e6b2b8cbc06
      Size/MD5 checksum:   104378 cb8adb9c1dd2bc415a6157fa12f928e5
      Size/MD5 checksum:    83740 3799d1cfececc128d9a6a790c08a86c7
      Size/MD5 checksum:    58682 3caab961a85db146b0d37f982af37622
      Size/MD5 checksum:   134686 5a730cd2793948c69aacb82d00124259
      Size/MD5 checksum:  4263326 56aa2f4f1caab2fddf15b8c0c960c426
      Size/MD5 checksum:   572462 2989c44d3ed16aff10af1bbdfee973f8
      Size/MD5 checksum:   686150 ad186c53d5cf30ec79bd5f7a8de97a7c
      Size/MD5 checksum:   523900 eb948f532e5cfdebe504925a73103c9d

  Motorola 680x0 architecture:
      Size/MD5 checksum:   194254 60cb0f51cdb1e8c270bf5092b8d8255c
      Size/MD5 checksum:    89926 557536dec7b52d56abd80da0e3395204
      Size/MD5 checksum:    76946 8d5b8aaaad2faef72647dab6bf74a706
      Size/MD5 checksum:    53920 d8a7c7dfde0b9848c9b820b1b021013b
      Size/MD5 checksum:   125348 e2a9707ad1ac5f7fe1c1f2455242bc2c
      Size/MD5 checksum:  3974176 da72953d869784679784c9753972128f
      Size/MD5 checksum:   510460 0c3be055f6a3e09377c5669e25ee6cc3
      Size/MD5 checksum:   608894 52181b4b31ca796c2a67737706c2d732
      Size/MD5 checksum:   507366 b47589dc8e2cba5f2484136ae1360bd8

  Big endian MIPS architecture:
      Size/MD5 checksum:   209612 24ecb0017cc2d0213c9ae14def963f7c
      Size/MD5 checksum:    95740 7bc16022786a15ce296cc450bad14690
      Size/MD5 checksum:    80856 4ae6337bf3f0749e5646398025b4ca3a
      Size/MD5 checksum:    56260 32e7db2cc80977c8202f4dd11e4d37c0
      Size/MD5 checksum:   128346 19627a5e0dab29be81b092ef9a064f1c
      Size/MD5 checksum:  4171356 e97e1b50aa6ce9f1b3963d9ab20eeacc
      Size/MD5 checksum:   582144 804d77b5e1089b5b39e57eb228836aca
      Size/MD5 checksum:   641800 4b006574dbeda3bcedc514ca12433b10
      Size/MD5 checksum:   521302 8d1b8b6bc9bc640761909527c425083a

  Little endian MIPS architecture:
      Size/MD5 checksum:   207620 1b974ad276e845a8b9da8afb88b20118
      Size/MD5 checksum:    95932 06b9e5d8fd2e82c622febe7faf7b2be7
      Size/MD5 checksum:    80612 7a2d7bbd54b8f08aa09c2cd307d3d2be
      Size/MD5 checksum:    56322 22475b9bc5de36f15ad8560795455133
      Size/MD5 checksum:   128422 f6fbc5968a69601bcf94d71ad0f88532
      Size/MD5 checksum:  3862226 e4424c77620f0c30beb7d8ac0e253d9f
      Size/MD5 checksum:   581426 ed5a9b2a615bdfcc7036287667502038
      Size/MD5 checksum:   641240 dc49d2bcf81a25280664c73b1af8797b
      Size/MD5 checksum:   521720 5ff500cb5542403582240c7e37bbcdda

  PowerPC architecture:
      Size/MD5 checksum:   210904 48e1dd207b4b025e80b35406d75b43ee
      Size/MD5 checksum:   100428 901be88d71fc0e06ccf3e50fb4151b93
      Size/MD5 checksum:    84596 72fbac10fd10eedcc4ef1673e5ad57b2
      Size/MD5 checksum:    55326 96fcce34e09b75e683c09e63d94b0ac2
      Size/MD5 checksum:   129898 6467b522f8bcf577a5a5eac47e695e5f
      Size/MD5 checksum:  4203052 1f019762641079d46b162b4ad2837458
      Size/MD5 checksum:   565430 a305cd9acfcec0d648edb56eaae2f605
      Size/MD5 checksum:   686040 3d34c6d9faf50a6c88c736364895cbdf
      Size/MD5 checksum:   516676 c2e91f20faa7669ab94fae166f94cac5

  IBM S/390 architecture:
      Size/MD5 checksum:   208296 1ceaec0962943f05b7cb930c5a8ec5f0
      Size/MD5 checksum:    97814 73b521d57581888ffa97f4c519aa2b78
      Size/MD5 checksum:    80456 704e9ef41e3f89e610f7400c998ce88c
      Size/MD5 checksum:    56994 b135a1197a5b47a4070a07ffceb33348
      Size/MD5 checksum:   133966 f80f2bfb7a971fd9ff4f3266c9fdddcd
      Size/MD5 checksum:  4161698 8dac213b26c2f64b394ead91cf796c8e
      Size/MD5 checksum:   549568 a82366bd7a49ca2e2c3f84a0f99b61b2
      Size/MD5 checksum:   665482 6d7faf109031c6f295966e65bd69ed79
      Size/MD5 checksum:   520664 3ebbbcd84b599632d3b74a6aa5cfbd9e

  Sun Sparc architecture:
      Size/MD5 checksum:   205870 9fe5eac55d9ecb77cde27081e43fa2e2
      Size/MD5 checksum:    93606 1ef27ddd79e25a9de9f65673076ccbed
      Size/MD5 checksum:    77926 525d22dd799578af00d5ee3e09718dbd
      Size/MD5 checksum:    56150 07daedfabe9931672c7fced5ef515708
      Size/MD5 checksum:   127594 e488f86dcbce2df62c3dbfe56766d1c2
      Size/MD5 checksum:  4091222 6c3cbbb9965d35a5813ea78abac52645
      Size/MD5 checksum:   535876 f914be88ee8da6b67cc3af31db4ef42b
      Size/MD5 checksum:   633208 f23620f4d6708b1946e85349372e3048
      Size/MD5 checksum:   514344 6d8417121070e1faa09936e6ac9b943f

  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list:
Package info: `apt-cache show <pkg>' and<pkg>

Version: GnuPG v1.4.3 (GNU/Linux)


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.