Re: Re: [pgsql-security] postgresql-jdbc 8.1 SQL injection with postgresql server 9.1

[Ludwig Nussel <ludwig.nussel () suse de>]

Robert Haas wrote:
> On Fri, Mar 30, 2012 at 8:51 AM, Ludwig Nussel <ludwig.nussel () suse de> wrote:
> > Postgresql 9.1 turned "standard conforming strings" on by default[1][2].
> > postgresql-jdbc before version 8.2-504 however did not know about that
> > kind of string and escaped single quotes with a backslash always. When
> > such an old version of postgresql-jdbc is used with a newer postgresql
> > server it not only breaks when strings contain single quotes, it also
> > allows for SQL injections[3].
> > The bug is neither in postgresql-jdbc as it was working correctly at the
> > time it was released, nor is it really postgresql 9.1's fault which I
> > guess doesn't expect and can't detect such an old jdbc adapter. The
> > security issue arises when mixing the old adapter and the new server.
>
> Right.  This issue has been previously reported to pgsql-security.
> The position of the pgsql-jdbc project is that a client version should
> be used with a matching server version; therefore, the project views
> the proposed combination as an unsupported configuration.

Sure, no doubt about that. The postgresql-jdbc package should have been
updated a long time ago but obviously was forgotten. If we had updated
it a year ago we'd have created a normal version update due to EOL of
the old package with no security context at all. Now that it's known
that the unsupported combination of versions allows for SQL injection
however the update suddenly becomes security relevant.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)