Format: 1.8
Date: Tue, 11 Feb 2025 11:27:41 +0100
Source: postgresql-13
Architecture: source
Version: 13.19-0+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Changes:
 postgresql-13 (13.19-0+deb11u1) bullseye-security; urgency=medium
 .
   * New upstream version 13.19.
 .
     + Harden PQescapeString and allied functions against invalidly-encoded
       input strings (Andres Freund, Noah Misch)
 .
       Data-quoting functions supplied by libpq now fully check the encoding
       validity of their input. If invalid characters are detected, they
       report an error if possible. For the ones that lack an error return
       convention, the output string is adjusted to ensure that the server
       will report invalid encoding and no intervening processing will be
       fooled by bytes that might happen to match single quote, backslash,
       etc.
 .
       The purpose of this change is to guard against SQL-injection attacks
       that are possible if one of these functions is used to quote crafted
       input. There is no hazard when the resulting string is sent directly
       to a PostgreSQL server (which would check its encoding anyway), but
       there is a risk when it is passed through psql or other client-side
       code. Historically such code has not carefully vetted encoding, and
       in many cases it's not clear what it should do if it did detect such
       a problem.
 .
       This fix is effective only if the data-quoting function, the server,
       and any intermediate processing agree on the character encoding
       that's being used. Applications that insert untrusted input into SQL
       commands should take special care to ensure that that's true.
 .
       Applications and drivers that quote untrusted input without using
       these libpq functions may be at risk of similar problems. They should
       first confirm the data is valid in the encoding expected by the
       server.
 .
       The PostgreSQL Project thanks Stephen Fewer for reporting this
       problem. (CVE-2025-1094)
Checksums-Sha1:
 98a97881f52a4bcc15da09ffe5875c1becddb1b2 3703 postgresql-13_13.19-0+deb11u1.dsc
 fdfc2048dbc2b6b8aeded608002f7a4594c420b6 21729020 postgresql-13_13.19.orig.tar.bz2
 fc8e316229ff5f32837fa0f694b4cc88f585b1bb 35876 postgresql-13_13.19-0+deb11u1.debian.tar.xz
Checksums-Sha256:
 59788cf29b344a3830aff5465f2655ed2ac2079b4b2a62d32473342d4e7c7ba1 3703 postgresql-13_13.19-0+deb11u1.dsc
 482cce0a9f8d24c2447cfc7b2817e55f86d51afe5f7f1a85214bf93644e774ea 21729020 postgresql-13_13.19.orig.tar.bz2
 bb2b70c1c2ce941c7aba34fc0824eaef33cd9ea241ef2967550150fb814f2733 35876 postgresql-13_13.19-0+deb11u1.debian.tar.xz
Files:
 bf9857e3542200496aad91bbb3b671aa 3703 database optional postgresql-13_13.19-0+deb11u1.dsc
 a567d0fbd4a993673a95ffb230dd6df1 21729020 database optional postgresql-13_13.19.orig.tar.bz2
 7429cb64f21e70a4aed8afbd6144daf1 35876 database optional postgresql-13_13.19-0+deb11u1.debian.tar.xz
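The changelog's advice to confirm that untrusted data is valid in the encoding the server expects before quoting it, as an added Python example that is neither part of this upload nor of libpq: the codec table, the `InvalidEncodingError` class and the function names are assumptions for this illustration, and `naive_quote` stands in for the byte-oriented quoting the advisory warns about.

```python
"""Encoding-checked quoting of untrusted bytes for a SQL string literal."""

# Constructed subset mapping PostgreSQL client_encoding names to Python codecs.
PG_TO_PYTHON_CODEC = {
    "UTF8": "utf-8",
    "LATIN1": "latin-1",
    "GBK": "gbk",
}


class InvalidEncodingError(ValueError):
    """Raised when input bytes are not valid in the agreed client encoding."""


def check_encoding(raw: bytes, client_encoding: str) -> str:
    """Strictly decode `raw` in `client_encoding`; raise instead of guessing."""
    codec = PG_TO_PYTHON_CODEC.get(client_encoding.upper())
    if codec is None:
        raise InvalidEncodingError(f"unsupported client_encoding {client_encoding!r}")
    try:
        return raw.decode(codec, errors="strict")
    except UnicodeDecodeError as exc:
        raise InvalidEncodingError(f"input is not valid {client_encoding}: {exc}") from exc


def is_valid_in(raw: bytes, client_encoding: str) -> bool:
    """True if `raw` decodes cleanly in `client_encoding` (convenience wrapper)."""
    try:
        check_encoding(raw, client_encoding)
        return True
    except InvalidEncodingError:
        return False


def quote_literal(raw: bytes, client_encoding: str) -> str:
    """Validate the encoding first, then quote at the character level.

    Because quoting happens on decoded characters, a 0x27 or 0x5C byte that is
    the trail byte of a multibyte character is never mistaken for a quote or a
    backslash. Doubling single quotes is sufficient when the server runs with
    standard_conforming_strings=on (the PostgreSQL default).
    """
    text = check_encoding(raw, client_encoding)
    return "'" + text.replace("'", "''") + "'"


def naive_quote(raw: bytes) -> bytes:
    """Byte-oriented quoter with no encoding check: it accepts bytes it cannot
    interpret and leaves the problem to whatever processes the string later."""
    return b"'" + raw.replace(b"'", b"''") + b"'"
```

Real code should obtain `client_encoding` from the live connection rather than a hard-coded value, since the check only helps when the quoter, the server and any intermediate tool agree on the encoding.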