[Dapper only] CVE-2006-4041: Pike Unspecified SQL Injection Vulnerability

Bug #58169 reported by Cody A.W. Somerville
Affects            Status         Importance   Assigned to    Milestone
Debian             Fix Released   Unknown
pike7.2 (Ubuntu)   Won't Fix      Undecided    Unassigned
pike7.4 (Ubuntu)   Won't Fix      Undecided    Unassigned
pike7.6 (Ubuntu)   Fix Released   Undecided    Unassigned
  Hoary            Fix Released   Medium       Martin Pitt
  Dapper           Fix Released   Medium       Unassigned

Bug Description

Summary: Not escaping query strings can possibly result in SQL injection for apps that use pike+postgresql.

I believe that this also applies to pike7.4, and pike 7.2.

This has been fixed upstream and is not found in version 7.6.87.

I think 7.6.87 is in Edgy and can be backported to correct this issue.

http://secunia.com/advisories/20494/
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=383766

P.S. This is my first bug report - sorry if I've made any mistakes in reporting this.

Cody A.W. Somerville (cody-somerville) wrote :

I'm not sure if a patch is available yet for 7.4 branch.

Changed in pike7.6:
status: Unconfirmed → Confirmed
Changed in pike7.2:
status: Unconfirmed → Confirmed
Changed in pike7.6:
status: Confirmed → Fix Released
Changed in pike7.4:
status: Unconfirmed → Needs Info
Cody A.W. Somerville (cody-somerville) wrote :

I marked Pike7.6 as Fix Released since upgrading it would fix the issue.

I marked Pike7.4 as needs info as for some reason the debian bug report didn't specify if 7.4 was affected or not (Though I would assume it is).

I marked Pike7.2 as simply confirmed as the issue is confirmed but I'm not sure if the patch in the debian bug report actually fixes it or if the bug was fixed upstream in the 7.6 branch.

Cody A.W. Somerville (cody-somerville) wrote :

Changed Pike7.6 Fix Released -> Fix Committed as per proper bug triage procedure.

Changed in pike7.6:
status: Fix Released → Fix Committed
Martin Pitt (pitti) wrote :

Archive team: can you please sync 7.6.87 for edgy?

pike7.6 (7.6.87-2) unstable; urgency=low

  * Shortened the long descriptions of several binary packages
  * Added short description of pike, plus an url, to the description of
    the pike modules binary packages

 -- Marek Habersack <email address hidden> Sun, 9 Aug 2006 01:28:37 +0200

pike7.6 (7.6.87-1) unstable; urgency=low

  * The latest cvs snapshot

 -- Marek Habersack <email address hidden> Sun, 4 Jun 2006 22:21:07 +0200

pike7.6 (7.6.86-1) unstable; urgency=low

  * Release number bumped by export.pike.

 -- Marek Habersack <email address hidden> Sun, 4 Jun 2006 22:17:43 +0200

pike7.6 (7.6.85-1) unstable; urgency=low

  * The latest cvs snapshot

 -- Marek Habersack <email address hidden> Sun, 4 Jun 2006 15:33:52 +0200

pike7.6 (7.6.84-1) unstable; urgency=low

  * Release number bumped by export.pike.

 -- Marek Habersack <email address hidden> Sun, 4 Jun 2006 15:29:49 +0200

pike7.6 (7.6.83-1) unstable; urgency=low

  * The latest cvs snapshot

 -- Marek Habersack <email address hidden> Thu, 1 Jun 2006 10:29:09 +0200

pike7.6 (7.6.82-1) unstable; urgency=low

  * Release number bumped by export.pike.

 -- Marek Habersack <email address hidden> Thu, 1 Jun 2006 10:26:10 +0200

pike7.6 (7.6.81-1) unstable; urgency=low

  * The latest cvs snapshot

 -- Marek Habersack <email address hidden> Thu, 1 Jun 2006 9:42:41 +0200

pike7.6 (7.6.80-1) unstable; urgency=low

  * Release number bumped by export.pike.

 -- Marek Habersack <email address hidden> Thu, 1 Jun 2006 9:38:38 +0200

pike7.6 (7.6.79-1) unstable; urgency=low

  * The latest cvs snapshot

 -- Marek Habersack <email address hidden> Fri, 26 May 2006 8:03:10 +0200

pike7.6 (7.6.78-1) unstable; urgency=low

  * Release number bumped by export.pike.

 -- Marek Habersack <email address hidden> Fri, 26 May 2006 7:53:46 +0200

pike7.6 (7.6.77-1) unstable; urgency=low

  * The latest cvs snapshot

 -- Marek Habersack <email address hidden> Wed, 17 May 2006 10:58:45 +0200

pike7.6 (7.6.76-1) unstable; urgency=low

  * Release number bumped by export.pike.

 -- Marek Habersack <email address hidden> Wed, 17 May 2006 10:56:26 +0200

Martin Pitt (pitti) wrote :

pike7.6 is in main in Hoary only; all other pike versions, and pike7.6 in later Ubuntu releases, are in universe.

Martin Pitt (pitti) wrote :

reassigning edgy task for pike7.6, since this can be fixed with a sync.

Changed in pike7.6:
assignee: nobody → ubuntu-archive
Colin Watson (cjwatson) wrote :

[Updating] pike7.6 (7.6.75-3 [Ubuntu] < 7.6.87-2 [Debian])
 * Trying to add pike7.6...
  - <pike7.6_7.6.87-2.dsc: downloading from http://ftp.debian.org/debian/>
  - <pike7.6_7.6.87.orig.tar.gz: downloading from http://ftp.debian.org/debian/>
  - <pike7.6_7.6.87-2.diff.gz: downloading from http://ftp.debian.org/debian/>
I: pike7.6 [universe] -> pike7.6-image_7.6.75-3 [universe].
I: pike7.6 [universe] -> pike7.6-pg_7.6.75-3 [universe].
I: pike7.6 [universe] -> pike7.6-gtk_7.6.75-3 [universe].
I: pike7.6 [universe] -> pike7.6-reference_7.6.75-3 [universe].
I: pike7.6 [universe] -> pike7.6-manual_7.6.75-3 [universe].
I: pike7.6 [universe] -> pike7.6-svg_7.6.75-3 [universe].
I: pike7.6 [universe] -> pike7.6-sane_7.6.75-3 [universe].
I: pike7.6 [universe] -> pike7.6-core_7.6.75-3 [universe].
I: pike7.6 [universe] -> pike7.6-mysql_7.6.75-3 [universe].
I: pike7.6 [universe] -> pike7.6-gl_7.6.75-3 [universe].
I: pike7.6 [universe] -> pike7.6_7.6.75-3 [universe].
I: pike7.6 [universe] -> pike7.6-perl_7.6.75-3 [universe].
I: pike7.6 [universe] -> pike7.6-dev_7.6.75-3 [universe].
I: pike7.6 [universe] -> pike7.6-pcre_7.6.75-3 [universe].
I: pike7.6 [universe] -> pike7.6-meta_7.6.75-3 [universe].
I: pike7.6 [universe] -> pike7.6-gdbm_7.6.75-3 [universe].
I: pike7.6 [universe] -> pike7.6-doc_7.6.75-3 [universe].
I: pike7.6 [universe] -> pike7.6-sdl_7.6.75-3 [universe].
I: pike7.6 [universe] -> pike7.6-bzip2_7.6.75-3 [universe].
I: pike7.6 [universe] -> pike7.6-odbc_7.6.75-3 [universe].

Changed in pike7.6:
assignee: ubuntu-archive → kamion
status: Fix Committed → Fix Released
Martin Pitt (pitti)
Changed in pike7.6:
status: Confirmed → In Progress
Martin Pitt (pitti) wrote :

Fixed in USN-367-1.

Changed in pike7.6:
status: In Progress → Fix Released
Martin Pitt (pitti) wrote :

pike7.6 (7.6.61-1ubuntu2.1) dapper-security; urgency=low

  * SECURITY UPDATE: SQL injections were possible via the postgres module.
  * Add 'debian/patches/10_postgres_string_quoting.diff' to add string
    quoting.
  * References
    http://pike.ida.liu.se/development/cvs/pike.xml?between=2006-05-24&and=2006-06-07
    CVE-2006-4041

 -- Kees Cook <email address hidden> Tue, 17 Oct 2006 13:12:03 -0700

Changed in pike7.6:
status: Confirmed → Fix Released
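The Dapper changelog above describes the fix as adding string quoting in the postgres module. The following is an added illustration, not code from Pike or from the 10_postgres_string_quoting.diff patch, of what such quoting has to guarantee for PostgreSQL literals; the `users` table, the `name` column and the sample values are constructed for the example.

```python
# Added illustration of PostgreSQL string-literal quoting (not Pike's code).

def pg_quote_literal(value: str, standard_conforming_strings: bool = True) -> str:
    """Return `value` as one PostgreSQL string literal.

    With standard_conforming_strings=on (the default since PostgreSQL 9.1)
    only the single quote is special inside '...' and is escaped by doubling.
    Servers of this advisory's era (8.x) also treat backslash as an escape,
    so for them we emit the E'...' form and double backslashes as well.
    A NUL byte cannot be carried in a text literal at all, so it is rejected.
    """
    if "\x00" in value:
        raise ValueError("NUL byte not allowed in a PostgreSQL text literal")
    if standard_conforming_strings:
        return "'" + value.replace("'", "''") + "'"
    escaped = value.replace("\\", "\\\\").replace("'", "''")
    return "E'" + escaped + "'"


def unquoted_query(name: str) -> str:
    """The vulnerable pattern: raw interpolation. Any quote inside `name`
    terminates the literal and the remainder of `name` is parsed as SQL."""
    return "SELECT id FROM users WHERE name = '" + name + "'"


def quoted_query(name: str, standard_conforming_strings: bool = True) -> str:
    """The fixed pattern: every value goes through pg_quote_literal."""
    return "SELECT id FROM users WHERE name = " + pg_quote_literal(
        name, standard_conforming_strings)


def literal_count(sql: str) -> int:
    """Count '...' literals in `sql` (standard_conforming_strings=on rules,
    so a doubled quote stays inside the literal). Used as a check: a query
    that interpolates exactly one value must contain exactly one literal."""
    count, i, inside = 0, 0, False
    while i < len(sql):
        if sql[i] == "'":
            if inside and sql[i + 1:i + 2] == "'":
                i += 2  # doubled quote: still inside the same literal
                continue
            inside = not inside
            if inside:
                count += 1
        i += 1
    return count
```

Even a benign value such as O'Reilly splits the unquoted query into two literals with stray SQL between them, which is the same parsing failure an attacker-controlled value exploits.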
Launchpad Janitor (janitor) wrote :

[Expired for pike7.4 (Ubuntu) because there has been no activity for 60 days.]

Wouter Stomp (wouterstomp-deactivatedaccount) wrote :

Does this report need to stay open for 7.2?

Jamie Strandboge (jdstrand) wrote :

Pike 7.2 and 7.4 are still affected, and I have re-opened pike7.4.

Only packages in the 'main' repository will receive security updates from Canonical. These packages are currently included in the Ubuntu 'universe' repository, which is community supported. For more information, please see https://wiki.ubuntu.com/SecurityUpdateProcedures.

Changed in pike7.4:
status: Invalid → Confirmed
Colin Watson (cjwatson)
Changed in pike7.6:
assignee: kamion → nobody
William Grant (wgrant) wrote :

This bug's status can only be properly represented when bug #162411 is fixed. I've retitled this bug to indicate the true extent of the current infestation.

Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. This bug was reported
against a release of Ubuntu which has reached EOL (End of Life) and
is therefore no longer supported. As a result, this bug is being marked
"Won't Fix". Please see https://wiki.ubuntu.com/Releases for currently
supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Changed in pike7.2 (Ubuntu):
status: Confirmed → Won't Fix
Changed in pike7.4 (Ubuntu):
status: Confirmed → Won't Fix