58115 – postgresql : Multiple issues (5.2)

Bug 58115 - postgresql : Multiple issues (5.2)

Summary: postgresql : Multiple issues (5.2)

Status:	CLOSED FIXED

Alias:	None

Product:	UCS
Classification:	Unclassified
Component:	Security updates
Version:	UCS 5.2
Hardware:	Other Linux

Importance:	P3 normal
Target Milestone:	UCS 5.2-1-errata
Assignee:	Quality Assurance
QA Contact:	Felix Botner

URL:
Keywords:

Duplicates (1):	58100 (view as bug list)
Depends on:
Blocks:

Reported:	2025-03-25 08:25 CET by Felix Botner
Modified:	2025-04-17 12:00 CEST (History)
CC List:	2 users (show)

See Also:
What kind of report is it?:	Security Issue
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Customer ID:
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Felix Botner

2025-03-25 08:25:55 CET

New Debian postgresql 15.12-0+deb12u2 fixes:
This update addresses the following issues:
* postgresql: PostgreSQL quoting APIs miss neutralizing quoting syntax
  in text that fails encoding validation (CVE-2025-1094)

Comment 1 Quality Assurance

2025-03-25 13:30:59 CET

--- mirror/ftp/pool/main/p/postgresql-15/postgresql-15_15.10-0+deb12u1A~5.2.0.202412132346.dsc
+++ apt/ucs_5.2-0-errata5.2-1/source/postgresql-15_15.12-0+deb12u2A~5.2.1.202503241435.dsc
@@ -1,7 +1,65 @@
-15.10-0+deb12u1A~5.2.0.202412132346 [Fri, 13 Dec 2024 23:47:01 -0000] Univention builddaemon <buildd@univention.de>:
+15.12-0+deb12u2A~5.2.1.202503241435 [Mon, 24 Mar 2025 14:59:18 -0000] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
     00_version_bump.patch
+
+15.12-0+deb12u2 [Thu, 06 Mar 2025 11:38:37 +0100] Christoph Berg <myon@debian.org>:
+
+  * Grab base.tar.zst from failing 010_client_untar test on mipsel.
+
+15.12-0+deb12u1 [Tue, 18 Feb 2025 11:59:37 +0100] Christoph Berg <myon@debian.org>:
+
+  * New upstream version 15.12.
+
+    + Improve behavior of libpq's quoting functions (Andres Freund, Tom Lane)
+
+      The changes made for CVE-2025-1094 had one serious oversight:
+      PQescapeLiteral() and PQescapeIdentifier() failed to honor their string
+      length parameter, instead always reading to the input string's trailing
+      null.  This resulted in including unwanted text in the output, if the
+      caller intended to truncate the string via the length parameter.  With
+      very bad luck it could cause a crash due to reading off the end of
+      memory.
+
+      In addition, modify all these quoting functions so that when invalid
+      encoding is detected, an invalid sequence is substituted for just the
+      first byte of the presumed character, not all of it.  This reduces the
+      risk of problems if a calling application performs additional processing
+      on the quoted string.
+
+15.11-0+deb12u1 [Tue, 11 Feb 2025 11:27:41 +0100] Christoph Berg <myon@debian.org>:
+
+  * New upstream version 15.11.
+
+    + Harden PQescapeString and allied functions against invalidly-encoded
+      input strings (Andres Freund, Noah Misch)
+
+      Data-quoting functions supplied by libpq now fully check the encoding
+      validity of their input.  If invalid characters are detected, they
+      report an error if possible.  For the ones that lack an error return
+      convention, the output string is adjusted to ensure that the server will
+      report invalid encoding and no intervening processing will be fooled by
+      bytes that might happen to match single quote, backslash, etc.
+
+      The purpose of this change is to guard against SQL-injection attacks
+      that are possible if one of these functions is used to quote crafted
+      input.  There is no hazard when the resulting string is sent directly to
+      a PostgreSQL server (which would check its encoding anyway), but there
+      is a risk when it is passed through psql or other client-side code.
+      Historically such code has not carefully vetted encoding, and in many
+      cases it's not clear what it should do if it did detect such a problem.
+
+      This fix is effective only if the data-quoting function, the server, and
+      any intermediate processing agree on the character encoding that's being
+      used.  Applications that insert untrusted input into SQL commands should
+      take special care to ensure that that's true.
+
+      Applications and drivers that quote untrusted input without using these
+      libpq functions may be at risk of similar problems.  They should first
+      confirm the data is valid in the encoding expected by the server.
+
+      The PostgreSQL Project thanks Stephen Fewer for reporting this problem.
+      (CVE-2025-1094)
 
 15.10-0+deb12u1 [Tue, 19 Nov 2024 15:36:12 +0100] Christoph Berg <myon@debian.org>:
 

<http://piuparts.knut.univention.de/5.2-1/#8934948272454999217>

Comment 2 Felix Botner

2025-03-25 14:34:13 CET

OK: bug
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.2-1] d0130c42189 Bug #58115: postgresql 15.12-0+deb12u
 doc/errata/staging/postgresql-15.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

[5.2-1] c3381451e10 Bug #58115: postgresql 15.12-0+deb12u
 doc/errata/staging/postgresql-15.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

Comment 3 Felix Botner

2025-03-26 16:47:10 CET

<https://errata.software-univention.de/#/?erratum=5.2x49>

Comment 4 Felix Botner

2025-04-17 12:00:53 CEST

*** Bug 58100 has been marked as a duplicate of this bug. ***