Your message dated Mon, 08 Aug 2022 13:34:59 +0000
with message-id <[email protected]>
and subject line Bug#1016662: fixed in libpgjava 42.4.1-1
has caused the Debian Bug report #1016662,
regarding libpgjava: CVE-2022-31197: SQL Injection in ResultSet.refreshRow()
with malicious column names
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1016662: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016662
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libpgjava
Version: 42.4.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libpgjava.
CVE-2022-31197[0]:
| PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to
| connect to a PostgreSQL database using standard, database independent
| Java code. The PGJDBC implementation of the
| `java.sql.ResultRow.refreshRow()` method is not performing escaping of
| column names so a malicious column name that contains a statement
| terminator, e.g. `;`, could lead to SQL injection. This could lead to
| executing additional SQL commands as the application's JDBC user. User
| applications that do not invoke the `ResultSet.refreshRow()` method
| are not impacted. User applications that do invoke that method are
| impacted if the underlying database that they are querying via their
| JDBC application may be under the control of an attacker. The attack
| requires the attacker to trick the user into executing SQL against a
| table name whose column names would contain the malicious SQL and
| subsequently invoke the `refreshRow()` method on the ResultSet. Note
| that the application's JDBC user and the schema owner need not be the
| same. A JDBC application that executes as a privileged user querying
| database schemas owned by potentially malicious less-privileged users
| would be vulnerable. In that situation it may be possible for the
| malicious user to craft a schema that causes the application to
| execute commands as the privileged user. Patched versions will be
| released as `42.2.26` and `42.4.1`. Users are advised to upgrade.
| There are no known workarounds for this issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-31197
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31197
[1] https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2
https://github.com/pgjdbc/pgjdbc/commit/739e599d52ad80f8dcd6efedc6157859b1a9d637
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libpgjava
Source-Version: 42.4.1-1
Done: Christoph Berg <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libpgjava, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christoph Berg <[email protected]> (supplier of updated libpgjava package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 08 Aug 2022 14:53:28 +0200
Source: libpgjava
Architecture: source
Version: 42.4.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Christoph Berg <[email protected]>
Closes: 1016662
Changes:
libpgjava (42.4.1-1) unstable; urgency=medium
.
* New upstream version 42.4.1
.
Fixes SQL generated in PgResultSet.refresh() to escape column identifiers
so as to prevent SQL injection.
(Closes: #1016662, CVE-2022-31197, reported by Sho Kato)
.
Previously, the column names for both key and data columns in the table
were copied as-is into the generated SQL. This allowed a malicious table
with column names that include a statement terminator to be parsed and
executed as multiple separate commands.
--- End Message ---
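Added example, not PgJDBC's own code nor part of the report above: it contrasts the pre-42.4.1 shape of the refreshRow() SELECT, where column names were copied verbatim, with the fixed shape where every identifier is quoted. The class, helper names, table name and the column name carrying a `;` are all constructed for illustration.

```java
import java.util.List;

// Constructed example: why unquoted identifiers in a generated SELECT are
// an injection vector, and how PostgreSQL identifier quoting closes it.
public final class RefreshRowQuoting {

    /** Quote a PostgreSQL identifier: wrap in double quotes, double any embedded quote. */
    static String quoteIdentifier(String name) {
        if (name.indexOf('\0') >= 0) {
            // NUL cannot appear in a PostgreSQL identifier; refuse rather than truncate.
            throw new IllegalArgumentException("identifier contains NUL");
        }
        return "\"" + name.replace("\"", "\"\"") + "\"";
    }

    /** Vulnerable shape (CVE-2022-31197): identifiers concatenated as-is. */
    static String buildRefreshUnsafe(String table, List<String> dataCols, String keyCol) {
        return "SELECT " + String.join(", ", dataCols)
                + " FROM " + table + " WHERE " + keyCol + " = ?";
    }

    /** Fixed shape: every key and data column, and the table, pass through quoteIdentifier(). */
    static String buildRefreshSafe(String table, List<String> dataCols, String keyCol) {
        StringBuilder sb = new StringBuilder("SELECT ");
        for (int i = 0; i < dataCols.size(); i++) {
            if (i > 0) {
                sb.append(", ");
            }
            sb.append(quoteIdentifier(dataCols.get(i)));
        }
        sb.append(" FROM ").append(quoteIdentifier(table))
          .append(" WHERE ").append(quoteIdentifier(keyCol)).append(" = ?");
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed column name containing a statement terminator, as the advisory describes.
        String hostileColumn = "name; SELECT 1";
        List<String> cols = List.of("id", hostileColumn);

        // Unsafe: the ';' inside the column name ends the SELECT early, so the
        // server sees two statements instead of one.
        System.out.println(buildRefreshUnsafe("t", cols, "id"));

        // Safe: the same name is a single quoted identifier; the ';' is just
        // part of the column's name and the statement stays a single SELECT.
        System.out.println(buildRefreshSafe("t", cols, "id"));
    }
}
```

Applications that never call `ResultSet.refreshRow()` do not exercise this code path; those that do should move to 42.2.26 or 42.4.1, where upstream applied equivalent quoting inside the driver.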