Your message dated Sun, 6 May 2012 09:20:29 +0200
with message-id <20120506072029.ga8...@smithers.snow-crash.org>
and subject line Re: Bug#641684: Quote character not escaped correctly for 
Postgresql
has caused the Debian Bug report #641684,
regarding Quote character not escaped correctly for Postgresql
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
641684: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=641684
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: icinga-idoutils
Version: 1.5.1-1
Severity: normal

IDO utils is incorrectly escaping characters such as ' for postgresql.

From the postgresql logs (running 9.1):
2011-09-15 17:12:18 EST ERROR:  syntax error at or near "5" at character 184
2011-09-15 17:12:18 EST STATEMENT:  UPDATE icinga_servicestatus SET
instance_id=1, service_object_id=201,
status_update_time=FROM_UNIXTIME(1316070738), output='CPU Load 22% (5
min average)', long_output='', perfdata='\'5 min avg
Load\'=22%;80;90;0;100', current_state=0, has_been_checked=1,
should_be_scheduled=1, current_check_attempt=1, max_check_attempts=4,
last_check=FROM_UNIXTIME(1316070728),
next_check=FROM_UNIXTIME(1316071028), check_type=0,
last_state_change=FROM_UNIXTIME(1315926986),
last_hard_state_change=FROM_UNIXTIME(1315816267), last_hard_state=0,
last_time_ok=FROM_UNIXTIME(1316070728),
last_time_warning=FROM_UNIXTIME(1315926926),
last_time_unknown=FROM_UNIXTIME(0),
last_time_critical=FROM_UNIXTIME(1315815967), state_type=1,
last_notification=FROM_UNIXTIME(0),
next_notification=FROM_UNIXTIME(0), no_more_notifications=0,
notifications_enabled=1, problem_has_been_acknowledged=0,
acknowledgement_type=0, current_notification_number=0,
passive_checks_enabled=1, active_checks_enabled=1,
event_handler_enabled=1, flap_detection_enabled=1, is_flapping=0,
percent_state_change='0.000000', latency='0.816000',
execution_time='0.190820', scheduled_downtime_depth=0,
failure_prediction_enabled=1, process_performance_data=1,
obsess_over_service=1, modified_service_attributes=0,
event_handler='', check_command='my_check_nt!CPULOAD!-l 5,80,90',
normal_check_interval='5.000000', retry_check_interval='1.000000',
check_timeperiod_object_id=174 WHERE service_object_id=201

Running the command manually, sanitized and a few minutes after the logged run:
> /usr/lib/nagios/plugins/check_nt -H ###.###.###.### -v CPULOAD -l 5,80,90 -s 
> XXXX -p 12489
CPU Load 21% (5 min average) |   '5 min avg Load'=21%;80;90;0;100

Browsing the source it looks like escaping is done in db.c:2335
ido2db_db_escape_string() by adding a \ in front of a ' character,
which is causing the problems; I believe postgresql wants a '' instead
of a \'.

It should however be done properly using libpq's PQescapeLiteral.  It
also protects against multibyte SQL injection attacks that the
previous method doesn't.  Chris Shiflett did a decent writeup of this
problem several years ago [1], the vulnerability looks to extend to
all the databases in use.

[1]: 
http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string


David

-- System Information:
Debian Release: wheezy/sid
  APT prefers stable
  APT policy: (800, 'stable'), (750, 'testing'), (600, 'unstable'),
(500, 'oldstable'), (150, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.39+ (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages icinga-idoutils depends on:
ii  dbconfig-common            1.8.47        common framework for packaging dat
ii  debconf [debconf-2.0]      1.5.36.1      Debian configuration management sy
ii  icinga-common              1.5.1-1       host and network monitoring system
ii  libc6                      2.13-18       Embedded GNU C Library: Shared lib
ii  libdbd-mysql               0.8.3-1+s-2.1 MySQL database server driver for l
ii  libdbd-pgsql               0.8.3-1+s-2.1 PostgreSQL database server driver
ii  libdbi1                    0.8.4-5.1     DB Independent Abstraction Layer f
ii  lsb-base                   3.2-28        Linux Standard Base 3.2 init scrip
ii  ucf                        3.0025+nmu2   Update Configuration File: preserv

Versions of packages icinga-idoutils recommends:
ii  mysql-client-5.1 [mysql-clien 5.1.49-3   MySQL database client binaries
ii  postgresql-client             9.1+121    front-end programs for PostgreSQL
ii  postgresql-client-9.0 [postgr 9.0.4-2    front-end programs for PostgreSQL
ii  postgresql-client-9.1 [postgr 9.1~rc1-3  front-end programs for PostgreSQL

icinga-idoutils suggests no packages.

-- debconf information:
  icinga-idoutils/dbconfig-upgrade: true
  icinga-idoutils/mysql/method: unix socket
  icinga-idoutils/db/dbname: icinga
  icinga-idoutils/dbconfig-remove:
  icinga-idoutils/missing-db-package-error: abort
  icinga-idoutils/install-error: retry
  icinga-idoutils/pgsql/authmethod-admin: ident
  icinga-idoutils/pgsql/admin-user: postgres
  icinga-idoutils/internal/reconfiguring: false
  icinga-idoutils/purge: false
  icinga-idoutils/pgsql/changeconf: false
  icinga-idoutils/db/basepath:
  icinga-idoutils/database-type: pgsql
  icinga-idoutils/upgrade-error: abort
  icinga-idoutils/pgsql/method: unix socket
  icinga-idoutils/remote/port:
  icinga-idoutils/internal/skip-preseed: true
  icinga-idoutils/dbconfig-reinstall: false
  icinga-idoutils/upgrade-backup: true
  icinga-idoutils/remove-error: abort
* icinga-idoutils/dbconfig-install: false
  icinga-idoutils/pgsql/manualconf:
  icinga-idoutils/passwords-do-not-match:
  icinga-idoutils/pgsql/authmethod-user: password
  icinga-idoutils/pgsql/no-empty-passwords:
  icinga-idoutils/db/app-user: icingaidoutils
  icinga-idoutils/remote/host:
  icinga-idoutils/mysql/admin-user: root
  icinga-idoutils/remote/newhost:



--- End Message ---
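The parse failure David describes can be reproduced without a database. The following is an added example, not code from ido2db or libpq: `escape_backslash()` is a reconstruction of the behaviour the report attributes to `ido2db_db_escape_string()` (a backslash before each quote), `escape_standard()` does the SQL-standard quote doubling, and `literal_end_std()` models how a PostgreSQL server with standard_conforming_strings=on (the 9.1 default) finds the end of a '...' literal. Fed the perfdata value from the log, the backslash variant ends the literal after `\` and hands the parser `5 min avg Load...`, which is exactly the "syntax error at or near "5"" in the report; the doubled variant is consumed whole. The simulation works on bytes and does not model client encodings, so it says nothing about the multibyte case; that is precisely why the fix belongs in the connection-aware `PQescapeLiteral()` rather than in a hand-rolled loop.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample input: the perfdata value from the bug report. */
static const char *SAMPLE_PERFDATA = "'5 min avg Load'=22%;80;90;0;100";

static char *dupstr(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* Backslash escaping as the report describes ido2db_db_escape_string():
 * a \ is put in front of every '. Hypothetical reconstruction from the
 * report's wording, not the project's code. Caller frees the result. */
char *escape_backslash(const char *in) {
    char *out = malloc(2 * strlen(in) + 1), *p = out;
    if (!out) return NULL;
    for (; *in; in++) {
        if (*in == '\'') *p++ = '\\';
        *p++ = *in;
    }
    *p = '\0';
    return out;
}

/* SQL-standard escaping: every ' is doubled, backslash stays literal.
 * This is what a '...' literal needs when standard_conforming_strings
 * is on. Caller frees the result. */
char *escape_standard(const char *in) {
    char *out = malloc(2 * strlen(in) + 1), *p = out;
    if (!out) return NULL;
    for (; *in; in++) {
        if (*in == '\'') *p++ = '\'';
        *p++ = *in;
    }
    *p = '\0';
    return out;
}

/* Byte index of the quote that closes a standard-conforming literal whose
 * body starts at sql[0] (opening quote already consumed), or -1 if none:
 * '' is an embedded quote, any other ' terminates, \ means nothing. */
int literal_end_std(const char *sql) {
    for (size_t i = 0; sql[i]; i++) {
        if (sql[i] != '\'') continue;
        if (sql[i + 1] == '\'') { i++; continue; }
        return (int)i;
    }
    return -1;
}

/* Server-side view of perfdata='<escaped>': returns a malloc'd copy of the
 * text the parser sees after the literal ends. "" means the whole value was
 * consumed as one string; anything else gets parsed as SQL tokens. */
char *leftover_after_literal(const char *escaped) {
    size_t n = strlen(escaped);
    char *sql = malloc(n + 2);
    if (!sql) return NULL;
    memcpy(sql, escaped, n);
    sql[n] = '\'';          /* the closing quote the caller appends */
    sql[n + 1] = '\0';
    int end = literal_end_std(sql);
    char *rest = dupstr(end < 0 ? "<unterminated literal>" : sql + end + 1);
    free(sql);
    return rest;
}

int main(void) {
    char *bad = escape_backslash(SAMPLE_PERFDATA);
    char *good = escape_standard(SAMPLE_PERFDATA);
    char *bad_rest = leftover_after_literal(bad);
    char *good_rest = leftover_after_literal(good);
    printf("backslash: perfdata='%s'\n  parser continues at: \"%s\"\n", bad, bad_rest);
    printf("standard:  perfdata='%s'\n  parser continues at: \"%s\"\n", good, good_rest);
    free(bad); free(good); free(bad_rest); free(good_rest);
    return 0;
}
```

The same value that breaks the statement is also the attacker's entry point: whatever a check plugin prints after the `|` lands, unescaped in effect, in the middle of an UPDATE. With standard_conforming_strings off (pre-9.1 defaults) the backslash form would have been accepted, which is why the bug surfaced only with 9.1.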
--- Begin Message ---
David Tulloh schrieb am Thursday, den 15. September 2011:

> Package: icinga-idoutils
> Version: 1.5.1-1
> Severity: normal
> 
> IDO utils is incorrectly escaping characters such as ' for postgresql.
> 
> From the postgresql logs (running 9.1):
> 2011-09-15 17:12:18 EST ERROR:  syntax error at or near "5" at character 184
> 2011-09-15 17:12:18 EST STATEMENT:  UPDATE icinga_servicestatus SET
> instance_id=1, service_object_id=201,
> status_update_time=FROM_UNIXTIME(1316070738), output='CPU Load 22% (5
> min average)', long_output='', perfdata='\'5 min avg
> Load\'=22%;80;90;0;100', current_state=0, has_been_checked=1,
> should_be_scheduled=1, current_check_attempt=1, max_check_attempts=4,
> last_check=FROM_UNIXTIME(1316070728),
> next_check=FROM_UNIXTIME(1316071028), check_type=0,
> last_state_change=FROM_UNIXTIME(1315926986),
> last_hard_state_change=FROM_UNIXTIME(1315816267), last_hard_state=0,
> last_time_ok=FROM_UNIXTIME(1316070728),
> last_time_warning=FROM_UNIXTIME(1315926926),
> last_time_unknown=FROM_UNIXTIME(0),
> last_time_critical=FROM_UNIXTIME(1315815967), state_type=1,
> last_notification=FROM_UNIXTIME(0),
> next_notification=FROM_UNIXTIME(0), no_more_notifications=0,
> notifications_enabled=1, problem_has_been_acknowledged=0,
> acknowledgement_type=0, current_notification_number=0,
> passive_checks_enabled=1, active_checks_enabled=1,
> event_handler_enabled=1, flap_detection_enabled=1, is_flapping=0,
> percent_state_change='0.000000', latency='0.816000',
> execution_time='0.190820', scheduled_downtime_depth=0,
> failure_prediction_enabled=1, process_performance_data=1,
> obsess_over_service=1, modified_service_attributes=0,
> event_handler='', check_command='my_check_nt!CPULOAD!-l 5,80,90',
> normal_check_interval='5.000000', retry_check_interval='1.000000',
> check_timeperiod_object_id=174 WHERE service_object_id=201
> 
> Running the command manually, sanitized and a few minutes after the logged 
> run:
> > /usr/lib/nagios/plugins/check_nt -H ###.###.###.### -v CPULOAD -l 5,80,90 
> > -s XXXX -p 12489
> CPU Load 21% (5 min average) |   '5 min avg Load'=21%;80;90;0;100
> 
> Browsing the source it looks like escaping is done in db.c:2335
> ido2db_db_escape_string() by adding a \ in front of a ' character,
> which is causing the problems; I believe postgresql wants a '' instead
> of a \'.
> 
> It should however be done properly using libpq's PQescapeLiteral.  It
> also protects against multibyte SQL injection attacks that the
> previous method doesn't.  Chris Shiflett did a decent writeup of this
> problem several years ago [1], the vulnerability looks to extend to
> all the databases in use.
> 
> [1]: 
> http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
 
This bug will be finally fixed in 1.7.0, but with my last upload I created a
workaround. Therefore I close this bug now. If you find other PostgreSQL-related
problems, please come back.

Thanks
Alex



--- End Message ---