[USN-870-1] PyGreSQL vulnerability
===========================================================
Ubuntu Security Notice USN-870-1          December 11, 2009
pygresql vulnerability
CVE-2009-2940
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
 python-pygresql                 1:3.8.1-2ubuntu0.1

Ubuntu 8.10:
 python-pygresql                 1:3.8.1-3ubuntu0.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Steffen Joeris discovered that PyGreSQL 3.8 did not use PostgreSQL's
connection-aware escaping functions (PQescapeStringConn and
PQescapeByteaConn) in its own escaping functions. As a result, applications
that rely on PyGreSQL's escaping functions are vulnerable to SQL injection
when processing certain multi-byte character sequences: an escaper that does
not know the connection's client encoding can be tricked into inserting an
escape byte that completes a multi-byte character, leaving the following
quote unescaped. The safe functions require a database connection, because
the connection is what knows the client encoding, so the module-level
functions could not simply be fixed in place. To maintain backwards
compatibility, pg.escape_string() and pg.escape_bytea() are still
available, but applications have to be adjusted to use the new
connection-object methods, connection.escape_string() and
connection.escape_bytea(). For example, code containing:

 import pg
 connection = pg.connect(...)
 # Module-level escaping: has no connection, so it cannot know the
 # client encoding and is unsafe with certain multi-byte sequences.
 escaped = pg.escape_string(untrusted_input)

should be adjusted to use:

 import pg
 connection = pg.connect(...)
 # Connection-level escaping: escapes according to the connection's
 # client encoding. Use connection.escape_bytea() for bytea values.
 escaped = connection.escape_string(untrusted_input)
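The following is an added illustration of why the connection matters; it is not PyGreSQL's or PostgreSQL's code. Two toy escapers model the two designs the advisory contrasts: one that works on raw bytes with no connection to consult (the old module-level functions) and one that knows the client encoding (the new connection methods). A toy lexer then shows how the server would read the resulting literal. The 'gbk' client encoding, the attacker input and the query tail are all constructed for the demonstration.

```python
"""Why an escaping function has to know the connection's client encoding.

Added example for USN-870-1; not PyGreSQL's or PostgreSQL's code.  The
encodings, inputs and query fragments below are constructed for the demo.
"""

# Constructed SQL that follows the escaped value in the query being built.
QUERY_TAIL = b"' AND deleted = 0"


def naive_escape(raw):
    """Byte-oriented escaper with no knowledge of the client encoding.

    Backslash-escapes every 0x27 (') and 0x5C (\\) byte it sees, which is
    all an escaper can do when it has no connection to ask for its encoding.
    """
    out = bytearray()
    for byte in raw:
        if byte in (0x27, 0x5C):
            out.append(0x5C)
        out.append(byte)
    return bytes(out)


def connection_aware_escape(raw, client_encoding):
    """Escaper that knows the client encoding, like the connection methods.

    Decodes first, so a quote byte can never be swallowed as the trail byte
    of a multi-byte character, and rejects input that is not valid in the
    encoding instead of forwarding it.  Quotes are doubled (standard SQL),
    so no backslash is ever introduced.
    """
    try:
        text = raw.decode(client_encoding)
    except UnicodeDecodeError as exc:
        raise ValueError("input is not valid %s: %s" % (client_encoding, exc))
    return text.replace("'", "''").encode(client_encoding)


def server_view(escaped, client_encoding):
    """Lex a quoted literal the way the server reads it in client_encoding.

    Returns (literal_body, remaining_sql).  Backslash escapes are honoured
    (standard_conforming_strings = off, the PostgreSQL 8.x default), as is
    the doubled quote.
    """
    text = (b"'" + escaped + QUERY_TAIL).decode(client_encoding, "replace")
    body = []
    i = 1
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            body.append(text[i + 1])
            i += 2
        elif ch == "'" and i + 1 < len(text) and text[i + 1] == "'":
            body.append("'")
            i += 2
        elif ch == "'":
            return "".join(body), text[i + 1:]
        else:
            body.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


def injected(remaining_sql):
    """True if anything beyond the expected tail was parsed as SQL."""
    return remaining_sql != QUERY_TAIL[1:].decode("ascii")


def demonstrate():
    """Run the scenarios and return their outcomes keyed by name."""
    # Constructed attacker input: an orphan GBK lead byte before the quote.
    # 0xBF 0x27 is not valid GBK, but 0xBF 0x5C (lead byte + backslash) is.
    gbk_attack = b"\xbf' OR 1=1 --"
    results = {}

    # 1. Byte-level escaping, GBK client: the inserted backslash completes a
    #    two-byte character and the quote survives unescaped.
    _, rest = server_view(naive_escape(gbk_attack), "gbk")
    results["naive_gbk_injected"] = injected(rest)

    # 2. Same escaper, UTF-8 client: no trail byte can be 0x5C, so it holds.
    utf8_input = "\u00e9' OR 1=1".encode("utf-8")
    _, rest = server_view(naive_escape(utf8_input), "utf-8")
    results["naive_utf8_injected"] = injected(rest)

    # 3. Connection-aware escaping: malformed GBK is rejected outright, and
    #    well-formed GBK containing a quote is escaped without a backslash.
    try:
        connection_aware_escape(gbk_attack, "gbk")
        results["aware_rejects_malformed"] = False
    except ValueError:
        results["aware_rejects_malformed"] = True
    valid_gbk = "\u5f20' OR 1=1".encode("gbk")
    body, rest = server_view(connection_aware_escape(valid_gbk, "gbk"), "gbk")
    results["aware_gbk_injected"] = injected(rest)
    results["aware_gbk_body"] = body
    return results


if __name__ == "__main__":
    for key, value in sorted(demonstrate().items()):
        print("%-25s %r" % (key, value))
```

The contrast between scenarios 1 and 2 is the point of the advisory's "certain multi-byte character sequences": the byte-level escaper is fine under UTF-8, whose continuation bytes are never 0x5C, and fails under GBK, where a trail byte may be 0x5C. Only code that knows which encoding the connection uses can tell the two cases apart, which is why the fixed escaping functions live on the connection object.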