PT-2009-5288 · Pygresql · Pygresql

Steffen Joeris · Published 2009-10-22 · Updated 2022-05-02 · CVE-2009-2940

CVSS v2.0: 7.5 (High) · Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: PyGreSQL versions 3.8.1 and 4.0
Description: The issue arises from improper support of the PQescapeStringConn function in the pygresql module, potentially allowing remote attackers to exploit escaping issues involving multibyte character encodings. This can lead to SQL injection when certain multibyte character sequences are processed. The root cause is that PyGreSQL's own escaping functions do not use PostgreSQL's connection-aware safe string and bytea escaping functions.
Recommendations: For PyGreSQL versions 3.8.1 and 4.0, adjust applications to use the new connection.escape_string() and connection.escape_bytea() methods instead of pg.escape_string() and pg.escape_bytea().

Fix

SQL injection


Weakness Enumeration

Related identifiers

CVE-2009-2940
DSA-1911-1
GHSA-XV6X-43GQ-4HFJ
PYSEC-2009-18

Affected products

Pygresql