by sgift 4821 days ago
Just from the quote cited by octo_t I would read that you are still vulnerable: A malicious database user could craft a _connection string_ which contains a database name starting with -. There's no hint that the database has to exist on your server for this to work, so I would read it could be a completely bogus request and still damage your files.
1 comments

/* Is this all it takes? */

PQconnectdb("host=127.0.0.1 dbname=-exploit user=postgres password=postgres port=5432");

Yes, but that wouldn't do anything harmful. Something like dbname="-r /var/lib/postgresql/9.1/main/pg_clog/0000" would be required to cause any harm. I have not tested it in practice but that should cause the server to overwrite the file with log output.

EDIT: They are not overwritten but just appended to.
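
The check below is an added example, not code from this thread or from PostgreSQL: an application that builds libpq connection strings from user-supplied database names can refuse any `dbname` value that begins with `-` before calling `PQconnectdb`. The helper name `dbname_starts_with_dash` is hypothetical, and the parser assumes the keyword=value conninfo form (single-quoted values, backslash escapes, last duplicate keyword wins); it does not change how the server treats the name.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not part of libpq): scan a keyword=value conninfo
 * string and report whether the effective dbname value begins with '-'.
 * Returns 1 = reject, 0 = acceptable, -1 = malformed string. */
int dbname_starts_with_dash(const char *s)
{
    int flagged = 0;
    while (*s) {
        while (isspace((unsigned char)*s)) s++;
        if (!*s) break;

        const char *key = s;
        while (*s && *s != '=' && !isspace((unsigned char)*s)) s++;
        size_t klen = (size_t)(s - key);
        while (isspace((unsigned char)*s)) s++;
        if (*s != '=') return -1;             /* keyword without '=' */
        s++;
        while (isspace((unsigned char)*s)) s++;

        /* Decode only the first character of the value, skip the rest. */
        int quoted = (*s == '\'');
        if (quoted) s++;
        char first = 0;
        int seen = 0;
        for (;;) {
            if (!*s) { if (quoted) return -1; break; }  /* unterminated quote */
            if (quoted ? *s == '\'' : isspace((unsigned char)*s)) {
                if (quoted) s++;              /* consume the closing quote */
                break;
            }
            if (*s == '\\' && s[1]) s++;      /* backslash escapes next char */
            if (!seen) { first = *s; seen = 1; }
            s++;
        }
        if (klen == 6 && strncmp(key, "dbname", 6) == 0)
            flagged = (first == '-');         /* assumed: last dbname wins */
    }
    return flagged;
}

int main(void)
{
    /* The connection string quoted in the thread above. */
    const char *c = "host=127.0.0.1 dbname=-exploit user=postgres password=postgres port=5432";
    printf("%s\n", dbname_starts_with_dash(c) == 1 ? "rejected" : "accepted");
    return 0;
}
```

Treat a return of -1 as a rejection too, so a string the check cannot parse is never handed on.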