[php-maint] Bug#554684: php5-pgsql: Suhosin alerts about heap overflows
Gunnar Wolf
gwolf at gwolf.org
Thu Nov 5 22:34:03 UTC 2009
Package: php5-pgsql
Version: 5.2.6.dfsg.1-1+lenny3
Severity: serious
Tags: security
I am not sure of the impact of this bug, but if the main PHP escaping
function for PostgreSQL is mis-escaping strings, it can
_quite_probably_ be a serious security bug. Feel free to adjust
severity.
I have been getting the following message on my Apache logs:
[error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
Note that 132.248.72.141 is the same server where this is reported,
and lines 363-365 of the reported file are:
function db_escape_string($text) {
return pg_escape_string($text);
}
I cannot establish what user action is causing this to be triggered,
but -having a very limited dataset to judge from- its frequency has
been slightly increasing since I first detected it (August 18) - From
two weeks between first and second sight to about once a day.
I am looking at log files starting in early August. I am attaching
here (filename: alerts) the output of:
( zcat error.log.{18,17,16,15,14,13,12,11,10,9,8,7,6,5,4,3,2}.gz; cat error.log{.1,} ) | grep ALERT
The times of the log messages roughly match comment additions on the
Drupal system in question (which was completely open to spammers and I
have just closed for comments). I am attaching also a comment example
(filename: spammy) where the timestamp is closest to the latest
event - It does not look atypical in any way, but the result might
have not been properly received...
...Hmm, thinking it over, I found this in the PostgreSQL log at
the right time:
2009-11-04 06:25:29 CST [30578]LOG: connection received: host=127.0.0.1 port=39334
2009-11-04 06:25:29 CST [30578]LOG: connection authorized: user=drupal_obela database=drupal_obela
2009-11-04 06:25:29 CST [30578]WARNING: nonstandard use of \\ in a string literal at character 25
2009-11-04 06:25:29 CST [30578]HINT: Use the escape string syntax for backslashes, e.g., E'\\'.
2009-11-04 06:25:29 CST [30578]WARNING: nonstandard use of \\ in a string literal at character 90
2009-11-04 06:25:29 CST [30578]HINT: Use the escape string syntax for backslashes, e.g., E'\\'.
And yes, that would support my theory that pg_escape_string is
failing to escape _something_.
Thanks,
-- System Information:
Debian Release: 5.0.3
APT prefers stable
APT policy: (900, 'stable'), (200, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages php5-pgsql depends on:
ii libapache2-mod-php 5.2.6.dfsg.1-1+lenny3 server-side, HTML-embedded scripti
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libpq5 8.3.8-0lenny1 PostgreSQL C client library
ii php5-cgi [phpapi-2 5.2.6.dfsg.1-1+lenny3 server-side, HTML-embedded scripti
ii php5-cli [phpapi-2 5.2.6.dfsg.1-1+lenny3 command-line interpreter for the p
ii php5-common 5.2.6.dfsg.1-1+lenny3 Common files for packages built fr
php5-pgsql recommends no packages.
php5-pgsql suggests no packages.
-- no debconf information
-------------- next part (attachment: spammy) --------------
# SELECT * from comments where timestamp > 1257337500 and timestamp < 1257337600;
cid | pid | nid | uid | subject | comment | hostname | timestamp | status | format | thread | name | mail | homepage
-------+-----+-----+-----+------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------+------------+--------+--------+--------+------+------+----------
91845 | 0 | 348 | 0 | YnRFrcYXCSacEMRs | Thank you for this article. <a href="http://thedigitallifestyle.com/cs/members/skimtube-skimtube-penny-porsche/default.aspx">penny porsche skimtube</a> beepgirl <a href="http://thedigitallifestyle.com/cs/members/tehvids-tehvid/default.aspx">tehvids</a> jimboy <a href="http://thedigitallifestyle.com/cs/members/tiava-ask-tiava/default.aspx">tiava tube isis love</a> tunquelen | 94.102.63.32 | 1257337537 | 0 | 1 | 21ti/ | | |
(1 row)
-------------- next part (attachment: alerts) --------------
[Tue Aug 18 04:25:04 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Mon Sep 28 06:05:04 2009] [error] [client 132.248.72.141] ALERT - linked list corrupt on efree() - heap corruption detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.inc', line 205)
[Tue Sep 29 01:05:02 2009] [error] [client 132.248.72.141] ALERT - linked list corrupt on efree() - heap corruption detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 138)
[Tue Sep 29 10:04:44 2009] [error] [client 132.248.72.141] ALERT - linked list corrupt on efree() - heap corruption detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.inc', line 205)
[Fri Oct 02 04:05:05 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Mon Oct 05 03:04:47 2009] [error] [client 132.248.72.141] ALERT - linked list corrupt on efree() - heap corruption detected (attacker '132.248.72.141', file '/usr/share/drupal6/modules/search/search.module', line 292)
[Wed Oct 07 02:05:13 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Sun Oct 11 08:24:50 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Mon Oct 12 03:04:59 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Wed Oct 14 13:06:30 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Fri Oct 16 12:25:27 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Fri Oct 16 21:04:43 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Sun Oct 18 09:05:15 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Mon Oct 19 06:04:32 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Tue Oct 20 02:24:29 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Thu Oct 22 02:24:27 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Sun Nov 01 01:04:52 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Tue Nov 03 07:05:43 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Wed Nov 04 06:25:21 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
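The report's pipeline (`zcat ... | grep ALERT`) only lists the alerts; what a responder actually wants to know is which file:line is the hot spot, whether the gap between hits is really shrinking, and whether the "attacker" field ever names anything other than the server itself. The script below is an added example written for this page, not code from the bug report, from Suhosin or from php5-pgsql. Its sample input reuses six alert lines from the "alerts" attachment above plus one constructed non-ALERT line (to show it is skipped); the `own_hosts` list passed to `foreign_attackers` is an assumption standing in for whatever addresses the server is known to use.

```python
"""Triage Suhosin ALERT lines from an Apache error log (added example)."""
import re
from collections import Counter
from datetime import datetime

# One Apache error-log line carrying a Suhosin alert looks like:
# [Tue Aug 18 04:25:04 2009] [error] [client A] ALERT - <text> (attacker 'A', file '<path>', line N)
ALERT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"ALERT - (?P<alert>.+?) "
    r"\(attacker '(?P<attacker>[^']+)', file '(?P<file>[^']+)', line (?P<line>\d+)\)"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # Apache's asctime-style timestamp

# Sample input: six alert lines taken from the report's "alerts" attachment,
# plus one constructed non-ALERT line that the parser must ignore.
SAMPLE_LOG = """\
[Tue Aug 18 04:25:04 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Mon Sep 28 06:05:04 2009] [error] [client 132.248.72.141] ALERT - linked list corrupt on efree() - heap corruption detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.inc', line 205)
[Fri Oct 02 04:05:05 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Mon Oct 05 03:04:47 2009] [error] [client 132.248.72.141] ALERT - linked list corrupt on efree() - heap corruption detected (attacker '132.248.72.141', file '/usr/share/drupal6/modules/search/search.module', line 292)
[Tue Nov 03 07:05:43 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Wed Nov 04 06:25:21 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Wed Nov 04 06:25:22 2009] [error] [client 10.0.0.5] File does not exist: /var/www/favicon.ico
"""


def parse_alert(line):
    """Return a dict for a Suhosin ALERT line, or None for any other line."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["line"] = int(rec["line"])
    return rec


def parse_log(text):
    """Parse a whole log, keeping only the alert records."""
    return [r for r in (parse_alert(l) for l in text.splitlines()) if r]


def by_location(events):
    """Count alerts per (alert text, file, line) so the hot spot stands out."""
    return Counter((e["alert"], e["file"], e["line"]) for e in events)


def gaps_in_days(events, file, line):
    """Days between consecutive alerts at one file:line, oldest first."""
    ts = sorted(e["ts"] for e in events if e["file"] == file and e["line"] == line)
    return [(b - a).total_seconds() / 86400 for a, b in zip(ts, ts[1:])]


def foreign_attackers(events, own_hosts):
    """'attacker' addresses that are not among the server's own addresses.

    The report notes every attacker here is the server itself, so for that
    data this comes back empty; anything non-empty deserves a closer look."""
    return {e["attacker"] for e in events} - set(own_hosts)


def minute_histogram(events):
    """Spread of alerts over the minute-of-hour; a tight cluster suggests the
    triggering requests come from a scheduled job rather than from visitors."""
    return Counter(e["ts"].minute for e in events)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    counts = by_location(events)
    for (alert, path, ln), n in counts.most_common():
        print(f"{n:3d}  {alert}  {path}:{ln}")
    hot = counts.most_common(1)[0][0]
    print("gaps (days):", [round(g, 2) for g in gaps_in_days(events, hot[1], hot[2])])
    print("foreign attackers:", foreign_attackers(events, ["132.248.72.141"]))
    print("minute-of-hour:", sorted(minute_histogram(events).items()))
```

Run against the full `alerts` attachment instead of `SAMPLE_LOG`, the gap list makes the reporter's "two weeks, then about once a day" observation a number rather than an impression, and the minute-of-hour histogram is the quickest way to tell scheduled traffic from interactive traffic before reading every request.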