[Pkg-postgresql-private] Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)
Martin Pitt
247306@bugs.debian.org
Tue, 4 May 2004 15:51:58 +0200
--UlVJffcvxoiEqYs2
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Hi security team!
The bug report below just arrived. It does not contain a patch and=20
a quick glance to google did not reveal any either. I did not yet
examine the problem, I wanted to notify you as early as possible.
I came to psqlodbc by "accident" (I operated the source package out of
the main postgresql tree) and immediately RFA'ed it without much
response so far. Thus I have virtually no knowledge about it, I
appreciate any help.
I will also contact upstream now (maybe they can provide a
quick solution) and will report back if I have any news.
Thanks in advance and have a nice day!
Martin
----- Forwarded message from delman <delman@despammed.com> -----
Subject: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 byt=
es)
Reply-To: delman <delman@despammed.com>, 247306@bugs.debian.org
From: delman <delman@despammed.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Date: Tue, 04 May 2004 15:25:24 +0200
X-Spam-Status: No, hits=3D0.0 required=3D4.0 tests=3DSUBJ_BRACKET_BALANCED,
SUBJ_BRACKET_OFF,SUBJ_BRACKET_ON autolearn=3Dno version=3D2.61
Package: odbc-postgresql
Version: 1:07.03.0200-2
Severity: grave
Tags: security
Justification: user security hole
I noticed Apache segfaulting when I feed a simple form with long inputs:
[Tue May 4 11:32:10 2004] [notice] child pid 4084 exit signal Segmentatio=
n fault (11)
Such inputs are used by php function odbc_connect as username and password =
to connect to a DSN using postgresql driver:
$connection =3D @odbc_connect(DSN, $_POST['username'], $_POST['password'])
The output of gdb is:
(gdb) run -X -d apache
[...]
[Thread debugging using libthread_db enabled]
[...]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1076569920 (LWP 832)]
0x44c3d627 in SOCK_put_next_byte () from /usr/lib/postgresql/lib/psqlodbc.=
so
Or:
[same stuff here]
0x44c4c3d0 in strncpy_null () from /usr/lib/postgresql/lib/psqlodbc.so
I suspect a security issue because playing around with long input strings o=
f "A" I've been able to trigger in Apache error.log this message:
=09
free(): invalid pointer 0x41414141!
0x41 is obviously one of my "A"...
Other ODBC related messages found are:
=09
/usr/sbin/apache: relocation error: AAAA[...]AAA: symbol getDSNdefaults, v=
ersion not defined in file with link time reference
The SIGSEGV is triggered with input strings > 10000 bytes. I use Apache/1.3=
.29 (Debian GNU/Linux) PHP/4.3.4 mod_auth_pam/1.1.1 mod_ssl/2.8.16 OpenSSL/=
0.9.7c
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.4
Locale: LANG=3DC, LC_CTYPE=3DC
Versions of packages odbc-postgresql depends on:
ii libc6 2.3.2.ds1-11 GNU C Library: Shared librarie=
s an
ii odbcinst1 2.2.4-9 Support library and helper pro=
gram
-- no debconf information
----- End forwarded message -----
--=20
Martin Pitt Debian GNU/Linux Developer
martin@piware.de mpitt@debian.org
http://www.piware.de http://www.debian.org
--UlVJffcvxoiEqYs2
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQFAl5/8DecnbV4Fd/IRAhOzAKC1cF3kBF/M37n/c2/k3nsIstNEzgCfd+85
80v+cRf/pbvYGugbZIUKFns=
=3vfH
-----END PGP SIGNATURE-----
--UlVJffcvxoiEqYs2--