[Pkg-postgresql-private] Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)

Martin Pitt 247306@bugs.debian.org
Tue, 4 May 2004 15:51:58 +0200


Hi security team!

The bug report below just arrived. It does not contain a patch and
a quick glance at Google did not reveal one either. I have not yet
examined the problem; I wanted to notify you as early as possible.

I came to psqlodbc by "accident" (I operated the source package out of
the main postgresql tree) and immediately RFA'ed it, without much
response so far. Thus I have virtually no knowledge about it; I would
appreciate any help.

I will also contact upstream now (maybe they can provide a
quick solution) and will report back if I have any news.

Thanks in advance and have a nice day!

Martin

----- Forwarded message from delman <delman@despammed.com> -----

Subject: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)
Reply-To: delman <delman@despammed.com>, 247306@bugs.debian.org
From: delman <delman@despammed.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Date: Tue, 04 May 2004 15:25:24 +0200
X-Spam-Status: No, hits=0.0 required=4.0 tests=SUBJ_BRACKET_BALANCED,
	SUBJ_BRACKET_OFF,SUBJ_BRACKET_ON autolearn=no version=2.61

Package: odbc-postgresql
Version: 1:07.03.0200-2
Severity: grave
Tags: security
Justification: user security hole


I noticed Apache segfaulting when I fed a simple form with long inputs:

	[Tue May  4 11:32:10 2004] [notice] child pid 4084 exit signal Segmentation fault (11)

Such inputs are used by the PHP function odbc_connect as username and password
to connect to a DSN using the postgresql driver:

	$connection = @odbc_connect(DSN, $_POST['username'], $_POST['password'])

The output of gdb is:

	(gdb) run -X -d apache
	[...]
	[Thread debugging using libthread_db enabled]
	[...]
	Program received signal SIGSEGV, Segmentation fault.
	[Switching to Thread 1076569920 (LWP 832)]
	0x44c3d627 in SOCK_put_next_byte () from /usr/lib/postgresql/lib/psqlodbc.so

Or:
	[same stuff here]
	0x44c4c3d0 in strncpy_null () from /usr/lib/postgresql/lib/psqlodbc.so

I suspect a security issue because, playing around with long input strings
of "A", I've been able to trigger this message in Apache's error.log:

	free(): invalid pointer 0x41414141!

0x41 is obviously one of my "A"...

Other ODBC-related messages found are:

	/usr/sbin/apache: relocation error: AAAA[...]AAA: symbol getDSNdefaults, version not defined in file with link time reference

The SIGSEGV is triggered with input strings > 10000 bytes. I use Apache/1.3.29 (Debian GNU/Linux) PHP/4.3.4 mod_auth_pam/1.1.1 mod_ssl/2.8.16 OpenSSL/0.9.7c.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.4
Locale: LANG=C, LC_CTYPE=C

Versions of packages odbc-postgresql depends on:
ii  libc6                       2.3.2.ds1-11 GNU C Library: Shared libraries an
ii  odbcinst1                   2.2.4-9      Support library and helper program

-- no debconf information

----- End forwarded message -----

-- 
Martin Pitt                 Debian GNU/Linux Developer
martin@piware.de                      mpitt@debian.org
http://www.piware.de             http://www.debian.org
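The two crash sites in the report (SOCK_put_next_byte and strncpy_null) together with the `free(): invalid pointer 0x41414141!` message (0x41 is the ASCII code of the reporter's "A") point at an over-long credential being copied into a fixed-size buffer and clobbering neighbouring heap data. As an added illustration for readers of this thread, and explicitly not psqlodbc's code nor a patch for this bug, the C example below shows the defensive pattern a driver needs at that point: a length-bounded copy that always NUL-terminates and never reads past the destination size, plus a length check at the API boundary so over-long input is rejected instead of silently truncated. The field size, function names and the canary layout are assumptions made for the demonstration; the input is a constructed 12000-byte string of "A".

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of a fixed-length connection-info field.  This is a
 * value chosen for the example, not psqlodbc's real layout. */
#define FIELD_SIZE 256

/* Bounded copy that always NUL-terminates and never writes more than
 * dst_size bytes.  Returns the number of source bytes copied, so the
 * caller can detect truncation (copied == dst_size - 1 with more input
 * remaining).  Hypothetical helper written for this example. */
size_t bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0)
        return 0;
    if (src == NULL) {
        dst[0] = '\0';
        return 0;
    }
    /* strnlen stops at dst_size, so an unterminated source cannot be
     * read past that many bytes either. */
    size_t n = strnlen(src, dst_size);
    if (n >= dst_size)
        n = dst_size - 1;              /* leave room for the terminator */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Length check at the API boundary: 1 if the credential fits the field
 * including its terminator, 0 otherwise.  Rejecting here is preferable
 * to truncating, because a truncated password is a different password. */
int credential_fits(const char *value, size_t field_size)
{
    return value != NULL && strnlen(value, field_size) < field_size;
}

/* Push a constructed 12000-byte string of 'A' through the bounded copy
 * and verify the canary bytes placed right after the field (standing in
 * for adjacent heap data) are untouched.  Returns 1 when everything held. */
int demo_long_input(void)
{
    struct {
        char field[FIELD_SIZE];
        unsigned char canary[4];       /* neighbouring memory */
    } rec;
    memset(rec.canary, 0xEE, sizeof rec.canary);

    size_t len = 12000;                /* > 10000 bytes, as in the report */
    char *input = malloc(len + 1);
    if (input == NULL)
        return 0;
    memset(input, 'A', len);
    input[len] = '\0';

    int fits = credential_fits(input, FIELD_SIZE);   /* 0: too long */
    size_t copied = bounded_copy(rec.field, sizeof rec.field, input);
    free(input);

    int canary_ok = rec.canary[0] == 0xEE && rec.canary[1] == 0xEE
                 && rec.canary[2] == 0xEE && rec.canary[3] == 0xEE;

    return !fits
        && copied == FIELD_SIZE - 1
        && rec.field[FIELD_SIZE - 1] == '\0'
        && canary_ok;
}

int main(void)
{
    printf("bounded copy survived 12000-byte input: %s\n",
           demo_long_input() ? "yes" : "NO");
    return 0;
}
```

Build with `cc -std=c11 -Wall -Wextra bounded_copy.c -o bounded_copy`. Running it under a memory checker (valgrind or `-fsanitize=address`) is the useful variant for a driver maintainer: with the bounded helper the 12000-byte input produces no out-of-bounds write, which is exactly the report that an unbounded copy would fail.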
