Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)

From: Martin Pitt <martin(at)piware(dot)de>
To: pgsql-odbc(at)postgresql(dot)org
Subject: Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)
Date: 2004-05-04 14:03:57
Message-ID: 20040504140357.GB5111@ifsr.de
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-odbc

Hi psqlodbc developers!

We (the Debian maintainers of postgresql) just got the following bug
report. Unfortunately I don't have any personal experience with the
package, I came to it more or less by accident (long story, does not
belong here).

Can anybody please affirm this and does anybody have a solution? A
patch against the current version 07.03.0200 would be greatly
appreciated!

The stable version of Debian still has PostgreSQL 7.2.1 which included
the odbc driver. Is this version affected as well?

Thank you very much in advance and have a nice day!

Martin

----- Forwarded message from delman <delman(at)despammed(dot)com> -----

Subject: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)
Reply-To: delman <delman(at)despammed(dot)com>, 247306(at)bugs(dot)debian(dot)org
From: delman <delman(at)despammed(dot)com>
To: Debian Bug Tracking System <submit(at)bugs(dot)debian(dot)org>
Date: Tue, 04 May 2004 15:25:24 +0200
X-Spam-Status: No, hits=0.0 required=4.0 tests=SUBJ_BRACKET_BALANCED,
SUBJ_BRACKET_OFF,SUBJ_BRACKET_ON autolearn=no version=2.61

Package: odbc-postgresql
Version: 1:07.03.0200-2
Severity: grave
Tags: security
Justification: user security hole

I noticed Apache segfaulting when I feed a simple form with long inputs:

[Tue May 4 11:32:10 2004] [notice] child pid 4084 exit signal Segmentation fault (11)

Such inputs are used by php function odbc_connect as username and password to connect to a DSN using postgresql driver:

$connection = @odbc_connect(DSN, $_POST['username'], $_POST['password'])

The output of gdb is:

(gdb) run -X -d apache
[...]
[Thread debugging using libthread_db enabled]
[...]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1076569920 (LWP 832)]
0x44c3d627 in SOCK_put_next_byte () from /usr/lib/postgresql/lib/psqlodbc.so

Or:
[same stuff here]
0x44c4c3d0 in strncpy_null () from /usr/lib/postgresql/lib/psqlodbc.so

I suspect a security issue because playing around with long input strings of "A" I've been able to trigger in Apache error.log this message:

free(): invalid pointer 0x41414141!

0x41 is obviously one of my "A"...

Other ODBC related messages found are:

/usr/sbin/apache: relocation error: AAAA[...]AAA: symbol getDSNdefaults, version not defined in file with link time reference

The SIGSEGV is triggered with input strings > 10000 bytes. I use Apache/1.3.29 (Debian GNU/Linux) PHP/4.3.4 mod_auth_pam/1.1.1 mod_ssl/2.8.16 OpenSSL/0.9.7c

-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.4
Locale: LANG=C, LC_CTYPE=C

Versions of packages odbc-postgresql depends on:
ii libc6 2.3.2.ds1-11 GNU C Library: Shared libraries an
ii odbcinst1 2.2.4-9 Support library and helper program

-- no debconf information

----- End forwarded message -----

--
Martin Pitt Debian GNU/Linux Developer
martin(at)piware(dot)de mpitt(at)debian(dot)org
http://www.piware.de http://www.debian.org

Browse pgsql-odbc by date

  From Date Subject
Next Message Martin Pitt 2004-05-05 14:24:43 Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)
Previous Message Simon Dobie 2004-05-03 06:26:12 No Current Record