Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)

From: Martin Pitt <martin(at)piware(dot)de>
To: pgsql-bugs(at)postgresql(dot)org
Cc: 247306(at)bugs(dot)debian(dot)org
Subject: Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)
Date: 2004-05-11 10:03:58
Message-ID: 20040511100357.GA23102@ifsr.de
Lists: pgsql-bugs pgsql-odbc

Hi PostgreSQL developers!

A week ago we at Debian received the bug report below: due to a buffer
overflow in psqlodbc it is possible to crash (and possibly exploit)
apache. I already sent this mail to the psqlodbc list [1], but
unfortunately got no response so far. So maybe there are some hackers
here who can help with this?

I can reliably reproduce the error (using the small attached php4
script), but I do not know anything about the psqlodbc internals. I
would be glad if someone could assist me with that.

Thanks in advance and have a nice day!

Martin

[1] http://archives.postgresql.org/pgsql-odbc/2004-05/msg00006.php

----- Forwarded message from delman <delman(at)despammed(dot)com> -----

Subject: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)
Reply-To: delman <delman(at)despammed(dot)com>, 247306(at)bugs(dot)debian(dot)org
From: delman <delman(at)despammed(dot)com>
To: Debian Bug Tracking System <submit(at)bugs(dot)debian(dot)org>
Date: Tue, 04 May 2004 15:25:24 +0200

Package: odbc-postgresql
Version: 1:07.03.0200-2
Severity: grave
Tags: security
Justification: user security hole

I noticed Apache segfaulting when I feed a simple form with long inputs:

[Tue May 4 11:32:10 2004] [notice] child pid 4084 exit signal Segmentation fault (11)

Such inputs are used by the PHP function odbc_connect as the username and password to connect to a DSN using the PostgreSQL driver:

$connection = @odbc_connect(DSN, $_POST['username'], $_POST['password']);

The output of gdb is:

(gdb) run -X -d apache
[...]
[Thread debugging using libthread_db enabled]
[...]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1076569920 (LWP 832)]
0x44c3d627 in SOCK_put_next_byte () from /usr/lib/postgresql/lib/psqlodbc.so

Or:
[same stuff here]
0x44c4c3d0 in strncpy_null () from /usr/lib/postgresql/lib/psqlodbc.so

I suspect a security issue because, playing around with long input strings of "A", I've been able to trigger this message in Apache's error.log:

free(): invalid pointer 0x41414141!

0x41 is obviously one of my "A"s...

Other ODBC related messages found are:

/usr/sbin/apache: relocation error: AAAA[...]AAA: symbol getDSNdefaults, version not defined in file with link time reference

The SIGSEGV is triggered with input strings > 10000 bytes. I use Apache/1.3.29 (Debian GNU/Linux) PHP/4.3.4 mod_auth_pam/1.1.1 mod_ssl/2.8.16 OpenSSL/0.9.7c.

-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.4
Locale: LANG=C, LC_CTYPE=C

Versions of packages odbc-postgresql depends on:
ii libc6 2.3.2.ds1-11 GNU C Library: Shared libraries an
ii odbcinst1 2.2.4-9 Support library and helper program

-- no debconf information

----- End forwarded message -----

--
Martin Pitt Debian GNU/Linux Developer
martin(at)piware(dot)de mpitt(at)debian(dot)org
http://www.piware.de http://www.debian.org

Attachment Content-Type Size
odbccrash.php application/x-httpd-php 821 bytes
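The three error.log indicators quoted in the forwarded report (a child segfault, free() on a pointer made of input bytes such as 0x41414141, and a relocation error naming a run of "A"s) are the kind of thing an operator wants flagged automatically. The following is an added triage example, not code from the thread or from psqlodbc; the sample log lines are constructed from the ones quoted above, and a pointer whose bytes are all printable ASCII is treated as a sign that user-controlled data overwrote heap metadata.

```python
import re

# Constructed sample of Apache 1.3 error.log lines, modelled on the report above.
SAMPLE_LOG = """\
[Tue May 4 11:32:10 2004] [notice] child pid 4084 exit signal Segmentation fault (11)
free(): invalid pointer 0x41414141!
/usr/sbin/apache: relocation error: AAAAAAAAAAAAAAAA: symbol getDSNdefaults, version not defined in file with link time reference
[Tue May 4 11:35:00 2004] [notice] Apache/1.3.29 (Debian GNU/Linux) configured -- resuming normal operations
"""

SEGV_RE = re.compile(r"child pid (\d+) exit signal Segmentation fault \(11\)")
FREE_RE = re.compile(r"free\(\): invalid pointer 0x([0-9a-fA-F]+)")
RELOC_RE = re.compile(r"relocation error: ([^:]+): symbol")


def pointer_bytes_are_printable(hexval):
    """True when every byte of the pointer value is printable ASCII.

    0x41414141 decodes to b'AAAA': a pointer like that did not come from the
    allocator, it came from attacker-controlled input overwriting memory.
    """
    hexval = hexval.zfill(len(hexval) + len(hexval) % 2).rjust(8, "0")
    raw = bytes.fromhex(hexval)
    return all(0x20 <= b < 0x7F for b in raw)


def triage(log_text):
    """Return (kind, detail) findings for lines that look like memory corruption."""
    findings = []
    for line in log_text.splitlines():
        m = SEGV_RE.search(line)
        if m:
            findings.append(("segfault", int(m.group(1))))  # child pid that died
            continue
        m = FREE_RE.search(line)
        if m:
            ptr = m.group(1)
            kind = "free_tainted_pointer" if pointer_bytes_are_printable(ptr) else "free_invalid_pointer"
            findings.append((kind, "0x" + ptr))
            continue
        m = RELOC_RE.search(line)
        # A "symbol name" that is one character repeated is corrupted string data, not a real symbol.
        if m and len(m.group(1)) >= 8 and len(set(m.group(1))) == 1:
            findings.append(("reloc_tainted_name", m.group(1)))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(kind, detail)
```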
