Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)

Hi PostgreSQL developers!

A week ago we at Debian received the bug report below: due to a buffer
overflow in psqlodbc it is possible to crash (and possibly exploit)
apache. I already sent this mail to the psqlodbc list [1], but
unfortunately got no response so far. So maybe there are some hackers
here who can help with this?

I can reliably reproduce the error (using the small attached php4
script), but I do not know anything about the psqlodbc internals. I
would be glad if someone could assist me with that.

Thanks in advance and have a nice day!

Martin

[1] http://archives.postgresql.org/pgsql-odbc/2004-05/msg00006.php

----- Forwarded message from delman <delman@despammed.com> -----

Subject: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)
Reply-To: delman <delman@despammed.com>, 247306@bugs.debian.org
From: delman <delman@despammed.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Date: Tue, 04 May 2004 15:25:24 +0200
X-Spam-Status: No, hits=0.0 required=4.0 tests=SUBJ_BRACKET_BALANCED,
    SUBJ_BRACKET_OFF,SUBJ_BRACKET_ON autolearn=no version=2.61

Package: odbc-postgresql
Version: 1:07.03.0200-2
Severity: grave
Tags: security
Justification: user security hole


I noticed Apache segfaulting when I feed a simple form with long inputs:

    [Tue May  4 11:32:10 2004] [notice] child pid 4084 exit signal Segmentation fault (11)

Such inputs are used by php function odbc_connect as username and password to connect to a DSN using postgresql driver:

    $connection = @odbc_connect(DSN, $_POST['username'], $_POST['password'])

The output of gdb is:

    (gdb) run -X -d apache
    [...]
    [Thread debugging using libthread_db enabled]
    [...]
    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 1076569920 (LWP 832)]
    0x44c3d627 in SOCK_put_next_byte () from /usr/lib/postgresql/lib/psqlodbc.so

Or:
    [same stuff here]
    0x44c4c3d0 in strncpy_null () from /usr/lib/postgresql/lib/psqlodbc.so

I suspect a security issue because playing around with long input strings of "A" I've been able to trigger in Apache
error.logthis message: 

    free(): invalid pointer 0x41414141!

0x41 is obviously one of my "A"...

Other ODBC related messages found are:

    /usr/sbin/apache: relocation error: AAAA[...]AAA: symbol getDSNdefaults, version not defined in file with link time
reference

The SIGSEGV is triggered with input strings > 10000 bytes. I use Apache/1.3.29 (Debian GNU/Linux) PHP/4.3.4
mod_auth_pam/1.1.1mod_ssl/2.8.16 OpenSSL/0.9.7c 

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.4
Locale: LANG=C, LC_CTYPE=C

Versions of packages odbc-postgresql depends on:
ii  libc6                       2.3.2.ds1-11 GNU C Library: Shared libraries an
ii  odbcinst1                   2.2.4-9      Support library and helper program

-- no debconf information

----- End forwarded message -----

--
Martin Pitt                 Debian GNU/Linux Developer
martin@piware.de                      mpitt@debian.org
http://www.piware.de             http://www.debian.org