Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)
From | Martin Pitt
---|---
Subject | Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)
Date |
Msg-id | 20040511100357.GA23102@ifsr.de
Replies | Re: Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes) (Peter Eisentraut <peter_e@gmx.net>); Fix for buffer overflow ready [was: Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)] (Martin Pitt <mpitt@debian.org>)
List | pgsql-bugs
Hi PostgreSQL developers!

A week ago we at Debian received the bug report below: due to a buffer overflow in psqlodbc it is possible to crash (and possibly exploit) apache. I already sent this mail to the psqlodbc list [1], but unfortunately got no response so far. So maybe there are some hackers here who can help with this?

I can reliably reproduce the error (using the small attached php4 script), but I do not know anything about the psqlodbc internals. I would be glad if someone could assist me with that.

Thanks in advance and have a nice day!

Martin

[1] http://archives.postgresql.org/pgsql-odbc/2004-05/msg00006.php

----- Forwarded message from delman <delman@despammed.com> -----

Subject: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)
Reply-To: delman <delman@despammed.com>, 247306@bugs.debian.org
From: delman <delman@despammed.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Date: Tue, 04 May 2004 15:25:24 +0200
X-Spam-Status: No, hits=0.0 required=4.0 tests=SUBJ_BRACKET_BALANCED,SUBJ_BRACKET_OFF,SUBJ_BRACKET_ON autolearn=no version=2.61

Package: odbc-postgresql
Version: 1:07.03.0200-2
Severity: grave
Tags: security
Justification: user security hole

I noticed Apache segfaulting when I feed a simple form with long inputs:

    [Tue May 4 11:32:10 2004] [notice] child pid 4084 exit signal Segmentation fault (11)

Such inputs are used by php function odbc_connect as username and password to connect to a DSN using postgresql driver:

    $connection = @odbc_connect(DSN, $_POST['username'], $_POST['password'])

The output of gdb is:

    (gdb) run -X -d apache
    [...]
    [Thread debugging using libthread_db enabled]
    [...]
    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 1076569920 (LWP 832)]
    0x44c3d627 in SOCK_put_next_byte () from /usr/lib/postgresql/lib/psqlodbc.so

Or:

    [same stuff here]
    0x44c4c3d0 in strncpy_null () from /usr/lib/postgresql/lib/psqlodbc.so

I suspect a security issue because playing around with long input strings of "A" I've been able to trigger in Apache error.log this message:

    free(): invalid pointer 0x41414141!

0x41 is obviously one of my "A"...

Other ODBC related messages found are:

    /usr/sbin/apache: relocation error: AAAA[...]AAA: symbol getDSNdefaults, version not defined in file with link time reference

The SIGSEGV is triggered with input strings > 10000 bytes.

I use Apache/1.3.29 (Debian GNU/Linux) PHP/4.3.4 mod_auth_pam/1.1.1 mod_ssl/2.8.16 OpenSSL/0.9.7c

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.4
Locale: LANG=C, LC_CTYPE=C

Versions of packages odbc-postgresql depends on:
ii  libc6      2.3.2.ds1-11  GNU C Library: Shared libraries an
ii  odbcinst1  2.2.4-9       Support library and helper program

-- no debconf information

----- End forwarded message -----

--
Martin Pitt                       Debian GNU/Linux Developer
martin@piware.de                  mpitt@debian.org
http://www.piware.de              http://www.debian.org
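The report above points at a fixed-size credential buffer being filled from an unbounded, attacker-controlled string (the crash in strncpy_null, the 0x41414141 pointer). As an added illustration, not code from psqlodbc or from this thread, the following C shows the shape of the fix a maintainer would want: a copy helper that can never write past its destination and tells the caller when input was truncated. The helper name `bounded_copy`, the buffer size `CRED_MAX` and the 20000-byte constructed input are assumptions for the example; psqlodbc's real strncpy_null() signature and internals are not reproduced here.

```c
/* Added example (not psqlodbc code): a destination-bounded string copy.
 * The real strncpy_null() in psqlodbc is not reproduced; this is a
 * hypothetical replacement showing the property a fix must have. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Copy src into dst, writing at most dst_size bytes including the
 * terminating NUL. Returns 0 on a full copy, 1 if src was truncated to
 * fit, and -1 for a NULL pointer or zero-sized destination (nothing is
 * written in that case). Only the first dst_size bytes of src are
 * scanned, so an unterminated or huge src cannot cause an overread. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;

    /* memchr stops at dst_size bytes, unlike strlen() */
    const char *nul = memchr(src, '\0', dst_size);
    size_t n = nul ? (size_t)(nul - src) : dst_size;

    if (n >= dst_size) {
        /* input does not fit: copy what fits and always terminate */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);  /* n bytes plus the terminator */
    return 0;
}

/* Assumed credential buffer size for the example. */
#define CRED_MAX 256

/* Replays the report's scenario with constructed input: a username of
 * 20000 'A' bytes (well over the > 10000 bytes the report mentions)
 * handed to a CRED_MAX-byte buffer. With bounded_copy the result is a
 * truncated-but-terminated string and no out-of-bounds write; the
 * return value (1) lets the caller reject the login instead of silently
 * using a shortened username. */
int demo_long_username(void)
{
    static char username[CRED_MAX];
    static char long_input[20000 + 1];

    memset(long_input, 'A', 20000);
    long_input[20000] = '\0';

    int truncated = bounded_copy(username, sizeof username, long_input);
    /* invariant: buffer is terminated inside its bounds */
    if (username[CRED_MAX - 1] != '\0')
        return -2;
    return truncated;
}

int main(void)
{
    printf("long username truncated: %d\n", demo_long_username());
    return 0;
}
```

The defensive point is the return value: a driver should treat truncation of a username or password as an error (refuse the connection, log the oversized input length) rather than connect with a silently shortened credential, and the PHP layer in the report can additionally cap `$_POST['username']` and `$_POST['password']` lengths before calling odbc_connect.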