Hi PostgreSQL developers! A week ago we at Debian received the bug report below: due to a buffer overflow in psqlodbc it is possible to crash (and possibly exploit) apache. I already sent this mail to the psqlodbc list [1], but unfortunately got no response so far. So maybe there are some hackers here who can help with this?
I can reliably reproduce the error (using the small attached php4 script), but I do not know anything about the psqlodbc internals. I would be glad if someone could assist me with that. Thanks in advance and have a nice day! Martin [1] http://archives.postgresql.org/pgsql-odbc/2004-05/msg00006.php ----- Forwarded message from delman <[EMAIL PROTECTED]> ----- Subject: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes) Reply-To: delman <[EMAIL PROTECTED]>, [EMAIL PROTECTED] From: delman <[EMAIL PROTECTED]> To: Debian Bug Tracking System <[EMAIL PROTECTED]> Date: Tue, 04 May 2004 15:25:24 +0200 X-Spam-Status: No, hits=0.0 required=4.0 tests=SUBJ_BRACKET_BALANCED, SUBJ_BRACKET_OFF,SUBJ_BRACKET_ON autolearn=no version=2.61 Package: odbc-postgresql Version: 1:07.03.0200-2 Severity: grave Tags: security Justification: user security hole I noticed Apache segfaulting when I feed a simple form with long inputs: [Tue May 4 11:32:10 2004] [notice] child pid 4084 exit signal Segmentation fault (11) Such inputs are used by php function odbc_connect as username and password to connect to a DSN using postgresql driver: $connection = @odbc_connect(DSN, $_POST['username'], $_POST['password']) The output of gdb is: (gdb) run -X -d apache [...] [Thread debugging using libthread_db enabled] [...] Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 1076569920 (LWP 832)] 0x44c3d627 in SOCK_put_next_byte () from /usr/lib/postgresql/lib/psqlodbc.so Or: [same stuff here] 0x44c4c3d0 in strncpy_null () from /usr/lib/postgresql/lib/psqlodbc.so I suspect a security issue because playing around with long input strings of "A" I've been able to trigger in Apache error.log this message: free(): invalid pointer 0x41414141! 0x41 is obviously one of my "A"... Other ODBC related messages found are: /usr/sbin/apache: relocation error: AAAA[...]AAA: symbol getDSNdefaults, version not defined in file with link time reference The SIGSEGV is triggered with input strings > 10000 bytes. I use Apache/1.3.29 (Debian GNU/Linux) PHP/4.3.4 mod_auth_pam/1.1.1 mod_ssl/2.8.16 OpenSSL/0.9.7c -- System Information: Debian Release: testing/unstable APT prefers testing APT policy: (500, 'testing') Architecture: i386 (i686) Kernel: Linux 2.6.4 Locale: LANG=C, LC_CTYPE=C Versions of packages odbc-postgresql depends on: ii libc6 2.3.2.ds1-11 GNU C Library: Shared libraries an ii odbcinst1 2.2.4-9 Support library and helper program -- no debconf information ----- End forwarded message ----- -- Martin Pitt Debian GNU/Linux Developer [EMAIL PROTECTED] [EMAIL PROTECTED] http://www.piware.de http://www.debian.org
odbccrash.php
Description: application/httpd-php
pgp00000.pgp
Description: PGP signature
