Debian Bug report logs - #247306
odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)


Package: odbc-postgresql; Maintainer for odbc-postgresql is Christoph Berg <myon@debian.org>; Source for odbc-postgresql is src:psqlodbc.

Reported by: delman <delman@despammed.com>

Date: Tue, 4 May 2004 13:33:06 UTC

Severity: grave

Tags: patch, sarge, security, sid, woody

Found in version 1:07.03.0200-2

Fixed in version psqlodbc/1:07.03.0200-3

Done: Martin Pitt <mpitt@debian.org>

Bug is archived. No further changes may be made.

Forwarded to pgsql-odbc@postgresql.org




Report forwarded to debian-bugs-dist@lists.debian.org, Martin Pitt <mpitt@debian.org>:
Bug#247306; Package odbc-postgresql. Full text and rfc822 format available.

Acknowledgement sent to delman <delman@despammed.com>:
New Bug report received and forwarded. Copy sent to Martin Pitt <mpitt@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: delman <delman@despammed.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)
Date: Tue, 04 May 2004 15:25:24 +0200
Package: odbc-postgresql
Version: 1:07.03.0200-2
Severity: grave
Tags: security
Justification: user security hole


I noticed Apache segfaulting when I feed a simple form with long inputs:

	[Tue May  4 11:32:10 2004] [notice] child pid 4084 exit signal Segmentation fault (11)

Such inputs are used by php function odbc_connect as username and password to connect to a DSN using postgresql driver:

	$connection = @odbc_connect(DSN, $_POST['username'], $_POST['password']);

The output of gdb is:

	(gdb) run -X -d apache
	[...]
	[Thread debugging using libthread_db enabled]
	[...]
	Program received signal SIGSEGV, Segmentation fault.
	[Switching to Thread 1076569920 (LWP 832)]
	0x44c3d627 in SOCK_put_next_byte () from /usr/lib/postgresql/lib/psqlodbc.so

Or:
	[same stuff here]
	0x44c4c3d0 in strncpy_null () from /usr/lib/postgresql/lib/psqlodbc.so

I suspect a security issue because playing around with long input strings of "A" I've been able to trigger in Apache error.log this message:
	
	free(): invalid pointer 0x41414141!

0x41 is obviously one of my "A"...

Other ODBC related messages found are:
	
	/usr/sbin/apache: relocation error: AAAA[...]AAA: symbol getDSNdefaults, version not defined in file with link time reference

The SIGSEGV is triggered with input strings > 10000 bytes. I use Apache/1.3.29 (Debian GNU/Linux) PHP/4.3.4 mod_auth_pam/1.1.1 mod_ssl/2.8.16 OpenSSL/0.9.7c

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.4
Locale: LANG=C, LC_CTYPE=C

Versions of packages odbc-postgresql depends on:
ii  libc6                       2.3.2.ds1-11 GNU C Library: Shared libraries an
ii  odbcinst1                   2.2.4-9      Support library and helper program

-- no debconf information



Tags added: sarge, sid Request was from Martin Pitt <mpitt@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Noted your statement that Bug has been forwarded to pgsql-odbc@postgresql.org. Request was from Martin Pitt <mpitt@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: help Request was from Martin Pitt <mpitt@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Martin Pitt <mpitt@debian.org>:
Bug#247306; Package odbc-postgresql. Full text and rfc822 format available.

Acknowledgement sent to 247306@bugs.debian.org, pgsql-bugs@postgresql.org:
Extra info received and forwarded to list. Copy sent to Martin Pitt <mpitt@debian.org>. Full text and rfc822 format available.

Message #16 received at 247306@bugs.debian.org (full text, mbox):

From: Martin Pitt <martin@piware.de>
To: pgsql-bugs@postgresql.org
Cc: 247306@bugs.debian.org
Subject: Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)
Date: Tue, 11 May 2004 12:03:58 +0200
[Message part 1 (text/plain, inline)]
Hi PostgreSQL developers!

A week ago we at Debian received the bug report below: due to a buffer
overflow in psqlodbc it is possible to crash (and possibly exploit)
apache. I already sent this mail to the psqlodbc list [1], but
unfortunately got no response so far. So maybe there are some hackers
here who can help with this?

I can reliably reproduce the error (using the small attached php4
script), but I do not know anything about the psqlodbc internals. I
would be glad if someone could assist me with that.

Thanks in advance and have a nice day!

Martin

[1] http://archives.postgresql.org/pgsql-odbc/2004-05/msg00006.php

----- Forwarded message from delman <delman@despammed.com> -----

Subject: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)
Reply-To: delman <delman@despammed.com>, 247306@bugs.debian.org
From: delman <delman@despammed.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Date: Tue, 04 May 2004 15:25:24 +0200

----- End forwarded message -----

-- 
Martin Pitt                 Debian GNU/Linux Developer
martin@piware.de                      mpitt@debian.org
http://www.piware.de             http://www.debian.org
[odbccrash.php (application/x-httpd-php, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Martin Pitt <mpitt@debian.org>:
Bug#247306; Package odbc-postgresql. Full text and rfc822 format available.

Acknowledgement sent to Peter Eisentraut <peter_e@gmx.net>:
Extra info received and forwarded to list. Copy sent to Martin Pitt <mpitt@debian.org>. Full text and rfc822 format available.

Message #21 received at 247306@bugs.debian.org (full text, mbox):

From: Peter Eisentraut <peter_e@gmx.net>
To: 247306@bugs.debian.org, pgsql-bugs@postgresql.org, Martin Pitt <martin@piware.de>
Cc: pgsql-odbc@postgresql.org
Subject: Re: [BUGS] Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)
Date: Wed, 12 May 2004 01:31:37 +0200
Martin Pitt wrote:
> A week ago we at Debian received the bug report below: due to a
> buffer overflow in psqlodbc it is possible to crash (and possibly
> exploit) apache. I already sent this mail to the psqlodbc list [1],
> but unfortunately got no response so far. So maybe there are some
> hackers here who can help with this?

The problem is that the ODBC driver just writes the long user name or 
password into its internal data structures without paying attention to the 
fact that it's only got 256 bytes of space.  (function PGAPI_Connect in 
file connection.c)  It's the oldest bug in the book really.




Information forwarded to debian-bugs-dist@lists.debian.org, Martin Pitt <mpitt@debian.org>:
Bug#247306; Package odbc-postgresql. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <martin@piware.de>:
Extra info received and forwarded to list. Copy sent to Martin Pitt <mpitt@debian.org>. Full text and rfc822 format available.

Message #26 received at 247306@bugs.debian.org (full text, mbox):

From: Martin Pitt <martin@piware.de>
To: pgsql-bugs@postgresql.org, Peter Eisentraut <peter_e@gmx.net>
Cc: 247306@bugs.debian.org
Subject: Re: [BUGS] Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)
Date: Wed, 12 May 2004 01:47:09 +0200
Hi!

On 2004-05-12  1:31 +0200, Peter Eisentraut wrote:
> Martin Pitt wrote:
> > A week ago we at Debian received the bug report below: due to a
> > buffer overflow in psqlodbc it is possible to crash (and possibly
> > exploit) apache. I already sent this mail to the psqlodbc list [1],
> > but unfortunately got no response so far. So maybe there are some
> > hackers here who can help with this?
> 
> The problem is that the ODBC driver just writes the long user name or 
> password into its internal data structures without paying attention to the 
> fact that it's only got 256 bytes of space.  (function PGAPI_Connect in 
> file connection.c)  It's the oldest bug in the book really.

Thanks for this hint and spotting the error, I think I see the problem
now: PGAPI_Connect calls

        make_string(szDSN, cbDSN, ci->dsn);
 
to copy the string (and similar with uid and password). ci->dsn is
only MEDIUM_REGISTRY_LEN (256) bytes big, so if cbDSN >= 256, it will
crash. So I suppose the function just has to check the cb* values, and
if one of them is >= 256, return an appropriate error? 

Another possibility would be to add a fourth argument to make_string
that specifies the size of the target buffer (and have it copy
max(stringlen, bufferlen-1) bytes). This would force the correction of
all places where make_string is used (just 13, so it should not get
too hard).

Any comments to that?

Thanks,

Martin

-- 
Martin Pitt                 Debian GNU/Linux Developer
martin@piware.de                      mpitt@debian.org
http://www.piware.de             http://www.debian.org



Tags added: woody Request was from Martin Pitt <mpitt@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#247306; Package odbc-postgresql. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #33 received at 247306@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: pgsql-bugs@postgresql.org, pgsql-odbc@postgresql.org
Cc: 247306@bugs.debian.org, Peter Eisentraut <peter_e@gmx.net>
Subject: Fix for buffer overflow ready [was: Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)]
Date: Thu, 13 May 2004 11:41:56 +0200
[Message part 1 (text/plain, inline)]
Hi again!

Sorry for crossposting, but I sent the initial post also to -bugs,
because I did not get an answer on -odbc.

On 2004-05-11 12:03 +0200, Martin Pitt wrote:
> I noticed Apache segfaulting when I feed a simple form with long inputs:
> 
> 	[Tue May  4 11:32:10 2004] [notice] child pid 4084 exit signal Segmentation fault (11)
> 
> Such inputs are used by php function odbc_connect as username and password to connect to a DSN using postgresql driver:
> 
> 	$connection = @odbc_connect(DSN, $_POST['username'], $_POST['password'])
> 
> The output of gdb is:
> 
> 	(gdb) run -X -d apache
> 	[...]
> 	[Thread debugging using libthread_db enabled]
> 	[...]
> 	Program received signal SIGSEGV, Segmentation fault.
> 	[Switching to Thread 1076569920 (LWP 832)]
> 	0x44c3d627 in SOCK_put_next_byte () from /usr/lib/postgresql/lib/psqlodbc.so
> 
> Or:
> 	[same stuff here]
> 	0x44c4c3d0 in strncpy_null () from /usr/lib/postgresql/lib/psqlodbc.so
> 
> I suspect a security issue because playing around with long input strings of "A" I've been able to trigger in Apache error.log this message:
> 	
> 	free(): invalid pointer 0x41414141!
> 
> 0x41 is obviously one of my "A"...

The problem is that make_string() in misc.c does not check whether the
target buffer is big enough to hold the copied string.

I added a bufsize parameter to make_string() and used it in all calls
to it. I tried it with my php4 crash test script and now it works
properly.

The attached patch is for the current stable release 07.03.0200.

Thanks a lot to Peter Eisentraut for pointing me at the problem origin.

Unless you have a better idea it would be nice if you could apply the
patch to the official sources and also include it in the next release.

I will upload updated Debian packages for unstable and stable this
afternoon (16:00 CEST) if nobody reports a problem or a better
solution.

Thanks in advance,

Martin

-- 
Martin Pitt                 Debian GNU/Linux Developer
martin@piware.de                      mpitt@debian.org
http://www.piware.de             http://www.debian.org
[psqlodbc-make_string.patch (text/plain, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Tags removed: help Request was from Martin Pitt <mpitt@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: patch, pending Request was from Martin Pitt <mpitt@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Martin Pitt <mpitt@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to delman <delman@despammed.com>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #42 received at 247306-close@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: 247306-close@bugs.debian.org
Subject: Bug#247306: fixed in psqlodbc 1:07.03.0200-3
Date: Thu, 13 May 2004 10:02:06 -0400
Source: psqlodbc
Source-Version: 1:07.03.0200-3

We believe that the bug you reported is fixed in the latest version of
psqlodbc, which is due to be installed in the Debian FTP archive:

odbc-postgresql_07.03.0200-3_i386.deb
  to pool/main/p/psqlodbc/odbc-postgresql_07.03.0200-3_i386.deb
psqlodbc_07.03.0200-3.diff.gz
  to pool/main/p/psqlodbc/psqlodbc_07.03.0200-3.diff.gz
psqlodbc_07.03.0200-3.dsc
  to pool/main/p/psqlodbc/psqlodbc_07.03.0200-3.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 247306@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martin Pitt <mpitt@debian.org> (supplier of updated psqlodbc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Thu, 13 May 2004 10:47:36 +0200
Source: psqlodbc
Binary: odbc-postgresql
Architecture: source i386
Version: 1:07.03.0200-3
Distribution: unstable
Urgency: high
Maintainer: Martin Pitt <mpitt@debian.org>
Changed-By: Martin Pitt <mpitt@debian.org>
Description: 
 odbc-postgresql - ODBC support for PostgreSQL
Closes: 247306
Changes: 
 psqlodbc (1:07.03.0200-3) unstable; urgency=high
 .
   * urgency high since this is a security related bug and no other changes
     were made
   * misc.c: added target buffer size parameter to make_string() to prevent
     buffer overflows and corrected all calls to it (closes: #247306)
Files: 
 02511a0be4f7bd7b8ab94da7a38dc7f8 670 libs optional psqlodbc_07.03.0200-3.dsc
 0e2a30e797f5b238d7cde501d857f505 6218 libs optional psqlodbc_07.03.0200-3.diff.gz
 a71b3f5da42bb3d385b0963fbbc056d1 137276 libs optional odbc-postgresql_07.03.0200-3_i386.deb





Information forwarded to debian-bugs-dist@lists.debian.org, Martin Pitt <mpitt@debian.org>:
Bug#247306; Package odbc-postgresql. Full text and rfc822 format available.

Acknowledgement sent to Peter Eisentraut <peter_e@gmx.net>:
Extra info received and forwarded to list. Copy sent to Martin Pitt <mpitt@debian.org>. Full text and rfc822 format available.

Message #47 received at 247306@bugs.debian.org (full text, mbox):

From: Peter Eisentraut <peter_e@gmx.net>
To: Martin Pitt <mpitt@debian.org>, pgsql-bugs@postgresql.org, pgsql-odbc@postgresql.org
Cc: 247306@bugs.debian.org
Subject: Re: Fix for buffer overflow ready [was: Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)]
Date: Thu, 13 May 2004 19:43:09 +0200
Martin Pitt wrote:
> The problem is that make_string() in misc.c does not check whether
> the target buffer is big enough to hold the copied string.
>
> I added a bufsize parameter to make_string() and used it in all calls
> to it. I tried it with my php4 crash test script and now it works
> properly.

Silently truncating various pieces of information is probably not the 
right thing.  What are you truncating?  If it's a query string you 
might open yourself up to SQL-injection type problems.

Plus, the ODBC driver appears to have buffer overruns all over the 
place.  We need to replace every instance of strcpy, strcat, sprintf, 
make_string, and the various other feeble attempts with pqexpbuffer 
from libpq.  That's the only way to solve this problem once and for 
all.
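The bounded-copy fix discussed in Messages #26, #33 and #47, as an added C example that is not part of psqlodbc or of this thread: make_string_bounded, conn_info and try_username_of_length are hypothetical names, and unlike the silent-truncation variant Peter objects to, an oversize DSN, user name or password is rejected with an error code so the caller can fail the connect.

```c
#include <string.h>

/* Constructed example, not psqlodbc's own code. Field size follows the
 * thread (MEDIUM_REGISTRY_LEN, 256); SQL_NTS is ODBC's "NUL-terminated" length. */
#define MEDIUM_REGISTRY_LEN 256
#define SQL_NTS (-3)

/* Hypothetical bounded make_string(): copies at most bufsize-1 bytes and
 * always NUL-terminates. Returns the byte count copied, or -1 when the input
 * would not fit, so the caller can raise an error instead of truncating. */
static int make_string_bounded(const char *s, int len, char *buf, size_t bufsize)
{
    size_t n;
    if (s == NULL || buf == NULL || bufsize == 0)
        return -1;
    if (len == SQL_NTS)
        n = strlen(s);
    else if (len < 0)
        return -1;
    else
        n = (size_t)len;   /* explicit length: input need not be terminated */
    if (n >= bufsize)      /* leave room for the terminating NUL */
        return -1;
    memcpy(buf, s, n);
    buf[n] = '\0';
    return (int)n;
}

/* Simplified stand-in for the ConnInfo fields filled in at connect time. */
struct conn_info {
    char dsn[MEDIUM_REGISTRY_LEN];
    char username[MEDIUM_REGISTRY_LEN];
    char password[MEDIUM_REGISTRY_LEN];
};

/* Returns 0 when all three fields fit, -1 otherwise; nothing ever overflows. */
static int connect_copy_fields(struct conn_info *ci, const char *dsn, int cbdsn,
                               const char *uid, int cbuid, const char *pwd, int cbpwd)
{
    if (make_string_bounded(dsn, cbdsn, ci->dsn, sizeof ci->dsn) < 0 ||
        make_string_bounded(uid, cbuid, ci->username, sizeof ci->username) < 0 ||
        make_string_bounded(pwd, cbpwd, ci->password, sizeof ci->password) < 0)
        return -1;
    return 0;
}

/* Constructed probe: a username of len 'A' bytes, as in the bug report. */
static int try_username_of_length(size_t len)
{
    struct conn_info ci;
    static char name[16384];
    if (len >= sizeof name)
        return -2;
    memset(name, 'A', len);
    name[len] = '\0';
    return connect_copy_fields(&ci, "mydsn", SQL_NTS, name, SQL_NTS, "pw", 2);
}
```

A 255-byte user name is the longest that fits beside its NUL; 256 bytes and the reporter's >10000-byte inputs are refused before any copy happens.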






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 08:27:56 2014; Machine Name: buxtehude.debian.org
