Debian Bug report logs - #554684
php5-pgsql: Suhosin alerts about heap overflows


Package: php5-pgsql; Maintainer for php5-pgsql is (unknown);

Reported by: Gunnar Wolf <gwolf@gwolf.org>

Date: Thu, 5 Nov 2009 22:42:01 UTC

Severity: serious

Tags: security

Found in version php5/5.2.6.dfsg.1-1+lenny3

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#554684; Package php5-pgsql. (Thu, 05 Nov 2009 22:42:04 GMT) (full text, mbox, link).


Acknowledgement sent to Gunnar Wolf <gwolf@gwolf.org>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 05 Nov 2009 22:42:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Gunnar Wolf <gwolf@gwolf.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php5-pgsql: Suhosin alerts about heap overflows
Date: Thu, 05 Nov 2009 16:34:03 -0600
Package: php5-pgsql
Version: 5.2.6.dfsg.1-1+lenny3
Severity: serious
Tags: security

I am not sure of the impact of this bug, but if the main PHP escaping
function for PostgreSQL is mis-escaping strings, it can
_quite_probably_ be a serious security bug. Feel free to adjust the
severity.

I have been getting the following message on my Apache logs:

[error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)

Note that 132.248.72.141 is the same server where this is reported,
and lines 363-365 of the reported file are:

function db_escape_string($text) {
  return pg_escape_string($text);
}

I cannot establish what user action is causing this to be triggered,
but (having a very limited dataset to judge from) its frequency has
been slightly increasing since I first detected it (August 18): from
two weeks between the first and second sightings to about once a day.

I am looking at log files starting in early August. I am attaching
here (filename: alerts) the output of:

( zcat error.log.{18,17,16,15,14,13,12,11,10,9,8,7,6,5,4,3,2}.gz; cat error.log{.1,} ) | grep ALERT

The times of the log messages roughly match comment additions on the
Drupal system in question (which was completely open to spammers and
which I have just closed for comments). I am also attaching a comment
example (filename: spammy) whose timestamp is closest to the latest
event. It does not look atypical in any way, but the result might
not have been properly received...

...Hmm, thinking it over, I found this in the PostgreSQL log at
the right time:

2009-11-04 06:25:29 CST [30578]LOG:  connection received: host=127.0.0.1 port=39334
2009-11-04 06:25:29 CST [30578]LOG:  connection authorized: user=drupal_obela database=drupal_obela
2009-11-04 06:25:29 CST [30578]WARNING:  nonstandard use of \\ in a string literal at character 25
2009-11-04 06:25:29 CST [30578]HINT:  Use the escape string syntax for backslashes, e.g., E'\\'.
2009-11-04 06:25:29 CST [30578]WARNING:  nonstandard use of \\ in a string literal at character 90
2009-11-04 06:25:29 CST [30578]HINT:  Use the escape string syntax for backslashes, e.g., E'\\'.

And yes, that would support my theory that pg_escape_string is
failing to escape _something_.

Thanks,

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (900, 'stable'), (200, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages php5-pgsql depends on:
ii  libapache2-mod-php 5.2.6.dfsg.1-1+lenny3 server-side, HTML-embedded scripti
ii  libc6              2.7-18                GNU C Library: Shared libraries
ii  libpq5             8.3.8-0lenny1         PostgreSQL C client library
ii  php5-cgi [phpapi-2 5.2.6.dfsg.1-1+lenny3 server-side, HTML-embedded scripti
ii  php5-cli [phpapi-2 5.2.6.dfsg.1-1+lenny3 command-line interpreter for the p
ii  php5-common        5.2.6.dfsg.1-1+lenny3 Common files for packages built fr

php5-pgsql recommends no packages.

php5-pgsql suggests no packages.

-- no debconf information
[spammy (text/plain, attachment)]
[alert (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#554684; Package php5-pgsql. (Thu, 05 Nov 2009 23:33:03 GMT) (full text, mbox, link).


Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 05 Nov 2009 23:33:03 GMT) (full text, mbox, link).


Message #10 received at 554684@bugs.debian.org (full text, mbox, reply):

From: sean finney <seanius@debian.org>
To: Gunnar Wolf <gwolf@gwolf.org>, 554684@bugs.debian.org
Subject: Re: [php-maint] Bug#554684: php5-pgsql: Suhosin alerts about heap overflows
Date: Fri, 6 Nov 2009 00:16:59 +0100
On Thu, Nov 05, 2009 at 04:34:03PM -0600, Gunnar Wolf wrote:
> function db_escape_string($text) {
>   return pg_escape_string($text);
> }
 
> 2009-11-04 06:25:29 CST [30578]WARNING:  nonstandard use of \\ in a string literal at character 25

hm... maybe this is a result of pg_escape_string and magic_quotes_<foo>
used together?

	sean


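Sean's double-escaping hypothesis can be checked mechanically. The following Python block is an added illustration, not code from the bug report, from PHP, or from Drupal: `addslashes` models PHP's addslashes() (what magic_quotes_gpc applies to request data), `pg_escape_string` models libpq's PQescapeString() with standard_conforming_strings off (assumed here; it is the PostgreSQL 8.x default, and it is the mode in which backslashes are doubled), `decode_literal` models how the server reads such a literal back, and `would_trigger_backslash_warning` mirrors the escape_string_warning check behind the "nonstandard use of \\ in a string literal" message. All four are simplified re-implementations covering only quotes and backslashes; the function and parameter names are mine.

```python
"""Added illustration (not code from the bug report, PHP, or Drupal): a model of
what happens when request data already escaped once by magic_quotes_gpc is
escaped again by pg_escape_string() in Drupal's db_escape_string()."""


def addslashes(s: str) -> str:
    # Simplified PHP addslashes(), as applied by magic_quotes_gpc: prefix
    # single quote, double quote, backslash and NUL with a backslash.
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def pg_escape_string(s: str, standard_conforming_strings: bool = False) -> str:
    # Simplified libpq PQescapeString(): a single quote is doubled; a backslash
    # is doubled too unless the server uses standard conforming strings
    # (assumed off here, the PostgreSQL 8.x default).
    out = []
    for ch in s:
        if ch == "'":
            out.append("''")
        elif ch == "\\" and not standard_conforming_strings:
            out.append("\\\\")
        else:
            out.append(ch)
    return "".join(out)


def would_trigger_backslash_warning(literal_body: str) -> bool:
    # With escape_string_warning=on (the default), a backslash inside a plain
    # '...' literal produces "nonstandard use of \\ in a string literal".
    return "\\" in literal_body


def decode_literal(literal_body: str, standard_conforming_strings: bool = False) -> str:
    # Model of how the server reads the body of a plain '...' literal back:
    # '' -> ' always, and, in non-standard mode, \x -> x (covers \\ and \').
    out, i = [], 0
    while i < len(literal_body):
        ch = literal_body[i]
        nxt = literal_body[i + 1] if i + 1 < len(literal_body) else None
        if ch == "\\" and not standard_conforming_strings and nxt is not None:
            out.append(nxt)
            i += 2
        elif ch == "'" and nxt == "'":
            out.append("'")
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def escape_pipeline(user_input: str, magic_quotes: bool) -> dict:
    # The request path under discussion: optional magic_quotes_gpc, then the
    # single pg_escape_string() call from database.pgsql.inc line 364.
    data = addslashes(user_input) if magic_quotes else user_input
    literal = pg_escape_string(data)
    stored = decode_literal(literal)
    return {
        "literal": literal,                                  # what goes on the wire
        "warning": would_trigger_backslash_warning(literal), # server warns?
        "stored": stored,                                    # what the table gets
        "corrupted": stored != user_input,                   # double-escaping symptom
    }


if __name__ == "__main__":
    for text, mq in (("it's", False), ("it's", True), ("C:\\temp", False)):
        print(repr(text), "magic_quotes=%s" % mq, escape_pipeline(text, mq))
```

With magic quotes off, `it's` becomes `it''s`, draws no warning and is stored intact. With magic quotes on, the same input becomes `it\\''s`: the server warns about the backslash and stores `it\'s`, and that stray backslash is the classic symptom of escaping twice. The third case shows why Ondřej's "may or may not be linked" is the right reading: a plain backslash in user input (`C:\temp`) also produces the warning while being stored correctly, so the PostgreSQL warning alone does not prove double escaping, and in any case it is an escaping observation, whereas a Suhosin canary mismatch is a memory-safety check on the allocator.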

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#554684; Package php5-pgsql. (Fri, 06 Nov 2009 01:57:03 GMT) (full text, mbox, link).


Acknowledgement sent to Gunnar Wolf <gwolf@gwolf.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Fri, 06 Nov 2009 01:57:03 GMT) (full text, mbox, link).


Message #15 received at 554684@bugs.debian.org (full text, mbox, reply):

From: Gunnar Wolf <gwolf@gwolf.org>
To: sean finney <seanius@debian.org>
Cc: 554684@bugs.debian.org
Subject: Re: [php-maint] Bug#554684: php5-pgsql: Suhosin alerts about heap overflows
Date: Thu, 5 Nov 2009 19:41:41 -0600
sean finney dijo [Fri, Nov 06, 2009 at 12:16:59AM +0100]:
> On Thu, Nov 05, 2009 at 04:34:03PM -0600, Gunnar Wolf wrote:
> > function db_escape_string($text) {
> >   return pg_escape_string($text);
> > }
>  
> > 2009-11-04 06:25:29 CST [30578]WARNING:  nonstandard use of \\ in a string literal at character 25
> 
> hm... maybe this is a result of pg_escape_string and magic_quotes_<foo>
> used together?

In that case, this should be reassigned to drupal6, as they are
applying the escapings in the wrong order, right?

Now, in that case... I wonder why I don't get this warning more
often. As I said in the report, the site in question had its comments
open to spammers (although they were piling up awaiting the
administrator's authorization). I have closed the comments for now, but
would surely like to know what causes this.

FWIW, I do _not_ think this is caused by magic_quotes as a global
configuration setting, as it is explicitly turned off at the site in
question. 

-- 
Gunnar Wolf • gwolf@gwolf.org • (+52-55)5623-0154 / 1451-2244




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#554684; Package php5-pgsql. (Tue, 12 Jan 2010 07:18:06 GMT) (full text, mbox, link).


Acknowledgement sent to Ondřej Surý <ondrej@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Tue, 12 Jan 2010 07:18:06 GMT) (full text, mbox, link).


Message #20 received at 554684@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@debian.org>
To: Gunnar Wolf <gwolf@gwolf.org>, 554684@bugs.debian.org
Subject: Re: [php-maint] Bug#554684: Bug#554684: php5-pgsql: Suhosin alerts about heap overflows
Date: Tue, 12 Jan 2010 08:16:20 +0100
Gunnar,

do you think you can retest this bug with php5-pgsql from unstable?

I.e.:

apt-get install php5-dev # from stable
dget http://ftp.debian.org/debian/pool/main/p/php5/php5_5.2.12.dfsg.1-2.dsc
cd php5-5.2.12/ext/pgsql
phpize
./configure
make
make install
(or something like that, I'm writing it off the top of my head)

This should allow you to upgrade just the module rather than the whole
of php5. This would tell us whether we need to look after the issue in
SVN (and fix the unstable version as well) or whether we just need to
fix it in stable.

On Fri, Nov 6, 2009 at 02:41, Gunnar Wolf <gwolf@gwolf.org> wrote:
> sean finney dijo [Fri, Nov 06, 2009 at 12:16:59AM +0100]:
>> On Thu, Nov 05, 2009 at 04:34:03PM -0600, Gunnar Wolf wrote:
>> > function db_escape_string($text) {
>> >   return pg_escape_string($text);
>> > }
>>
>> > 2009-11-04 06:25:29 CST [30578]WARNING:  nonstandard use of \\ in a string literal at character 25
>>
>> hm... maybe this is a result of pg_escape_string and magic_quotes_<foo>
>> used together?
>
> In such case, this should be reassigned to drupal6 as they are
> applying the escapings in the wrong order, right?

This may or may not be linked together. It could just be separate
issues. But it could also be a result of suhosin patch canary
mismatch.

> Now, in such case... I wonder why I don't get this warning more
> often. As I said in the report, the site in question had its comments
> open for spammers (although they were piling for administrator's
> authorization). I have closed the comments for now, but would surely
> like to know what causes this.

I have seen reports of php5 going wrong after some time. Do you have
php5-suhosin package installed by any chance?

> FWIW, I do _not_ think this is caused by magic_quotes as a global
> configuration setting, as it is explicitly turned off at the site in
> question.

Yup, I do not think that this is caused by magic_quotes.

Ondrej
-- 
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#554684; Package php5-pgsql. (Tue, 12 Jan 2010 13:39:06 GMT) (full text, mbox, link).


Acknowledgement sent to Gunnar Wolf <gwolf@gwolf.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Tue, 12 Jan 2010 13:39:06 GMT) (full text, mbox, link).


Message #25 received at 554684@bugs.debian.org (full text, mbox, reply):

From: Gunnar Wolf <gwolf@gwolf.org>
To: Ondřej Surý <ondrej@debian.org>
Cc: 554684@bugs.debian.org
Subject: Re: [php-maint] Bug#554684: Bug#554684: php5-pgsql: Suhosin alerts about heap overflows
Date: Tue, 12 Jan 2010 07:38:05 -0600
tags 554684 + unreproducible
thanks

Ondřej Surý dijo [Tue, Jan 12, 2010 at 08:16:20AM +0100]:
> Gunnar,
> 
> do you think you can retest this bug with php5-pgsql from unstable?
> 
> Ie.
> (...)
> This should allow you to not upgrade whole php5 just the module. This
> could lead us if we need to look after the issue in SVN (and fix the
> unstable version as well) or if we just need to fix it in stable.

Hi,

Sadly, I cannot reproduce this anymore. Since November (precisely two
days before filing this bug), I have not logged any new similar
reports. 

I am tagging the bug as unreproducible. Just FWIW, here are all the
occurrences I got. Note they appear seemingly out of order, as I
separate the logs based on the virtualhost:

/var/log/apache2$ zcat *error*gz | grep ALERT 
[Tue Nov 03 07:05:43 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Wed Nov 04 06:25:21 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Sun Nov 01 01:04:52 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Tue Oct 20 02:24:29 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Thu Oct 22 02:24:27 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Wed Oct 14 13:06:30 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Fri Oct 16 12:25:27 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Fri Oct 16 21:04:43 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Sun Oct 18 09:05:15 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Mon Oct 19 06:04:32 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Wed Oct 07 02:05:13 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Sun Oct 11 08:24:50 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Mon Oct 12 03:04:59 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Tue Sep 29 10:04:44 2009] [error] [client 132.248.72.141] ALERT - linked list corrupt on efree() - heap corruption detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.inc', line 205)
[Fri Oct 02 04:05:05 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Mon Oct 05 03:04:47 2009] [error] [client 132.248.72.141] ALERT - linked list corrupt on efree() - heap corruption detected (attacker '132.248.72.141', file '/usr/share/drupal6/modules/search/search.module', line 292)
[Mon Sep 28 06:05:04 2009] [error] [client 132.248.72.141] ALERT - linked list corrupt on efree() - heap corruption detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.inc', line 205)
[Tue Sep 29 01:05:02 2009] [error] [client 132.248.72.141] ALERT - linked list corrupt on efree() - heap corruption detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 138)
[Tue Aug 18 04:25:04 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)


-- 
Gunnar Wolf • gwolf@gwolf.org • (+52-55)5623-0154 / 1451-2244
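A small triage script produces the summary the reporter assembled by hand with grep: which Suhosin check fired, at which file and line, how the frequency changed over time, and whether the logged "attacker" is really the local host. This Python block is added here and is not part of the bug report; SAMPLE_LOG is the page's own set of ALERT lines quoted just above, the regular expression is my assumption about the Suhosin log format derived from those lines only, and any other Apache error line is ignored.

```python
import re
from collections import Counter
from datetime import datetime

# The Suhosin ALERT lines quoted in message #25 of this bug log (page data, not constructed).
SAMPLE_LOG = """\
[Tue Nov 03 07:05:43 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Wed Nov 04 06:25:21 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Sun Nov 01 01:04:52 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Tue Oct 20 02:24:29 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Thu Oct 22 02:24:27 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Wed Oct 14 13:06:30 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Fri Oct 16 12:25:27 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Fri Oct 16 21:04:43 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Sun Oct 18 09:05:15 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Mon Oct 19 06:04:32 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Wed Oct 07 02:05:13 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Sun Oct 11 08:24:50 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Mon Oct 12 03:04:59 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Tue Sep 29 10:04:44 2009] [error] [client 132.248.72.141] ALERT - linked list corrupt on efree() - heap corruption detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.inc', line 205)
[Fri Oct 02 04:05:05 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Mon Oct 05 03:04:47 2009] [error] [client 132.248.72.141] ALERT - linked list corrupt on efree() - heap corruption detected (attacker '132.248.72.141', file '/usr/share/drupal6/modules/search/search.module', line 292)
[Mon Sep 28 06:05:04 2009] [error] [client 132.248.72.141] ALERT - linked list corrupt on efree() - heap corruption detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.inc', line 205)
[Tue Sep 29 01:05:02 2009] [error] [client 132.248.72.141] ALERT - linked list corrupt on efree() - heap corruption detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 138)
[Tue Aug 18 04:25:04 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
"""

# Assumed Suhosin ALERT layout, derived only from the lines above.
ALERT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"ALERT - (?P<check>.+?) - (?P<what>.+?) "
    r"\(attacker '(?P<attacker>[^']+)', file '(?P<file>[^']+)', line (?P<line>\d+)\)$"
)


def parse_alert(line: str):
    """Return a dict for one Suhosin ALERT line, or None for any other log line."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%a %b %d %H:%M:%S %Y")
    ev["line"] = int(ev["line"])
    return ev


def summarize(log_text: str) -> dict:
    """Triage view: which check fired, where, how often, and from which clients."""
    events = [ev for ev in map(parse_alert, log_text.splitlines()) if ev]
    events.sort(key=lambda ev: ev["ts"])  # per-vhost logs were concatenated out of order
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(events, events[1:])]
    return {
        "total": len(events),
        "by_check": Counter(ev["check"] for ev in events),
        "by_location": Counter((ev["file"], ev["line"]) for ev in events),
        "clients": sorted({ev["client"] for ev in events}),
        "first": events[0]["ts"] if events else None,
        "last": events[-1]["ts"] if events else None,
        "min_gap_seconds": min(gaps) if gaps else None,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["total"], "alerts between", s["first"], "and", s["last"])
    for check, n in s["by_check"].most_common():
        print("%3d  %s" % (n, check))
    for (path, line), n in s["by_location"].most_common():
        print("%3d  %s:%d" % (n, path, line))
    print("clients:", s["clients"], "shortest gap (s):", s["min_gap_seconds"])
```

On this data all 19 alerts carry the server's own address as both client and "attacker", which matches the reporter's note that 132.248.72.141 is the machine itself; 15 are erealloc() canary mismatches at database.pgsql.inc line 364 and 4 are efree() linked-list corruptions spread over three other locations. Sorting by timestamp matters because the concatenated per-virtualhost logs are not in order; once sorted, the shortest gap between alerts drops to under nine hours in October, which is the rise in frequency the first message describes.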




Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Sat, 27 Feb 2010 16:27:14 GMT) (full text, mbox, link).


Notification sent to Gunnar Wolf <gwolf@gwolf.org>:
Bug acknowledged by developer. (Sat, 27 Feb 2010 16:27:14 GMT) (full text, mbox, link).


Message #30 received at 554684-done@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>
To: 554684-done@bugs.debian.org
Subject: Re: [php-maint] Bug#554684: Bug#554684: Bug#554684: php5-pgsql: Suhosin alerts about heap overflows
Date: Sat, 27 Feb 2010 17:21:11 +0100
Hi Gunnar,

On Tuesday, 12 January 2010, Gunnar Wolf wrote:
> Sadly, I cannot reproduce this anymore. Since November (precisely two
> days before filing this bug), I have not logged any new similar
> reports. 
> 
> I am tagging the bug as unreproducible.

As the bug is marked as a serious bug, we need to do something with it either 
way. So as this has been unreproducible since November and there haven't been 
similar reports, I think closing it is the best option here. It can always be 
reopened when it can be reproduced again.


cheers,
Thijs




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 28 Mar 2010 07:42:50 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 03:07:13 2023; Machine Name: buxtehude
