Debian Bug report logs -
#565387
php5-odbc: odbc_fetch_object() causes heap corruption on 64bit systems
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, peterpan@mailinator.com, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#565387; Package php5-odbc.
(Fri, 15 Jan 2010 11:57:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Peter Pan <peterpan@mailinator.com>:
New Bug report received and forwarded. Copy sent to peterpan@mailinator.com, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Fri, 15 Jan 2010 11:57:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: php5-odbc
Version: 5.2.6.dfsg.1-1+lenny4
Severity: important
http://bugs.php.net/bug.php?id=50370
I have a page which reproducibly overwrites non alloc'd memory (a write
of 8 bytes instead of 4 bytes at the end of the range). It is caused by
the call odbc_fetch_object() and the bad write in libtdsodbc.so.
Apparently in php_odbc_includes.h a len is declared as
SDWORD which is only 32-bit while should be 64-bit (SQLLEN).
Php error Log:
ALERT - canary mismatch on efree() - heap overflow detected (attacker 'x.x.x.x', file '.../DbTest.php')
-- System Information:
Debian Release: 5.0.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-2-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages php5-odbc depends on:
ii libapache2-mod-php 5.2.6.dfsg.1-1+lenny4 server-side, HTML-embedded scripti
ii libc6 2.7-18 GNU C Library: Shared libraries
ii php5-cli [phpapi-2 5.2.6.dfsg.1-1+lenny4 command-line interpreter for the p
ii php5-common 5.2.6.dfsg.1-1+lenny4 Common files for packages built fr
ii unixodbc 2.2.11-16 ODBC tools libraries
php5-odbc recommends no packages.
php5-odbc suggests no packages.
-- no debconf information
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#565387; Package php5-odbc.
(Fri, 15 Jan 2010 21:36:11 GMT) (full text, mbox, link).
Acknowledgement sent
to Raphael Geissert <geissert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Fri, 15 Jan 2010 21:36:11 GMT) (full text, mbox, link).
Message #10 received at 565387@bugs.debian.org (full text, mbox, reply):
forwarded 565387 http://bugs.php.net/bug.php?id=50370
thanks
Will take a look at it and fix it in the next stable upload.
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#565387; Package php5-odbc.
(Mon, 22 Feb 2010 22:30:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Raphael Geissert <geissert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Mon, 22 Feb 2010 22:30:09 GMT) (full text, mbox, link).
Message #17 received at 565387@bugs.debian.org (full text, mbox, reply):
tag 565387 pending
thanks
Date: Fri Feb 5 14:11:25 2010 -0600
Author: Raphael Geissert <geissert@debian.org>
Commit ID: 91355ceda1fb91edabf96bdb1aaddeb783b27586
Commit URL: http://git.debian.org/?p=pkg-php/php.git;a=commitdiff;h=91355ceda1fb91edabf96bdb1aaddeb783b27586
Patch URL: http://git.debian.org/?p=pkg-php/php.git;a=commitdiff_plain;h=91355ceda1fb91edabf96bdb1aaddeb783b27586
Fix a heap overflow in the odbc extension (Closes: #565387)
Added tag(s) pending.
Request was from Raphael Geissert <geissert@debian.org>
to control@bugs.debian.org.
(Mon, 22 Feb 2010 22:30:10 GMT) (full text, mbox, link).
Reply sent
to Ondřej Surý <ondrej@sury.org>:
You have taken responsibility.
(Wed, 27 Apr 2011 08:34:18 GMT) (full text, mbox, link).
Notification sent
to Peter Pan <peterpan@mailinator.com>:
Bug acknowledged by developer.
(Wed, 27 Apr 2011 08:34:18 GMT) (full text, mbox, link).
Message #24 received at 565387-done@bugs.debian.org (full text, mbox, reply):
Version: 5.3.3-7
Hi,
since lenny is oldstable it will not get any updates now (except
security)[1], I am closing all segfault bugs filled against php5 in
lenny. (This is kind of saying that we don't care much about php5 in
lenny anymore).
If you believe the bug is still there, please provide evidence[2] and
a (preferably complete) test case with up-to-date squeeze (and/or
testing or unstable) version of php5 and reopen the bug.
O.
1. http://wiki.debian.org/PHP#Notes_on_PHP_and_security
2. Install php5-dbg and provide backtrace:
http://bugs.php.net/bugs-generating-backtrace.php
--
Ondřej Surý <ondrej@sury.org>
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 26 May 2011 07:41:24 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sun Jul 2 01:12:49 2023;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.