Fwd: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes): msg#00001 db.postgresql.odbc

Hi psqlodbc developers!

We (the Debian maintainers of postgresql) just got the following bug report. Unfortunately I don't have any personal experience with the package, I came to it more or less by accident (long story, does not belong here). Can anybody please confirm this and does anybody have a solution? A patch against the current version 07.03.0200 would be greatly appreciated!

The stable version of Debian still has PostgreSQL 7.2.1 which included the odbc driver. Is this version affected as well?

Thank you very much in advance and have a nice day!

Martin

----- Forwarded message from delman <delman@xxxxxxxxxxxxx> -----

Subject: Bug#247306: odbc-postgresql: SIGSEGV with long inputs (> 10000 bytes)
Reply-To: delman <delman@xxxxxxxxxxxxx>, 247306@xxxxxxxxxxxxxxx
From: delman <delman@xxxxxxxxxxxxx>
To: Debian Bug Tracking System <submit@xxxxxxxxxxxxxxx>
Date: Tue, 04 May 2004 15:25:24 +0200
X-Spam-Status: No, hits=0.0 required=4.0 tests=SUBJ_BRACKET_BALANCED,
    SUBJ_BRACKET_OFF,SUBJ_BRACKET_ON autolearn=no version=2.61

Package: odbc-postgresql
Version: 1:07.03.0200-2
Severity: grave
Tags: security
Justification: user security hole

I noticed Apache segfaulting when I feed a simple form with long inputs:

    [Tue May 4 11:32:10 2004] [notice] child pid 4084 exit signal Segmentation fault (11)

Such inputs are used by php function odbc_connect as username and password to connect to a DSN using postgresql driver:

    $connection = @odbc_connect(DSN, $_POST['username'], $_POST['password'])

The output of gdb is:

    (gdb) run -X -d apache
    [...]
    [Thread debugging using libthread_db enabled]
    [...]
    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 1076569920 (LWP 832)]
    0x44c3d627 in SOCK_put_next_byte () from /usr/lib/postgresql/lib/psqlodbc.so

Or:

    [same stuff here]
    0x44c4c3d0 in strncpy_null () from /usr/lib/postgresql/lib/psqlodbc.so

I suspect a security issue because playing around with long input strings of "A" I've been able to trigger in Apache error.log this message:

    free(): invalid pointer 0x41414141!

0x41 is obviously one of my "A"... Other ODBC related messages found are:

    /usr/sbin/apache: relocation error: AAAA[...]AAA: symbol getDSNdefaults, version not defined in file with link time reference

The SIGSEGV is triggered with input strings > 10000 bytes.

I use Apache/1.3.29 (Debian GNU/Linux) PHP/4.3.4 mod_auth_pam/1.1.1 mod_ssl/2.8.16 OpenSSL/0.9.7c

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.4
Locale: LANG=C, LC_CTYPE=C

Versions of packages odbc-postgresql depends on:
ii  libc6       2.3.2.ds1-11   GNU C Library: Shared libraries an
ii  odbcinst1   2.2.4-9        Support library and helper program

-- no debconf information

----- End forwarded message -----

--
Martin Pitt
Debian GNU/Linux Developer
martin@xxxxxxxxx mpitt@xxxxxxxxxx
http://www.piware.de http://www.debian.org

---------------------------(end of broadcast)---------------------------
TIP 3: if posting/reading through Usenet, please send an appropriate
subscribe-nomail command to majordomo@xxxxxxxxxxxxxx so that your
message can get through to the mailing list cleanly
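
A log-triage sketch for the symptoms reported above, added here as an example (it is not part of the original message and not psqlodbc or Debian code): it scans an Apache error.log for the child segfault, the free() message and the loader's relocation error, and flags pointers or library names that decode to printable input bytes. The sample lines are constructed from the messages quoted in the report; the function names and finding labels are assumptions.

```python
import re

# Sample error.log lines, constructed from the messages quoted in the report.
SAMPLE_LOG = """\
[Tue May  4 11:32:10 2004] [notice] child pid 4084 exit signal Segmentation fault (11)
free(): invalid pointer 0x41414141!
/usr/sbin/apache: relocation error: AAAAAAAAAAAAAAAA: symbol getDSNdefaults, version not defined in file with link time reference
[Tue May  4 11:33:02 2004] [notice] Apache/1.3.29 (Debian GNU/Linux) configured -- resuming normal operations
"""

SEGV_RE = re.compile(r"child pid (\d+) exit signal Segmentation fault \(11\)")
FREE_RE = re.compile(r"free\(\): invalid pointer (0x[0-9a-fA-F]{1,16})")
RELOC_RE = re.compile(r"relocation error: (.+?): symbol (\S+?),")


def pointer_as_text(ptr_hex):
    """Return the pointer's bytes as text if every byte is printable ASCII, else None."""
    value = int(ptr_hex, 16)
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "little")
    if all(0x20 <= b <= 0x7E for b in raw):
        return raw.decode("ascii")
    return None


def triage(log_text):
    """Classify each line; return a list of (line_number, kind, detail) findings."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = SEGV_RE.search(line)
        if m:
            findings.append((n, "child-segv", "pid " + m.group(1)))
            continue
        m = FREE_RE.search(line)
        if m:
            text = pointer_as_text(m.group(1))
            kind = "input-in-pointer" if text else "heap-corruption"
            findings.append((n, kind, text or m.group(1)))
            continue
        m = RELOC_RE.search(line)
        if m and len(set(m.group(1))) == 1:
            # A "library name" made of one repeated character is overwritten data.
            findings.append((n, "input-in-loader-path", m.group(2)))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A finding of kind input-in-pointer or input-in-loader-path means request data reached memory the allocator or dynamic loader later trusted, which is the reason the report is tagged as a security issue and not just a crash.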