Your message dated Sat, 27 Feb 2010 17:21:11 +0100
with message-id <201002271721.11226.th...@debian.org>
and subject line Re: [php-maint] Bug#554684: Bug#554684: Bug#554684: php5-pgsql: Suhosin alerts about heap overflows
has caused the Debian Bug report #554684,
regarding php5-pgsql: Suhosin alerts about heap overflows
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
554684: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=554684
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: php5-pgsql
Version: 5.2.6.dfsg.1-1+lenny3
Severity: serious
Tags: security

I am not sure on the impact of this bug, but if the main PHP escaping
function for PostgreSQL is mis-escaping strings, it can
_quite_probably_ be a serious security bug. Feel free to adjust
severity. 

I have been getting the following message on my Apache logs:

[error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)

Note that 132.248.72.141 is the same server where this is reported,
and lines 363-365 of the reported file are:

function db_escape_string($text) {
  return pg_escape_string($text);
}

I cannot establish what user action is causing this to be triggered,
but -having a very limited dataset to judge from- its frequency has
been slightly increasing since I first detected it (August 18) - From
two weeks between first and second sight to about once a day.

I am looking at log files starting in early August. I am attaching
here (filename: alerts) the output of:

( zcat error.log.{18,17,16,15,14,13,12,11,10,9,8,7,6,5,4,3,2}.gz; cat error.log{.1,} ) | grep ALERT

The times of the log messages roughly match comment additions on the
Drupal system in question (which was completely open to spammers and I
have just closed for comments). I am attaching also a comment example
(filename: spammy) where the timestamp is closest to the latest
event - It does not look atypical in any way, but the result might
not have been properly received...

...Hmm, thinking it over, I found this in the PostgreSQL log at
the right time:

2009-11-04 06:25:29 CST [30578]LOG:  connection received: host=127.0.0.1 port=39334
2009-11-04 06:25:29 CST [30578]LOG:  connection authorized: user=drupal_obela database=drupal_obela
2009-11-04 06:25:29 CST [30578]WARNING:  nonstandard use of \\ in a string literal at character 25
2009-11-04 06:25:29 CST [30578]HINT:  Use the escape string syntax for backslashes, e.g., E'\\'.
2009-11-04 06:25:29 CST [30578]WARNING:  nonstandard use of \\ in a string literal at character 90
2009-11-04 06:25:29 CST [30578]HINT:  Use the escape string syntax for backslashes, e.g., E'\\'.

And yes, that would support my theory, that pg_escape_string is
failing to escape _something_.

Thanks,

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (900, 'stable'), (200, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages php5-pgsql depends on:
ii  libapache2-mod-php 5.2.6.dfsg.1-1+lenny3 server-side, HTML-embedded scripti
ii  libc6              2.7-18                GNU C Library: Shared libraries
ii  libpq5             8.3.8-0lenny1         PostgreSQL C client library
ii  php5-cgi [phpapi-2 5.2.6.dfsg.1-1+lenny3 server-side, HTML-embedded scripti
ii  php5-cli [phpapi-2 5.2.6.dfsg.1-1+lenny3 command-line interpreter for the p
ii  php5-common        5.2.6.dfsg.1-1+lenny3 Common files for packages built fr

php5-pgsql recommends no packages.

php5-pgsql suggests no packages.

-- no debconf information

# SELECT * from comments where timestamp > 1257337500 and timestamp < 1257337600;
cid       | 91845
pid       | 0
nid       | 348
uid       | 0
subject   | YnRFrcYXCSacEMRs
comment   | Thank you for this article. <a href="http://thedigitallifestyle.com/cs/members/skimtube-skimtube-penny-porsche/default.aspx">penny porsche skimtube</a> beepgirl <a href="http://thedigitallifestyle.com/cs/members/tehvids-tehvid/default.aspx">tehvids</a> jimboy <a href="http://thedigitallifestyle.com/cs/members/tiava-ask-tiava/default.aspx">tiava tube isis love</a> tunquelen
hostname  | 94.102.63.32
timestamp | 1257337537
status    | 0
format    | 1
thread    | 21ti/
name      |
mail      |
homepage  |
(1 row)

[Tue Aug 18 04:25:04 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Mon Sep 28 06:05:04 2009] [error] [client 132.248.72.141] ALERT - linked list corrupt on efree() - heap corruption detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.inc', line 205)
[Tue Sep 29 01:05:02 2009] [error] [client 132.248.72.141] ALERT - linked list corrupt on efree() - heap corruption detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 138)
[Tue Sep 29 10:04:44 2009] [error] [client 132.248.72.141] ALERT - linked list corrupt on efree() - heap corruption detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.inc', line 205)
[Fri Oct 02 04:05:05 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Mon Oct 05 03:04:47 2009] [error] [client 132.248.72.141] ALERT - linked list corrupt on efree() - heap corruption detected (attacker '132.248.72.141', file '/usr/share/drupal6/modules/search/search.module', line 292)
[Wed Oct 07 02:05:13 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Sun Oct 11 08:24:50 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Mon Oct 12 03:04:59 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Wed Oct 14 13:06:30 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Fri Oct 16 12:25:27 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Fri Oct 16 21:04:43 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Sun Oct 18 09:05:15 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Mon Oct 19 06:04:32 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Tue Oct 20 02:24:29 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Thu Oct 22 02:24:27 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Sun Nov 01 01:04:52 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Tue Nov 03 07:05:43 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Wed Nov 04 06:25:21 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)

--- End Message ---
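An added triage helper, not part of the bug report, Drupal or PHP: it parses Suhosin ALERT lines in the shape shown in the 'alerts' attachment above, counts them per file and line, measures the gap between consecutive alerts (the frequency trend the reporter describes) and flags alerts whose 'attacker' address is the server's own, as it is in this report. Three sample lines are copied from the attachment; the fourth, non-ALERT line is constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Sample input: three lines copied from the 'alerts' attachment above, plus one
# constructed non-ALERT line to show that ordinary errors are skipped.
SAMPLE_LOG = """\
[Tue Aug 18 04:25:04 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Mon Sep 28 06:05:04 2009] [error] [client 132.248.72.141] ALERT - linked list corrupt on efree() - heap corruption detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.inc', line 205)
[Fri Oct 02 04:05:05 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Fri Oct 02 04:05:06 2009] [error] [client 132.248.72.141] File does not exist: /var/www/favicon.ico
"""

# One Suhosin ALERT as Apache's error log records it (shape taken from the report).
ALERT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"ALERT - (?P<kind>.+?) \(attacker '(?P<attacker>[^']+)', "
    r"file '(?P<file>[^']+)', line (?P<line>\d+)\)$"
)

def parse_alerts(text):
    """Return one dict per ALERT line, sorted by time; other lines are ignored."""
    alerts = []
    for raw in text.splitlines():
        m = ALERT_RE.match(raw.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%a %b %d %H:%M:%S %Y")
        d["line"] = int(d["line"])
        alerts.append(d)
    return sorted(alerts, key=lambda a: a["ts"])

def by_location(alerts):
    """Alert count per (kind, file, line): shows which code path dominates."""
    return Counter((a["kind"], a["file"], a["line"]) for a in alerts)

def gaps_in_days(alerts):
    """Days between consecutive alerts; a shrinking gap is the trend the report describes."""
    return [(b["ts"] - a["ts"]).total_seconds() / 86400
            for a, b in zip(alerts, alerts[1:])]

def self_attributed(alerts, own_addrs):
    """Alerts whose 'attacker' address is the server's own, as in this report."""
    return [a for a in alerts if a["attacker"] in own_addrs]

if __name__ == "__main__":
    found = parse_alerts(SAMPLE_LOG)
    print(by_location(found).most_common())
    print([round(g, 1) for g in gaps_in_days(found)], len(self_attributed(found, {"132.248.72.141"})))
```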
--- Begin Message ---
Hi Gunnar,

On Tuesday 12 January 2010, Gunnar Wolf wrote:
> Sadly, I cannot reproduce this anymore. Since November (precisely two
> days before filing this bug), I have not logged any new similar
> reports. 
> 
> I am tagging the bug as unreproducible.

As the bug is marked as a serious bug, we need to do something with it either 
way. So as this has been unreproducible since November and there haven't been 
similar reports, I think closing it is the best option here. It can always be 
reopened when it can be reproduced again.


cheers,
Thijs


--- End Message ---
