Bug#554684: [php-maint] Bug#554684: Bug#554684: php5-pgsql: Suhosin alerts about heap overflows
tags 554684 + unreproducible
thanks

Ondřej Surý dijo [Tue, Jan 12, 2010 at 08:16:20AM +0100]:
> Gunnar,
>
> do you think you can retest this bug with php5-pgsql from unstable?
>
> Ie.
> (...)
> This should allow you to not upgrade whole php5 just the module. This
> could lead us if we need to look after the issue in SVN (and fix the
> unstable version as well) or if we just need to fix it in stable.

Hi,

Sadly, I cannot reproduce this anymore. Since November (precisely two
days before filing this bug), I have not logged any new similar
reports. I am tagging the bug as unreproducible.

Just FWIW, here are all the occurrences I got. Note they appear
seemingly out of order, as I separate the logs based on the
virtualhost:

/var/log/apache2$ zcat *error*gz | grep ALERT
[Tue Nov 03 07:05:43 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Wed Nov 04 06:25:21 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Sun Nov 01 01:04:52 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Tue Oct 20 02:24:29 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Thu Oct 22 02:24:27 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Wed Oct 14 13:06:30 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Fri Oct 16 12:25:27 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Fri Oct 16 21:04:43 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Sun Oct 18 09:05:15 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Mon Oct 19 06:04:32 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Wed Oct 07 02:05:13 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Sun Oct 11 08:24:50 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Mon Oct 12 03:04:59 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Tue Sep 29 10:04:44 2009] [error] [client 132.248.72.141] ALERT - linked list corrupt on efree() - heap corruption detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.inc', line 205)
[Fri Oct 02 04:05:05 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Mon Oct 05 03:04:47 2009] [error] [client 132.248.72.141] ALERT - linked list corrupt on efree() - heap corruption detected (attacker '132.248.72.141', file '/usr/share/drupal6/modules/search/search.module', line 292)
[Mon Sep 28 06:05:04 2009] [error] [client 132.248.72.141] ALERT - linked list corrupt on efree() - heap corruption detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.inc', line 205)
[Tue Sep 29 01:05:02 2009] [error] [client 132.248.72.141] ALERT - linked list corrupt on efree() - heap corruption detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 138)
[Tue Aug 18 04:25:04 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)

-- 
Gunnar Wolf • gw...@gwolf.org • (+52-55)5623-0154 / 1451-2244
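As an added triage helper (not part of the thread, and not the reporter's or the php-maint team's code), the following Python parses Suhosin ALERT lines of the Apache 2.2 error_log shape shown above, groups them by alert kind and PHP file:line, and measures the spacing between hits; the sample lines are copied from the thread plus one constructed non-ALERT line to show filtering.

```python
# Added triage helper (not from the bug thread): parse the Suhosin ALERT lines
# out of an Apache error log, count them per alert kind and PHP file:line, and
# measure the spacing between hits. Sample lines are taken from the thread
# plus one constructed non-ALERT line to show filtering.
import re
from collections import Counter
from datetime import datetime

ALERT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"ALERT - (?P<alert>.+?) \(attacker '(?P<attacker>[^']+)', "
    r"file '(?P<file>[^']+)', line (?P<line>\d+)\)$"
)

SAMPLE_LOG = """\
[Tue Aug 18 04:25:04 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Mon Sep 28 06:05:04 2009] [error] [client 132.248.72.141] ALERT - linked list corrupt on efree() - heap corruption detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.inc', line 205)
[Tue Sep 29 10:04:50 2009] [error] [client 132.248.72.141] File does not exist: /var/www/favicon.ico
[Fri Oct 02 04:05:05 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Tue Nov 03 07:05:43 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
"""

def parse_alerts(lines):
    """Return Suhosin ALERT records, oldest first; other error-log lines are skipped."""
    records = []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
        rec["line"] = int(rec["line"])
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])

def summarize(records):
    """Hits per (alert kind, file, line): the grouping a maintainer asks for."""
    return Counter((r["alert"], r["file"], r["line"]) for r in records)

def gaps_in_days(records):
    """Days between consecutive hits; shrinking gaps are the trend described above."""
    return [round((b["ts"] - a["ts"]).total_seconds() / 86400, 1)
            for a, b in zip(records, records[1:])]

if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_LOG.splitlines())
    for key, n in summarize(recs).most_common():
        print(n, *key)
    print("gaps (days):", gaps_in_days(recs))
```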
Bug#554684: [php-maint] Bug#554684: Bug#554684: php5-pgsql: Suhosin alerts about heap overflows
Gunnar,

do you think you can retest this bug with php5-pgsql from unstable?

Ie.

apt-get install php5-dev # from stable
dget http://ftp.debian.org/debian/pool/main/p/php5/php5_5.2.12.dfsg.1-2.dsc
cd php5-5.2.12/ext/pgsql
phpize
./configure
make
make install

(or something like that, I'm writing it from the top of my head)

This should allow you to not upgrade whole php5 just the module. This
could lead us if we need to look after the issue in SVN (and fix the
unstable version as well) or if we just need to fix it in stable.

On Fri, Nov 6, 2009 at 02:41, Gunnar Wolf wrote:
> sean finney dijo [Fri, Nov 06, 2009 at 12:16:59AM +0100]:
>> On Thu, Nov 05, 2009 at 04:34:03PM -0600, Gunnar Wolf wrote:
>> > function db_escape_string($text) {
>> >   return pg_escape_string($text);
>> > }
>>
>> > 2009-11-04 06:25:29 CST [30578]WARNING: nonstandard use of \\ in a string
>> > literal at character 25
>>
>> hm... maybe this is a result of pg_escape_string and magic_quotes_
>> used together?
>
> In such case, this should be reassigned to drupal6 as they are
> applying the escapings in the wrong order, right?

This may or may not be linked together. It could just be separate
issues. But it could also be a result of suhosin patch canary mismatch.

> Now, in such case... I wonder why I don't get this warning more
> often. As I said in the report, the site in question had its comments
> open for spammers (although they were piling for administrator's
> authorization). I have closed the comments for now, but would surely
> like to know what causes this.

I have seen reports of php5 going wrong after some time. Do you have
php5-suhosin package installed by any chance?

> FWIW, I do _not_ think this is caused by magic_quotes as a global
> configuration setting, as it is explicitly turned off at the site in
> question.

Yup, I do not think that this is caused by magic_quotes.

Ondrej
-- 
Ondřej Surý
http://blog.rfc1925.org/

-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#554684: [php-maint] Bug#554684: php5-pgsql: Suhosin alerts about heap overflows
sean finney dijo [Fri, Nov 06, 2009 at 12:16:59AM +0100]:
> On Thu, Nov 05, 2009 at 04:34:03PM -0600, Gunnar Wolf wrote:
> > function db_escape_string($text) {
> >   return pg_escape_string($text);
> > }
>
> > 2009-11-04 06:25:29 CST [30578]WARNING: nonstandard use of \\ in a string
> > literal at character 25
>
> hm... maybe this is a result of pg_escape_string and magic_quotes_
> used together?

In such case, this should be reassigned to drupal6 as they are
applying the escapings in the wrong order, right?

Now, in such case... I wonder why I don't get this warning more
often. As I said in the report, the site in question had its comments
open for spammers (although they were piling for administrator's
authorization). I have closed the comments for now, but would surely
like to know what causes this.

FWIW, I do _not_ think this is caused by magic_quotes as a global
configuration setting, as it is explicitly turned off at the site in
question.

-- 
Gunnar Wolf • gw...@gwolf.org • (+52-55)5623-0154 / 1451-2244
Bug#554684: [php-maint] Bug#554684: php5-pgsql: Suhosin alerts about heap overflows
On Thu, Nov 05, 2009 at 04:34:03PM -0600, Gunnar Wolf wrote:
> function db_escape_string($text) {
>   return pg_escape_string($text);
> }

> 2009-11-04 06:25:29 CST [30578]WARNING: nonstandard use of \\ in a string
> literal at character 25

hm... maybe this is a result of pg_escape_string and magic_quotes_
used together?

	sean
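To make the double-escaping hypothesis raised in this message (and discussed in the two replies above) concrete, here is an added Python model that is not part of the thread and not PHP's or libpq's own code: addslashes() stands in for what magic_quotes_gpc does to input, pg_escape_string() for libpq's PQescapeString with standard_conforming_strings off (the PostgreSQL 8.3 default), and flagged_literals() approximates which plain string literals PostgreSQL 8.x would warn about; the assumption that the server reports one warning per literal, positioned at the literal's start, is mine.

```python
# Python model (assumption, not PHP itself) of the two escaping layers the
# thread discusses: magic_quotes_gpc's addslashes() and pg_escape_string()
# with standard_conforming_strings off (the PostgreSQL 8.3 default).

def addslashes(text: str) -> str:
    """Model of PHP addslashes(): backslash before ' " and \\ (NUL omitted)."""
    return "".join("\\" + c if c in "'\"\\" else c for c in text)

def pg_escape_string(text: str, std_strings: bool = False) -> str:
    """Model of libpq PQescapeString: ' is doubled; \\ is doubled too
    unless standard_conforming_strings is on."""
    return "".join(c + c if c == "'" or (c == "\\" and not std_strings) else c
                   for c in text)

def build_query(user_text: str, magic_quotes: bool) -> str:
    """SQL the db_escape_string() path yields, with or without magic_quotes_gpc
    having already run addslashes() on the input."""
    stage1 = addslashes(user_text) if magic_quotes else user_text
    return "SELECT '" + pg_escape_string(stage1) + "'"

def flagged_literals(query: str) -> list:
    """1-based start positions of plain '...' literals that contain a backslash,
    i.e. the ones PostgreSQL 8.x warns about (E'...' literals are exempt).
    Assumes one warning per literal, reported at the literal's start."""
    flagged, i = [], 0
    while i < len(query):
        if query[i] != "'":
            i += 1
            continue
        escape_syntax = i > 0 and query[i - 1] in "Ee" and (i < 2 or not query[i - 2].isalnum())
        start, has_backslash, i = i + 1, False, i + 1
        while i < len(query):
            c = query[i]
            if c == "\\":                 # backslash escapes the next character
                has_backslash, i = True, i + 2
            elif c == "'" and i + 1 < len(query) and query[i + 1] == "'":
                i += 2                    # doubled quote stays inside the literal
            elif c == "'":
                break                     # closing quote
            else:
                i += 1
        if has_backslash and not escape_syntax:
            flagged.append(start)
        i += 1
    return flagged

if __name__ == "__main__":
    for mq in (False, True):
        q = build_query("it's", mq)
        print(f"magic_quotes={mq}: {q} -> warned literals at {flagged_literals(q)}")
```

With magic_quotes off the literal is a clean `'it''s'`; with it on, the backslash that addslashes() inserted gets doubled by pg_escape_string(), which is exactly the pattern PostgreSQL's "nonstandard use of \\" warning is about.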
Bug#554684: php5-pgsql: Suhosin alerts about heap overflows
Package: php5-pgsql
Version: 5.2.6.dfsg.1-1+lenny3
Severity: serious
Tags: security

I am not sure on the impact of this bug, but if the main PHP escaping
function for PostgreSQL is mis-escaping strings, it can
_quite_probably_ be a serious security bug. Feel free to adjust
severity.

I have been getting the following message on my Apache logs:

[error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)

Note that 132.248.72.141 is the same server where this is reported, and
lines 363-365 of the reported file are:

function db_escape_string($text) {
  return pg_escape_string($text);
}

I cannot establish what user action is causing this to be triggered,
but -having a very limited dataset to judge from- its frequency has
been slightly increasing since I first detected it (August 18) - From
two weeks between first and second sight to about once a day. I am
looking at log files starting in early August. I am attaching here
(filename: alerts) the output of:

( zcat error.log.{18,17,16,15,14,13,12,11,10,9,8,7,6,5,4,3,2}.gz; cat error.log{.1,} ) | grep ALERT

The times of the log messages roughly match comment additions on the
Drupal system in question (which was completely open to spammers and I
have just closed for comments). I am attaching also a comment example
(filename: spammy) where the timestamp is closest to the latest event -
It does not look atypical in any way, but the result might have not
been properly received...

...Hmm, thinking about it over, I found this in the PostgreSQL log at
the right time:

2009-11-04 06:25:29 CST [30578]LOG: connection received: host=127.0.0.1 port=39334
2009-11-04 06:25:29 CST [30578]LOG: connection authorized: user=drupal_obela database=drupal_obela
2009-11-04 06:25:29 CST [30578]WARNING: nonstandard use of \\ in a string literal at character 25
2009-11-04 06:25:29 CST [30578]HINT: Use the escape string syntax for backslashes, e.g., E'\\'.
2009-11-04 06:25:29 CST [30578]WARNING: nonstandard use of \\ in a string literal at character 90
2009-11-04 06:25:29 CST [30578]HINT: Use the escape string syntax for backslashes, e.g., E'\\'.

And yes, that would support my theory, that pg_escape_string is
failing to escape _something_.

Thanks,

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (900, 'stable'), (200, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages php5-pgsql depends on:
ii  libapache2-mod-php  5.2.6.dfsg.1-1+lenny3  server-side, HTML-embedded scripti
ii  libc6               2.7-18                 GNU C Library: Shared libraries
ii  libpq5              8.3.8-0lenny1          PostgreSQL C client library
ii  php5-cgi [phpapi-2  5.2.6.dfsg.1-1+lenny3  server-side, HTML-embedded scripti
ii  php5-cli [phpapi-2  5.2.6.dfsg.1-1+lenny3  command-line interpreter for the p
ii  php5-common         5.2.6.dfsg.1-1+lenny3  Common files for packages built fr

php5-pgsql recommends no packages.

php5-pgsql suggests no packages.

-- no debconf information

# SELECT * from comments where timestamp > 1257337500 and timestamp < 1257337600;
  cid  | pid | nid | uid |     subject      | comment | hostname | timestamp | status | format | thread | name | mail | homepage
-------+-----+-----+-----+------------------+---------+----------+-----------+--------+--------+--------+------+------+----------
 91845 |   0 | 348 |   0 | YnRFrcYXCSacEMRs | Thank you for this article. http://thedigitallifestyle.com/cs/members/skimtube-skimtube-penny-porsche/default.aspx penny porsche skimtube beepgirl http://thedigitallifestyle.com/cs/members/tehvids-tehvid/default.aspx tehvids jimboy http://thedigitallifestyle.com/cs/members/tiava-ask-tiava/default.aspx tiava tube isis love tunquelen | 94.102.63.32 | 1257337537 | 0 | 1 | 21ti/ | | |
(1 row)

[Tue Aug 18 04:25:04 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/inc