Bug#554684: [php-maint] Bug#554684: Bug#554684: php5-pgsql: Suhosin alerts about heap overflows

2010-01-12 Thread Gunnar Wolf
tags 554684 + unreproducible
thanks

Ondřej Surý said [Tue, Jan 12, 2010 at 08:16:20AM +0100]:
> Gunnar,
> 
> do you think you can retest this bug with php5-pgsql from unstable?
> 
> Ie.
> (...)
> This should allow you not to upgrade the whole php5, just the module. This
> could tell us whether we need to look after the issue in SVN (and fix the
> unstable version as well) or just need to fix it in stable.

Hi,

Sadly, I cannot reproduce this anymore. Since November (precisely two
days before filing this bug), I have not logged any new similar
reports. 

I am tagging the bug as unreproducible. Just FWIW, here are all the
occurrences I got. Note they appear seemingly out of order, as I
separate the logs based on the virtualhost:

/var/log/apache2$ zcat *error*gz | grep ALERT
[Tue Nov 03 07:05:43 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Wed Nov 04 06:25:21 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Sun Nov 01 01:04:52 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Tue Oct 20 02:24:29 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Thu Oct 22 02:24:27 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Wed Oct 14 13:06:30 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Fri Oct 16 12:25:27 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Fri Oct 16 21:04:43 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Sun Oct 18 09:05:15 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Mon Oct 19 06:04:32 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Wed Oct 07 02:05:13 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Sun Oct 11 08:24:50 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Mon Oct 12 03:04:59 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Tue Sep 29 10:04:44 2009] [error] [client 132.248.72.141] ALERT - linked list corrupt on efree() - heap corruption detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.inc', line 205)
[Fri Oct 02 04:05:05 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)
[Mon Oct 05 03:04:47 2009] [error] [client 132.248.72.141] ALERT - linked list corrupt on efree() - heap corruption detected (attacker '132.248.72.141', file '/usr/share/drupal6/modules/search/search.module', line 292)
[Mon Sep 28 06:05:04 2009] [error] [client 132.248.72.141] ALERT - linked list corrupt on efree() - heap corruption detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.inc', line 205)
[Tue Sep 29 01:05:02 2009] [error] [client 132.248.72.141] ALERT - linked list corrupt on efree() - heap corruption detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 138)
[Tue Aug 18 04:25:04 2009] [error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)


-- 
Gunnar Wolf • gw...@gwolf.org • (+52-55)5623-0154 / 1451-2244



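A way to turn a listing like the one above into the frequency check the reporter did by hand (first sighting, then the gap between sightings, then which file and line each alert names). This is an added example and not code from the bug report, Suhosin or Debian; the sample lines are a subset of the alerts quoted in the thread, re-joined onto single lines, plus one constructed non-ALERT line to show that ordinary error-log noise is skipped. Note that Suhosin's "attacker" field is just the requesting address, which in this report is the server itself, so the parser records it without reading anything into it.

```python
"""Parse Suhosin ALERT lines from an Apache error log and summarise them.

Added example for bug #554684; not code from the report, Suhosin or Debian.
"""
import re
from collections import Counter
from datetime import datetime

# Shape of the lines Suhosin writes through Apache's error log, as quoted in the report.
ALERT_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4})\] "
    r"\[error\] \[client (?P<client>[\d.]+)\] ALERT - (?P<msg>.+?) "
    r"\(attacker '(?P<attacker>[^']+)', file '(?P<file>[^']+)', line (?P<line>\d+)\)\s*$"
)

PGSQL_INC = "/usr/share/drupal6/includes/database.pgsql.inc"
CANARY = "canary mismatch on erealloc() - heap overflow detected"
LINKED = "linked list corrupt on efree() - heap corruption detected"

# Sample input: six alerts taken from the report (joined onto one line each) and one
# constructed non-alert line that a real error log would also contain.
SAMPLE_LINES = [
    f"[Tue Aug 18 04:25:04 2009] [error] [client 132.248.72.141] ALERT - {CANARY} (attacker '132.248.72.141', file '{PGSQL_INC}', line 364)",
    f"[Mon Sep 28 06:05:04 2009] [error] [client 132.248.72.141] ALERT - {LINKED} (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.inc', line 205)",
    f"[Fri Oct 02 04:05:05 2009] [error] [client 132.248.72.141] ALERT - {CANARY} (attacker '132.248.72.141', file '{PGSQL_INC}', line 364)",
    f"[Mon Oct 05 03:04:47 2009] [error] [client 132.248.72.141] ALERT - {LINKED} (attacker '132.248.72.141', file '/usr/share/drupal6/modules/search/search.module', line 292)",
    f"[Tue Nov 03 07:05:43 2009] [error] [client 132.248.72.141] ALERT - {CANARY} (attacker '132.248.72.141', file '{PGSQL_INC}', line 364)",
    f"[Wed Nov 04 06:25:21 2009] [error] [client 132.248.72.141] ALERT - {CANARY} (attacker '132.248.72.141', file '{PGSQL_INC}', line 364)",
    "[Wed Nov 04 06:25:22 2009] [error] [client 132.248.72.141] File does not exist: /var/www/favicon.ico",  # constructed noise
]


def parse_alert(line):
    """Return a dict for a Suhosin ALERT line, or None for any other log line."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return {
        "time": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
        "client": m.group("client"),
        "attacker": m.group("attacker"),
        "kind": m.group("msg"),
        "file": m.group("file"),
        "line": int(m.group("line")),
    }


def summarize(lines):
    """Count alerts by location and kind, and list the gaps (in days) between them."""
    alerts = [a for a in map(parse_alert, lines) if a]
    alerts.sort(key=lambda a: a["time"])  # the log excerpt is not in time order
    gaps = [round((b["time"] - a["time"]).total_seconds() / 86400, 1)
            for a, b in zip(alerts, alerts[1:])]
    return {
        "count": len(alerts),
        "first_seen": alerts[0]["time"] if alerts else None,
        "by_location": Counter(f"{a['file']}:{a['line']}" for a in alerts),
        "by_kind": Counter(a["kind"] for a in alerts),
        "sources": sorted({a["attacker"] for a in alerts}),
        "gaps_days": gaps,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    print(f"{s['count']} alerts, first seen {s['first_seen']}, from {s['sources']}")
    for loc, n in s["by_location"].most_common():
        print(f"  {n:3d}  {loc}")
    print("gaps between alerts (days):", s["gaps_days"])
```

Run against the full `zcat *error*gz | grep ALERT` output, the `by_location` counter shows at a glance that almost every hit names the same `pg_escape_string()` call site, and `gaps_days` shows the interval shrinking from weeks to a day, which is the trend the reporter describes.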

Bug#554684: [php-maint] Bug#554684: Bug#554684: php5-pgsql: Suhosin alerts about heap overflows

2010-01-11 Thread Ondřej Surý
Gunnar,

do you think you can retest this bug with php5-pgsql from unstable?

Ie.

apt-get install php5-dev # from stable
dget http://ftp.debian.org/debian/pool/main/p/php5/php5_5.2.12.dfsg.1-2.dsc
cd php5-5.2.12/ext/pgsql
phpize
./configure
make
make install
(or something like that, I'm writing it from the top of my head)

This should allow you not to upgrade the whole php5, just the module. This
could tell us whether we need to look after the issue in SVN (and fix the
unstable version as well) or just need to fix it in stable.

On Fri, Nov 6, 2009 at 02:41, Gunnar Wolf  wrote:
> sean finney said [Fri, Nov 06, 2009 at 12:16:59AM +0100]:
>> On Thu, Nov 05, 2009 at 04:34:03PM -0600, Gunnar Wolf wrote:
>> > function db_escape_string($text) {
>> >   return pg_escape_string($text);
>> > }
>>
>> > 2009-11-04 06:25:29 CST [30578]WARNING:  nonstandard use of \\ in a string 
>> > literal at character 25
>>
>> hm... maybe this is a result of pg_escape_string and magic_quotes_
>> used together?
>
> In such case, this should be reassigned to drupal6 as they are
> applying the escapings in the wrong order, right?

This may or may not be linked together. It could just be separate
issues. But it could also be a result of suhosin patch canary
mismatch.

> Now, in such case... I wonder why I don't get this warning more
> often. As I said in the report, the site in question had its comments
> open for spammers (although they were piling for administrator's
> authorization). I have closed the comments for now, but would surely
> like to know what causes this.

I have seen reports of php5 going wrong after some time. Do you have
php5-suhosin package installed by any chance?

> FWIW, I do _not_ think this is caused by magic_quotes as a global
> configuration setting, as it is explicitly turned off at the site in
> question.

Yup, I do not think that this is caused by magic_quotes.

Ondrej
-- 
Ondřej Surý 
http://blog.rfc1925.org/



--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#554684: [php-maint] Bug#554684: php5-pgsql: Suhosin alerts about heap overflows

2009-11-05 Thread Gunnar Wolf
sean finney said [Fri, Nov 06, 2009 at 12:16:59AM +0100]:
> On Thu, Nov 05, 2009 at 04:34:03PM -0600, Gunnar Wolf wrote:
> > function db_escape_string($text) {
> >   return pg_escape_string($text);
> > }
>  
> > 2009-11-04 06:25:29 CST [30578]WARNING:  nonstandard use of \\ in a string 
> > literal at character 25
> 
> hm... maybe this is a result of pg_escape_string and magic_quotes_
> used together?

In such case, this should be reassigned to drupal6 as they are
applying the escapings in the wrong order, right?

Now, in such case... I wonder why I don't get this warning more
often. As I said in the report, the site in question had its comments
open for spammers (although they were piling for administrator's
authorization). I have closed the comments for now, but would surely
like to know what causes this.

FWIW, I do _not_ think this is caused by magic_quotes as a global
configuration setting, as it is explicitly turned off at the site in
question. 

-- 
Gunnar Wolf • gw...@gwolf.org • (+52-55)5623-0154 / 1451-2244



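The double-escaping that Sean and Gunnar are discussing (magic_quotes_gpc adding backslashes to request data, then pg_escape_string() escaping those backslashes again), worked through as an added example that is not code from Drupal, PHP or this report. It re-implements addslashes(), stripslashes(), libpq's PQescapeString behaviour and the server's reading of a plain '...' literal in Python so it runs offline; the comment text is constructed, and the server side is modelled with standard_conforming_strings off, which is the PostgreSQL 8.3 default. Two things it shows: with magic quotes on and no stripslashes() first, the stored value keeps stray backslashes (data corruption rather than a missed escape), and the server logs "nonstandard use of \\ in a string literal" for any backslash escape in a plain literal while standard_conforming_strings is off, so that warning by itself does not show that pg_escape_string failed to escape something.

```python
"""Escaping chain: magic_quotes_gpc -> pg_escape_string() -> SQL literal -> stored value.

Added example for bug #554684; not code from Drupal, PHP or the report. The PHP
and PostgreSQL behaviour below is re-implemented in Python for illustration.
"""


def addslashes(text: str) -> str:
    """Mimic PHP addslashes() (what magic_quotes_gpc applies): backslash before ', ", \\; NUL -> \\0."""
    return "".join("\\0" if c == "\0" else ("\\" + c if c in "'\"\\" else c) for c in text)


def stripslashes(text: str) -> str:
    """Mimic PHP stripslashes(): remove exactly one layer of addslashes()."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append("\0" if text[i + 1] == "0" else text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def pg_escape_string(text: str, scs: bool = False) -> str:
    """Mimic PQescapeString: double single quotes; with standard_conforming_strings off, also double backslashes."""
    if not scs:
        text = text.replace("\\", "\\\\")
    return text.replace("'", "''")


def pg_parse_literal(body: str, scs: bool = False):
    """Decode the body of a plain '...' literal the way the server does.

    Returns (stored_value, warns). warns is True when the server would log
    "WARNING: nonstandard use of \\ in a string literal" (escape_string_warning is
    on by default), i.e. whenever a backslash escape appears with SCS off.
    Simplified: every \\x is read as x (the real server also maps \\n, \\t, octal...).
    """
    if scs:
        return body.replace("''", "'"), False
    out, warns, i = [], False, 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            warns = True
            out.append(body[i + 1])
            i += 2
        elif body[i] == "'" and i + 1 < len(body) and body[i + 1] == "'":
            out.append("'")
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out), warns


def build_literal(user_input: str, magic_quotes_gpc: bool, strip_first: bool, scs: bool = False) -> str:
    """Produce the literal a db_escape_string()-style wrapper would embed in the SQL text."""
    data = addslashes(user_input) if magic_quotes_gpc else user_input
    if magic_quotes_gpc and strip_first:
        data = stripslashes(data)  # undo magic quotes before escaping for PostgreSQL
    return "'" + pg_escape_string(data, scs) + "'"


def round_trip(user_input: str, magic_quotes_gpc: bool, strip_first: bool, scs: bool = False):
    """Return (literal, stored_value, server_warns, stored_matches_input)."""
    lit = build_literal(user_input, magic_quotes_gpc, strip_first, scs)
    stored, warns = pg_parse_literal(lit[1:-1], scs)
    return lit, stored, warns, stored == user_input


# Constructed comment text containing a quote and a backslash, the two characters
# that both escaping layers act on.
SAMPLE = "Thank you for this article. It's great \\o/"

if __name__ == "__main__":
    cases = [
        ("magic_quotes off, SCS off", False, False, False),
        ("magic_quotes on, escaped twice, SCS off", True, False, False),
        ("magic_quotes on, stripslashes first, SCS off", True, True, False),
        ("magic_quotes off, SCS on", False, False, True),
    ]
    for label, mq, strip, scs in cases:
        lit, stored, warns, ok = round_trip(SAMPLE, mq, strip, scs)
        print(f"{label}\n  literal: {lit}\n  stored:  {stored}\n  warning: {warns}  intact: {ok}")
```

Passing the comment text as a query parameter (pg_query_params() in PHP) takes it out of the SQL text altogether, so neither escaping layer is involved and the order question disappears; where string building has to stay, the stripslashes()-when-magic_quotes_gpc-is-on step is what keeps the stored value intact.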



Bug#554684: [php-maint] Bug#554684: php5-pgsql: Suhosin alerts about heap overflows

2009-11-05 Thread sean finney
On Thu, Nov 05, 2009 at 04:34:03PM -0600, Gunnar Wolf wrote:
> function db_escape_string($text) {
>   return pg_escape_string($text);
> }
 
> 2009-11-04 06:25:29 CST [30578]WARNING:  nonstandard use of \\ in a string 
> literal at character 25

hm... maybe this is a result of pg_escape_string and magic_quotes_
used together?

sean


-- 




Bug#554684: php5-pgsql: Suhosin alerts about heap overflows

2009-11-05 Thread Gunnar Wolf
Package: php5-pgsql
Version: 5.2.6.dfsg.1-1+lenny3
Severity: serious
Tags: security

I am not sure on the impact of this bug, but if the main PHP escaping
function for PostgreSQL is mis-escaping strings, it can
_quite_probably_ be a serious security bug. Feel free to adjust
severity. 

I have been getting the following message on my Apache logs:

[error] [client 132.248.72.141] ALERT - canary mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', file '/usr/share/drupal6/includes/database.pgsql.inc', line 364)

Note that 132.248.72.141 is the same server where this is reported,
and lines 363-365 of the reported file are:

function db_escape_string($text) {
  return pg_escape_string($text);
}

I cannot establish what user action is causing this to be triggered,
but -having a very limited dataset to judge from- its frequency has
been slightly increasing since I first detected it (August 18) - From
two weeks between first and second sight to about once a day.

I am looking at log files starting in early August. I am attaching
here (filename: alerts) the output of:

( zcat error.log.{18,17,16,15,14,13,12,11,10,9,8,7,6,5,4,3,2}.gz; cat error.log{.1,} ) | grep ALERT

The times of the log messages roughly match comment additions on the
Drupal system in question (which was completely open to spammers and I
have just closed for comments). I am attaching also a comment example
(filename: spammy) where the timestamp is closest to the latest
event - It does not look atypical in any way, but the result might
have not been properly received...

...Hmm, thinking about it over, I found this in the PostgreSQL log at
the right time:

2009-11-04 06:25:29 CST [30578]LOG:  connection received: host=127.0.0.1 port=39334
2009-11-04 06:25:29 CST [30578]LOG:  connection authorized: user=drupal_obela database=drupal_obela
2009-11-04 06:25:29 CST [30578]WARNING:  nonstandard use of \\ in a string literal at character 25
2009-11-04 06:25:29 CST [30578]HINT:  Use the escape string syntax for backslashes, e.g., E'\\'.
2009-11-04 06:25:29 CST [30578]WARNING:  nonstandard use of \\ in a string literal at character 90
2009-11-04 06:25:29 CST [30578]HINT:  Use the escape string syntax for backslashes, e.g., E'\\'.

And yes, that would support my theory, that pg_escape_string is
failing to escape _something_.

Thanks,

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (900, 'stable'), (200, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages php5-pgsql depends on:
ii  libapache2-mod-php 5.2.6.dfsg.1-1+lenny3 server-side, HTML-embedded scripti
ii  libc6  2.7-18GNU C Library: Shared libraries
ii  libpq5 8.3.8-0lenny1 PostgreSQL C client library
ii  php5-cgi [phpapi-2 5.2.6.dfsg.1-1+lenny3 server-side, HTML-embedded scripti
ii  php5-cli [phpapi-2 5.2.6.dfsg.1-1+lenny3 command-line interpreter for the p
ii  php5-common5.2.6.dfsg.1-1+lenny3 Common files for packages built fr

php5-pgsql recommends no packages.

php5-pgsql suggests no packages.

-- no debconf information
# SELECT * from comments where timestamp > 1257337500 and timestamp < 1257337600;
cid       | 91845
pid       | 0
nid       | 348
uid       | 0
subject   | YnRFrcYXCSacEMRs
comment   | Thank you for this article. http://thedigitallifestyle.com/cs/members/skimtube-skimtube-penny-porsche/default.aspx";>penny porsche skimtube beepgirl http://thedigitallifestyle.com/cs/members/tehvids-tehvid/default.aspx";>tehvids jimboy http://thedigitallifestyle.com/cs/members/tiava-ask-tiava/default.aspx";>tiava tube isis love tunquelen
hostname  | 94.102.63.32
timestamp | 1257337537
status    | 0
format    | 1
thread    | 21ti/
name      |
mail      |
homepage  |
(1 row)
[Tue Aug 18 04:25:04 2009] [error] [client 132.248.72.141] ALERT - canary 
mismatch on erealloc() - heap overflow detected (attacker '132.248.72.141', 
file '/usr/share/drupal6/inc