[php-maint] Bug#565387: php5-odbc: odbc_fetch_object() causes heap corruption on 64bit systems

Peter Pan peterpan at mailinator.com
Fri Jan 15 05:57:25 UTC 2010


Package: php5-odbc
Version: 5.2.6.dfsg.1-1+lenny4
Severity: important


http://bugs.php.net/bug.php?id=50370

I have a page which reproducibly overwrites non alloc'd memory (a write
of 8 bytes instead of 4 bytes at the end of the range). It is caused by
the call odbc_fetch_object() and the bad write in libtdsodbc.so.

Apparently in php_odbc_includes.h a len is declared as
SDWORD, which is only 32-bit, while it should be 64-bit (SQLLEN).

PHP error log:
 ALERT - canary mismatch on efree() - heap overflow detected (attacker 'x.x.x.x', file '.../DbTest.php')

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages php5-odbc depends on:
ii  libapache2-mod-php 5.2.6.dfsg.1-1+lenny4 server-side, HTML-embedded scripti
ii  libc6              2.7-18                GNU C Library: Shared libraries
ii  php5-cli [phpapi-2 5.2.6.dfsg.1-1+lenny4 command-line interpreter for the p
ii  php5-common        5.2.6.dfsg.1-1+lenny4 Common files for packages built fr
ii  unixodbc           2.2.11-16             ODBC tools libraries

php5-odbc recommends no packages.

php5-odbc suggests no packages.

-- no debconf information
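
The size mismatch described in the report, modelled as an added C example (not code from the original message, PHP, or FreeTDS). The type names `sdword_t` and `sqllen_t`, the block layout, the canary value and both functions are constructed stand-ins: the caller reserves room for a 32-bit length indicator at the end of a block, while the driver stores a 64-bit one and so runs into the guard word that follows.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int32_t sdword_t;  /* stand-in for SDWORD (32-bit) */
typedef int64_t sqllen_t;  /* stand-in for SQLLEN on a 64-bit ODBC build */

#define PAYLOAD 32u          /* constructed size of the allocated block */
#define CANARY  0xC0FFEE42u  /* constructed guard word placed after the block */

/* Driver side (hypothetical): always stores the indicator as a SQLLEN. */
static void driver_store_indicator(unsigned char *indicator, sqllen_t len)
{
    memcpy(indicator, &len, sizeof len);  /* 8 bytes, whatever the caller declared */
}

/*
 * Caller side (hypothetical): the indicator is the last field of the block and
 * the caller reserved `declared` bytes for it. Returns how many bytes the
 * driver wrote past the end of the block; *canary_ok reports the guard word.
 */
static size_t fetch_with_indicator(size_t declared, int *canary_ok)
{
    unsigned char arena[PAYLOAD + sizeof(uint32_t) + sizeof(sqllen_t)] = {0};
    const uint32_t canary = CANARY;
    uint32_t after;
    size_t offset = PAYLOAD - declared;  /* indicator ends the block */

    memcpy(arena + PAYLOAD, &canary, sizeof canary);
    driver_store_indicator(arena + offset, (sqllen_t)5);
    memcpy(&after, arena + PAYLOAD, sizeof after);

    *canary_ok = (after == canary);
    return offset + sizeof(sqllen_t) > PAYLOAD
         ? offset + sizeof(sqllen_t) - PAYLOAD : 0;
}

int main(void)
{
    int ok;
    size_t over = fetch_with_indicator(sizeof(sdword_t), &ok);
    printf("SDWORD indicator: %zu bytes past block, canary %s\n", over, ok ? "intact" : "MISMATCH");
    over = fetch_with_indicator(sizeof(sqllen_t), &ok);
    printf("SQLLEN indicator: %zu bytes past block, canary %s\n", over, ok ? "intact" : "MISMATCH");
    return 0;
}
```

The 4-byte case reproduces the shape of the logged failure: the write spills 4 bytes past the block and the guard word no longer matches, while declaring the indicator at the driver's width leaves it intact.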




