[Pkg-erlang-devel] Bug report on erlang-odbc: odbcserver crashes with exit status 139

[Sergei Golovan]

Hi Alexandre,

On Wed, Jun 26, 2013 at 9:46 PM, Alexandre Rebert <alexandre at cmu.edu> wrote:
>
> We found a crash in odbcserver contained in the erlang-odbc package. You are being
> contacted because your are listed as one of the maintainer of erlang-odbc.
>
> We are planning to submit the bug to the Debian bug tracking system in two
> weeks. We wanted to give you a heads-up, so that you some time to assess the
> seriousness of the bug before it is publicly disclosed.
>
> The bug report that will be submitted to the bug tracker is available at the
> following url:
>
>   http://www.forallsecure.com/bug-reports/2c4d1fcb868d5a742615b0508fb522132b9ee5a3/

I confirm this bug not only for erlang-odbc in unstable, but also in
oldstable, stable and testing suits. Though odbcserver doesn't process
any command line arguments, so there's a bit simpler code which still
consistently crashes it:

echo -e "\x0\x0\x0\x1\x0"
|/usr/lib/erlang/lib/odbc-<whatever>/priv/bin/odbcserver

The problem with this crash is an insufficient input checking.
Specifically, the standard input is being tokenized using strtok(),
but its result never checked for NULL before passing to strlen(). You
can see it in functions main() and receive_erlang_port_msg() in
odbcserver.c. Fixing this is fairly easy.

Though I think that this bug is not very serious and certainly can't
cause a security problem. The odbcserver binary is not suid or sgid
and never meant to be executed in uncontrolled environment. The odbc
Erlang code always correctly passes string "<some integer>;<another
integer>\0" to odbcserver's stdin, so I don't know how to trigger this
crash other than run the binary by hands.

I'll try to fix this bug in sid and will report it to upstream.

BTW, pkg-erlang-devel at lists.alioth.debian.org is a publicly available
mailing list, so, this report can be already considered disclosed.

Cheers!
--
Sergei Golovan