[pybsddb] Data leak in latest bsddb3/berkeleydb packages
Jacob Henner
jacobhenner at outlook.com
Thu May 8 14:56:34 CEST 2025
The last message was inadvertently sent as markdown. I've repeated it
below for readability.
---
When MALLOC_PERTURB_=165 is set, I no longer see the leaked data, but I
do see "Z" in its place.
Here is an example of the modified database file's contents when
MALLOC_PERTURB_=165:
(Many repeated lines of the "Z" data have been truncated for
readability)
0004bfe0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0004bff0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0004c000: 0000 0000 0100 0000 4c00 0000 0f00 0000 ........L.......
0004c010: 0000 0000 0800 ab0f 000d f10f eb0f dc0f ................
0004c020: d60f c70f c10f b10f ab0f 5a5a 5a5a 5a5a ..........ZZZZZZ
0004c030: 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a ZZZZZZZZZZZZZZZZ
0004c040: 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a ZZZZZZZZZZZZZZZZ
[repeating lines truncated]
0004cf60: 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a ZZZZZZZZZZZZZZZZ
0004cf70: 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a ZZZZZZZZZZZZZZZZ
0004cf80: 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a ZZZZZZZZZZZZZZZZ
0004cf90: 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a ZZZZZZZZZZZZZZZZ
0004cfa0: 5a5a 5a5a 5a5a 5a5a 5a5a 5a01 5245 4c41 ZZZZZZZZZZZ.RELA
0004cfb0: 5901 636f 6e6e 6563 743a 3130 302e 3130 Y.connect:100.10
0004cfc0: 3701 5245 4c41 5901 636f 6e6e 6563 743a 7.RELAY.connect:
0004cfd0: 3130 2e32 3432 0152 454c 4159 0163 6f6e 10.242.RELAY.con
0004cfe0: 6e65 6374 3a31 302e 3232 3401 5245 4c41 nect:10.224.RELA
0004cff0: 5901 636f 6e6e 6563 743a 3130 2e31 3730 Y.connect:10.170
0004d000: 0000 0000 0100 0000 4d00 0000 0b00 0000 ........M.......
0004d010: 0000 0000 0600 c10f 000d f10f eb0f dc0f ................
0004d020: d60f c70f c10f 5a5a 5a5a 5a5a 5a5a 5a5a ......ZZZZZZZZZZ
0004d030: 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a ZZZZZZZZZZZZZZZZ
0004d040: 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a ZZZZZZZZZZZZZZZZ
[repeating lines truncated]
0004dfa0: 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a ZZZZZZZZZZZZZZZZ
0004dfb0: 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a ZZZZZZZZZZZZZZZZ
0004dfc0: 5a01 5245 4c41 5901 636f 6e6e 6563 743a Z.RELAY.connect:
0004dfd0: 3130 2e32 3436 0152 454c 4159 0163 6f6e 10.246.RELAY.con
0004dfe0: 6e65 6374 3a31 302e 3232 3001 5245 4c41 nect:10.220.RELA
0004dff0: 5901 636f 6e6e 6563 743a 3130 2e31 3734 Y.connect:10.174
Regards,
Jacob Henner
On Thu, 2025-05-08 at 00:17 +0200, Jesus Cea wrote:
> On 7/5/25 4:00, jacobhenner at outlook.com wrote:
>
> > The leaked data is sufficiently distinct from the ordinary contents of
> > a sendmail access.db file to be noticed immediately. I can confirm that
> > the data that is being leaked was never part of the database, at any
> > point. When viewing the raw file, imagine seeing a block (or substring)
> > of pretty-printed JSON, a partial ini file, or HTML. All of these cases
> > have been observed, and the leaked data comes from very different parts
> > of the codebase than the part that manipulates these databases.
>
> If you are running under Linux, could you possibly run your program with
> this environment variable set (see "man mallopt") (note the underscore
> suffix)?:
>
> MALLOC_PERTURB_=165
>
> Then look for runs of characters "Z" or "0xa5".
>
> You see those characters? One or both? Do you still see program data
> memory leaks while that environment variable is set?
>
> --
> Jesús Cea Avión
> jcea at jcea.es - https://www.jcea.es/
> Twitter: @jcea
> jabber / xmpp: jcea at jabber.org
> "Things are not so easy"
> "My name is Dump, Core Dump"
> "Love is putting your happiness in the happiness of another" - Leibniz
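Added example, not from the thread or the bsddb3/berkeleydb projects: a small scanner that automates the check Jesús suggests, looking for long runs of the MALLOC_PERTURB_ fill bytes in a database file. The meaning of the two values follows mallopt(3) (glibc fills new allocations with the complement of the perturb byte and freed memory with the byte itself), and the sample page it scans is constructed.

```python
"""Scan bytes for runs of the glibc MALLOC_PERTURB_ fill values.
mallopt(3): glibc fills memory with (perturb ^ 0xff) on malloc and with the
perturb byte itself on free. With MALLOC_PERTURB_=165 (0xa5) a never-written
allocation therefore reads 0x5a ('Z'), freed memory reads 0xa5, and a long run
of either inside a database page marks uninitialized heap that reached disk.
"""
import sys
from dataclasses import dataclass

@dataclass
class Run:
    offset: int  # file offset of the first fill byte
    length: int  # consecutive fill bytes
    kind: str    # "malloc" (never written) or "free" (reused after free)

def fill_bytes(perturb: int) -> dict:
    """Map fill-byte value -> meaning for a given MALLOC_PERTURB_ value."""
    perturb &= 0xFF
    return {perturb ^ 0xFF: "malloc", perturb: "free"}

def find_fill_runs(data: bytes, perturb: int = 165, min_run: int = 16) -> list:
    """Runs of fill bytes at least min_run long; shorter runs are ignored
    because a genuine 'Z' or two can occur in real record data."""
    kinds = fill_bytes(perturb)
    runs, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b not in kinds:
            i += 1
            continue
        j = i + 1
        while j < n and data[j] == b:
            j += 1
        if j - i >= min_run:
            runs.append(Run(i, j - i, kinds[b]))
        i = j
    return runs

# Constructed sample page: header, a hole of malloc fill, a record, free fill.
SAMPLE_PAGE = (
    bytes(range(32))                    # 32 bytes of non-fill header
    + b"Z" * 100                        # 0x5a: allocated, never written
    + b"\x01RELAY\x01connect:10.0.0.1"  # 23 bytes of record-like data
    + b"\xa5" * 40                      # 0xa5: freed memory reused as-is
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PAGE
    for r in find_fill_runs(data):
        print(f"{r.offset:#010x}: {r.length} bytes of {r.kind} fill")
```

Run it with the path of a database written while MALLOC_PERTURB_=165 was set; a reported "malloc" run at a page offset is memory that was allocated but never initialized before the page was flushed.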