[pybsddb] Data leak in latest bsddb3/berkeleydb packages

Jacob Henner jacobhenner at outlook.com
Wed May 14 03:49:01 CEST 2025


Here is a simple reproducer:
https://gist.github.com/JacobHenner/8af2eeb7bfa29475aa203abcd526dccc

The reproducer successfully reproduces the issue on Arch Linux amd64
with libdb 6.2.32 or libdb 5.3.28 and Python 3.12.10.

Interestingly, the code segfaults with Python 3.13.3. I will create a
separate thread for that issue.

On Thu, 2025-05-08 at 08:56 -0400, Jacob Henner wrote:
> The last message was inadvertently sent as markdown. I've repeated it
> below for readability.
> 
> ---
> 
> When MALLOC_PERTURB_=165 is set, I no longer see the leaked data, but I
> do see "Z" in its place:
> 
> Here is an example of the modified database file's contents when
> MALLOC_PERTURB_=165:
> 
> (Many repeated lines of the "Z" data have been truncated for
> readability)
> 
> 0004bfe0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
> 0004bff0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
> 0004c000: 0000 0000 0100 0000 4c00 0000 0f00 0000  ........L.......
> 0004c010: 0000 0000 0800 ab0f 000d f10f eb0f dc0f  ................
> 0004c020: d60f c70f c10f b10f ab0f 5a5a 5a5a 5a5a  ..........ZZZZZZ
> 0004c030: 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a  ZZZZZZZZZZZZZZZZ
> 0004c040: 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a  ZZZZZZZZZZZZZZZZ
> [repeating lines truncated]
> 0004cf60: 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a  ZZZZZZZZZZZZZZZZ
> 0004cf70: 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a  ZZZZZZZZZZZZZZZZ
> 0004cf80: 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a  ZZZZZZZZZZZZZZZZ
> 0004cf90: 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a  ZZZZZZZZZZZZZZZZ
> 0004cfa0: 5a5a 5a5a 5a5a 5a5a 5a5a 5a01 5245 4c41  ZZZZZZZZZZZ.RELA
> 0004cfb0: 5901 636f 6e6e 6563 743a 3130 302e 3130  Y.connect:100.10
> 0004cfc0: 3701 5245 4c41 5901 636f 6e6e 6563 743a  7.RELAY.connect:
> 0004cfd0: 3130 2e32 3432 0152 454c 4159 0163 6f6e  10.242.RELAY.con
> 0004cfe0: 6e65 6374 3a31 302e 3232 3401 5245 4c41  nect:10.224.RELA
> 0004cff0: 5901 636f 6e6e 6563 743a 3130 2e31 3730  Y.connect:10.170
> 0004d000: 0000 0000 0100 0000 4d00 0000 0b00 0000  ........M.......
> 0004d010: 0000 0000 0600 c10f 000d f10f eb0f dc0f  ................
> 0004d020: d60f c70f c10f 5a5a 5a5a 5a5a 5a5a 5a5a  ......ZZZZZZZZZZ
> 0004d030: 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a  ZZZZZZZZZZZZZZZZ
> 0004d040: 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a  ZZZZZZZZZZZZZZZZ
> [repeating lines truncated]
> 0004dfa0: 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a  ZZZZZZZZZZZZZZZZ
> 0004dfb0: 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a 5a5a  ZZZZZZZZZZZZZZZZ
> 0004dfc0: 5a01 5245 4c41 5901 636f 6e6e 6563 743a  Z.RELAY.connect:
> 0004dfd0: 3130 2e32 3436 0152 454c 4159 0163 6f6e  10.246.RELAY.con
> 0004dfe0: 6e65 6374 3a31 302e 3232 3001 5245 4c41  nect:10.220.RELA
> 0004dff0: 5901 636f 6e6e 6563 743a 3130 2e31 3734  Y.connect:10.174
> 
> Regards,
> 
> Jacob Henner
> 
> 
> On Thu, 2025-05-08 at 00:17 +0200, Jesus Cea wrote:
> > On 7/5/25 4:00, jacobhenner at outlook.com wrote:
> > 
> > > The leaked data is sufficiently distinct from the ordinary contents of
> > > a sendmail access.db file to be noticed immediately. I can confirm that
> > > the data that is being leaked was never part of the database, at any
> > > point. When viewing the raw file, imagine seeing a block (or substring)
> > > of pretty-printed JSON, a partial ini file, or HTML. All of these cases
> > > have been observed, and the leaked data comes from very different parts
> > > of the codebase than the part that manipulates these databases.
> > 
> > If you are running under Linux, could you possibly run your program with
> > this environment variable set (see "man mallopt") (note the underscore
> > suffix)?:
> > 
> > MALLOC_PERTURB_=165
> > 
> > Then look for runs of characters "Z" or "0xa5".
> > 
> > You see those characters? One or both? Do you still see program data
> > memory leaks while that environment variable is set?
> > 
> > -- 
> > Jesús Cea Avión
> > jcea at jcea.es - https://www.jcea.es/
> > Twitter: @jcea
> > jabber / xmpp: jcea at jabber.org
> > "Things are not so easy"
> > "My name is Dump, Core Dump"
> > "Love is placing your happiness in the happiness of another" - Leibniz

-- 
Jacob Henner
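The check proposed in the quoted reply (run the process under MALLOC_PERTURB_=165, then look for runs of "Z" or 0xa5 in the written file) can be automated so the verdict does not depend on reading a hex dump by eye. The script below is an added example; it is not code from this thread, from the reproducer gist, or from the bsddb3/berkeleydb project. It relies on documented glibc behaviour for M_PERTURB: memory returned by malloc (not calloc) is filled with the complement of the value's low byte, so 165 (0xa5) yields 0x5a, the character "Z", in fresh allocations, while freed memory is filled with 0xa5 itself. A long run of "Z" in the output file therefore means a buffer was written to disk without ever being initialised, which is what the dump above shows; a run of 0xa5 would instead point at a buffer that had already been freed. The sample page, the record strings inside it and the 64-byte run threshold are constructed for this example and are not taken from the thread.

```python
"""Scan a file for runs of glibc MALLOC_PERTURB_ fill bytes (added example)."""
import sys

PERTURB_VALUE = 165                    # MALLOC_PERTURB_=165, the value used in the thread
FREED_FILL = PERTURB_VALUE & 0xFF      # 0xa5: glibc writes this byte into freed memory
ALLOC_FILL = ~PERTURB_VALUE & 0xFF     # 0x5a ("Z"): the complement, written into fresh malloc() memory
FILL_KINDS = {ALLOC_FILL: "uninitialised", FREED_FILL: "freed"}


def find_fill_runs(data, min_run=64):
    """Return (offset, length, kind) for every run of a fill byte of at least min_run bytes.

    Short runs are ignored because "Z" and 0xa5 can legitimately occur in real data;
    a run of hundreds of identical fill bytes is what marks an unwritten buffer.
    """
    runs = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b in FILL_KINDS:
            j = i
            while j < n and data[j] == b:
                j += 1
            if j - i >= min_run:
                runs.append((i, j - i, FILL_KINDS[b]))
            i = j
        else:
            i += 1
    return runs


def summarize(runs):
    """Total fill bytes per kind, so a report can say which problem was observed."""
    totals = {"uninitialised": 0, "freed": 0}
    for _, length, kind in runs:
        totals[kind] += length
    return totals


def hexdump_context(data, offset, width=16, lines=2):
    """xxd-style lines starting at the row containing offset, like the dump in the thread."""
    start = (offset // width) * width
    out = []
    for base in range(start, min(len(data), start + width * lines), width):
        chunk = data[base:base + width]
        hexpart = " ".join(chunk[k:k + 2].hex() for k in range(0, len(chunk), 2))
        asc = "".join(chr(c) if 32 <= c < 127 else "." for c in chunk)
        out.append(f"{base:08x}: {hexpart:<39}  {asc}")
    return out


def build_sample_page():
    """Constructed sample (not the file from the thread): one 4 KiB page-like blob with a
    zeroed header, a large run of "Z", two small records, and a short run of 0xa5."""
    header = bytes(32)
    uninit = bytes([ALLOC_FILL]) * 3000
    records = b"\x01RELAY\x01connect:10.0.2.1" + b"\x01RELAY\x01connect:10.0.2.2"
    freed = bytes([FREED_FILL]) * 100
    page = header + uninit + records + freed
    return page + bytes(4096 - len(page))  # pad to a single 4 KiB page


def scan_file(path, min_run=64):
    """Convenience wrapper: run the scan over a file on disk."""
    with open(path, "rb") as fh:
        return find_fill_runs(fh.read(), min_run)


if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_page()
    runs = find_fill_runs(data)
    for offset, length, kind in runs:
        print(f"{kind:13s} run of {length} bytes at 0x{offset:x}")
        for line in hexdump_context(data, offset):
            print("   ", line)
    print("totals:", summarize(runs))
```

Regenerate the database file with the variable set in the environment of the writing process, then point the script at the file; with no argument it scans the constructed sample. Without MALLOC_PERTURB_ the leaked bytes are whatever previously occupied the heap, so the scanner finds nothing; the fill pattern is only present when the process that wrote the file was started with the variable exported.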

