Comment 13 for bug 315507

Diego Malatesta (diego-malatesta) wrote : Re: Unable to remove Suhosin patch

Jonathan, thanks for taking the time to post an exhaustive reply.

I'm creating a new VM right now to do a complete test as you suggested, but as that's not going to reproduce our real-world situation, I'm going to post the details of the actual machine where the thing is happening.

Later on I'll post the results from the complete test on the new VM.

The server is a VMware ESXi 4 VM (like the new VM I'm creating).

Ubuntu release:
# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 8.04.2
Release: 8.04
Codename: hardy

Package versions (note: I don't have php5-cli installed):
# dpkg-query -W apache2 libapache2-mod-php5 libmyodbc php5-common php5-odbc
apache2 2.2.8-1ubuntu0.10
libapache2-mod-php5 5.2.4-2ubuntu5.6
libmyodbc 3.51.15r409-2
php5-common 5.2.4-2ubuntu5.6
php5-odbc 5.2.4-2ubuntu5.6

This is the last request from the apache2 log (/var/log/apache2/error.log) and syslog:
[Mon Jul 20 08:42:55 2009] [error] [client ip here] ALERT-SIMULATION - canary mismatch on efree() - heap overflow detected (attacker 'ip here', file '/var/www/services/reports/odbc.php')

Note that even if it shows "ALERT-SIMULATION" I still get the php script offered for download. Of course the same thing applies without simulation mode on (except it shows "ALERT" without the "-SIMULATION").
Note also that I've tried to run the script both without and with the suhosin extension (php5-suhosin).

The test script is basically:

$connection = odbc_connect($dsn, $user, $pass);
$result = odbc_exec($connection, "select * from table");

Then there is the while to loop on the result set, but the script hangs on the odbc_exec line (tested by deleting one line at a time until I got no error).
The MySQL server is on another (physical) machine. I've tested the connection and the same query with isql and everything works fine.

Oh, and everything is on HTTPS (I can test with HTTP if needed).

If I missed something or you need more info, just ask.
Thanks.