Hi Guys, Have a look at this mail posted on bugtraq: http://www.securityfocus.com/archive/1/442438/30/0/threaded There is a PoC included in the mail. Regards, Alexander (eroyf)
php please advise.
yup, it's a bug. i'd say the impact is not large, as very few people use argument swapping. I don't have time to dig thru CVS and find the final patch now, the upstream bug seems to imply that the one commited was different from the one posted.
I'll prepare two new PHP releases tomorrow as I already wanted to do and fix this. Best regards, CHTEKK.
Thx Luca and Robin.
This should be the fix: http://cvs.php.net/viewvc.cgi/php-src/ext/standard/scanf.c?r1=1.31.2.2&r2=1.31.2.2.2.1
Yup, that's correct, it's already available in the PHP Overlay since yesterday evening (http://overlays.gentoo.org/proj/php/browser/patches/php-patches/5.1.4/5.1.4/php5.1.4-sscanf_code_exec.patch), I'm now only waiting on a fix for Hardened-PHP which should be out in a few hours and then I'll put the stuff in Portage and update this bug. ;) Btw, from a security PoV, the new patchsets will also fix an open_basedir and safe_mode bypass in the IMAP extension. Best regards, CHTEKK.
afair we don't consider open_basedir and safe_mode bypass as security issues.
dev-lang/php-4.4.3-r1 and dev-lang/php-5.1.4-r6 are in the tree, stable them (amd64 is already stable-keyworded, so nothing to do there). Note: for all the arch-teams, with those two releases we start to finally support the PHP test suite! This should make testing easier for all of you, just do FEATURES="test" emerge php for it to work. Now on to the various quirks this has, cause it's not perfect, and we can't do very much about some of the following points: -sharedext USE flag must be disabled for all the test to be done correctly -java-internal USE flag must be disabled for all the test to be done correctly -all databases for the database extensions you want to test must be working: -standard FireBird install (just emerge && emerge --config && /etc/init.d start is enough ) -standard MySQL install (emerge && emerge --config), root user with empty/no password, and a database "test" created with access for that user -standard PostgreSQL install (emerge && emerge --config), with access for users root or portage (depends on Portage's userpriv feature), no password (trust authentication), and a "test" database created with access for that user SQLite and MSSQL (FreeTDS) don't need any special care, ODBC/iODBC seem to fail only on PHP5's PDO_ODBC extensions, don't really know how to solve that. Other databases, such as Oracle, Interbase, Informix, etc. (the commercial ones we provide USE flags for but aren't supported by us), don't have their test-suite-part supported either, as we can't test them anyway. Now, even after all this, some tests still fail, and that is expected (that some of them fail), I'll attach a list of the failures I got on x86 and amd64, so you can compare, the results should be fairly consistent with x86 for 32bit stuff and amd64 for 64bit stuff. If the test-results for your arch differ _drastically_ (like 20+ test failed, which should have worked), hold off stabling and please contact me with the exact report of which tests fail, if few tests fail, or the same as you'd expect from the x86/amd64 comparison, stable PHP without fear, but please contact me anyway and tell me which exactly failed, so I can build up a list of "what is expected to fail where" (and maybe even find some genuine bug somewhere). The tests are about 600 for PHP4 and 2400 for PHP5 (total number, depending on the enabled extensions, fewer will get executed, some skipped, etc.). Best regards, and good testing, CHTEKK.
Created attachment 93920 [details] List of failed tests on x86 and amd64, with and without hardenedphp enabled.
arches, please test and stable, thank you
ppc stable
PHP 4: 1) emerges fine so far 2) passes collision test 3) fails 1.9% of the test suite: ===================================================================== FAILED TEST SUMMARY --------------------------------------------------------------------- Simple POST Method test [tests/basic/002.phpt] GET and POST Method combined [tests/basic/003.phpt] Two variables in POST data [tests/basic/004.phpt] Three variables in POST data [tests/basic/005.phpt] Testing $argc and $argv handling (GET) [tests/basic/011.phpt] Bug #25145 (SEGV on recpt of form input with name like "123[]") [tests/lang/bug25145.phpt] Bug #35239 (Objects can lose references) [tests/lang/bug35239.phpt] Bug #24155 (gdImageRotate270 rotation problem). [ext/gd/tests/bug24155.phpt] Bug #27582 (ImageFillToBorder() on alphablending image looses alpha on fill color) [ext/gd/tests/bug27582_1.phpt] bug #31454 (Incorrect adding PHPSESSID to links, which contains \r\n) [ext/session/tests/bug36459.phpt] Bug #24142 (round() problems) [ext/standard/tests/math/bug24142.phpt] Bug #25694 (round() and number_format() inconsistency) [ext/standard/tests/math/bug25694.phpt] ===================================================================== 3) Could you please state to be tested versions in the summary?
1) emerges fine 2) passes collision test 3) passes test suite completely Portage 2.1-r1 (default-linux/x86/2006.0, gcc-3.4.6, glibc-2.3.6-r4, 2.6.17-gentoo-r4 i686) ================================================================= System uname: 2.6.17-gentoo-r4 i686 AMD Athlon(tm) XP 2500+ Gentoo Base System version 1.6.15 app-admin/eselect-compiler: [Not Present] dev-lang/python: 2.4.3-r1 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: [Not Present] dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r3 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/X11/xkb" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo" CXXFLAGS="-O2" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test" GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/" LANG="de_DE@euro" LC_ALL="de_DE@euro" LINGUAS="de" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage" USE="x86 3dnow 3dnowext X Xaw3d a52 alsa arts artworkextra asf audiofile avi bash-completion beagle berkdb bidi bitmap-fonts bootsplash branding bzip2 cairo cdda cddb cdparanoia cdr cli cracklib crypt css cups curl custom-cflags dbus dga directfb divx4linux dlloader dri dts dvd dvdr dvdread dvi eds emacs emboss encode esd evo exif expat fam fat fbcon ffmpeg firefox foomaticdb fortran ftp gb gcj gdbm gif gnome gpm gstreamer gtk gtk2 gtkhtml hal icq idn imagemagick imap imlib ipv6 isdnlog java javascript jikes jpeg jpeg2k ldap leim libg++ libwww lm_sensors mad maildir matroska mbox mikmod mime mmx mmxext mng mono motif mp3 mpeg mpeg2 mule nautilus ncurses nforce2 nls nocardbus nptl nptlonly nsplugin nvidia objc ogg opengl pam pcre pdf pdflib perl plotutils pmu png ppds pppd preview-latex print python qt3 qt4 quicktime readline reflection reiserfs samba sdk session slang spell spl sse ssl svg svga t1lib tcltk tcpd theora thunderbird tiff truetype truetype-fonts type1-fonts udev usb vcd videos vorbis win32codecs wmf wxwindows xine xml xorg xosd xv xvid zlib elibc_glibc input_devices_mouse input_devices_keyboard kernel_linux linguas_de userland_GNU video_cards_radeon video_cards_vesa video_cards_fbdev" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
(In reply to comment #12) > > 3) Could you please state to be tested versions in the summary? > PHP, security? Please give us exact versions you want tested and keyworded.
Testing for alpha is as follow: PHP 5: all tests pased. Sweeet. PHP 4: some of the basic tests are faling. The errors don't appear on x86 or amd64 provided lists but I also see them on comment #12 (x86 powered). Gentoo/Alpha PHP-4.4.3-r1 ===================================================================== FAILED TEST SUMMARY --------------------------------------------------------------------- Simple POST Method test [tests/basic/002.phpt] GET and POST Method combined [tests/basic/003.phpt] Two variables in POST data [tests/basic/004.phpt] Three variables in POST data [tests/basic/005.phpt] Testing $argc and $argv handling (GET) [tests/basic/011.phpt] Bug #25145 (SEGV on recpt of form input with name like "123[]") [tests/lang/bug25145.phpt] Bug #35239 (Objects can lose references) [tests/lang/bug35239.phpt] Bug #24155 (gdImageRotate270 rotation problem). [ext/gd/tests/bug24155.phpt] Bug #27582 (ImageFillToBorder() on alphablending image looses alpha on fill color) [ext/gd/tests/bug27582_1.phpt] mb_http_input() [ext/mbstring/tests/mb_http_input.phpt] OpenSSL private key functions [ext/openssl/tests/001.phpt] bug #31454 (Incorrect adding PHPSESSID to links, which contains \r\n) [ext/session/tests/bug36459.phpt] ===================================================================== So, i'll mark php5 ASAP but wait for PHP4 until know if we can ignore the *basic test* errors or there is any kind of bug. I also want to thanks CHTEKK for trying to provide "some kind of test-suite" for the beast of php. Luca, really really apreciatted.
ok. I've marked this versions stable on ppc64 (following ppc): - dev-lang/php-4.4.3-r1 - dev-lang/php-5.1.4-r6 please say which versions you want stable next time... makes life easier.
stable on hppa
(In reply to comment #16) > please say which versions you want stable next time... makes life easier. From Comment #8: >> dev-lang/php-4.4.3-r1 and dev-lang/php-5.1.4-r6 are in the tree, stable them So, uhmm, eh? :) Anyway, wrt the failed tests: (In reply to comment #15) > Testing for alpha is as follow: > > PHP 5: all tests pased. Sweeet. Indeed! > PHP 4: some of the basic tests are faling. The errors don't appear on x86 or > amd64 provided lists but I also see them on comment #12 (x86 powered). > Simple POST Method test [tests/basic/002.phpt] > GET and POST Method combined [tests/basic/003.phpt] > Two variables in POST data [tests/basic/004.phpt] > Three variables in POST data [tests/basic/005.phpt] > Testing $argc and $argv handling (GET) [tests/basic/011.phpt] > Bug #25145 (SEGV on recpt of form input with name like "123[]") > [tests/lang/bug25145.phpt] > mb_http_input() [ext/mbstring/tests/mb_http_input.phpt] These tests all require the CGI SAPI to be available, so my guess is that you just didn't have the "cgi" USE flag enabled for dev-lang/php, I'll see to fix the test-suite to handle this more gracefully for PHP4. > Bug #35239 (Objects can lose references) [tests/lang/bug35239.phpt] > Bug #24155 (gdImageRotate270 rotation problem). [ext/gd/tests/bug24155.phpt] > Bug #27582 (ImageFillToBorder() on alphablending image looses alpha on fill > color) [ext/gd/tests/bug27582_1.phpt] > bug #31454 (Incorrect adding PHPSESSID to links, which contains \r\n) > [ext/session/tests/bug36459.phpt] Those are from the x86/amd64 lists, so they are ok. > OpenSSL private key functions [ext/openssl/tests/001.phpt] In the end, this seems to be the only new "relevant" one. You can find it's sourcecode at http://cvs.php.net/viewvc.cgi/php-src/ext/openssl/tests/001.phpt?revision=1.3.4.1&pathrev=PHP_4_4 it's the part after --FILE--, try to copy that manually in some bla.php script and execute it via CLI and see what the output is. It could be a genuine bug, or it could be something on your system (not enough entropy, not possible to create files in /tmp, etc.). The expected output of the test for it to pass is the one listed after --EXPECT--, if it doesn't match that, even by a whitespace or newline, the test is reported as failed. Ping me on IRC or via email to continue debugging this, I anyway think you can mark PHP4 stable without problems. > I also want to thanks CHTEKK for trying to provide "some kind of test-suite" > for the beast of php. Luca, really really apreciatted. Thanks for the thanks! :) Best regards, CHTEKK.
Stable on alpha. Vapier did arm/s390/sh. Removing them from the CC list. > > PHP 4: some of the basic tests are faling. The errors don't appear on x86 or > > amd64 provided lists but I also see them on comment #12 (x86 powered). > > These tests all require the CGI SAPI to be available, so my guess is that you > just didn't have the "cgi" USE flag enabled for dev-lang/php, I'll see to fix > the test-suite to handle this more gracefully for PHP4. Right, with the "cgi" use flag enabled, all went just fine. Thanks.
this weight is lifted off my shoulders *starts to float* woah! I've found the secret to antigravity :-P ^.^;; wacky tsunam day *grin* X86 is poofed
time to vote. Code exec or not ? code exec ==> at least *2 ==> glsa=yes
I tend to vote yes.
GLSA, I guess. That's one of those "library bugs" where there is nothing vulnerable because it needs you to find software making use of the affected function...
Let's have a GLSA then.
rerating, imho it's B2
GLSA 200608-28
