Bug#: 143126
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Alexander Færøy <ahf@0x90.dk>

Attachment: failed_tests_x86_amd64 (text/plain, 4.43 KB) by Luca Longinotti, 2006-08-10 09:50 0000: List of failed tests on x86 and amd64, with and without hardenedphp enabled.

Description:   Opened: 2006-08-07 12:33 0000
Hi Guys,

Have a look at this mail posted on bugtraq:
http://www.securityfocus.com/archive/1/442438/30/0/threaded

There is a PoC included in the mail.

Regards,
Alexander (eroyf)

------- Comment #1 From Sune Kloppenborg Jeppesen 2006-08-07 12:40:18 0000 -------
php please advise.

------- Comment #2 From Robin Johnson 2006-08-07 12:57:23 0000 -------
Yup, it's a bug. I'd say the impact is not large, as very few people use
argument swapping. I don't have time to dig through CVS and find the final patch
now; the upstream bug seems to imply that the one committed was different from
the one posted.

------- Comment #3 From Luca Longinotti 2006-08-07 13:15:38 0000 -------
I'll prepare two new PHP releases tomorrow as I already wanted to do and fix
this.
Best regards, CHTEKK.

------- Comment #4 From Sune Kloppenborg Jeppesen 2006-08-07 13:22:28 0000 -------
Thx Luca and Robin.

------- Comment #5 From Sune Kloppenborg Jeppesen 2006-08-09 11:43:19 0000 -------
This should be the fix:

http://cvs.php.net/viewvc.cgi/php-src/ext/standard/scanf.c?r1=1.31.2.2&r2=1.31.2.2.2.1

------- Comment #6 From Luca Longinotti 2006-08-09 12:08:52 0000 -------
Yup, that's correct, it's been available in the PHP Overlay since yesterday
evening
(http://overlays.gentoo.org/proj/php/browser/patches/php-patches/5.1.4/5.1.4/php5.1.4-sscanf_code_exec.patch),
I'm now only waiting on a fix for Hardened-PHP which should be out in a few
hours and then I'll put the stuff in Portage and update this bug. ;)
Btw, from a security PoV, the new patchsets will also fix an open_basedir and
safe_mode bypass in the IMAP extension.
Best regards, CHTEKK.

------- Comment #7 From Sune Kloppenborg Jeppesen 2006-08-09 13:15:20 0000 -------
AFAIR we don't consider open_basedir and safe_mode bypasses as security issues.

------- Comment #8 From Luca Longinotti 2006-08-10 09:47:27 0000 -------
dev-lang/php-4.4.3-r1 and dev-lang/php-5.1.4-r6 are in the tree, stable them
(amd64 is already stable-keyworded, so nothing to do there).
Note: for all the arch-teams, with those two releases we start to finally
support the PHP test suite! This should make testing easier for all of you,
just do FEATURES="test" emerge php for it to work.
Now on to the various quirks this has, cause it's not perfect, and we can't do
very much about some of the following points:
- the sharedext USE flag must be disabled for all the tests to be done correctly
- the java-internal USE flag must be disabled for all the tests to be done correctly
- all databases for the database extensions you want to test must be working:
  - standard Firebird install (just emerge && emerge --config && /etc/init.d
    start is enough)
  - standard MySQL install (emerge && emerge --config), root user with empty/no
    password, and a database "test" created with access for that user
  - standard PostgreSQL install (emerge && emerge --config), with access for
    users root or portage (depends on Portage's userpriv feature), no password
    (trust authentication), and a "test" database created with access for that user
SQLite and MSSQL (FreeTDS) don't need any special care; ODBC/iODBC seem to fail
only on PHP5's PDO_ODBC extension, and I don't really know how to solve that. Other
databases, such as Oracle, Interbase, Informix, etc. (the commercial ones we
provide USE flags for but which aren't supported by us), don't have their
test-suite part supported either, as we can't test them anyway.
Now, even after all this, some tests still fail, and that is expected (that
some of them fail), I'll attach a list of the failures I got on x86 and amd64,
so you can compare, the results should be fairly consistent with x86 for 32bit
stuff and amd64 for 64bit stuff. If the test-results for your arch differ
_drastically_ (like 20+ test failed, which should have worked), hold off
stabling and please contact me with the exact report of which tests fail, if
few tests fail, or the same as you'd expect from the x86/amd64 comparison,
stable PHP without fear, but please contact me anyway and tell me which exactly
failed, so I can build up a list of "what is expected to fail where" (and maybe
even find some genuine bug somewhere). The tests are about 600 for PHP4 and
2400 for PHP5 (total number, depending on the enabled extensions, fewer will
get executed, some skipped, etc.).
Best regards, and good testing, CHTEKK.

------- Comment #9 From Luca Longinotti 2006-08-10 09:50:14 0000 -------
Created an attachment (id=93920) [details]
List of failed tests on x86 and amd64, with and without hardenedphp enabled.

------- Comment #10 From Stefan Cornelius (RETIRED) 2006-08-10 11:10:04 0000 -------
arches, please test and stable, thank you

------- Comment #11 From Tobias Scherbaum 2006-08-10 12:36:03 0000 -------
ppc stable

------- Comment #12 From Christian Faulhammer 2006-08-11 00:05:33 0000 -------
PHP 4:
1) emerges fine so far
2) passes collision test
3) fails 1.9% of the test suite:
=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Simple POST Method test [tests/basic/002.phpt]
GET and POST Method combined [tests/basic/003.phpt]
Two variables in POST data [tests/basic/004.phpt]
Three variables in POST data [tests/basic/005.phpt]
Testing $argc and $argv handling (GET) [tests/basic/011.phpt]
Bug #25145 (SEGV on recpt of form input with name like "123[]")
[tests/lang/bug25145.phpt]
Bug #35239 (Objects can lose references) [tests/lang/bug35239.phpt]
Bug #24155 (gdImageRotate270 rotation problem). [ext/gd/tests/bug24155.phpt]
Bug #27582 (ImageFillToBorder() on alphablending image looses alpha on fill
color) [ext/gd/tests/bug27582_1.phpt]
bug #31454 (Incorrect adding PHPSESSID to links, which contains \r\n)
[ext/session/tests/bug36459.phpt]
Bug #24142 (round() problems) [ext/standard/tests/math/bug24142.phpt]
Bug #25694 (round() and number_format() inconsistency)
[ext/standard/tests/math/bug25694.phpt]
=====================================================================

4) Could you please state the to-be-tested versions in the summary?

------- Comment #13 From Christian Faulhammer 2006-08-11 00:24:39 0000 -------
1) emerges fine
2) passes collision test
3) passes test suite completely

Portage 2.1-r1 (default-linux/x86/2006.0, gcc-3.4.6, glibc-2.3.6-r4,
2.6.17-gentoo-r4 i686)
=================================================================
System uname: 2.6.17-gentoo-r4 i686 AMD Athlon(tm) XP 2500+
Gentoo Base System version 1.6.15
app-admin/eselect-compiler: [Not Present]
dev-lang/python:     2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/splash
/etc/terminfo"
CXXFLAGS="-O2"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer
parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/"
LANG="de_DE@euro"
LC_ALL="de_DE@euro"
LINGUAS="de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage"
USE="x86 3dnow 3dnowext X Xaw3d a52 alsa arts artworkextra asf audiofile avi
bash-completion beagle berkdb bidi bitmap-fonts bootsplash branding bzip2 cairo
cdda cddb cdparanoia cdr cli cracklib crypt css cups curl custom-cflags dbus
dga directfb divx4linux dlloader dri dts dvd dvdr dvdread dvi eds emacs emboss
encode esd evo exif expat fam fat fbcon ffmpeg firefox foomaticdb fortran ftp
gb gcj gdbm gif gnome gpm gstreamer gtk gtk2 gtkhtml hal icq idn imagemagick
imap imlib ipv6 isdnlog java javascript jikes jpeg jpeg2k ldap leim libg++
libwww lm_sensors mad maildir matroska mbox mikmod mime mmx mmxext mng mono
motif mp3 mpeg mpeg2 mule nautilus ncurses nforce2 nls nocardbus nptl nptlonly
nsplugin nvidia objc ogg opengl pam pcre pdf pdflib perl plotutils pmu png ppds
pppd preview-latex print python qt3 qt4 quicktime readline reflection reiserfs
samba sdk session slang spell spl sse ssl svg svga t1lib tcltk tcpd theora
thunderbird tiff truetype truetype-fonts type1-fonts udev usb vcd videos vorbis
win32codecs wmf wxwindows xine xml xorg xosd xv xvid zlib elibc_glibc
input_devices_mouse input_devices_keyboard kernel_linux linguas_de userland_GNU
video_cards_radeon video_cards_vesa video_cards_fbdev"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS,
PORTAGE_RSYNC_EXTRA_OPTS

------- Comment #14 From Andrej Kacian (RETIRED) 2006-08-12 05:47:07 0000 -------
(In reply to comment #12)
> 
> 3) Could you please state to be tested versions in the summary?
> 

PHP, security? Please give us exact versions you want tested and keyworded.

------- Comment #15 From Jose Luis Rivero (yoswink) 2006-08-12 06:34:26 0000 -------
Testing for alpha is as follow:

PHP 5: all tests passed. Sweeet.

PHP 4: some of the basic tests are failing. The errors don't appear on the x86 or
amd64 lists provided, but I also see them in comment #12 (x86 powered).

Gentoo/Alpha PHP-4.4.3-r1
=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Simple POST Method test [tests/basic/002.phpt]
GET and POST Method combined [tests/basic/003.phpt]
Two variables in POST data [tests/basic/004.phpt]
Three variables in POST data [tests/basic/005.phpt]
Testing $argc and $argv handling (GET) [tests/basic/011.phpt]
Bug #25145 (SEGV on recpt of form input with name like "123[]")
[tests/lang/bug25145.phpt]
Bug #35239 (Objects can lose references) [tests/lang/bug35239.phpt]
Bug #24155 (gdImageRotate270 rotation problem). [ext/gd/tests/bug24155.phpt]
Bug #27582 (ImageFillToBorder() on alphablending image looses alpha on fill
color) [ext/gd/tests/bug27582_1.phpt]
mb_http_input() [ext/mbstring/tests/mb_http_input.phpt]
OpenSSL private key functions [ext/openssl/tests/001.phpt]
bug #31454 (Incorrect adding PHPSESSID to links, which contains \r\n)
[ext/session/tests/bug36459.phpt]
=====================================================================

So, I'll mark php5 ASAP but wait for PHP4 until I know if we can ignore the
*basic test* errors or there is some kind of bug.

I also want to thank CHTEKK for trying to provide "some kind of test-suite"
for the beast of php. Luca, really really appreciated.

------- Comment #16 From Markus Rothe 2006-08-12 07:26:25 0000 -------
OK. I've marked these versions stable on ppc64 (following ppc):

- dev-lang/php-4.4.3-r1
- dev-lang/php-5.1.4-r6

please say which versions you want stable next time... makes life easier.

------- Comment #17 From René Nussbaumer 2006-08-12 08:15:55 0000 -------
stable on hppa

------- Comment #18 From Luca Longinotti 2006-08-12 16:27:15 0000 -------
(In reply to comment #16)
> please say which versions you want stable next time... makes life easier.

From Comment #8:
>> dev-lang/php-4.4.3-r1 and dev-lang/php-5.1.4-r6 are in the tree, stable them

So, uhmm, eh? :)

Anyway, wrt the failed tests:

(In reply to comment #15)
> Testing for alpha is as follow:
> 
> PHP 5: all tests pased. Sweeet.

Indeed!

> PHP 4: some of the basic tests are faling. The errors don't appear on x86 or
> amd64 provided lists but I also see them on comment #12 (x86 powered).

> Simple POST Method test [tests/basic/002.phpt]
> GET and POST Method combined [tests/basic/003.phpt]
> Two variables in POST data [tests/basic/004.phpt]
> Three variables in POST data [tests/basic/005.phpt]
> Testing $argc and $argv handling (GET) [tests/basic/011.phpt]
> Bug #25145 (SEGV on recpt of form input with name like "123[]")
> [tests/lang/bug25145.phpt]
> mb_http_input() [ext/mbstring/tests/mb_http_input.phpt]

These tests all require the CGI SAPI to be available, so my guess is that you
just didn't have the "cgi" USE flag enabled for dev-lang/php, I'll see to fix
the test-suite to handle this more gracefully for PHP4.

> Bug #35239 (Objects can lose references) [tests/lang/bug35239.phpt]
> Bug #24155 (gdImageRotate270 rotation problem). [ext/gd/tests/bug24155.phpt]
> Bug #27582 (ImageFillToBorder() on alphablending image looses alpha on fill
> color) [ext/gd/tests/bug27582_1.phpt]
> bug #31454 (Incorrect adding PHPSESSID to links, which contains \r\n)
> [ext/session/tests/bug36459.phpt]

Those are from the x86/amd64 lists, so they are ok.

> OpenSSL private key functions [ext/openssl/tests/001.phpt]

In the end, this seems to be the only new "relevant" one. You can find its
source code at
http://cvs.php.net/viewvc.cgi/php-src/ext/openssl/tests/001.phpt?revision=1.3.4.1&pathrev=PHP_4_4
It's the part after --FILE--; try to copy that manually into some bla.php script
and execute it via CLI and see what the output is. It could be a genuine bug,
or it could be something on your system (not enough entropy, not possible to
create files in /tmp, etc.). The expected output of the test for it to pass is
the one listed after --EXPECT--; if it doesn't match that, even by a whitespace
or newline, the test is reported as failed. Ping me on IRC or via email to
continue debugging this; I anyway think you can mark PHP4 stable without
problems.

> I also want to thanks CHTEKK for trying to provide "some kind of test-suite"
> for the beast of php. Luca, really really apreciatted.

Thanks for the thanks! :)
Best regards, CHTEKK.
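
Added example (editor's note, not part of the bug thread and not PHP's own run-tests.php): the manual procedure in Comment #18 (take the body after --FILE--, run it with the CLI, compare against --EXPECT--) is exactly what the test runner automates. The Python below parses a constructed .phpt fixture into its sections and judges a captured output the way the comment describes: an --EXPECT-- section must match exactly, so a stray trailing space or an extra newline fails the test. The sample test body is constructed and is not ext/openssl/tests/001.phpt; the PASS/FAIL/SKIP/BORK verdict names and the --EXPECTF-- placeholder subset (%s, %d, %x, %a) are modelled on run-tests.php from memory and should be treated as assumptions, as is tolerating only the trailing newline that the CLI prints. Producing actual_output (php -n test.php) is left to the caller, so the block runs offline.

```python
import re
from typing import Dict, List, Optional

# Constructed .phpt fixture, modelled on the section layout of PHP's test
# files. It is not the openssl test from the bug; it only has to look like a
# .phpt so the parser and the judge have something realistic to work on.
SAMPLE_PHPT = """--TEST--
Constructed example: two values from sscanf
--SKIPIF--
<?php if (!function_exists('sscanf')) die('skip sscanf not available'); ?>
--FILE--
<?php
list($a, $b) = sscanf("12 apples", "%d %s");
var_dump($a, $b);
?>
--EXPECT--
int(12)
string(6) "apples"
"""

SECTION_RE = re.compile(r"^--([A-Z_]+)--$")

# Placeholders accepted in --EXPECTF-- sections (subset, assumed from memory
# of run-tests.php; %s matches to end of line, %a may span lines).
EXPECTF_TOKENS = {
    "%s": r"[^\r\n]+",
    "%d": r"[+-]?\d+",
    "%x": r"[0-9a-fA-F]+",
    "%a": r".+",
}


def parse_phpt(text: str) -> Dict[str, str]:
    """Split a .phpt file into its --NAME-- sections.

    Bodies keep their internal newlines; the newline that precedes the next
    header (or the end of file) is dropped, which is what makes an exact
    comparison against captured output feasible.
    """
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is None:
            raise ValueError("content before the first --SECTION-- header")
        else:
            sections[current].append(line)
    return {name: "\n".join(body) for name, body in sections.items()}


def expectf_to_regex(pattern: str) -> str:
    """Turn an --EXPECTF-- body into an anchored regex, escaping everything
    that is not a recognised placeholder."""
    out: List[str] = []
    i = 0
    while i < len(pattern):
        token = pattern[i:i + 2]
        if token in EXPECTF_TOKENS:
            out.append(EXPECTF_TOKENS[token])
            i += 2
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "^" + "".join(out) + r"\Z"


def judge(sections: Dict[str, str], actual_output: str,
          skipif_output: Optional[str] = None) -> str:
    """Verdict for one test, given the output the caller captured by running
    the --FILE-- body with the PHP CLI (php -n test.php).

    SKIP when --SKIPIF-- printed "skip", BORK when the test is malformed,
    otherwise PASS or FAIL.
    """
    if skipif_output is not None and skipif_output.lstrip().lower().startswith("skip"):
        return "SKIP"
    if "FILE" not in sections or not ("EXPECT" in sections or "EXPECTF" in sections):
        return "BORK"
    # Assumption: only the trailing newline the CLI emits is tolerated. Any
    # other difference, a trailing space on a line included, is a FAIL,
    # which is the behaviour Comment #18 warns about.
    actual = actual_output.rstrip("\n")
    if "EXPECT" in sections:
        return "PASS" if actual == sections["EXPECT"] else "FAIL"
    pattern = re.compile(expectf_to_regex(sections["EXPECTF"]), re.DOTALL)
    return "PASS" if pattern.match(actual) else "FAIL"


if __name__ == "__main__":
    t = parse_phpt(SAMPLE_PHPT)
    good = 'int(12)\nstring(6) "apples"\n'
    print("sections:", sorted(t))
    print("exact output     ->", judge(t, good))
    print("trailing space   ->", judge(t, good.replace('"apples"', '"apples" ')))
    print("skipif says skip ->", judge(t, good, skipif_output="skip no sscanf"))
```

When a test like the openssl one fails on a new arch, run the --FILE-- body by hand, feed its stdout to judge(), and diff it against the --EXPECT-- section: if the only difference is whitespace or ordering, the failure is a test-harness artefact rather than a bug in the extension.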

------- Comment #19 From Jose Luis Rivero (yoswink) 2006-08-14 11:42:29 0000 -------
Stable on alpha.

Vapier did arm/s390/sh. Removing them from the CC list.

> > PHP 4: some of the basic tests are faling. The errors don't appear on x86 or
> > amd64 provided lists but I also see them on comment #12 (x86 powered).
> 
> These tests all require the CGI SAPI to be available, so my guess is that you
> just didn't have the "cgi" USE flag enabled for dev-lang/php, I'll see to fix
> the test-suite to handle this more gracefully for PHP4.

Right, with the "cgi" use flag enabled, all went just fine.

Thanks.

------- Comment #20 From Joshua Jackson 2006-08-14 20:43:48 0000 -------
this weight is lifted off my shoulders *starts to float* woah! I've found the
secret to antigravity :-P ^.^;; wacky tsunam day *grin* 

X86 is poofed

------- Comment #21 From Raphael Marichez 2006-08-16 06:35:59 0000 -------
time to vote.

Code exec or not?
code exec ==> at least *2 ==> glsa=yes

------- Comment #22 From Sune Kloppenborg Jeppesen 2006-08-19 09:17:07 0000 -------
I tend to vote yes.

------- Comment #23 From Thierry Carrez (RETIRED) 2006-08-23 11:56:08 0000 -------
GLSA, I guess.
That's one of those "library bugs" where there is nothing vulnerable because it
needs you to find software making use of the affected function...
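
Added example (editor's, not from the bug, from Gentoo or from PHP): Comment #2 judges the impact low because few callers use argument swapping, and Comment #23 notes that a "library bug" like this one only matters once you find code that calls the affected function with that feature. A triage pass over a PHP tree therefore starts by locating sscanf()/fscanf() calls whose format literal uses %n$ positional specifiers. The sample PHP source lines below are constructed; the regexes are a grep-grade heuristic, not a PHP parser, and a format held in a variable is reported for manual review rather than judged. fscanf is included on the assumption that it goes through the same ext/standard/scanf.c code that the fix in Comment #5 patches.

```python
import re
from typing import List, NamedTuple

# Constructed PHP source standing in for an application under triage. The
# calls, variable names and comments are made up for this example.
SAMPLE_PHP_SOURCE = r"""<?php
$n = sscanf($line, "%d items");                      // plain conversion, no positional args
list($y, $m) = sscanf($date, "%2$d-%1$d");            // positional specifiers (argument swapping)
$rc = fscanf($fh, "%1$s %2$s", $first, $second);      // fscanf shares ext/standard/scanf.c
printf("%1$s %2$s", $a, $b);                          // positional, but printf, not scanf
$t = sscanf($raw, '%3$d', $third);                    // single-quoted format string
$u = sscanf($raw, $fmt);                              // format comes from a variable
"""

# sscanf()/fscanf() call with its argument text; greedy to the last ')' on
# the line is good enough for a triage grep, not for parsing PHP.
CALL_RE = re.compile(r"\b(sscanf|fscanf)\s*\((.*)\)")
# Single- or double-quoted PHP string literal, honouring backslash escapes.
STRING_RE = re.compile(r"""(['"])((?:\\.|(?!\1).)*)\1""")
# XPG-style positional conversion: %<n>$, the "argument swapping" of the bug.
POSITIONAL_RE = re.compile(r"%(\d+)\$")


class Hit(NamedTuple):
    lineno: int
    func: str
    fmt: str
    positions: List[int]


def find_positional_scanf(source: str) -> List[Hit]:
    """Report every sscanf/fscanf call whose format literal uses %n$.

    Only literal format strings can be judged from the text; a call whose
    format is not a literal is reported with fmt="<non-literal>" so a human
    still looks at it.
    """
    hits: List[Hit] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = CALL_RE.search(line)
        if not m:
            continue
        func, args = m.group(1), m.group(2)
        literals = [s.group(2) for s in STRING_RE.finditer(args)]
        if not literals:
            hits.append(Hit(lineno, func, "<non-literal>", []))
            continue
        for fmt in literals:
            positions = [int(p) for p in POSITIONAL_RE.findall(fmt)]
            if positions:
                hits.append(Hit(lineno, func, fmt, positions))
                break
    return hits


if __name__ == "__main__":
    for h in find_positional_scanf(SAMPLE_PHP_SOURCE):
        print(f"line {h.lineno}: {h.func}() format {h.fmt!r} positions {h.positions}")
```

Run it over `find . -name '*.php' -exec cat {} +` style input per file; an empty result means the affected feature is not reachable from that code base, which is the fact the GLSA severity discussion above turns on.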

------- Comment #24 From Sune Kloppenborg Jeppesen 2006-08-23 13:16:34 0000 -------
Let's have a GLSA then.

------- Comment #25 From Raphael Marichez 2006-08-26 07:28:31 0000 -------
rerating, imho it's B2

------- Comment #26 From Raphael Marichez 2006-08-29 08:26:48 0000 -------
GLSA 200608-28
