A buffer overflow has been reported in the PHP openlog() function. By passing an argument of excessive size to the function, it may be possible for an attacker to overwrite memory, resulting in a denial of service or (unconfirmed) possible execution of arbitrary commands within the PHP interpreter.

Reproducible: Didn't try
Steps to Reproduce:
1.
2.
3.

Information taken from Bugtraq: http://www.securityfocus.com/bid/7210/discussion/

The vulnerability was reported for php 4.3.1 and later. Bugtraq states that it is likely that previous versions are affected.

Link to original post on bugtraq: http://www.securityfocus.com/archive/1/316488

Proof of concept exploit has been published. Temporary (unofficial and unconfirmed) workaround is to disable the openlog function: http://www.securityfocus.com/archive/1/316583

I think there is no fixed version of php because I cannot find anything in respect to openlog in the changelog of php4 or php5; also bugtraq contains no hint of a fixed version/patch. I searched the php website for some information on this bug but found nothing. Therefore I believe that the vulnerability is also in php 4.3.4 (latest stable in portage), especially since php-5rc1 (released on 18 Mar 2004) is still affected. I hope that I didn't overlook something (bugfix, patch, ...).
PHP herd -- could you review/comment?
Looking now ...
Here's what I've looked at so far:

* The syslog.c source code file hasn't been touched since January 2004, and no fixes for any bug like this have been committed since php-4.3.1 was released.

* I can't reproduce the buffer overflow issue. I've loaded a copy of php-4.3.4 with debugging statements, and I can't see any problem. And I can't spot an obvious problem from reviewing the code either.

The key part of the openlog() function comes down to a call to estrndup():

    ZEND_API char *_estrndup(const char *s, uint length ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
    {
        char *p;

        HANDLE_BLOCK_INTERRUPTIONS();
        /* allocate length+1 bytes, so the copy below always has room for its terminator */
        p = (char *) _emalloc(length+1 ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
        if (!p) {
            HANDLE_UNBLOCK_INTERRUPTIONS();
            return (char *)NULL;
        }
        HANDLE_UNBLOCK_INTERRUPTIONS();
        /* copy exactly 'length' bytes and NUL-terminate; no fixed-size buffer is involved */
        memcpy(p, s, length);
        p[length] = 0;
        return p;
    }

This function is used throughout PHP for duplicating strings. If openlog() was vulnerable, then there would be many other exploits also possible.

If you have code that reproduces this fault, please add it to this bug. The script included in one of the links below does not show this security hole.

Best regards,
Stu
No response from submitter in ~1 week. Since we were unable to reproduce this bug locally and have not had further contact from the original submitter, closing as invalid.