| Field | Value |
|---|---|
| Summary | dev-php/php: local DoS through xml_parser |
| Product | Gentoo Security |
| Reporter | Romang <zataz> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED UPSTREAM |
| Severity | minor |
| CC | beu, chtekk, robbat2, sebastian, stuart, tomk |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | A4 [noglsa] |
| Package list | |
| Runtime testing required | --- |
| Attachments | see description |
Description

Romang
2005-10-05 04:41:40 UTC

Created attachment 69912 [details]: XML Parser class
Created attachment 69913 [details]: The XML file to parse
Created attachment 69914 [details]: The PHP to import the XML file

Hello, I have added some scripts to reproduce the bug: the XML Parser class, the XML file to parse, and the PHP to import the XML file. Seems that some paths are broken:

```
(gdb) run
Starting program: /usr/bin/php import2.php
warning: Unable to find dynamic linker breakpoint function.
GDB will be unable to debug shared library initializers
and track explicitly loaded dynamic code.
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 2751)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 2751)]
poolDestroy (pool=0x85246e8) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/expat/xmlparse.c:5424
5424    /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/expat/xmlparse.c: No such file or directory.
        in /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/expat/xmlparse.c
(gdb)
Message from syslogd@zeus at Wed Oct 5 15:29:55 2005 ...
zeus kernel: grsec: From 80.92.64.98: signal 11 sent to /usr/bin/php[php:2751] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/gdb[gdb:22233] uid/euid:0/0 gid/egid:0/0
(gdb) bt
#0  poolDestroy (pool=0x85246e8) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/expat/xmlparse.c:5424
#1  0x081c2619 in php_XML_ParserFree (parser=0x8524558) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/expat/xmlparse.c:1055
#2  0x081be136 in xml_parser_dtor (rsrc=0xffffffff) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/xml.c:297
#3  0x0821ea7c in list_entry_destructor (ptr=0x850fe5c) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_list.c:177
#4  0x0821cfff in zend_hash_del_key_or_index (ht=0x842fa28, arKey=0x0, nKeyLength=0, h=9, flag=1) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_hash.c:527
#5  0x0821e874 in _zend_list_delete (id=9) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_list.c:56
#6  0x0820fbdc in _zval_ptr_dtor (zval_ptr=0x8518aa0, __zend_filename=0x83bef40 "/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_variables.c", __zend_lineno=171) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_execute_API.c:289
#7  0x08216d52 in _zval_ptr_dtor_wrapper (zval_ptr=0xffffffff) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_variables.c:171
#8  0x0821d1b8 in zend_hash_destroy (ht=0x8518d8c) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_hash.c:556
#9  0x08216a73 in _zval_dtor (zvalue=0x85100e4, __zend_filename=0x83be698 "/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_execute_API.c", __zend_lineno=289) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_variables.c:60
#10 0x0820fbdc in _zval_ptr_dtor (zval_ptr=0x8525768, __zend_filename=0x83bef40 "/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_variables.c", __zend_lineno=171) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_execute_API.c:289
#11 0x08216d52 in _zval_ptr_dtor_wrapper (zval_ptr=0xffffffff) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_variables.c:171
#12 0x0821d1b8 in zend_hash_destroy (ht=0x85256fc) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_hash.c:556
#13 0x08216ad2 in _zval_dtor (zvalue=0x850efd4, __zend_filename=0x83be698 "/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_execute_API.c", __zend_lineno=289) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_variables.c:51
#14 0x0820fbdc in _zval_ptr_dtor (zval_ptr=0x85244f4, __zend_filename=0x83a0bf8 "/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/xml.c", __zend_lineno=312) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_execute_API.c:289
#15 0x081be0ae in xml_parser_dtor (rsrc=0xffffffff) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/xml.c:312
#16 0x0821ea7c in list_entry_destructor (ptr=0x850fe5c) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_list.c:177
#17 0x0821d40a in zend_hash_apply_deleter (ht=0x842fa28, p=0x852513c) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_hash.c:611
#18 0x0821d4ca in zend_hash_graceful_reverse_destroy (ht=0x842fa28) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_hash.c:677
#19 0x0820f8ce in shutdown_executor () at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_execute_API.c:211
#20 0x08217b02 in zend_deactivate () at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend.c:693
#21 0x081e77b8 in php_request_shutdown (dummy=0x0) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/main/main.c:997
#22 0x08238d7e in main (argc=2, argv=0xbfffd874) at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/sapi/cli/php_cli.c:879
(gdb) quit
```

---

Hi, could you please test if you can reproduce this using the new dev-lang/php package? Just emerge =dev-lang/php-4*, and remember to enable the "cli" USE flag and the "xml" and "xml2" USE flags at least for this to work. dev-lang/php is the new generation of PHP support in Gentoo and will substitute dev-php/php, dev-php/php-cgi and dev-php/mod_php (all these are now only in dev-lang/php, controlled by USE flags). For more information on the new PHP support, take a look at: http://svn.gnqs.org/projects/gentoo-php-overlay/file/docs/php-upgrading.html?format=raw

Thanks for feedback, best regards, CHTEKK.

---

Bleh, dev-lang/php-4.4.0-r1 segfaults as well.

```
$ cd /usr/lib/php4 && grep -Rni '/var/tmp/portage/' *
Binary file bin/php matches
Binary file bin/php-cgi matches
Binary file lib/php/extensions/no-debug-non-zts-20020429/apc.so matches
Binary file lib/php/extensions/no-debug-non-zts-20020429/sqlite.so matches
```

And for the record, with dev-lang/php-5.1.0_rc1 (the overlay one) it does not segfault, but it contains screwed paths as well.

```
$ cd /usr/lib/php5 && grep -Rni '/var/tmp/portage/' *
Binary file bin/php matches
Binary file bin/php-cgi matches
Binary file lib/php/extensions/no-debug-non-zts-20050617/pdo_mysql.so matches
Binary file lib/php/extensions/no-debug-non-zts-20050617/apc.so matches
Binary file lib/php/extensions/no-debug-non-zts-20050617/pdo_odbc.so matches
Binary file lib/php/extensions/no-debug-non-zts-20050617/pdo_sqlite.so matches
```

---

Hello, OK, apache also segfaults with mod_php 4 if you use these files. DOS possible. Koon, could you please close the bug to the public? Regards.

---

Hello, I have resolved my bug by adding this method to the XML Parser class:

```php
function freexml() {
    xml_parser_free($this->parser);
}
```

And in the PHP to import the XML file:

```php
$xml->freexml();
```

There is still a bug in php, but a workaround exists. Regards.

---

Auditors, maybe confirm this?

---

Was confirmed by maintainer. Luca: would be nice to have a fix for this at the same time as bug 107602.

---

CHTEKK will open a bug upstream about this, as it's not fixed in 4.4.1.

---

CHTEKK: did you file the bug upstream?

---

Finally got to this... The bug is confirmed by me and reproducible with the test scripts, and the workaround indeed solves the problem. I've tried using both the bundled expat library and an external install; it segfaults with both. Searching the PHP bugs database a bit more, I've found two bugs that reference the same problem already:

http://bugs.php.net/bug.php?id=32494
http://bugs.php.net/bug.php?id=34150

From what I gather from them, upstream knows about it and has the problem verified, but won't do anything about it (see second bug); it seems they consider the xml_parser_free() workaround as a viable solution (but it isn't really, the segfault remains still...).

Best regards, CHTEKK.

---

I propose that we open this bug (since it's already public on PHP's bugzie) and resolve it as UPSTREAM. Eric: you should try to convince them to fix it by demonstrating that this is a security issue...

---

I agree with comment #14, let's do it! ;)

Best regards, CHTEKK.

---

Done like mentioned in comment #14.
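As an added example (not code from the bug report, its attachments, or PHP itself), here is the freexml() workaround carried through in a small parser wrapper: the class registers its own methods as expat handlers, which is what ties the parser resource and the object together, and releases the parser explicitly so nothing is left for request shutdown to tear down; the backtrace above shows xml_parser_dtor being entered twice (frames #2 and #15) on exactly that shutdown path. The class name, method names and the sample document are my own.

```php
<?php
// Added example, not from the bug report: a parser wrapper that frees the
// expat parser explicitly instead of leaving it to request shutdown.
class XmlImporter {
    private $parser;
    private $seen = array();

    public function __construct() {
        $this->parser = xml_parser_create();
        // Handlers are methods on this object, so the parser resource and the
        // object reference each other; that cycle is what shutdown must unwind.
        xml_set_object($this->parser, $this);
        xml_set_element_handler($this->parser, 'startElement', 'endElement');
    }

    public function startElement($parser, $name, $attrs) { $this->seen[] = $name; }
    public function endElement($parser, $name) { }

    // Parse one complete document; on error, free the parser before reporting.
    public function import($xml) {
        if (!xml_parse($this->parser, $xml, true)) {
            $msg = sprintf('XML error: %s at line %d',
                xml_error_string(xml_get_error_code($this->parser)),
                xml_get_current_line_number($this->parser));
            $this->freexml();
            throw new RuntimeException($msg);
        }
        return $this->seen;
    }

    // The workaround from the report: release the parser deterministically.
    // Guarded so a second call (e.g. from the destructor) is a no-op.
    public function freexml() {
        if ($this->parser !== null) {
            xml_parser_free($this->parser);
            $this->parser = null;
        }
    }

    public function __destruct() { $this->freexml(); }
}

// Constructed sample input.
$doc = '<?xml version="1.0"?><root><item id="1">a</item><item id="2">b</item></root>';
$importer = new XmlImporter();
$names = $importer->import($doc);
$importer->freexml();          // explicit release, as in the report's workaround
echo implode(',', $names), "\n";
```

The destructor is a PHP 5+ addition that only backs up the explicit call; on the PHP 4 build in this report, the explicit freexml() call before the script ends is the part that matters.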