Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 127939

Summary: dev-lang/php: html_entity_decode is not binary safe and can leak memory to an attacker (CVE-2006-1490)
Product: Gentoo Security Reporter: Jasper Bryant-Greene <jasper>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: php-bugs
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A4 [glsa] DerCorny
Package list:
Runtime testing required: ---

Description Jasper Bryant-Greene 2006-03-28 21:09:20 UTC 
Accessing the below short script on any current PHP release via an URL such as:

http://hostname/index.php?foo=%00ssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss

returns a chunk of memory with length equal to the string supplied via the query string, in my case including PHP code, PHP INI data, other user data, etc.

<?php

$foobar = html_entity_decode( $_GET['foo'] );
echo $foobar;

?>

This bug is fixed in current PHP CVS, but the fix has not yet been in an official release. I understand it will be in 5.1.3.

This testcase was posted to full-disclosure by T
Comment 1 Jasper Bryant-Greene 2006-03-28 21:09:20 UTC 
Accessing the below short script on any current PHP release via an URL such as:

http://hostname/index.php?foo=%00ssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss

returns a chunk of memory with length equal to the string supplied via the query string, in my case including PHP code, PHP INI data, other user data, etc.

<?php

$foobar = html_entity_decode( $_GET['foo'] );
echo $foobar;

?>

This bug is fixed in current PHP CVS, but the fix has not yet been in an official release. I understand it will be in 5.1.3.

This testcase was posted to full-disclosure by Tõnu Samuel in an email dated Tue, 28 Mar 2006 22:58:12 +0300.
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-29 06:27:51 UTC 
ok, since we've around 20days to fix this: want to patch with the CVS-fix or should we wait for a new upstream release?
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-29 06:34:05 UTC 
here is a link to the patch: http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/html.c?r1=1.63.2.23.2.1&r2=1.63.2.23.2.2
Comment 4 Luca Longinotti (RETIRED) gentoo-dev 2006-03-29 10:05:30 UTC 
I'm going to put out revbumps for 5.1.2 and 4.4.2 including this patch (thanks for the link) and some other crahes/problems I saw were fixed while I browsed the PHP CVS, then we can go about stabling those. 5.1.3 does not have a clear release date, RC2 is afaik still not out, and there is no RC process for a 4.4.3 going on atm. I'll see to make the patches, test them and commit to Portage later today or tomorrow.
Best regards, CHTEKK.
Comment 5 Luca Longinotti (RETIRED) gentoo-dev 2006-03-30 12:34:16 UTC 
http://marc.theaimsgroup.com/?l=php-dev&m=114374747612800&w=2 changed things a little, I'll put out a revbump for 4.4.2, as there is no 4.4.3 planned atm, to fix the problems in the PHP 4.X series, but I'll wait on 5.1.3 for the PHP 5.X series, as it surely fixes a lot of other minor bugs as well. :)
Best regards, CHTEKK.
Comment 6 Luca Longinotti (RETIRED) gentoo-dev 2006-04-12 03:33:15 UTC 
Assigning this one to php-bugs too.
Best regards, CHTEKK.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2006-04-15 05:32:02 UTC 
PHP herd, what's the ETA for this ?
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2006-04-28 12:29:36 UTC 
Setting this to upstream until new PHPs are released
Comment 9 Luca Longinotti (RETIRED) gentoo-dev 2006-05-05 03:35:07 UTC 
Fixed, see bug #131135 for stabilization instructions and then close this when
that one is closed too.
Best regards, CHTEKK.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2006-05-08 06:47:04 UTC 
Common GLSA with 131135
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2006-05-08 10:45:28 UTC 
GLSA 200605-08