Bug 131135

Summary: dev-lang/php: 5.1.2 and 4.4.2 buffer overflow and DoS's (CVE-2006-199{0|1})
Product: Gentoo Security Reporter: Raphael Marichez (Falco) (RETIRED) <falco>
Component: Vulnerabilities    Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: frederic.mangeant, jasper, php-bugs, tcort
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://archives.neohapsis.com/archives/bugtraq/2006-04/0498.html
Whiteboard: B1 [glsa] Falco
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 129314, 129315    
Attachments:
Description Flags
patch for php-4.4.2-r2 zend-info none

Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-24 12:52:23 UTC
The most important vuln reported would be this one. Our php-5.1.2 contains the same sources.

PHP team, please confirm if we are vulnerable. In such case it's an "A1", "critical".


i. PHP4/PHP5 wordwrap() buffer overflow

Function wordwrap() wraps a string to the given number of characters using a
string break character. There is a buffer overflow (heap) vulnerability in
the PHP wordwrap() caused by an integer miscalculation if long strings are
passed to the wordwrap() function. With a proper string size, it is
possible to allocate a small heap buffer that will be overflowed in the
memcpy() function. There are several different ways to make the overflow,
and one of them will be described here.

In [1] or [2], the integer 'alloced' is calculated from the lengths of the
user-input strings (text and breakchar). It is possible to set long strings
(about 1 MB) that will wrap around in the multiplication and result in a
small positive integer that will be used in [3] for memory allocation. In
[4], user input is copied to the newly allocated buffer 'newtext', which is
too short and will be overflowed in memcpy(). The copy size 'current' will
contain the string length of the user-supplied string 'text'.

Vulnerable code php-4.4.2/ext/standard/string.c:
--------------------------------------------------------
PHP_FUNCTION(wordwrap)
{
        const char *text, *breakchar = "\n";
        char *newtext;
        int textlen, breakcharlen = 1, newtextlen, alloced, chk;
        long current = 0, laststart = 0, lastspace = 0;
        long linelength = 75;
        zend_bool docut = 0;
        ...
        if (linelength > 0) {
                chk = (int)(textlen/linelength + 1);
[1]             alloced = textlen + chk * breakcharlen + 1;
        } else {
                chk = textlen;
[2]             alloced = textlen * (breakcharlen + 1) + 1;
        }
        if (alloced <= 0) {
                RETURN_FALSE;
        }
[3]     newtext = emalloc(alloced);
        ...
        if (laststart != current) {
[4]             memcpy(newtext+newtextlen, text+laststart, current-laststart);
                newtextlen += current - laststart;
        }
        ...
}
--------------------------------------------------------

If the memory_limit value is high, it is also possible to cause a memory DoS
attack.
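The point of the advisory is that the `alloced <= 0` guard in the quoted code does not catch an integer wrap: the product can wrap past zero and land on a small positive value that passes the check. The following is an added example (not from the advisory, from PHP, or from the Gentoo patchset) that reproduces the original size arithmetic at 32-bit int width next to a hardened replacement that refuses any size computation that would overflow. The function names `legacy_alloced`, `checked_alloced` and `checked_alloced_value` are assumptions for this illustration; the sizes used in `main` are constructed, not taken from the page.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Reproduce the size arithmetic of the quoted wordwrap() at the same
 * 32-bit int width. Unsigned arithmetic is used here so that the
 * wrap-around is well defined in this demo (in the original it is
 * signed overflow). Returns what the original 'alloced' would hold. */
int32_t legacy_alloced(uint32_t textlen, uint32_t breakcharlen, long linelength)
{
    uint32_t alloced;
    if (linelength > 0) {
        uint32_t chk = textlen / (uint32_t)linelength + 1;
        alloced = textlen + chk * breakcharlen + 1;        /* [1] */
    } else {
        alloced = textlen * (breakcharlen + 1) + 1;        /* [2] */
    }
    return (int32_t)alloced;
}

/* Portable overflow-checked helpers (no compiler builtins needed). */
static bool mul_ok(size_t a, size_t b, size_t *r)
{
    if (a != 0 && b > SIZE_MAX / a) return false;
    *r = a * b;
    return true;
}

static bool add_ok(size_t a, size_t b, size_t *r)
{
    if (b > SIZE_MAX - a) return false;
    *r = a + b;
    return true;
}

/* Hardened replacement (assumed design, not PHP's upstream fix): compute
 * the same size with checked arithmetic and refuse the request when any
 * intermediate step overflows or the result does not fit in an int.
 * Returns true and stores the size on success, false on overflow. */
bool checked_alloced(size_t textlen, size_t breakcharlen, long linelength, int *out)
{
    size_t chk, tmp, alloced;
    if (linelength > 0) {
        chk = textlen / (size_t)linelength + 1;
        if (!mul_ok(chk, breakcharlen, &tmp)) return false;
        if (!add_ok(textlen, tmp, &alloced)) return false;
    } else {
        if (!add_ok(breakcharlen, 1, &tmp)) return false;
        if (!mul_ok(textlen, tmp, &alloced)) return false;
    }
    if (!add_ok(alloced, 1, &alloced)) return false;
    if (alloced > (size_t)INT_MAX) return false;   /* must fit the int the caller uses */
    *out = (int)alloced;
    return true;
}

/* Convenience wrapper: the computed size, or -1 when the request is refused. */
long checked_alloced_value(size_t textlen, size_t breakcharlen, long linelength)
{
    int n = 0;
    return checked_alloced(textlen, breakcharlen, linelength, &n) ? (long)n : -1L;
}

int main(void)
{
    /* Constructed sizes: an ordinary call and one whose product exceeds 2^32. */
    size_t small_text = 100, small_brk = 1;
    size_t big_text = (size_t)1 << 20, big_brk = ((size_t)1 << 12) - 1;

    printf("ordinary: legacy=%ld checked=%ld\n",
           (long)legacy_alloced((uint32_t)small_text, (uint32_t)small_brk, 75),
           checked_alloced_value(small_text, small_brk, 75));
    printf("wrapping: legacy=%ld (passes 'alloced <= 0') checked=%ld (refused)\n",
           (long)legacy_alloced((uint32_t)big_text, (uint32_t)big_brk, 0),
           checked_alloced_value(big_text, big_brk, 0));
    return 0;
}
```

The ordinary case gives the same answer from both versions; for the wrapping case the legacy arithmetic yields 1, which the original `alloced <= 0` test accepts and `emalloc()` would happily honour, while the checked version returns -1 so the caller can bail out before any copy takes place. Doing the arithmetic in `size_t` alone is not enough on 64-bit hosts, which is why the final `INT_MAX` comparison is kept: the result still has to fit the `int` the surrounding code stores it in.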
Comment 1 Luca Longinotti (RETIRED) gentoo-dev 2006-04-25 12:17:18 UTC
Well, as (for now) we don't patch in any way string.c or our PHP releases for this vulnerability, I'd say we are vulnerable.
The advisory speaks of three issues:

i. PHP4/PHP5 wordwrap() buffer overflow
Confirmed in PHP 5.1.2 too.
No upstream fix available yet afaics.

ii. PHP4/PHP5 array_fill() DoS condition
This appeared to me like the other bug where you just called a function inside itself, so it got into an endless loop, consumed all memory available to it (memory_limit) and died... So not really critical, but it's really interesting to try this out on a system with no memory_limit support in PHP ("memlimit" USE off); it really sucks up 2GB of RAM in 1-2 seconds and renders your system pretty unusable.
No upstream fix available yet afaics.

iii. PHP5 substr_compare() DoS condition
Upstream fix available.

So, we'll have to wait on upstream for the other two still, should be quickly fixed, at least for PHP5 I hope, PHP4 may take longer (still no fix for the phpinfo() XSS fex.), so we may have to push out a new 5.1.2 rev that fixes all of those, and a new 4.4.2 rev that fixes the ones that are already fixed in the 4_4 branch...
Best regards, CHTEKK.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-04-25 12:49:10 UTC
An application needs to use wordwrap to be vulnerable so B1.
Comment 3 Jasper Bryant-Greene 2006-05-02 17:39:16 UTC
PHP 5.1.3 has been released upstream which fixes these issues.
Comment 4 Jakub Moc (RETIRED) gentoo-dev 2006-05-03 02:51:01 UTC
*** Bug 132102 has been marked as a duplicate of this bug. ***
Comment 5 Jakub Moc (RETIRED) gentoo-dev 2006-05-05 02:04:05 UTC
*** Bug 132318 has been marked as a duplicate of this bug. ***
Comment 6 Luca Longinotti (RETIRED) gentoo-dev 2006-05-05 03:38:07 UTC
PHP 5.1.4 and PHP 4.4.2-r2 were just added to CVS, which fix all the mentioned security issues known to us.

PHP4
wordwrap() buffer overflow
safe_mode copy() bypass
open_basedir tempname() bypass
html_entity_decode not binary safe
phpinfo() XSS

PHP5
wordwrap() buffer overflow
substr_compare() DoS
safe_mode copy() bypass
open_basedir tempname() bypass
html_entity_decode not binary safe
phpinfo() XSS

To the arch-teams: please stabilize dev-lang/php-4.4.2-r2 and dev-lang/php-5.1.4, thanks!
Best regards, CHTEKK.
Comment 7 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-05 03:54:13 UTC
OK, then let's go and stabilize dev-lang/php-4.4.2-r2 and php-5.1.4

Arches, it's up to you.
Comment 8 Jon Hood (RETIRED) gentoo-dev 2006-05-05 08:27:11 UTC
Created attachment 86202 [details, diff]
patch for php-4.4.2-r2 zend-info

5.1.4 stable on amd64

4.4.2-r2:
/bin/sh /var/tmp/portage/php-4.4.2-r2/work/php-4.4.2/libtool --silent --preserve-dup-deps --mode=compile /var/tmp/portage/php-4.4.2-r2/work/php-4.4.2/meta_ccld  -Iext/standard/ -I/var/tmp/portage/php-4.4.2-r2/work/php-4.4.2/ext/standard/ -DPHP_ATOM_INC -I/var/tmp/portage/php-4.4.2-r2/work/php-4.4.2/include -I/var/tmp/portage/php-4.4.2-r2/work/php-4.4.2/main -I/var/tmp/portage/php-4.4.2-r2/work/php-4.4.2 -I/usr/include/libxml2 -I/usr/X11R6/include -I/usr/include/freetype2 -I/var/tmp/portage/php-4.4.2-r2/work/php-4.4.2/ext/mbstring/mbregex -I/var/tmp/portage/php-4.4.2-r2/work/php-4.4.2/ext/mbstring/libmbfl -I/var/tmp/portage/php-4.4.2-r2/work/php-4.4.2/ext/mbstring/libmbfl/mbfl -I/usr/include/mysql -I/usr/include/pspell -I/var/tmp/portage/php-4.4.2-r2/work/php-4.4.2/TSRM -I/var/tmp/portage/php-4.4.2-r2/work/php-4.4.2/Zend  -D_REENTRANT  -march=athlon64 -O3 -pipe -fomit-frame-pointer -ffast-math -pthread -DZTS  -c /var/tmp/portage/php-4.4.2-r2/work/php-4.4.2/ext/standard/iptc.c -o ext/standard/iptc.o
/var/tmp/portage/php-4.4.2-r2/work/php-4.4.2/ext/standard/info.c: In function `php_print_gpcse_array':
/var/tmp/portage/php-4.4.2-r2/work/php-4.4.2/ext/standard/info.c:158: error: too many arguments to function `zend_print_zval_r'
make: *** [ext/standard/info.lo] Error 1
make: *** Waiting for unfinished jobs....

It fails in 4.4.2 because the zend api changes between versions, and someone put in a function that relies on the zend api provided in php-5.1.4. Attached is a patch that seems to fix it for me, but I don't know if it regresses any security issues fixed by the version bump.
Comment 9 Jon Hood (RETIRED) gentoo-dev 2006-05-05 08:33:55 UTC
Actually, you don't need my patch. This is broken because of the following patch:

4.4.2/php4.4.2-phpinfo_xss.patch

Please fix the phpinfo_xss.patch to call the zend_print_zval_r function correctly for php-4.4.2-r2, then we can start marking it stable.
Comment 10 Luca Longinotti (RETIRED) gentoo-dev 2006-05-05 08:45:02 UTC
Uhhh sorry, that bug was already fixed yesterday when I tested those, and I updated the patchset, at least the one on my mirror, but forgot to upload it to the distfiles mirror. Now I've updated the patchset on the distfiles mirrors, and will redigest the ebuilds, only dev-lang/php-4.4.2-r2 is affected by this, sorry again.
Best regards, CHTEKK.
Comment 11 Jon Hood (RETIRED) gentoo-dev 2006-05-05 09:48:25 UTC
stable and tested amd64; I hope the distfiles mirrors sync soon ;)
Comment 12 Thomas Cort (RETIRED) gentoo-dev 2006-05-05 10:26:57 UTC
The tests in dev-lang/php-5.1.4 didn't run. They say I need the CLI sapi, and in the install phase it says "Installing SAPI(s)  cli apache2" and "Installing CLI SAPI". Is this a bug, or am I doing something completely wrong?

Some output from emerge =dev-lang/php-5.1.4:

>>> Test phase [test]: dev-lang/php-5.1.4

Build complete.
(It is safe to ignore warnings about tempnam and tmpnam).

ERROR: Cannot run tests without CLI sapi.

>>> Install php-5.1.4 into /var/tmp/portage/php-5.1.4/image/ category dev-lang
Installing build environment:     /var/tmp/portage/php-5.1.4/image//usr/lib/php5/lib/php/build/
Installing header files:          /var/tmp/portage/php-5.1.4/image//usr/lib/php5/include/php/
Installing helper programs:       /var/tmp/portage/php-5.1.4/image//usr/lib/php5/bin/
  program: phpize
  program: php-config
Installing man pages:             /var/tmp/portage/php-5.1.4/image//usr/lib/php5/man/man1/
  page: phpize.1
  page: php-config.1
 * Setting extension_dir in php.ini
 * Securing fopen wrappers
 * Setting correct include_path
 *
 * Installing SAPI(s)  cli apache2
 *
 * Installing CLI SAPI


dev-lang/php-5.1.4  USE="apache2 berkdb calendar cli crypt ctype curl curlwrappers ftp gdbm ipv6 ncurses nls pcre readline recode reflection session sockets spell spl ssl threads truetype xml xmlreader zip zlib -apache -bcmath -bzip2 -cdb -cgi -cjk -dbase -debug -discard-path -doc -exif -fastbuild -flatfile -force-cgi-redirect -gd -gd-external -gmp -hardenedphp -hash -hyperwave-api -iconv -imap -inifile -interbase -iodbc -kerberos -ldap -libedit -mcve -memlimit -mhash -ming -msql -mssql -mysql -mysqli -odbc -pcntl -pdo -pdo-external -pic -posix -postgres -qdbm -sapdb -sasl -sharedext -sharedmem -simplexml -snmp -soap -sqlite -sysvipc -tidy -tokenizer -unicode -vm-goto -vm-switch -wddx -xmlrpc -xmlwriter -xpm -xsl -yaz"


# emerge --info
Portage 2.1_pre10-r2 (default-linux/alpha/no-nptl/2.4, gcc-3.4.6, glibc-2.3.6-r3, 2.4.32 alpha)
=================================================================
System uname: 2.4.32 alpha EV56
Gentoo Base System version 1.12.0_pre16
dev-lang/python:     2.3.5, 2.4.3
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r2
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.4.26-r1
ACCEPT_KEYWORDS="alpha ~alpha"
AUTOCLEAN="yes"
CBUILD="alpha-unknown-linux-gnu"
CFLAGS="-mieee -pipe -O2 -mcpu=ev56"
CHOST="alpha-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/env.d"
CXXFLAGS="-mieee -pipe -O2 -mcpu=ev56"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect distlocks metadata-transfer sandbox sfperms strict test"
GENTOO_MIRRORS="http://gentoo.mirrored.ca/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /usr/portage/local/layman/java-experimental"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="alpha X aac aalib aim alsa apache2 artworkextra async audacious audiofile bash-completion berkdb binfilter bitmap-fonts bittorrent bl bonjour c++ cairo calendar cdinstall cdparanoia cdr cdrom chroot cli config_wizard cracklib crypt cscope csv ctype cups curl curlwrappers cvs cvsgraph dhcp dillo dri editor eds elf encode epiphany escreen esd ethereal extraicons extras ffmpeg fftw figlet firefox flac ftp gdb gdbm gif glep gnome gnutls gpm grammar gsl gstreamer gtalk gtk gtk2 gtkspell gvim gzip html icq id3 imlib ipv6 jabber javascript jpeg justify ladspa lame libg++ libsexy libwww lite lj logrotate lua mad mapeditor md5sum mikmod motif moznoirc moznomail moznoroaming mozsha1 mp3 mpeg mpeg2 mplayer msn msnextras music ncurses net nethack nls offensive ogg oggvorbis opengl openssh openssl oscar oss pam pcre pdflib perl png python quicktime quotes readline recode reflection reiserfs scp screen sdl session sftp skins sndfile sockets sounds sox speech spell spl ssl subversion symlink syslog tcpd threads truetype truetype-fonts type1-fonts userlocales vcd videos vim vim-with-x vorbis wma wma123 xml xml2 xmlreader xmms xorg xv xvid yahoo zip zlib elibc_glibc kernel_linux userland_GNU"
Unset:  ASFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS
Comment 13 Luca Longinotti (RETIRED) gentoo-dev 2006-05-05 10:38:43 UTC
We don't support (atm, it's planned sometime, maybe...) the PHP tests; they vary too much between releases and are not a real test, since I never saw a PHP version where, _if_ they started, they all worked, at least 5-6 fail. So atm just emerge; if it compiles, installs, php -v/-i gives you the expected output, and if you try to run some app like phpMyAdmin, or others, it works, then it's ok. That's how it was done till now and will probably be done for a long time yet. :)
Best regards, CHTEKK.
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2006-05-05 11:13:46 UTC
ppc stable
Comment 15 Thomas Cort (RETIRED) gentoo-dev 2006-05-05 13:59:34 UTC
alpha stable.
Comment 16 Mark Loeser (RETIRED) gentoo-dev 2006-05-05 22:01:59 UTC
x86 done
Comment 17 Markus Rothe (RETIRED) gentoo-dev 2006-05-06 05:12:59 UTC
stable on ppc64
Comment 18 Luca Longinotti (RETIRED) gentoo-dev 2006-05-06 05:58:52 UTC
HPPA already stabled both, they probably just forgot to remove themselves from this bug.
SPARC still needs to stable dev-lang/php-4.4.2-r2.
Best regards, CHTEKK.
Comment 19 Jason Wever (RETIRED) gentoo-dev 2006-05-06 14:57:09 UTC
php-4.4.2-r2 is the proud owner of a sexy SPARC keyword.  Congrats!
Comment 20 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-06 15:23:07 UTC
thank you weeve !  :)

php 4.4.2-r2 & 5.1.4 are stable on all supported arches

arm, ia64, s390, sh, x86-fbsd, feel free to mark stable when you want to.
Comment 21 Thierry Carrez (RETIRED) gentoo-dev 2006-05-08 10:34:36 UTC
GLSA 200605-08