
Bug 191034

Summary: dev-lang/php <5.2.4_p20070914-r2 Multiple issues
Product: Gentoo Security
Reporter: Wolfram Schlich (RETIRED) <wschlich>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: bernd, php-bugs
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.php.net/releases/5_2_4.php
Whiteboard: B? [glsa]
Package list:
Runtime testing required: ---
Attachments: php-5.2.4-fixed-issues (flags: none)

Description Wolfram Schlich (RETIRED) gentoo-dev 2007-09-02 09:26:12 UTC
Also has lots of security fixes:
http://www.php.net/ChangeLog-5.php#5.2.4
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2007-09-02 10:02:02 UTC
Security bugs go to security; we also know about releases. Nothing will be done until hoffie is back (~Sept. 6), plus most of this stuff has already been fixed in the 5.2.4_pre200708051230-r2 snapshot which is in the tree and stable.
Comment 2 Jakub Moc (RETIRED) gentoo-dev 2007-09-03 17:49:48 UTC
*** Bug 191160 has been marked as a duplicate of this bug. ***
Comment 3 Hanno Böck gentoo-dev 2007-09-06 18:45:48 UTC
Further security issues (unfixed in 5.2.4 upstream):

DoS in setlocale
http://securityreason.com/securityalert/3090

mail.force_extra_parameters code injection
http://securityreason.com/news/0/0x1f
Comment 4 Christian Hoffmann (RETIRED) gentoo-dev 2007-09-07 12:07:07 UTC
(In reply to comment #3)
> DoS in setlocale
> http://securityreason.com/securityalert/3090
Fix in upstream cvs, will backport.

> mail.force_extra_parameters code injection
> http://securityreason.com/news/0/0x1f
This bug was fixed in upstream CVS and is part of our in-tree snapshot, so we aren't vulnerable currently, as far as I can see. The patch was reverted on Aug 23 (before the final 5.2.4 release) as it caused hangups with multithreaded builds (someone confirmed that problem independently @ #gentoo-php today). After the release the patch was re-added and another change was done to prevent that hangup problem. We are going to backport those two fixes.

Our current in-tree version is vulnerable to the above-mentioned setlocale() bug and these bugs:
  * phpbug #42208 (substr_replace() crashes when the same array is passed more than once)
  * phpbug #42242 (sybase_connect() crashes)
  * phpbug #42364 (Crash when using getRealPath with DirectoryIterator)
  * phpbug #37273 (Symlinks and mod_files session handler allow open_basedir bypass)
  * phpbug #42365 (glob() crashes and/or accepts way too many flags)
(these are fixed in 5.2.4 final)

This bug was fixed after 5.2.4 (will backport it as well):
  Possible buffer overflows inside the fnmatch() and glob() functions

Preparing a new ebuild/patchset now...
Comment 5 Christian Hoffmann (RETIRED) gentoo-dev 2007-09-07 13:46:44 UTC
5.2.4 committed to php-testing overlay, will merge to the tree tomorrow after a bit more testing.
It also fixes:
  * phpbug #42462 (Segmentation when trying to set an attribute in DOMElement)
  * phpbug #42326 (SoapServer crash)
Comment 6 Christian Hoffmann (RETIRED) gentoo-dev 2007-09-08 18:31:40 UTC
In the tree now. Would be nice if it could stay in ~arch for an additional day to avoid such breakage as for php-5.2.3.
Comment 7 Christian Hoffmann (RETIRED) gentoo-dev 2007-09-11 16:44:02 UTC
Didn't see a patch for the open_basedir/safe_mode bypass described at [1] yet, once one is available I'll add -r1 which will also fix the PHP part of Lighttpd SA 2007:12 [2] and a non-security annoying bug [3].

[1] http://article.gmane.org/gmane.comp.security.bugtraq/32758
[2] http://www.lighttpd.net/assets/2007/9/9/lighttpd_sa_2007_12.txt
[3] http://bugs.php.net/bug.php?id=42587
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2007-09-12 16:57:20 UTC
According to CVE-2007-4825:
  Directory traversal vulnerability in PHP 5.2.4 and earlier allows attackers to bypass open_basedir restrictions and possibly execute arbitrary code via a .. (dot dot) in the dl function.

We might want to patch that too before stabling.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2007-09-12 17:06:45 UTC
(In reply to comment #3)
> Further security issues (unfixed in 5.2.4 upstream):
> 
> DoS in setlocale
> http://securityreason.com/securityalert/3090

For the record, this is CVE-2007-4784.

(In reply to comment #4)
> This bug was fixed after 5.2.4 (will backport it as well):
>   Possible buffer overflows inside the fnmatch() and glob() functions

Looks like CVE-2007-4782.

Also unpatched in 5.2.4 is a DoS in str and iconv_substr (CVE-2007-4783).
Comment 10 Christian Hoffmann (RETIRED) gentoo-dev 2007-09-12 21:42:14 UTC
(In reply to comment #8)
> According to CVE-2007-4825:
>   Directory traversal vulnerability in PHP 5.2.4 and earlier allows attackers to bypass open_basedir restrictions and possibly execute arbitrary code via a .. (dot dot) in the dl function.
> 
> We might want to patch that too before stabling.
Indeed, now that I understood it completely it should be patched. Sadly I haven't seen an upstream patch yet.

(In reply to comment #7)
> Didn't see a patch for the open_basedir/safe_mode bypass described at [1] yet,
> 
> [1] http://article.gmane.org/gmane.comp.security.bugtraq/32758
I agree with the replies on the bugtraq thread -- it's not PHP's job to enforce permissions in MySQL. For those file functions to be usable, the MySQL user apparently requires FILE permissions anyway, so it's probably a configuration issue.

(In reply to comment #9)
> Also unpatched in 5.2.4 is a DoS in str and iconv_substr (CVE-2007-4783).
I was able to reproduce the iconv-substr one and haven't seen an upstream fix for that one either. :(
Not sure about str_repeat() -- it seems just to hang for a long time and consume CPU (it doesn't even seem to allocate memory or something while doing that). I don't think it's too critical, this behaviour can be caused with usual PHP code as well.

To conclude, php-5.2.4 from the tree is still vulnerable to the dl() issue and to the iconv_substr() one.
Once there are fixes for these issues I'll probably add a cvs snapshot again as it looks like we would get insane amounts of patches in our patchset again otherwise.
Comment 11 Christian Hoffmann (RETIRED) gentoo-dev 2007-09-13 15:17:59 UTC
There is an upstream fix for dl() now, nothing for str_repeat/iconv_substr yet. I'm going to add a snapshot to the tree tomorrow afternoon, hopefully fixing all vulnerabilities listed in the bug. But if there is still no fix for iconv stuff I'll add it anyway as I think the dl() one is more serious (and in addition, I'll not be around this weekend :)).
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2007-09-14 10:19:56 UTC
(In reply to comment #10)
> (In reply to comment #7)
> > Didn't see a patch for the open_basedir/safe_mode bypass described at [1] yet,
> > 
> > [1] http://article.gmane.org/gmane.comp.security.bugtraq/32758
> I agree with the replies on the bugtraq thread -- it's not PHP's job to enforce
> permissions in MySQL. For those file functions to be usable, the MySQL user
> apparently requires FILE permissions anyway, so it's probably a configuration
> issue.

CVE assigned CVE-2007-4889 to this "issue".

hoffie, does the dl fix take care of CVE-2007-4887 too?:
  The dl function in PHP 5.2.4 and earlier allows context-dependent
  attackers to cause a denial of service (application crash) via a
  long string in the library parameter.
Comment 13 Christian Hoffmann (RETIRED) gentoo-dev 2007-09-16 15:44:43 UTC
Ok, actually I wanted to have submitted this reply on Friday already, but somehow Bugzilla ate it (or I forgot to submit it properly :P).

So, status update: php-5.2.4_p20070914 is in the tree. It fixes all sec bugs mentioned in this bug except the iconv/str_repeat one (still no upstream fix) and the dl() segfault (only the segfault is unfixed, the ../ problem is solved).
It's up to you whether you want this version stabilized (I haven't seen any problem reports until now either, so it cannot be that bad) or want to wait for a -r1 which hopefully includes fixes for the two outstanding segfaults (iconv, dl) and the hangup (str_repeat). No clue when patches for those will appear...

(In reply to comment #12)
> hoffie, does the dl fix take care of CVE-2007-4887 too?:
>   The dl function in PHP 5.2.4 and earlier allows context-dependent
>   attackers to cause a denial of service (application crash) via a
>   long string in the library parameter.
Unfixed and still no patch as far as I can tell.
Comment 14 Christian Hoffmann (RETIRED) gentoo-dev 2007-09-17 21:54:36 UTC
Just a short update: Still no upstream fixes for the mentioned bugs, I created a patch [1] for the dl() issue. I also tried creating a patch for the iconv issue but I don't know what the maximal length for the charset parameter of the iconv function is. FreeBSD has ICONV_CSNMAXLEN, glibc doesn't seem to have that. Hopefully I'll get the required information tomorrow and can finally add a -r1 including those two patches.

[1] http://overlays.gentoo.org/proj/php/browser/patches/php-patches/5.2.4_p20070914/5.2.4_p20070912/dl-filename-length-CVE-2007-4887.patch?rev=1847
Comment 15 Christian Hoffmann (RETIRED) gentoo-dev 2007-09-18 22:35:33 UTC
Ok, I added php-5.2.4_p20070914-r1 to php-testing overlay.
It fixes
  * CVE-2007-4887: dl() segfault; own patch, was accepted by upstream now
  * CVE-2007-4783 and CVE-2007-4840: segfault in iconv functions
    this is a glibc bug [1], but I added workarounds for all mentioned
    occurrences (and some more). Patch submitted upstream, not yet committed.
Also, we are now using an almost official suhosin patch again (patch for php-5.2.4 was released, this is our base; I had to fix one hunk though).

Will commit to the tree tomorrow, once it is better tested and maybe there is a response from upstream about my iconv patch.

I think we should not wait any longer on any other bugs discovered now. -r1 should be committed to the tree and marked stable as soon as possible.

[1] http://sourceware.org/bugzilla/show_bug.cgi?id=5043
Comment 16 Christian Hoffmann (RETIRED) gentoo-dev 2007-09-19 20:07:37 UTC
php-5.2.4_p20070914-r2 in the tree now. Only differences to -r1: Improved iconv patch (better ini handling), fixing iconv function calls from xmlrpc extensions as well as a possible integer overflow in iconv_substr discovered by Mattias Bengtsson <mattias@secweb.se>.

Looks ready to be stabled to me.
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2007-09-19 21:33:51 UTC
Arches, have fun stabling php-5.2.4_p20070914-r2.
Targets are: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 18 Jeroen Roovers (RETIRED) gentoo-dev 2007-09-20 04:56:47 UTC
Stable for HPPA.
Comment 19 Tobias Scherbaum (RETIRED) gentoo-dev 2007-09-20 18:07:23 UTC
ppc stable
Comment 20 Chris Gianelloni (RETIRED) gentoo-dev 2007-09-20 20:01:43 UTC
amd64/x86 done
Comment 21 Brent Baude (RETIRED) gentoo-dev 2007-09-20 20:39:42 UTC
ppc64 stable
Comment 22 Raúl Porcel (RETIRED) gentoo-dev 2007-09-22 15:11:00 UTC
alpha/ia64 stable
Comment 23 Raúl Porcel (RETIRED) gentoo-dev 2007-09-25 15:48:13 UTC
sparc stable

This is ready to go
Comment 24 Robert Buchholz (RETIRED) gentoo-dev 2007-09-25 18:49:27 UTC
Created attachment 131886
php-5.2.4-fixed-issues

Christian, Jakub and I went through the issues fixed by the 5.2.4 release and in the snapshot afterwards. This should ease up the GLSA drafting.

I guess it would be best to combine this with the GLSA from bug 180556, as some of these issues were already fixed in the pre 5.2.4 tarball stabled there.
Comment 25 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-10-07 11:30:54 UTC
GLSA 200710-02