Summary: | dev-lang/php <5.2.4_p20070914-r2 Multiple issues | ||||||
---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Wolfram Schlich (RETIRED) <wschlich> | ||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | normal | CC: | bernd, php-bugs | ||||
Priority: | High | ||||||
Version: | unspecified | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
URL: | http://www.php.net/releases/5_2_4.php | ||||||
Whiteboard: | B? [glsa] | ||||||
Package list: | Runtime testing required: | --- | |||||
Attachments: |
|
Description
Wolfram Schlich (RETIRED)
2007-09-02 09:26:12 UTC
Security bugs go to security; we also know about releases, nothing that will be done until hoffie is back (~Sept. 6) plus most of this stuff has been already fixed in the 5.2.4_pre200708051230-r2 snapshot which is in the tree and stable. *** Bug 191160 has been marked as a duplicate of this bug. *** Further security issues (unfixed in 5.2.4 upstream): DoS in setlocale http://securityreason.com/securityalert/3090 mail.force_extra_parameters code injection http://securityreason.com/news/0/0x1f (In reply to comment #3) > DoS in setlocale > http://securityreason.com/securityalert/3090 Fix in upstream cvs, will backport. > mail.force_extra_parameters code injection > http://securityreason.com/news/0/0x1f This bug was fixed in upstream CVS and is part of our in-tree snapshot, so we aren't vulnerable currently, as far as I can see. The patch was reverted on Aug 23 (before the final 5.2.4 release) as it caused hangups with multithreaded builds (someone confirmed that problem indepdently @ #gentoo-php today). After the release the patch was re-added and another change was done to prevent that hangup problem. We are going to backport those two fixes. Our current in-tree version is vulnerable to the above mentioned setlocale() bug and these bugs: * phpbug #42208 (substr_replace() crashes when the same array is passed more than once) * phpbug #42242 (sybase_connect() crashes) * phpbug #42364 (Crash when using getRealPath with DirectoryIterator) * phpbug bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass) * phpbug bug #42365 (glob() crashes and/or accepts way too many flags) (these are fixed in 5.2.4 final) This bug was fixed after 5.2.4 (will backport it as well): Possible buffer overflows inside the fnmatch() and glob() functions Preparing a new ebuild/patchset now... 5.2.4 committed to php-testing overlay , will merge to the tree tomorrow after a bit more testing. It also fixes: * phpbug #42462 (Segmentation when trying to set an attribute in DOMElement) * phpbug #42326 (SoapServer crash) In the tree now. Would be nice if it could stay in ~arch for an additional day to avoid such breakage as for php-5.2.3. Didn't see a patch for the open_basedir/safe_mode bypass described at [1] yet, once one is available I'll add -r1 which will also fix the PHP part of Lighttpd SA 2007:12 [2] and a non-security annoying bug [3]. [1] http://article.gmane.org/gmane.comp.security.bugtraq/32758 [2] http://www.lighttpd.net/assets/2007/9/9/lighttpd_sa_2007_12.txt [3] http://bugs.php.net/bug.php?id=42587 According to CVE-2007-4825: Directory traversal vulnerability in PHP 5.2.4 and earlier allows attackers to bypass open_basedir restrictions and possibly execute arbitrary code via a .. (dot dot) in the dl function. We might want to patch that too before stabling. (In reply to comment #3) > Further security issues (unfixed in 5.2.4 upstream): > > DoS in setlocale > http://securityreason.com/securityalert/3090 For the record, this is CVE-2007-4784. (In reply to comment #4) > This bug was fixed after 5.2.4 (will backport it as well): > Possible buffer overflows inside the fnmatch() and glob() functions Looks like CVE-2007-4782. Also unpatched in 5.2.4 is a DoS in str and iconv_substr (CVE-2007-4783). (In reply to comment #8) > According to CVE-2007-4825: > Directory traversal vulnerability in PHP 5.2.4 and earlier allows attackers > to > bypass open_basedir restrictions and possibly execute arbitrary code via a .. > (dot dot) in the dl function. > > We might want to patch that too before stabling. Indeed, now that I understood it completely it should be patched. Sadly I haven't seen an upstream patch yet. (In reply to comment #7) > Didn't see a patch for the open_basedir/safe_mode bypass described at [1] yet, > > [1] http://article.gmane.org/gmane.comp.security.bugtraq/32758 I agree with the replies on the bugtraq thread -- it's not PHP's job to enforce permissions in MySQL. For those file functions to be usable, the MySQL user apparently requires FILE permissions anyway, so it's probably a configuration issue. (In reply to comment #9) > Also unpatched in 5.2.4 is a DoS in str and iconv_substr (CVE-2007-4783). I was able to reproduce the iconv-substr one and haven't seen an upstream fix for that one either. :( Not sure about str_repeat() -- it seems just to hang for a long time and consume CPU (it doesn't even seem to allocate memory or something while doing that). I don't think it's too critical, this behaviour can be caused with usual PHP code as well. To conclude, php-5.2.4 from the tree is still vulnerable to the dl() issue and to the iconv_substr() one. Once there are fixes for these issues I'll probably add a cvs snapshot again as it looks like we would get insane amounts of patches in our patchset again otherwise. There is an upstream fix for dl() now, nothing for str_repeat/iconv_substr yet. I'm going to add a snapshot to the tree tomorrow afternoon, hopefully fixing all vulnerabilities listed in the bug. But if there is still no fix for iconv stuff I'll add it anyway as I think the dl() one is more serious (and in addition, I'll not be around this weekend :)). (In reply to comment #10) > (In reply to comment #7) > > Didn't see a patch for the open_basedir/safe_mode bypass described at [1] yet, > > > > [1] http://article.gmane.org/gmane.comp.security.bugtraq/32758 > I agree with the replies on the bugtraq thread -- it's not PHP's job to enforce > permissions in MySQL. For those file functions to be usable, the MySQL user > apparently requires FILE permissions anyway, so it's probably a configuration > issue. CVE assigned CVE-2007-4889 to this "issue". hoffie, does the dl fix take care of CVE-2007-4887 too?: The dl function in PHP 5.2.4 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long string in the library parameter. Ok, actually I wanted to have submitted this reply on Friday already, but somehow Bugzilla ate it (or I forgot to submit it properly :P). So, status update: php-5.2.4_p20070914 is in the tree. It fixes all sec bugs mentioned in this bug except iconv/str_repeat one (still no upstream fix) and the dl() segfault (only the segfault is unfixed, the ../ problem is solved). It's up to you whether you want this version stabilized (I haven't seen any problem reports until now either, so it cannot be that bad) or want to wait for a -r1 which hopefully includes fixes for the two outstanding segfaults (iconv, dl) and the hangup (str_repeat). No clue when patches for those will appear... (In reply to comment #12) > hoffie, does the dl fix take care of CVE-2007-4887 too?: > The dl function in PHP 5.2.4 and earlier allows context-dependent > attackers to cause a denial of service (application crash) via a > long string in the library parameter. Unfixed and still no patch as far as I can tell. Just a short update: Still no upstream fixes for mentioned bugs, I created a patch [1] the dl() issue. I also tried creating a patch for the iconv issue but I don't know what the maximal length for the charset parameter of the iconv function is. Freebsd has ICONV_CSNMAXLEN, glibc doesn't seem to have that. Hopefully I'll get the required information tomorrow and can finally add a -r1 including those two patches. [1] http://overlays.gentoo.org/proj/php/browser/patches/php-patches/5.2.4_p20070914/5.2.4_p20070912/dl-filename-length-CVE-2007-4887.patch?rev=1847 Ok, I added php-5.2.4_p20070914-r1 to php-testing overlay. It fixes * CVE-2007-4887: dl() segfault; own patch, was accepted by upstream now * CVE-2007-4783 and CVE-2007-4840: segfault in iconv functions this is a glibc bug [1], but I added workarounds for all mentioned occurences (and some more). Patch submitted upstream, not yet committed. Also, we are now using an almost official suhosin patch again (patch for php-5.2.4 was released, this is our base; I had to fix one hunk though). Will commit to the tree tomorrow, once it is better tested and maybe there is an response from upstream about my iconv patch. I think we should not wait any longer on any other bugs discovered now. -r1 should be committed to the tree and marked stable as soon as possible. [1] http://sourceware.org/bugzilla/show_bug.cgi?id=5043 php-5.2.4_p20070914-r2 in the tree now. Only differences to -r1: Improved iconv patch (better ini handling), fixing iconv function calls from xmlrpc extensions as well as a possible integer overflow in iconv_substr discovered by Mattias Bengtsson <mattias@secweb.se>. Looks ready to be stabled to me. Arches, have fun stabling php-5.2.4_p20070914-r2. Targets are: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86" Stable for HPPA. ppc stable amd64/x86 done ppc64 stable alpha/ia64 stable sparc stable This is ready to go Created attachment 131886 [details] php-5.2.4-fixed-issues Christian, Jakub and I went through the issues fixed by the 5.2.4 release and in the snapshort afterwards. This should ease up the GLSA drafting. I guess it would be best to combine this with the GLSA from bug 180556, as some of these issues were already fixed in the pre 5.2.4 tarball stabled there. GLSA 200710-02 |