
Bug 396311 (CVE-2011-4885)

Summary: <dev-lang/php-5.3.9 : Hash collision DoS (CVE-2011-4885)
Product: Gentoo Security
Reporter: Alex Legler (RETIRED) <a3li>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: hanno, kfm, php-bugs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://cryptanalysis.eu/blog/2011/12/28/effective-dos-attacks-against-web-application-plattforms-hashdos/
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 384301    
Bug Blocks: 396397    

Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-12-28 14:41:42 UTC
See $URL for a more elaborate explanation; I'll update this with more detail later.

Specially crafted POST parameters can be used to cause hash table operations with a time complexity of O(n^2), causing a Denial of Service.

PHP is working around the issue by limiting the number of input parameters allowed. According to Rasmus Lerdorf, implementing a proper fix will take time. [1]

The workaround commits are:
http://news.php.net/php.cvs/67294
http://news.php.net/php.cvs/67281

These are scheduled for the next 5.3 and 5.4 releases.

[1] Stated in 28C3 talk: http://events.ccc.de/congress/2011/Fahrplan/events/4680.en.html
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-12-28 14:47:20 UTC
Until upstream implements the fix, let's bump to a version with the parameter count limit workaround when available.
Comment 2 Agostino Sarubbo gentoo-dev 2011-12-29 09:57:30 UTC
Secunia advisory says it is fixed in git repo https://secunia.com/advisories/47404/
Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-12-29 10:13:12 UTC
(In reply to comment #2)
> Secunia advisory says is fixed in git repo
> https://secunia.com/advisories/47404/

Please read my comments. This is a workaround, not a fix.
Comment 4 Ole Markus With (RETIRED) gentoo-dev 2011-12-29 11:39:21 UTC
Core PHP developers and others label max_input_vars as a fix for this issue.

However, I agree with Alex that this is more a workaround than a fix. If an application parses an input string and creates a hash table based on the parsed data, the application would still be vulnerable.

An example of a vulnerable application is one that accepts JSON data through HTTP POST.
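The input-count limit that PHP's max_input_vars workaround applies to form parameters, carried over to an application-level JSON parser as comment 4 suggests is needed. This is an added illustration, not code from PHP or from this bug; the default limit of 1000 and the function names are assumptions, and it uses Python's standard library rather than PHP's internals.

```python
import json
from urllib.parse import parse_qsl


class TooManyInputVars(ValueError):
    """Raised when one request hash table would exceed the configured limit."""


def parse_form(body: str, max_vars: int = 1000) -> dict:
    """Parse an application/x-www-form-urlencoded body, refusing to grow the
    result table beyond max_vars entries (the same idea as PHP's max_input_vars:
    bounding n bounds the O(n^2) worst case of colliding keys)."""
    result = {}
    for count, (key, value) in enumerate(parse_qsl(body, keep_blank_values=True), start=1):
        if count > max_vars:
            raise TooManyInputVars(f"more than {max_vars} form parameters")
        result[key] = value
    return result


def parse_json(body: str, max_vars: int = 1000):
    """Parse a JSON body with the same per-object member limit.  max_input_vars
    does not cover this path, so the limit has to be enforced by the application.
    object_pairs_hook receives each object's members as a list *before* a dict is
    built, so the check runs before the keys are inserted into a hash table."""
    def limited_object(pairs):
        # The attack cost is per hash table, so the limit is applied per object.
        if len(pairs) > max_vars:
            raise TooManyInputVars(f"JSON object has more than {max_vars} members")
        return dict(pairs)
    return json.loads(body, object_pairs_hook=limited_object)


def exceeds_limit(parser, body: str, max_vars: int) -> bool:
    """Helper: True if parser rejects body under the given limit."""
    try:
        parser(body, max_vars=max_vars)
    except TooManyInputVars:
        return True
    return False
```

A request body size limit is still needed alongside this: the member limit bounds each table, not the total number of small objects in a deeply nested document.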
Comment 5 Ole Markus With (RETIRED) gentoo-dev 2011-12-29 12:15:52 UTC
Also worth mentioning that those who have dev-php/suhosin installed will have the same protection as the mentioned workaround through suhosin.request.max_vars.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-01-02 18:59:19 UTC
CVE-2011-4885 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4885):
  PHP before 5.3.9 computes hash values for form parameters without
  restricting the ability to trigger hash collisions predictably, which allows
  remote attackers to cause a denial of service (CPU consumption) by sending
  many crafted parameters.
Comment 7 Ole Markus With (RETIRED) gentoo-dev 2012-01-11 06:38:02 UTC
PHP 5.3.9 containing the mentioned workaround has been released.
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2012-01-11 06:45:54 UTC
(In reply to comment #7)
> PHP 5.3.9 containing the mentioned workaround has been released.

Great, thanks. Shall we call arches to stabilize now via this bug?
Comment 9 Ole Markus With (RETIRED) gentoo-dev 2012-01-11 06:48:54 UTC
I would wait with dealing with this bug until PHP has released a proper fix. 

5.3.9 should be stabilised soon anyway due to bug 384301.
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2012-01-11 07:13:40 UTC
(In reply to comment #9)
> I would wait with dealing with this bug until PHP has released a proper fix. 
> 
> 5.3.9 should be stabilised soon anyway due to bug 384301.

Ok, thanks. We'll get the workaround via stabilization in that bug, and hold this open for a more complete fix.
Comment 11 Agostino Sarubbo gentoo-dev 2012-01-11 22:52:33 UTC
Fixed in 5.3.9
Comment 12 Agostino Sarubbo gentoo-dev 2012-01-17 09:03:44 UTC
Added to existing glsa request
Comment 13 Jamie Learmonth 2012-01-26 15:06:13 UTC
dev-lang/php-5.3.9 is now stable in the tree. About time we removed, or masked <dev-lang/php-5.3.9 ?
Comment 14 Ole Markus With (RETIRED) gentoo-dev 2012-01-26 15:24:57 UTC
(In reply to comment #13)
> dev-lang/php-5.3.9 is now stable in the tree. About time we removed, or masked
> <dev-lang/php-5.3.9 ?

Great idea! Removed now.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2012-09-24 00:27:25 UTC
This issue was resolved and addressed in GLSA 201209-03 at http://security.gentoo.org/glsa/glsa-201209-03.xml by GLSA coordinator Sean Amoss (ackle).