Summary: <dev-lang/php-5.3.9 : Hash collision DoS (CVE-2011-4885)
Product: Gentoo Security
Reporter: Alex Legler (RETIRED) <a3li>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: minor
CC: hanno, kfm, php-bugs
Package list:
Runtime testing required: ---
Bug Depends on: 384301
Description Alex Legler (RETIRED) 2011-12-28 14:41:42 UTC
See $URL for a more elaborate explanation, I'll update this with more detail later.

Specially crafted POST parameters can be used to cause hash table operations with a time complexity of O(n^2), causing a Denial of Service. PHP is working around the issue by limiting the number of input parameters allowed. According to Rasmus Lerdorf, implementing a proper fix will take time.

The workaround commits are:
http://news.php.net/php.cvs/67294
http://news.php.net/php.cvs/67281

These are scheduled for the next 5.3 and 5.4 releases.

Stated in 28C3 talk: http://events.ccc.de/congress/2011/Fahrplan/events/4680.en.html
Comment 1 Alex Legler (RETIRED) 2011-12-28 14:47:20 UTC
Until upstream implements the fix, let's bump to a version with the parameter count limit workaround when available.
Comment 2 Agostino Sarubbo 2011-12-29 09:57:30 UTC
Secunia advisory says it is fixed in the git repo: https://secunia.com/advisories/47404/
Comment 3 Alex Legler (RETIRED) 2011-12-29 10:13:12 UTC
(In reply to comment #2)
> Secunia advisory says is fixed in git repo
> https://secunia.com/advisories/47404/

Please read my comments. This is a workaround, not a fix.
Comment 4 Ole Markus With (RETIRED) 2011-12-29 11:39:21 UTC
Core PHP developers and others label max_input_vars as a fix for this issue. However, I agree with Alex that this is more a workaround than a fix. If an application parses an input string and creates a hash table based on the parsed data, the application would still be vulnerable. An example of a vulnerable application is one that accepts JSON data through HTTP POST.
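The gap described in comment 4 (max_input_vars only caps what PHP itself parses into $_GET/$_POST, not what the application decodes on its own) can be closed at the application layer. The following is an added example, not code from this bug or from the PHP project: a guard that applies a body-size cap and a member-count cap to a raw JSON body before json_decode() ever builds a hash table from it. The limits, function name and sample inputs are constructed for illustration. The member count is bounded without parsing: every JSON object member needs one ':' separator, so counting colons in the raw text can over-count (colons inside strings) but never under-count, which only makes the guard stricter.

```php
<?php
// Added example (not from the bug or the PHP project): a pre-decode guard for
// JSON request bodies that mirrors, for application-parsed input, what
// max_input_vars does for form parameters. Limits are constructed for illustration.

const MAX_JSON_BODY_BYTES = 65536;  // constructed limit on raw body size
const MAX_JSON_MEMBERS    = 1000;   // constructed limit, same spirit as max_input_vars

/**
 * Decode a JSON body into an associative array, or return null with $error set.
 * The checks run on the raw string, so an oversized or member-heavy document is
 * rejected before json_decode() allocates any hash table for it.
 */
function decode_json_guarded($body, &$error = null)
{
    if (!is_string($body) || strlen($body) > MAX_JSON_BODY_BYTES) {
        $error = 'body too large';
        return null;
    }

    // Sound upper bound on the number of object members: one ':' per member.
    if (substr_count($body, ':') > MAX_JSON_MEMBERS) {
        $error = 'too many members';
        return null;
    }

    // Associative arrays, with a nesting depth cap of 32 as a further limit.
    $data = json_decode($body, true, 32);
    if (json_last_error() !== JSON_ERROR_NONE) {
        $error = json_last_error_msg();
        return null;
    }
    if (!is_array($data)) {
        $error = 'top-level value is not an object or array';
        return null;
    }
    return $data;
}

// Constructed inputs for a stand-alone run.
$ok = decode_json_guarded('{"user":"alice","roles":["a","b"]}', $err);
var_dump($ok !== null);

// A document with many more members than the limit is refused up front.
$members = array();
for ($i = 0; $i < 5000; $i++) {
    $members[] = '"k' . $i . '":' . $i;
}
$flood = '{' . implode(',', $members) . '}';
$rejected = decode_json_guarded($flood, $err);
var_dump($rejected === null, $err);
```

The size cap should also be enforced by the web server (for example via a request body limit) so that the body is never fully read into memory just to be rejected; the in-code check is the last line of defence for handlers that are reached by other paths.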
Comment 5 Ole Markus With (RETIRED) 2011-12-29 12:15:52 UTC
Also worth mentioning that those who have dev-php/suhosin installed will have the same protection as the mentioned workaround through suhosin.request.max_vars.
Comment 6 GLSAMaker/CVETool Bot 2012-01-02 18:59:19 UTC
CVE-2011-4885 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4885): PHP before 5.3.9 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
Comment 7 Ole Markus With (RETIRED) 2012-01-11 06:38:02 UTC
PHP 5.3.9 containing the mentioned workaround has been released.
Comment 8 Tim Sammut (RETIRED) 2012-01-11 06:45:54 UTC
(In reply to comment #7)
> PHP 5.3.9 containing the mentioned workaround has been released.

Great, thanks. Shall we call arches to stabilize now via this bug?
Comment 9 Ole Markus With (RETIRED) 2012-01-11 06:48:54 UTC
I would wait with dealing with this bug until PHP has released a proper fix. 5.3.9 should be stabilised soon anyway due to bug 384301.
Comment 10 Tim Sammut (RETIRED) 2012-01-11 07:13:40 UTC
(In reply to comment #9)
> I would wait with dealing with this bug until PHP has released a proper fix.
>
> 5.3.9 should be stabilised soon anyway due to bug 384301.

Ok, thanks. We'll get the workaround via stabilization in that bug, and hold this open for a more complete fix.
Comment 11 Agostino Sarubbo 2012-01-11 22:52:33 UTC
Fixed in 5.3.9
Comment 12 Agostino Sarubbo 2012-01-17 09:03:44 UTC
Added to existing glsa request
Comment 13 Jamie Learmonth 2012-01-26 15:06:13 UTC
dev-lang/php-5.3.9 is now stable in the tree. About time we removed or masked <dev-lang/php-5.3.9?
Comment 14 Ole Markus With (RETIRED) 2012-01-26 15:24:57 UTC
(In reply to comment #13)
> dev-lang/php-5.3.9 is now stable in the tree. About time we removed, or masked
> <dev-lang/php-5.3.9 ?

Great idea! Removed now.
Comment 15 GLSAMaker/CVETool Bot 2012-09-24 00:27:25 UTC
This issue was resolved and addressed in GLSA 201209-03 at http://security.gentoo.org/glsa/glsa-201209-03.xml by GLSA coordinator Sean Amoss (ackle).