Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 133524 - dev-lang/php Incomplete fix for CVE-2006-1990 on 64 bit systems
Summary: dev-lang/php Incomplete fix for CVE-2006-1990 on 64 bit systems
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: C3? [glsaupdate] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2006-05-16 12:19 UTC by Sune Kloppenborg Jeppesen
Modified: 2006-08-16 09:46 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2006-05-16 12:19:06 UTC
Vincent Danen from Mandriva discovered that the patch didn't work as expected on 64 bit systems.

No complete fix is currently available.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2006-05-30 11:02:30 UTC
We should check if we are indeed affected by usig the following testcase on a 64-bit system :

<?php
$a = str_repeat("A",438013);
$b = str_repeat("B",951140);
wordwrap($a,0,$b,0);
?>
Comment 2 Luca Longinotti (RETIRED) gentoo-dev 2006-05-31 03:41:27 UTC
We are...
Output of that on a 32bit system (x86):

Fatal error: Possible integer overflow in memory allocation (438013 * 951141 + 1) in /home/chtekk/test.php on line 4

Output of that on a 64bit system (amd64):

Segmentation fault

So it seems to be detected in 32bit mode and PHP exits, while it just segfaults on 64bit platforms...
Best regards, CHTEKK.
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-01 01:06:00 UTC
Thx Luca. Waiting for upstream patch.
Comment 4 Luca Longinotti (RETIRED) gentoo-dev 2006-07-14 09:25:25 UTC
Fixed in dev-lang/php-4.4.2-r6 and dev-lang/php-5.1.4-r4.
To security: please unrestrict.
To all arches: please stable. :)
Best regards, CHTEKK.
Comment 5 Stefan Cornelius (RETIRED) gentoo-dev 2006-07-16 12:12:06 UTC
Arches, please test and stable dev-lang/php-4.4.2-r6 and dev-lang/php-5.1.4-r4, thx
Comment 6 Jason Wever (RETIRED) gentoo-dev 2006-07-16 15:13:26 UTC
SPARC doth be stable
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2006-07-17 09:26:34 UTC
ppc stable
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2006-07-17 12:39:39 UTC
ppc64 stable
Comment 9 Thomas Cort (RETIRED) gentoo-dev 2006-07-18 11:21:41 UTC
alpha stable.
Comment 10 Joshua Jackson (RETIRED) gentoo-dev 2006-07-18 13:57:10 UTC
x86 is gone..I need to come up with witty messages like sparc and everyone else has ~_~;;
Comment 11 Luca Longinotti (RETIRED) gentoo-dev 2006-07-18 16:11:56 UTC
amd64 stable.
Best regards, CHTEKK.
Comment 12 Sune Kloppenborg Jeppesen gentoo-dev 2006-07-22 23:52:57 UTC
Ready for GLSA update of GLSA 200605-08.
Comment 13 Sune Kloppenborg Jeppesen gentoo-dev 2006-07-24 11:33:15 UTC
Hmm not sure how to handle this. This is my proposal:

Unaffected:
>=5.1.4 arm hppa ppc s390 sh sparc x86 x86-fbsd
>=5.1.4-r4 alpha amd64 ia64 ppc64

Vulnerable:
<5.1.4 arm hppa ppc s390 sh sparc x86 x86-fbsd
<5.1.4-r4 alpha amd64 ia64 ppc64

@security please comment and I'll update the GLSA and send an errata.
Comment 14 Gustavo Zacarias (RETIRED) gentoo-dev 2006-07-24 11:36:06 UTC
I'd say sparc not vulnerable since only the kernel is 64-bit, userland is 32. Userland @ 64 isn't supported yet. Thus from userland perspective the machine acts as 32-bit.
And in the hppa case under most circumstances everything is 32-bit.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2006-07-24 12:11:08 UTC
Comment #13 sounds good
Comment 16 Sune Kloppenborg Jeppesen gentoo-dev 2006-07-24 12:26:45 UTC
@Security please double check as this is a version and arch mess.

Updated in GLSAmaker with the following versions:

Unaffected packages:  
dev-lang/php >= 5.1.4 on arm hppa ppc s390 sh sparc x86 x86-fbsd
dev-lang/php *>= 4.4.2-r2 on arm hppa ppc s390 sh sparc x86 x86-fbsd
dev-lang/php >= 5.1.4-r4 on alpha amd64 ia64 ppc64
dev-lang/php *>= 4.4.2-r6 on alpha amd64 ia64 ppc64

Vulnerable packages:  
dev-lang/php < 5.1.4 on arm hppa ppc s390 sh sparc x86 x86-fbsd
dev-lang/php < 5.1.4-r4 on alpha amd64 ia64 ppc64
Comment 17 Tim Yamin (RETIRED) gentoo-dev 2006-07-25 14:31:17 UTC
(In reply to comment #16)
> @Security please double check as this is a version and arch mess.

Looks correct to me.
Comment 18 René Nussbaumer (RETIRED) gentoo-dev 2006-07-29 02:04:24 UTC
does not affect us. Currently there's no 64 UL. The kernel can be 64 bit, but it's not recommended.
Comment 19 Sune Kloppenborg Jeppesen gentoo-dev 2006-07-30 12:52:56 UTC
GLSA UPDATE 200605-08:02

Handling last stable marking back on bug #138180, since remaining arches are not affected by this issue.
Comment 20 Sune Kloppenborg Jeppesen gentoo-dev 2006-07-30 12:53:49 UTC
Cleaning up.
Comment 21 Sune Kloppenborg Jeppesen gentoo-dev 2006-07-31 10:23:05 UTC
Now also actually remove arches.
Comment 22 Ian Stakenvicius 2006-08-16 09:46:08 UTC
Getting a false-positive with GLSA on PHP-4.4.3 -- would it be better to get around this by putting lower-bounds on vulnerability on a per-slot basis?  ie:

    <package name="dev-lang/php" auto="yes" arch="alpha amd64 ia64 ppc64">
      <unaffected range="ge">5.1.4-r4</unaffected>
      <vulnerable range="lt">5.1.4-r4</vulnerable>
      <vulnerable range="ge">5.0</vulnerable>
      <unaffected range="lt">5.0</unaffected>
      <unaffected range="ge">4.4.2-r6</unaffected>
      <vulnerable range="lt">4.4.2-r6</vulnerable>
    </package>