Bug 153911 - dev-lang/php: multiple vuln + "htmlentities()" and "htmlspecialchars()" Buffer Overflows (CVE-2006-5465)
Status: RESOLVED FIXED
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Highest major
Assignee: Gentoo Security
URL: http://www.hardened-php.net/advisory_...
Whiteboard: B1 [glsa] Falco
Duplicates: 153853 154083 166683 166779 167028
Depends on: 166048
Reported: 2006-11-03 02:51 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2007-06-24 23:31 UTC

Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-11-03 02:51:35 UTC
Hi PHP guys,

already another vuln. No time to take some rest, sorry!

5.2 is not affected.

  Application: PHP 5 <= 5.1.6, PHP 4 <= 4.4.4

                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-


     Advisory: PHP HTML Entity Encoder Heap Overflow Vulnerability
 Release Date: 2006/11/03
Last Modified: 2006/11/03
       Author: Stefan Esser [sesser@hardened-php.net]

  Application: PHP 5 <= 5.1.6, PHP 4 <= 4.4.4
     Severity: Buffer overflows in htmlentities() and
               htmlspecialchars() may result in arbitrary 
               remote code execution
         Risk: Critical
Vendor Status: Vendor has released PHP 5.2.0 which fixes this issue
   References: http://www.hardened-php.net/advisory_132006.138.html


Overview:

   Quote from http://www.php.net
   "PHP is a widely-used general-purpose scripting language that 
    is especially suited for Web development and can be embedded 
    into HTML."
    
   While we were searching for a hole in htmlspecialchars() and
   htmlentities() to bypass the encoding of certain chars to exploit 
   a possible eval() injection hole in another application we 
   discovered that the implementation contains a possible 
   buffer overflow that can be triggered when the UTF-8 charset 
   is selected.
   
   Unfortunately the whole purpose of both functions is to prepare 
   user input for HTML output. Therefore they are used in most PHP 
   applications as protection against XSS and are always exposed
   to user input.
   
   By triggering the overflow it is possible to overwrite heap
   management structures with a limited charset. This can result in
   remote code execution. Exploitability has been proven against,
   for example, Linux with glibc 2.3 in a test environment. It 
   depends on the heap layout, the OS heap implementation and the 
   used Zend Memory Manager.


Details:

   The HTML entity encoder of PHP will increase the size of its 
   output buffer every time it reaches the end of the current buffer.
   Unfortunately the check assumes that the maximum length of an
   HTML entity is 8 chars, which is true for most entities. However
   especially the Greek character set contains entities that are
   longer than 8 chars. Because of this it is for example possible
   to trigger the overflow by embedding Greek theta UTF-8 characters
   into the input string.
   
   Because the longest HTML entity currently supported is 10 bytes
   long this allows overflowing the buffer with the 2 bytes ';' and
   '\0'. When exploiting heap overflows it can be enough to just
   overwrite the appending memory structure with a single '\0' char
   and control the content of the following memory block to execute 
   arbitrary code.
   
   While the above Greek character exploit is only possible in the
   htmlentities() function it is also possible to overwrite with up
   to 7 chars by embedding broken UTF-8 characters into the string.
   The characters may come from the limited charset 0x00, 0xc0-0xfd.
   
   On Linux glibc systems this is for example enough to trick realloc 
   into believing that the next memory block is empty and long enough 
   to store the additional 128 bytes. The position of the buffer is 
   therefore not changed and following writes to the output buffer
   will overwrite the Zend Memory Manager structure of the following
   block. This allows the typical linked list unlink exploit against
   the Zend Memory Manager.


Proof of Concept:

   The Hardened-PHP Project is not going to release a proof of concept 
   exploit for this vulnerability.


Disclosure Timeline:

   31. October 2006  - Notified security@php.net, patch in CVS
   01. November 2006 - Notified vendor-sec
   03. November 2006 - PHP developers released PHP 5.2.0
   03. November 2006 - Public Disclosure


Recommendation:

   For PHP 4 users it is strongly recommended to patch their version of 
   PHP with the following patch until php.net provides PHP 4 updates.

   http://cvs.php.net/viewvc.cgi/php-src/ext/standard/html.c?r1=1.63.2.23.2.2&r2=1.63.2.23.2.3&view=patch
 
   As usual we very strongly recommend that you install Suhosin-Patch
   and the Suhosin Extension, because once again this advisory proved
   that remotely triggerable overflows in PHP still exist. It is 
   therefore highly recommended by us to use Suhosin-Patch. Its 
   canary protection will detect overflows and stop execution to
   make exploitation very hard or impossible.
   
   FreeBSD and OpenBSD's PHP ports already come with Suhosin-Patch
   activated by default.
   
   Grab your copy and more information at:
   
   http://www.hardened-php.net/suhosin/index.html


CVE Information:

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the name CVE-2006-5465 to this vulnerability.
               

GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1


Copyright 2006 Stefan Esser. All rights reserved.

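The growth-check flaw the advisory describes, shown from the defensive side as an added example (this is not PHP's html.c and not code from the Hardened-PHP advisory): a small entity encoder whose buffer growth is computed from the entity actually being written instead of from a fixed 8-byte assumption. The entity table is constructed for the example, with &thetasym; (10 bytes) standing in for the Greek theta entity the advisory mentions.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed mini entity table (UTF-8 sequence -> named entity). It includes
 * &thetasym;: at 10 bytes it exceeds the 8 bytes the original check assumed. */
struct entity { const char *utf8; const char *name; };
static const struct entity TABLE[] = {
    { "<", "&lt;" }, { ">", "&gt;" }, { "&", "&amp;" }, { "\"", "&quot;" },
    { "\xCE\xB8", "&theta;" },     /* U+03B8, 7 bytes  */
    { "\xCF\x91", "&thetasym;" },  /* U+03D1, 10 bytes */
};
#define NTABLE (sizeof TABLE / sizeof TABLE[0])

/* Longest entity the encoder can emit; headroom must come from this, not 8. */
size_t longest_entity_len(void) {
    size_t best = 0;
    for (size_t i = 0; i < NTABLE; i++) if (strlen(TABLE[i].name) > best) best = strlen(TABLE[i].name);
    return best;
}

/* Encode s into a heap buffer that grows on demand. The buffer is enlarged
 * whenever the bytes about to be written (entity plus terminating NUL) would
 * not fit, so no entity length can overrun the allocation. Caller frees. */
char *encode_entities(const char *s) {
    size_t cap = 16, len = 0;
    char *out = malloc(cap);
    if (!out) return NULL;
    while (*s) {
        const char *src = s; size_t need = 1, adv = 1;  /* default: raw byte */
        for (size_t i = 0; i < NTABLE; i++) {
            size_t l = strlen(TABLE[i].utf8);
            if (strncmp(s, TABLE[i].utf8, l) == 0) {
                src = TABLE[i].name; need = strlen(src); adv = l; break;
            }
        }
        while (len + need + 1 > cap) {  /* +1 keeps room for the NUL */
            char *tmp = realloc(out, cap * 2);
            if (!tmp) { free(out); return NULL; }
            out = tmp; cap *= 2;
        }
        memcpy(out + len, src, need); len += need; s += adv;
    }
    out[len] = '\0';
    return out;
}
```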
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-11-03 02:53:22 UTC
UTF-8 character set needs to be selected --> B1
Comment 2 Jakub Moc (RETIRED) gentoo-dev 2006-11-03 04:32:59 UTC
*** Bug 153853 has been marked as a duplicate of this bug. ***
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2006-11-04 17:43:05 UTC
*** Bug 154083 has been marked as a duplicate of this bug. ***
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2006-11-24 14:06:50 UTC
php-bugs any news on this one?
Comment 5 Dennis 2006-12-15 02:24:02 UTC
will we ever get PHP 5.2 ebuild in portage???
Comment 6 Luca Longinotti (RETIRED) gentoo-dev 2006-12-15 03:26:35 UTC
I'm working on the security issue for 4.4 and 5.1.
There won't be a 5.2.0 ebuild in Portage, I'll only consider adding PHP 5.2 to Portage when 5.2.1 is out, for now just get it from the PHP Overlay [1] if you really need it.
Best regards, CHTEKK.

[1] http://overlays.gentoo.org/proj/php/
Comment 7 Dennis 2006-12-15 05:20:57 UTC
Just wondering - does php 5.2 have some kind of a problem? Why wait until 5.2.1? 

(In reply to comment #6)
> I'm working on the security issue for 4.4 and 5.1.
> There won't be a 5.2.0 ebuild in Portage, I'll only consider adding PHP 5.2 to
> Portage when 5.2.1 is out, for now just get it from the PHP Overlay [1] if you
> really need it.
> Best regards, CHTEKK.
> 
> [1] http://overlays.gentoo.org/proj/php/
> 

Comment 8 Jakub Moc (RETIRED) gentoo-dev 2006-12-15 08:02:43 UTC
(In reply to comment #7)
> Just wondering - does php 5.2 have some kind of a problem? Why wait until
> 5.2.1? 

Lots of issues. Please, this is a security bug, not a discussion forum. Feel free to ask in #gentoo-php, not here.
Comment 9 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-09 15:12:38 UTC
PHP 5.2.1 fixes several vulnerabilities in the 5.x branch. It could be good if it was feasible to bump php-5.2.1. Could you have a look please?
Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-09 15:13:05 UTC
http://www.php.net/releases/5_2_1.php and http://secunia.com/advisories/24089/
Comment 11 Jakub Moc (RETIRED) gentoo-dev 2007-02-13 17:14:52 UTC
*** Bug 166683 has been marked as a duplicate of this bug. ***
Comment 12 Executioner 2007-02-14 01:49:42 UTC
Bug 166779 is somewhat related to this one as it affects 5.2.1
Comment 13 Dave Liefbroer 2007-02-14 10:07:27 UTC
Can't seem to find 5.2.x in the overlay.
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-04 23:19:16 UTC
*** Bug 166779 has been marked as a duplicate of this bug. ***
Comment 15 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-04 23:25:49 UTC
*** Bug 167028 has been marked as a duplicate of this bug. ***
Comment 16 Luca Longinotti (RETIRED) gentoo-dev 2007-03-05 18:31:10 UTC
Ok people it's finally all done!
Lots of work and fixes went into this, finally we have the new releases, that bring us again up-to-date PHP and a whole lot of security fixes (all fixed in 4.4.6 and 5.2.1-r3, not all fixed in 5.1.6-r11, but that's needed stable too for backwards compatibility).
Usual testing rules apply, i.e. FEATURES="test" will work, remember to have all your dbs turned on if you want to test the db extensions too, and don't let failures stop you (unless they're reeeaallly many, like >20), a couple of failures are expected, and the results vary from system to system. If in doubt, just ping me via mail or IRC and tell me the test results.
This time also a few extensions need stabling, pecl-zip fixes a few security-related issues in the newest version, suhosin is the successor to hardenedphp (which was dropped as it's unmaintained and known to be broken), and we need a stable pecl-filter for backwards compatibility of 5.1 with 5.2.
Usual testing rules apply here too... Just emerge and see if it loads. ;)
Here are all the packages I'd like you to stabilize ASAP:

PHP:

dev-lang/php-4.4.6
dev-lang/php-5.1.6-r11
dev-lang/php-5.2.1-r3

Extensions: (security-related)

dev-php4/suhosin-0.9.17
dev-php4/pecl-zip-1.8.6

dev-php5/suhosin-0.9.17
dev-php5/pecl-zip-1.8.6

Extensions: (needed for correct backwards compatibility of 5.1 to 5.2)

dev-php5/pecl-filter-0.11.0

As usual, thanks a lot, love ya all!
Best regards, CHTEKK.
Comment 17 Luca Longinotti (RETIRED) gentoo-dev 2007-03-05 19:05:19 UTC
AMD64 all done!
Btw, please *REMEMBER* to update your eclass/ directory before doing any testing&keywording, thanks!
Best regards, CHTEKK.
Comment 18 Dennis 2007-03-06 00:56:12 UTC
thank you very much, bro!
Comment 19 Markus Rothe (RETIRED) gentoo-dev 2007-03-06 08:32:38 UTC
ppc64 stable
Comment 20 Christian Faulhammer (RETIRED) gentoo-dev 2007-03-06 16:11:03 UTC
x86 stable
Comment 21 Tobias Scherbaum (RETIRED) gentoo-dev 2007-03-06 19:20:23 UTC
ppc stable
Comment 22 Jeroen Roovers gentoo-dev 2007-03-07 00:22:53 UTC
Stable for HPPA.
Comment 23 Gustavo Zacarias (RETIRED) gentoo-dev 2007-03-08 18:30:39 UTC
dev-lang/php-4.4.6
dev-lang/php-5.1.6-r11
dev-lang/php-5.2.1-r3
dev-php4/suhosin-0.9.17
dev-php4/pecl-zip-1.8.6
dev-php5/suhosin-0.9.17
dev-php5/pecl-zip-1.8.6
dev-php5/pecl-filter-0.11.0

sparc stable.
also sent dev-php5/pecl-fileinfo-1.0.4 stable directly for php-5.2 (build issues).
will do others as we find them out.
Comment 24 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-03-09 09:52:28 UTC
I've been working during the last two days on this bug for alpha. Unluckily, I found several failing tests in the three php versions.

I'm currently reviewing the archives (aka #143126) to check which are safe to ignore. I'll post the list in some hours. 

Thanks guys.
Comment 25 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-03-09 16:24:07 UTC
Here we go: these are the tests I found on alpha which don't appear in previous versions (check #143126 for details).

PHP-4.6.6
--------------------------
- Bug #35239 (Objects can lose references) [tests/lang/bug35239.phpt]
- Bug #24155 (gdImageRotate270 rotation problem). [ext/gd/tests/bug24155.phpt]
- Bug #27582 (ImageFillToBorder() on alphablending image looses alpha on fill color) [ext/gd/tests/bug27582_1.phpt]
- Bug #16069 [ext/iconv/tests/bug16069.phpt]

COMMON PHP-5
--------------------------
- Test for buffering in core functions with implicit flush off [tests/func/008.phpt]
- Bug #16069 [ext/iconv/tests/bug16069.phpt]
- iconv stream filter [ext/iconv/tests/iconv_stream_filter.phpt]
- HTML input/output [ext/mbstring/tests/htmlent.phpt]
- mb_output_handler() (Shift_JIS) [ext/mbstring/tests/mb_output_handler_shift_jis.phpt]

PHP 5.1
--------------------------
- Test for abstract static classes [Zend/tests/abstract-static.phpt]

PHP - 5.2.1
--------------------------
- Bug #30549 (incorrect character translations for some ISO8859 charsets) [ext/mbstring/tests/bug30549.phpt]
- stream_socket_client() and invalid arguments [ext/standard/tests/file/stream_002.phpt]
- touch() tests [ext/standard/tests/file/touch.phpt]
- inet_ntop() & inet_pton() tests [ext/standard/tests/network/inet.phpt]

BTW, php seems to compile and work fine in basics test of php+mysql apps.

Luca, what do you think? :)
Comment 26 Luca Longinotti (RETIRED) gentoo-dev 2007-03-09 16:33:59 UTC
(In reply to comment #25)
> Luca, what do you think? :)

Fine to go, all those are known failures and shouldn't worry anybody.
Best regards, CHTEKK.
Comment 27 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-03-10 23:46:11 UTC
dev-lang/php-4.4.6
dev-lang/php-5.1.6-r11
dev-lang/php-5.2.1-r3
dev-php4/suhosin-0.9.17
dev-php4/pecl-zip-1.8.6
dev-php5/suhosin-0.9.17
dev-php5/pecl-zip-1.8.6
dev-php5/pecl-filter-0.11.0

Stable on alpha. Thanks guys. I'll do more keywording on Monday.
Comment 28 Sune Kloppenborg Jeppesen gentoo-dev 2007-03-25 11:01:54 UTC
GLSA 200703-21 
Comment 29 Raúl Porcel (RETIRED) gentoo-dev 2007-03-31 20:21:44 UTC
ia64 stable