Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 260576 (CVE-2009-1272) - <dev-lang/php-5.2.9-r2: multiple vulnerabilities (CVE-2009-1272)
Summary: <dev-lang/php-5.2.9-r2: multiple vulnerabilities (CVE-2009-1272)
Status: RESOLVED FIXED
Alias: CVE-2009-1272
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High minor (vote)
Assignee: Gentoo Security
URL: http://www.php.net/archive/2009.php#i...
Whiteboard: B3? [glsa]
Keywords:
: 261252 262701 (view as bug list)
Depends on:
Blocks:
 
Reported: 2009-02-28 01:08 UTC by Caleb Cushing
Modified: 2010-01-05 21:13 UTC (History)
9 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Suhosin patch for 5.2.7 ported to 5.2.9 (suhosin-patch-5.2.9-0.9.6.3.patch.diff,29.86 KB, patch)
2009-03-01 17:06 UTC, Antti Järvinen
no flags Details | Diff
Modified version of 5.2.8 patchset's patch (001_tests-ignore-php-ini.patch,477 bytes, patch)
2009-03-01 17:16 UTC, Antti Järvinen
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Caleb Cushing 2009-02-28 01:08:23 UTC
sorry for the zero day bug. I just want to track the progress on the release of this.

Reproducible: Always
Comment 1 Lars Wendler (Polynomial-C) gentoo-dev 2009-02-28 01:17:09 UTC
Reassigning to php herd.
Comment 2 Antti Järvinen 2009-03-01 17:01:59 UTC
It seems that following patches in 5.2.8 patchset have been obsoleted by the 5.2.9 upstream release:

003_test-standard-array_slice_variation3-32bitonly.patch
004_test-standard-array_slice_variation2-32bitonly.patch
005_apache2-sapi-user-logging-fix.patch
006_ext-xml-ns-crash.patch
007_ext-mssql-NULL-crash.patch
009_CVE-2008-5498-ext-gd-mem-exposure.patch
010_ext-openssl-crash-fix.patch
011_ext-xmlwriter-fstring-err.patch
014_ext-posix-_GNU_SOURCE.patch
015_json_decode-crash.patch
016_extract-crash.patch

I'll attach diffs for 001_tests-ignore-php-ini.patch and suhosin.
Comment 3 Antti Järvinen 2009-03-01 17:06:33 UTC
Created attachment 183581 [details, diff]
Suhosin patch for 5.2.7 ported to 5.2.9
Comment 4 Antti Järvinen 2009-03-01 17:16:17 UTC
Created attachment 183585 [details, diff]
Modified version of 5.2.8 patchset's patch
Comment 5 Christian Hoffmann (RETIRED) gentoo-dev 2009-03-01 21:11:02 UTC
Antti, thanks for the patches / updates. I haven't had a deeper look at them yet, but the comments sound promising.
I'll handle it in the next few days. Unfortunately I have a big backlog of things to handle because of my unavailability during the last week.

Reassigning to security.
From the official list of security fixes only zip might still affect us, not sure, I'll verify. The others have already been fixed in previous Gentoo revisions of PHP.
Comment 6 Lars Wendler (Polynomial-C) gentoo-dev 2009-03-05 08:02:15 UTC
*** Bug 261252 has been marked as a duplicate of this bug. ***
Comment 7 Lars Wendler (Polynomial-C) gentoo-dev 2009-03-16 20:11:02 UTC
*** Bug 262701 has been marked as a duplicate of this bug. ***
Comment 8 Caleb Cushing 2009-03-16 20:51:26 UTC
even if there is still a relevant security bug... what's keeping this out of portage. php always has security bugs.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2009-03-16 21:19:17 UTC
(In reply to comment #8)
> even if there is still a relevant security bug... what's keeping this out of
> portage. php always has security bugs.

I'm not sure I get your point. This security bug is for getting php-5.2.9 in the tree, not for keeping it outside.
Comment 10 Caleb Cushing 2009-03-16 21:26:24 UTC
my question is what still needs to be done to get this committed to cvs.
Comment 11 Christian Hoffmann (RETIRED) gentoo-dev 2009-03-16 21:29:34 UTC
Someone needs to review, test and commit. That's usually me. And to get this done in this case, I need to finish several school-related work first.
Might have time tomorrow, but I cannot promise anything at the moment, everything is more or less unplanned here.
Comment 12 Tim Strong 2009-04-09 17:28:25 UTC
Bump for status on this issue?  Recently, sites on our machines have been failing PCI Compliance for not having upgraded to PHP 5.2.9.  As this is likely to become a major issue for others as well, this increases the urgency to upgrade PHP.  If an ebuild can be provided for 5.2.9, I'd be more than happy to test it on x86 and amd64.
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2009-04-09 18:15:49 UTC
Gentoo is based on volunteer's work, so it might take some time until updates hit the tree - maybe you want to reconsider using it for systems that require PCI compliance or - if your business is large enough - hire a gentoo dev that can write updated ebuilds and use them in an overlay before they are available.

I'd be more careful what I posted about PCI failure on a public bugtracker that is indexed by google...


Comment 14 Christian Hoffmann (RETIRED) gentoo-dev 2009-04-09 22:31:09 UTC
I'm actively working on it. The problem is not 5.2.9, but the fact that it makes little sense to release a "vanilla" 5.2.9 right now, as there are lots of crash fixes in CVS already. Friday or Saturday might be realistic.
Comment 15 Christian Hoffmann (RETIRED) gentoo-dev 2009-04-10 10:26:59 UTC
5.2.9 (almost vanilla) and 5.2.9-r1 (lots of additional crash fixes from upstream, post-5.2.9) in the tree now...
Feel free to call for stabilization in a few days if no problems arise and I should become unavailable again.
A list of security-relevant fixes will follow soon.
Comment 16 Milos Ivanovic 2009-04-11 16:22:04 UTC
Thanks guys, you're doing a great job :)
Comment 17 Christian Hoffmann (RETIRED) gentoo-dev 2009-04-12 10:05:19 UTC
Haven't heard of any problems, but I'd still want to wait, because I have two crash fixes pending (probably not security relevant, they are in the engine part, so they'd only allow for local DoS in FastCGI setups) and this curl open_basedir/safe_mode bypass has been disclosed recently: http://securityreason.com/securityalert/5564

I've already got a patch from Pierre from upstream, but it needs testing and is still only a first attempt, according to him.
So that's why I'd prefer to wait, if this is OK security-wise. We have to draw a line between convenience (for arch teams and users) and exposure to the already fixed issues (where all of them are only local or maybe remote DoS issues, it seems).
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2009-04-12 15:28:08 UTC
let's set the target date in a week so we know when to revisit this bug.
Comment 19 Christian Hoffmann (RETIRED) gentoo-dev 2009-04-14 18:19:22 UTC
(In reply to comment #17)
> I've already got a patch from Pierre from upstream, but it needs testing and is
> still only a first attempt, according to him.
> So that's why I'd prefer to wait, if this is OK security-wise. We have to draw
> a line between convenience (for arch teams and users) and exposure to the
> already fixed issues (where all of them are only local or maybe remote DoS
> issues, it seems).
Patch is still incomplete, we are not supposed to use it, so still waiting...

Fixes in php-5.2.9 since php-5.2.8-r2:

#A.01 "Crash on extract in zip when files or directories entry names contain
      a relative path." (CVE-2009-1272, USE=zip)

#A.02 "Segfault with new pg_meta_data" (USE=postgres)
  Impact: Local DoS (persistent php setups)
  References: [1] [2]

#A.03 Crash in ext/xml with specially crafted XML documents (USE=xml)
  Impact: Local DoS (persistent php setups)
  References: [3] [4]

#A.04 ext/mbstring: Double free in mb_detect_encoding() (USE=unicode)
  Impact: Local DoS (persistent php setups), more?
  References: [5] [6]

#A.05 "possible invalid read when string is not null terminated" in spprintf.c
  Impact: ?
  References: [7]

#A.06 Hang in ext/mbstring with certain user input (USE=unicode)
  Impact: DoS (CPU consumption)
  References: [8] [9] [10]

#A.07 Possible integer (?) overflow in ext/mbstring (USE=unicode)
  Impact: ?
  References: [11]

#A.08 ext/soap Crafted WSDL file crash (USE=soap)
  Impact: DoS
  References: [12] [13] [14] [15]

#A.09 Double free / memory corruption when passing method return values by ref
  Impact: Local DoS (persistent php setups)
  References: [16] [17] [18] [19] [20]

#A.10 Crash when creating lots of objects while destructing another object
  Impact: Local DoS (persistent php setups)
  References: [22] [23]


List of fixes in php-5.2.9-r1 since php-5.2.9 yet to come.

    


[1] http://cvs.php.net/viewvc.cgi/php-src/ext/pgsql/pgsql.c?r1=1.331.2.13.2.33&r2=1.331.2.13.2.34&diff_format=u
[2] http://bugs.php.net/bug.php?id=47048
[3] http://bugs.php.net/bug.php?id=47220
[4] http://cvs.php.net/viewvc.cgi/php-src/ext/dom/document.c?r1=1.68.2.3.2.10&r2=1.68.2.3.2.11&diff_format=u
[5] http://bugs.php.net/bug.php?id=47245
[6] http://cvs.php.net/viewvc.cgi/php-src/ext/mbstring/mbstring.c?r1=1.224.2.22.2.42&r2=1.224.2.22.2.43&diff_format=u
[7] http://cvs.php.net/viewvc.cgi/php-src/main/spprintf.c?r1=1.25.2.2.2.13&r2=1.25.2.2.2.14&diff_format=u
[8] http://bugs.php.net/bug.php?id=45239
[9] http://cvs.php.net/viewvc.cgi/php-src/ext/mbstring/libmbfl/mbfl/mbfilter.c?r1=1.7.2.5.2.2&r2=1.7.2.5.2.3&diff_format=u
[10] http://cvs.php.net/viewvc.cgi/php-src/ext/mbstring/tests/bug45239.phpt?view=markup&rev=1.1
[11] http://cvs.php.net/viewvc.cgi/php-src/ext/mbstring/libmbfl/mbfl/mbfilter.c?r1=1.7.2.5.2.4&r2=1.7.2.5.2.5&diff_format=u
[12] http://bugs.php.net/bug.php?id=47049
[13] http://cvs.php.net/viewvc.cgi/php-src/ext/soap/soap.c?r1=1.156.2.28.2.43&r2=1.156.2.28.2.44&diff_format=u
[14] http://cvs.php.net/viewvc.cgi/php-src/ext/soap/tests/bugs/bug47049.phpt?view=markup&rev=1.1
[15] http://cvs.php.net/viewvc.cgi/php-src/ext/soap/tests/bugs/bug47049.wsdl?view=markup&rev=1.1
[16] http://bugs.php.net/bug.php?id=47165
[17] http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_compile.c?r1=1.647.2.27.2.52&r2=1.647.2.27.2.53&diff_format=u
[18] http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_compile.h?r1=1.316.2.8.2.15&r2=1.316.2.8.2.16&diff_format=u
[19] http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_vm_def.h?r1=1.59.2.29.2.63&r2=1.59.2.29.2.64&diff_format=u
[20] http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_vm_execute.h?r1=1.62.2.30.2.66&r2=1.62.2.30.2.67&diff_format=u
[21] http://cvs.php.net/viewvc.cgi/ZendEngine2/tests/bug47165.phpt?view=markup&rev=1.1
[22] http://bugs.php.net/bug.php?id=47353
[23] http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_objects_API.c?r1=1.47.2.6.2.8&r2=1.47.2.6.2.9&diff_format=u
Comment 20 Christian Hoffmann (RETIRED) gentoo-dev 2009-04-14 18:59:02 UTC
Fixes in php-5.2.9-r1 since php-5.2.9:

#B.01 2 memory corruptions in ext/zip (USE=zip)
  Impact: Local DoS (persistent php setups), more?
  References: [1]

#B.02 ext/filter permitted invalid chars in email addresses (USE=filter)
  Impact: Circumvention of security restrictions in webapps, no issue by itself
  References: [2] [3]

#B.03 imagepng() crashes with empty images (USE=gd)
  Impact: Local? DoS (persistent php setups)
  References: [4] [5] [6]

#B.04 curl_set_opt() crash (USE=curl)
  Impact: Local DoS (persistent php setups)
  References: [7] [8]

#B.05 Crash in ext/openssl when UTF8 conversion fails (USE=ssl)
  Impact: Local? DoS (persistent php setups)
  References: [9] [10]

#B.06 Crash in ext/xmlrpc with bad callbacks
  Impact: Local DoS (persistent php setups)
  References: [11] [12] [13]

#B.07 Crash with bad config setting session.save_path (USE=session)
  Impact: (Local DoS)? (persistent php setups)
  References: [14]


All these local DoS thingies are just crash issues which can usually be only caused by a user which has the permissions to create/modify php code and run it. It affects other users in case of non-seperated mod_fastcgi/mod_php environments. Some of those might become remotely exploitable, depending on specific application scenarios.

Still missing: Two crash fixes in the engine which will be part of -r2.



[1] http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=1.1.2.49&r2=1.1.2.50&diff_format=u
[2] http://bugs.php.net/bug.php?id=47598
[3] http://cvs.php.net/viewvc.cgi/php-src/ext/filter/logical_filters.c?r1=1.1.2.29&r2=1.1.2.30&diff_format=u
[4] http://bugs.php.net/bug.php?id=45799
[5] http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd_png.c?r1=1.17.4.2.2.6&r2=1.17.4.2.2.7&diff_format=u
[6] http://cvs.php.net/viewvc.cgi/php-src/ext/gd/tests/bug45799.phpt?view=markup&revision=1.1
[7] http://bugs.php.net/bug.php?id=47616
[8] http://cvs.php.net/viewvc.cgi/php-src/ext/curl/interface.c?r1=1.62.2.14.2.42&r2=1.62.2.14.2.43&diff_format=u
[9] http://cvs.php.net/viewvc.cgi/php-src/ext/openssl/openssl.c?r1=1.98.2.5.2.51&r2=1.98.2.5.2.52&diff_format=u
[10] http://bugs.php.net/bug.php?id=47828
[11] http://cvs.php.net/viewvc.cgi/php-src/ext/xmlrpc/xmlrpc-epi-php.c?r1=1.39.2.5.2.13&r2=1.39.2.5.2.14&diff_format=u
[12] http://cvs.php.net/viewvc.cgi/php-src/ext/xmlrpc/tests/bug47818.phpt?view=markup&revision=1.1
[13] http://bugs.php.net/bug.php?id=47818
[14] http://cvs.php.net/viewvc.cgi/php-src/ext/session/mod_files.c?r1=1.100.2.3.2.12&r2=1.100.2.3.2.13&diff_format=u
Comment 21 Christian Hoffmann (RETIRED) gentoo-dev 2009-04-16 18:39:57 UTC
Fixes in php-5.2.9-r2 since php-5.2.9-r1:

#C.01 PHP crashes on some "bad" operations with string offsets
  Impact: Local DoS (persistent php setups)
  References: [1] [2] [3] [4] [5]

#C.02 Double efree() in zend_API.c, no further details
  Impact: Local DoS? (persistent php setups)
  References: [6]

#C.03 open_basedir/safe_mode bypass possibility in ext/curl (USE=curl)
  Impact: (Local) Disclosure of arbitrary files, given the unix perms allow it,
          (although php "perms" (i.e. open_basedir and safe_mode) don't).
  References: [7] [8] [9] [10]

This should be it...

Arches, please test and mark stable:
  =dev-lang/php-5.2.9-r2
Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86 ~x86-fbsd



[1] http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_vm_def.h?r1=1.59.2.29.2.65&r2=1.59.2.29.2.66&diff_format=u
[2] http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_vm_execute.h?r1=1.62.2.30.2.68&r2=1.62.2.30.2.69&diff_format=u
[3] http://cvs.php.net/viewvc.cgi/ZendEngine2/tests/bug47704.phpt?view=markup&revision=1.1
[4] http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.1443&r2=1.2027.2.547.2.1444&diff_format=u
[5] http://bugs.php.net/bug.php?id=47704
[6] http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_API.c?r1=1.296.2.27.2.41&r2=1.296.2.27.2.42&diff_format=u
[7] http://securityreason.com/securityalert/5564
[8] http://cvs.php.net/viewvc.cgi/php-src/ext/curl/interface.c?r1=1.62.2.14.2.43&r2=1.62.2.14.2.44&diff_format=u
[9] http://cvs.php.net/viewvc.cgi/php-src/ext/curl/interface.c?r1=1.62.2.14.2.44&r2=1.62.2.14.2.45
[10] http://cvs.php.net/viewvc.cgi/php-src/ext/curl/interface.c?r1=1.62.2.14.2.45&r2=1.62.2.14.2.46&diff_format=u
Comment 22 Tobias Heinlein (RETIRED) gentoo-dev 2009-04-17 15:40:35 UTC
amd64 stable. most of the tests passed, just the usual ones failed.

hoffie: You might want to have a look at bug 266537. However, I didn't hit that.
Comment 23 Jeroen Roovers gentoo-dev 2009-04-17 18:56:00 UTC
Stable for HPPA.
Comment 24 nixnut (RETIRED) gentoo-dev 2009-04-18 08:11:08 UTC
ppc stable
Comment 25 Markus Meier gentoo-dev 2009-04-18 11:59:32 UTC
x86 stable
Comment 26 Brent Baude (RETIRED) gentoo-dev 2009-04-18 13:33:05 UTC
ppc64 done
Comment 27 Tobias Klausmann gentoo-dev 2009-04-18 16:00:20 UTC
Stable on alpha.
Comment 28 Raúl Porcel (RETIRED) gentoo-dev 2009-04-20 15:52:15 UTC
arm/ia64/s390/sh/sparc stable
Comment 29 Tobias Heinlein (RETIRED) gentoo-dev 2009-05-03 18:42:35 UTC
GLSA together with bug 249875.
Comment 30 Tobias Heinlein (RETIRED) gentoo-dev 2010-01-05 21:13:33 UTC
GLSA 201001-03.

Thank you everyone, sorry about the delay.