Bug 274670 (CVE-2009-2687) - <dev-lang/php-5.2.10-r1 DoS (CVE-2009-2687)
Summary: <dev-lang/php-5.2.10-r1 DoS (CVE-2009-2687)
Status: RESOLVED FIXED
Alias: CVE-2009-2687
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.php.net/releases/5_2_10.php
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-06-19 07:20 UTC by Alex Legler (RETIRED)
Modified: 2010-01-05 21:13 UTC
Package list:
Runtime testing required: ---
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-19 07:20:52 UTC
There seems to be a problem in exif_read_data(), where some fields
representing offsets(?) are taken directly from the file without being
validated, resulting in a segmentation fault.

(http://bugs.php.net/bug.php?id=48378)
Comment 1 Markus Ullmann (RETIRED) gentoo-dev 2009-06-19 13:31:19 UTC
Ah that's what killed my server this morning -.- I just saw something uploading a jpg :(
Comment 2 Christian Hoffmann (RETIRED) gentoo-dev 2009-06-19 14:43:05 UTC
php-5.2.10 is in the tree now.
Please give it a day or two before stabilization, to see whether any problems pop up.
I won't be available on the weekend.

The mentioned DoS issue is most likely not the only one, I have a list of possibly security-relevant bugs, and I'll go through it and format it once I've got more time again.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-20 14:04:30 UTC
Thanks hoffe. There is also a PHP safe_mode bypass which I stumbled upon, so I thought I might add it here:
http://www.packetstormsecurity.com/0906-exploits/php5210-bypass.txt
Comment 4 Christian Hoffmann (RETIRED) gentoo-dev 2009-06-21 11:19:27 UTC
(In reply to comment #3)
> Thanks hoffe. There is also a PHP safe_mode bypass which I stumbled upon, so I
> thought I might add it here:
> http://www.packetstormsecurity.com/0906-exploits/php5210-bypass.txt
That's a win32-only issue which seems to have been fixed in 5.2.9 already.

http://bugs.php.net/bug.php?id=45997
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-22 12:14:19 UTC
Is it ok to stabilize now? Maybe you have some time today and want to fix #256941 first so that we minimize version bumps? If I don't get a reply today, I'll add arches so that we don't delay this too much.
Comment 6 Christian Hoffmann (RETIRED) gentoo-dev 2009-06-22 14:20:15 UTC
(In reply to comment #5)
> Is it ok to stabilize now? Maybe you have some time today and want to fix
> #256941 first so that we minimize version bumps? If I don't get a reply today,
> I'll add arches so that we don't delay this too much.
Well no, I have no immediate fix for it, and I don't think reverting this change just now is a good idea either.
Comment 7 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-22 14:24:37 UTC
Arches, please test and mark stable:
=dev-lang/php-5.2.10
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2009-06-23 06:10:57 UTC
Repoman complained thusly:

RepoMan scours the neighborhood...
  IUSE.invalid                  2
   dev-lang/php/php-5.2.9-r2.ebuild: zip-external
   dev-lang/php/php-5.2.10.ebuild: zip-external

Note: use --include-dev (-d) to check dependencies for 'dev' profiles

Please fix these important QA issues first.
RepoMan sez: "Make your QA payment on time and you'll never see the likes of me."

and that's obviously a bug in repoman, so I put back that line in metadata.xml temporarily to work around the problem.

Stable for HPPA.
Comment 9 Christian Hoffmann (RETIRED) gentoo-dev 2009-06-23 12:22:03 UTC
(In reply to comment #8)
> RepoMan scours the neighborhood...
>   IUSE.invalid                  2
>    dev-lang/php/php-5.2.9-r2.ebuild: zip-external
>    dev-lang/php/php-5.2.10.ebuild: zip-external
> 
> Note: use --include-dev (-d) to check dependencies for 'dev' profiles
> 
> Please fix these important QA issues first.
> RepoMan sez: "Make your QA payment on time and you'll never see the likes of
> me."
> 
> and that's obviously a bug in repoman, so I put back that line in metadata.xml
> temporarily to work around the problem.
Are you sure your eclass/ directory is up-to-date? I don't see a repoman warning with repoman full here.. If you still do, I'll revert metadata.xml for now (or you can feel free to do so as well, if I can't do it in time).
Comment 10 Brent Baude (RETIRED) gentoo-dev 2009-06-23 18:30:46 UTC
ppc64 done
Comment 11 Brent Baude (RETIRED) gentoo-dev 2009-06-23 18:30:52 UTC
ppc done
Comment 12 Brent Baude (RETIRED) gentoo-dev 2009-06-23 18:32:37 UTC
I couldn't commit either because of the same problem; adding us back in.
Comment 13 Christian Hoffmann (RETIRED) gentoo-dev 2009-06-24 15:55:57 UTC
(In reply to comment #8)
> and that's obviously a bug in repoman, so I put back that line in metadata.xml
> temporarily to work around the problem.

(In reply to comment #12)
> i couldnt commit either because of the same problem; adding us back in.

Well, I have reverted metadata.xml to the previous revision which includes the zip-external USE flag (basically what jer did locally).

I have no idea what causes/caused this problem, nor am I able to reproduce it on ~amd64 or stable x86.

What I did miss was a zip-external line in profiles/base/package.use.mask, but I doubt this was the problem. Fixed now anyway.

Please go ahead with stabilization.
Comment 14 Christian Faulhammer (RETIRED) gentoo-dev 2009-06-25 14:54:35 UTC
x86 stable
Comment 15 Tobias Heinlein (RETIRED) gentoo-dev 2009-06-26 19:05:39 UTC
amd64 stable
Comment 16 Tobias Klausmann (RETIRED) gentoo-dev 2009-06-26 19:36:24 UTC
Stable on alpha
Comment 17 Christian Hoffmann (RETIRED) gentoo-dev 2009-06-26 21:18:15 UTC
There is a regression in ext/curl which renders certain code snippets unusable. As this happens only with USE=curl and specific code, I'd be against masking, but I think we should not let the remaining arches stable it.

Security, what's more important, this issue or the DoS problem?

http://news.php.net/php.internals/44469
http://bugs.php.net/bug.php?id=48518
Comment 18 Brent Baude (RETIRED) gentoo-dev 2009-06-27 12:56:59 UTC
ppc64 done
Comment 19 Brent Baude (RETIRED) gentoo-dev 2009-06-27 12:57:04 UTC
ppc done
Comment 20 Raúl Porcel (RETIRED) gentoo-dev 2009-06-30 13:32:18 UTC
arm/ia64/s390/sh/sparc stable
Comment 21 Robert Buchholz (RETIRED) gentoo-dev 2009-08-07 17:20:51 UTC
CVE-2009-2687 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2687):
  The exif_read_data function in the Exif module in PHP before 5.2.10
  allows remote attackers to cause a denial of service (crash) via a
  malformed JPEG image with invalid offset fields, a different issue
  than CVE-2005-3353.

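The bug description and the CVE text above both boil down to one missing check: the EXIF parser reads offset and length fields out of the image and dereferences them before confirming they land inside the buffer. The block below is an added example for this thread, not code from PHP's ext/exif, the upstream fix for bug 48378, or anything Gentoo shipped. It walks IFD0 of a little-endian TIFF/EXIF blob (the header and IFD layout are from the TIFF 6.0 specification; the field-type sizes are the standard ones) and validates every file-supplied offset and length against the buffer end before touching memory. The four sample buffers are constructed for the example: one well-formed, one with an entry value offset far past the end, one whose IFD0 offset is out of range, and one whose entry count claims more than the buffer holds. Which exact fields PHP 5.2.9 left unchecked is not stated on this page, so the example shows the class of check rather than the upstream patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian ("II") TIFF/EXIF IFD0 walker with bounds checks.
 * Added example for this bug thread; not code from PHP's ext/exif. */

static uint16_t rd16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* True iff [off, off+n) lies inside a buffer of buflen bytes.
 * Two comparisons, so off+n can never wrap around. */
static int in_bounds(size_t buflen, size_t off, size_t n) {
    return off <= buflen && n <= buflen - off;
}

/* Byte size of a TIFF field type (1..12); 0 for anything unknown. */
static size_t type_size(uint16_t type) {
    switch (type) {
    case 1: case 2: case 6: case 7: return 1;  /* BYTE, ASCII, SBYTE, UNDEFINED */
    case 3: case 8:                 return 2;  /* SHORT, SSHORT */
    case 4: case 9: case 11:        return 4;  /* LONG, SLONG, FLOAT */
    case 5: case 10: case 12:       return 8;  /* RATIONAL, SRATIONAL, DOUBLE */
    default:                        return 0;
    }
}

/* Walks IFD0. Every offset/length read from the file is validated against
 * len before it is dereferenced. Returns the entry count, or -1 if malformed. */
int parse_tiff_ifd0(const uint8_t *buf, size_t len) {
    if (len < 8 || memcmp(buf, "II", 2) != 0 || rd16(buf + 2) != 42)
        return -1;

    uint32_t ifd_off = rd32(buf + 4);           /* attacker-controlled */
    if (!in_bounds(len, ifd_off, 2))            /* room for the entry count? */
        return -1;
    uint16_t n = rd16(buf + ifd_off);

    /* n entries of 12 bytes plus the 4-byte next-IFD pointer must fit. */
    if (!in_bounds(len, (size_t)ifd_off + 2, (size_t)n * 12 + 4))
        return -1;

    for (size_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd_off + 2 + i * 12;
        uint16_t type  = rd16(e + 2);
        uint32_t count = rd32(e + 4);
        size_t   ts    = type_size(type);
        if (ts == 0 || count > SIZE_MAX / ts)   /* unknown type or count*ts overflow */
            return -1;
        size_t vlen = (size_t)count * ts;

        /* Values longer than 4 bytes live elsewhere in the file; the last 4
         * bytes of the entry are then an offset. This is the field that must
         * not be trusted blindly. */
        if (vlen > 4) {
            uint32_t voff = rd32(e + 8);
            if (!in_bounds(len, voff, vlen))
                return -1;
            /* buf + voff .. buf + voff + vlen is now safe to read */
        }
    }
    return n;
}

/* Constructed sample inputs (not files from the bug report). */

/* Well-formed: IFD0 at 8; ImageDescription (ASCII, 5 bytes at offset 38)
 * and Orientation (SHORT, value stored inline). */
const uint8_t tiff_ok[] = {
    'I','I', 0x2A,0x00, 0x08,0x00,0x00,0x00, 0x02,0x00,
    0x0E,0x01, 0x02,0x00, 0x05,0x00,0x00,0x00, 0x26,0x00,0x00,0x00,
    0x12,0x01, 0x03,0x00, 0x01,0x00,0x00,0x00, 0x01,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 't','e','s','t',0x00 };

/* Same layout, but the ImageDescription value offset is 0xFFFFFFF0. */
const uint8_t tiff_bad_value_off[] = {
    'I','I', 0x2A,0x00, 0x08,0x00,0x00,0x00, 0x02,0x00,
    0x0E,0x01, 0x02,0x00, 0x05,0x00,0x00,0x00, 0xF0,0xFF,0xFF,0xFF,
    0x12,0x01, 0x03,0x00, 0x01,0x00,0x00,0x00, 0x01,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 't','e','s','t',0x00 };

/* Header whose IFD0 offset points far beyond the end of the buffer. */
const uint8_t tiff_bad_ifd_off[] = { 'I','I', 0x2A,0x00, 0xFF,0xFF,0xFF,0x7F };

/* IFD0 claims 200 entries but the buffer ends right after the count. */
const uint8_t tiff_truncated[] = {
    'I','I', 0x2A,0x00, 0x08,0x00,0x00,0x00, 0xC8,0x00 };

int main(void) {
    printf("ok: %d\n",            parse_tiff_ifd0(tiff_ok, sizeof tiff_ok));
    printf("bad value off: %d\n", parse_tiff_ifd0(tiff_bad_value_off, sizeof tiff_bad_value_off));
    printf("bad IFD off: %d\n",   parse_tiff_ifd0(tiff_bad_ifd_off, sizeof tiff_bad_ifd_off));
    printf("truncated: %d\n",     parse_tiff_ifd0(tiff_truncated, sizeof tiff_truncated));
    return 0;
}
```

The well-formed buffer parses to 2 entries; the other three are rejected before any out-of-range read. The point of `in_bounds` taking `off` and `n` separately is that a naive `off + n <= len` check is itself bypassable with a large `off` that wraps the addition, which is why the example compares against `len - off` instead.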
Comment 22 Tobias Heinlein (RETIRED) gentoo-dev 2009-11-06 13:55:39 UTC
php-5.2.11 has been stabilized in the meantime; I'm including this in the next PHP GLSA.
Comment 23 Tobias Heinlein (RETIRED) gentoo-dev 2010-01-05 21:13:57 UTC
GLSA 201001-03.

Thank you everyone, sorry about the delay.