Bug 1305494

Summary: php: exec function ignore length and look for NULL termination
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abhgupta, dmcphers, fedora, jialiu, jokerman, jorton, kseifried, lmeyer, mmaslano, mmccomas, rcollet, tiwillia, webstack-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: php 5.6.18, php 5.5.32 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-07-27 20:28:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1305565    
Bug Blocks: 1305564    

Description Adam Mariš 2016-02-08 12:31:55 UTC 
It was reported that functions defined in ext/standard/exec.c which work with strings (escapeshellcmd, eschapeshellarg, shell_exec), all ignore the length of the PHP string and work with NULL termination instead. If the string is not NULL terminated (some function uses RETURN_STRINGL(buf, len, 0); where buf is not NULL terminated), running these functions will cause buffer overflow.

Upstream bug:

https://bugs.php.net/bug.php?id=71039

Upstream patch:

https://git.php.net/?p=php-src.git;a=commit;h=c527549e899bf211aac7d8ab5ceb1bdfedf07f14
Comment 1 Adam Mariš 2016-02-08 15:14:00 UTC 
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1305565]
Comment 2 Tomas Hoger 2016-07-27 20:28:37 UTC 
Upstream does not believe this is real security problem.  PHP does not normally create strings which are not NULL terminated, making it unlikely to have untrusted, not NULL terminated inputs passed to the affected escaping functions.  Therefore, there's currently no plan to backport this fix to PHP versions in Red Hat products.