Bug 1451700 (CVE-2017-8923)

Summary: CVE-2017-8923 php: Overflowing the length of string causes crash
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: fedora, hhorak, jorton, kseifried, rcollet, sardella, webstack-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: php 7.4.24, php 8.0.11
Doc Type: If docs needed, set a value
Doc Text:
An integer overflow vulnerability in PHP can lead to a buffer overflow when constructing extremely long strings with the ".=" operator. In unusual circumstances, this could be used by an attacker to cause an application to crash or possibly have other consequences.
Story Points: ---
Last Closed: 2017-07-05 05:34:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1451701
Bug Blocks: 1451702, 2020490

Description Adam Mariš 2017-05-17 10:25:02 UTC
The zend_string_extend function in Zend/zend_string.h in PHP through 7.1.5 does not prevent changes to string objects that result in a negative length, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact by leveraging a script's use of .= with a long string.

Upstream bug:

https://bugs.php.net/bug.php?id=74577

Comment 1 Adam Mariš 2017-05-17 10:25:23 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1451701]

Comment 2 Huzaifa S. Sidhpurwala 2017-07-05 05:34:05 UTC
This seems to be a flaw in handling very large strings. It is unlikely that this flaw will be triggered by malicious user input, therefore this has very limited security impact.

Comment 3 Tomas Hoger 2021-11-16 22:53:44 UTC
This issue got fixed upstream via the following upstream bug:

https://bugs.php.net/bug.php?id=73122

Upstream commit:

https://github.com/php/php-src/commit/f1ce8d5f5839cb2069ea37ff424fb96b8cd6932d

The fix was applied in versions 7.4.24 and 8.0.11:

https://www.php.net/ChangeLog-7.php#7.4.24
https://www.php.net/ChangeLog-8.php#8.0.11

The fix depends on the following fix:

https://bugs.php.net/bug.php?id=74960
https://github.com/php/php-src/commit/760ff841a14160f25348f7969985cb8a2c4da3cc

Note that upstream does not seem to be planning to apply this fix for PHP 7.3, as they do not consider the issue to be a security flaw:

https://bugs.php.net/bug.php?id=73122#1629209263

That classification may be based on the fact that this problem can only be triggered when running with memory_limit higher than 2GB or no memory limit, while the default limit is 128MB:

https://www.php.net/manual/en/ini.core.php#ini.memory-limit

However, it may also be based on the fact that upstream bug report #73122 only mentions the strlen() function returning an incorrect value without triggering any crash, as noted in the upstream bug report #74577.

To trigger the overflow, a script has to attempt to concatenate a string with more than 2^31 characters to itself. Being able to trigger that in a non-malicious script seems unlikely.

Another mitigating factor is that the 2^31 limit only applies to 32-bit systems. On 64-bit systems, a string would have to be 2^63 characters long, which would not be possible with current hardware. Only 64-bit builds of PHP are provided for Red Hat Enterprise Linux 7 and later.
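The three mitigating conditions from the comment above (64-bit build, memory_limit at or below 2GB, and a release carrying the 7.4.24 / 8.0.11 fix) combined into a PHP check; this is example code written for this page, not code from the bug report or from php-src, and the function names, the simplified memory_limit shorthand parsing, and the assumption that every release after 8.0.11 carries the fix are assumptions.

```php
<?php
// Added example (not from the bug report): decide whether a PHP build and
// configuration match the exposure conditions described in comment 3.

// Convert a php.ini shorthand quantity ("128M", "2G", "-1") to bytes.
// Returns null for -1 (no limit). Simplified: one optional K/M/G suffix,
// case-insensitive; computed as float so it cannot overflow on 32-bit builds.
function memoryLimitToBytes(string $limit): ?float {
    $limit = trim($limit);
    if ($limit === '-1') {
        return null; // memory_limit disabled
    }
    if (!preg_match('/^(\d+)\s*([KMG]?)$/i', $limit, $m)) {
        throw new InvalidArgumentException("unrecognised memory_limit: $limit");
    }
    $bytes = (float)$m[1];
    switch (strtoupper($m[2])) {
        case 'G': $bytes *= 1024; // fall through
        case 'M': $bytes *= 1024; // fall through
        case 'K': $bytes *= 1024;
    }
    return $bytes;
}

// True when the version carries the upstream fix (7.4.24 / 8.0.11 per the
// ChangeLog links above; later releases are assumed to include it).
function hasUpstreamFix(string $version): bool {
    if (version_compare($version, '8.0.0', '>=')) {
        return version_compare($version, '8.0.11', '>=');
    }
    return version_compare($version, '7.4.24', '>='); // 7.3 and older never fixed
}

// Exposed only if all three hold: 32-bit build, memory_limit above 2GB or
// unlimited, and a version without the fix.
function exposedToBug74577(int $intSize, string $memoryLimit, string $version): bool {
    if ($intSize !== 4) {
        return false; // 64-bit: a string would need 2^63 characters
    }
    $bytes = memoryLimitToBytes($memoryLimit);
    if ($bytes !== null && $bytes <= 2.0 * 1024 * 1024 * 1024) {
        return false; // a 2GB or smaller limit cannot reach a 2^31 string
    }
    return !hasUpstreamFix($version);
}

// Check the interpreter this script runs under.
$exposed = exposedToBug74577(PHP_INT_SIZE, (string)ini_get('memory_limit'), PHP_VERSION);
echo $exposed ? "exposed\n" : "not exposed\n";
```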