| Summary: | CVE-2011-0420 php: missing $size checks in grapheme_extract() | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | fedora, jorton, rpm |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-03-01 13:50:19 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
Jan Lieskovsky
2011-02-20 15:51:39 UTC
This issue did NOT affect the versions of the php package, as shipped with Red Hat Enterprise Linux 3, 4, or 5. This issue affects the version of the php53 package, as shipped with Red Hat Enterprise Linux 5. This issue affects the version of the php package, as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the versions of the php package, as shipped with Fedora releases 13 and 14.

Looks like this is another SecurityReason advisory where the reporter did not spend much time investigating the crash they were seeing. This is not a NULL pointer dereference flaw. The reproducer triggers the crash around this line in grapheme_extract:

RETURN_STRINGL(((char *)pstr), nsize, 1);

pstr is a non-NULL pointer into the $haystack input string (usually $start bytes away from the beginning). This leads to a memcpy call where nsize == -1 is type-cast to 0xffffffff, which eventually leads to an over-read of the input buffer.

Theoretically, this may possibly lead to an information leak (over-reading the $haystack input buffer up to the first non-ASCII character), but this would require having mapped memory and no non-ASCII character after the $haystack $start position for at least 2^31 bytes.

The grapheme functions were introduced upstream in 5.3.0 and still seem rarely used. It also seems $size is not too likely to come from an untrusted source, but I'm not sure if it's unlikely enough to consider this a script-author-only issue. Very low impact anyway.

Joe, I wanted to ask, do you think it's safe to assume this to be script author only?

I think it's reasonable to assume that the 'size' argument would be under control of the script author. I struggle to imagine how this function could be useful in any context where any arguments are untrusted input.

I agree with that.
Given that it's unlikely to use untrusted size values, the limited impact of the flaw (crash only), and the limited use of the functionality, there's currently no plan to address this in future security errata for PHP. If anyone needs to have this fix backported to a specific RHEL version, please open a request against the specific RHEL/php version.

Statement: Red Hat does not consider this flaw to be a security issue. The size argument of the grapheme_extract function is unlikely to come from an untrusted source unfiltered, therefore the value passed to the function is under the full control of the script author and no trust boundary is crossed.
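The over-read discussed above boils down to a signed byte count being handed to memcpy as a size_t. The following is an added example, not code from PHP or from this bug: a hypothetical substring routine (the names extract_unchecked, extract_checked and copy_length_as_seen_by_memcpy are invented here) with the same shape as the RETURN_STRINGL(pstr, nsize, 1) path the comments describe, next to a version that rejects a negative size and clamps the copy to the bytes actually left in the input. The sample haystack is constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/*
 * Added example, not PHP source. A hypothetical substring routine with the
 * shape the bug report describes: a signed byte count (nsize) becomes the
 * size_t length of a memcpy, so a negative count turns into a huge copy.
 */

/* The conversion behind the crash: (size_t)-1 is SIZE_MAX, i.e. 0xffffffff
 * with a 32-bit size_t (0xffffffffffffffff with a 64-bit one). This is the
 * length memcpy would be asked for. */
size_t copy_length_as_seen_by_memcpy(int nsize)
{
    return (size_t)nsize;
}

/* Unchecked shape, mirroring RETURN_STRINGL(pstr, nsize, 1) as described in
 * the report: nsize is trusted. With nsize < 0, malloc((size_t)nsize + 1)
 * wraps to malloc(0) and memcpy over-reads haystack. Only ever call this
 * with a validated, non-negative nsize that fits in the input. */
char *extract_unchecked(const char *haystack, size_t start, int nsize)
{
    const char *pstr = haystack + start;
    char *out = malloc((size_t)nsize + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, pstr, (size_t)nsize);   /* the over-read when nsize < 0 */
    out[(size_t)nsize] = '\0';
    return out;
}

/* Checked shape: reject a negative size up front, bounds-check start, and
 * clamp the count to what is actually left in haystack. The copy length is
 * then derived from the input length, never from the caller alone. */
char *extract_checked(const char *haystack, size_t haystack_len,
                      size_t start, int nsize)
{
    if (nsize < 0 || start > haystack_len)
        return NULL;
    size_t want = (size_t)nsize;
    size_t avail = haystack_len - start;
    size_t n = want < avail ? want : avail;
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, haystack + start, n);
    out[n] = '\0';
    return out;
}

int main(void)
{
    const char *haystack = "hello world";   /* constructed sample input */
    size_t len = strlen(haystack);

    printf("memcpy length for nsize=-1: %zu (SIZE_MAX=%zu)\n",
           copy_length_as_seen_by_memcpy(-1), (size_t)SIZE_MAX);

    char *s = extract_checked(haystack, len, 6, -1);
    printf("checked, size -1: %s\n", s ? s : "rejected");
    free(s);

    s = extract_checked(haystack, len, 6, 100);
    printf("checked, size 100 clamped: %s\n", s ? s : "rejected");
    free(s);

    s = extract_unchecked(haystack, 6, 5);
    printf("unchecked, valid size 5: %s\n", s ? s : "(null)");
    free(s);
    return 0;
}
```

The checked variant deliberately returns NULL rather than silently clamping a negative size to zero, so a caller that passes garbage gets an error it can see instead of an empty string; clamping an oversized positive request to the available bytes is the behaviour a caller would expect from a substring function.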