Bug 1053982 - php: CVE-2006-7243 patch issues in oci8 and odbc
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: php
Version: 6.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Web Stack Team
QA Contact: David Kutálek
Keywords: Regression
Blocks: 1056252
Reported: 2014-01-16 04:56 UTC by John Vandenberg
Modified: 2014-10-14 06:37 UTC (History)

Cause: The patch for the referenced CVE includes fixes for extensions that are not provided (oci8...).

Consequence: These parts of the patch are not needed and not tested, and they break those extensions.

Fix: The unneeded parts have been removed.

Result: Unchanged source code for the oci8 extension.
Last Closed: 2014-10-14 06:37:29 UTC


Attachments
Patch to the CVE-2006-7243 patch (3.44 KB, patch)
2014-02-09 21:08 UTC, Martin Kalén
Patch to the CVE-2006-7243 patch (2.63 KB, patch)
2014-02-09 21:53 UTC, Martin Kalén


External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2014:1465 | normal | SHIPPED_LIVE | php bug fix update | 2014-10-14 01:10:51 UTC
Red Hat Bugzilla | 782198 | None | None | None | Never

Description John Vandenberg 2014-01-16 04:56:14 UTC
Description of problem:
The patch php-5.3.3-CVE-2006-7243.patch modifies oci_lob_load instead of oci_lob_import, crashing the compile of the oci module of php.

Version-Release number of selected component (if applicable):
php-5.3.3

How reproducible:
Very

Steps to Reproduce:
1. Download php.spec
2. Edit php.spec to enable OCI8
3. make

Actual results:
/home/../rpmbuild/BUILD/php-5.3.3/ext/oci8/oci8_interface.c: In function 'zif_oci_lob_load':
/home/../rpmbuild/BUILD/php-5.3.3/ext/oci8/oci8_interface.c:275: error: 'filename' undeclared (first use in this function)
/home/../rpmbuild/BUILD/php-5.3.3/ext/oci8/oci8_interface.c:275: error: (Each undeclared identifier is reported only once
/home/../rpmbuild/BUILD/php-5.3.3/ext/oci8/oci8_interface.c:275: error: for each function it appears in.)
/home/../rpmbuild/BUILD/php-5.3.3/ext/oci8/oci8_interface.c:275: error: 'filename_len' undeclared (first use in this function)


Expected results:
Clean build

Additional info:

There was a bit of a mixup in applying the patches for this CVE to the php tree.  The history can be seen here:

https://github.com/php/php-src/commits/PHP-5.3/ext/oci8/oci8_interface.c

Specifically, the breakage was added here:

https://github.com/php/php-src/commit/ce96fd6b0761d98353761bf78d5bfb55291179fd#diff-7c1deaf3f65d0a248a2aaf085e1f8f2cR280

And then fixed shortly after here:

https://github.com/php/php-src/commit/ff261853223f887fb1964e6c68080f903ca1de06

The patch needs to be altered, removing the chunk re function oci_lob_load, and _adding_ the chunk re function oci_lob_import.

https://github.com/php/php-src/blob/c8462df127c2ac21a71e6f6adba7bc3d08fb64bf/ext/oci8/oci8_interface.c#L246

Comment 2 Joe Orton 2014-01-16 11:58:52 UTC
Thanks John, your analysis looks correct there; sorry about that.  But note that we do not build the oci8 extension in the Red Hat Enterprise Linux binary RPMs, so we can not support this code as such.

We appreciate the feedback and look to use reports such as this to guide our efforts at improving our products. That being said, this bug tracking system is not a mechanism for requesting support, and we are not able to guarantee the timeliness or suitability of a resolution.

If this issue is critical or in any way time sensitive, please raise a ticket
through your regular Red Hat support channels to make certain it receives the
proper attention and prioritization to assure a timely resolution.

For information on how to contact the Red Hat production support team, please
visit: https://www.redhat.com/support/process/production/#howto

Comment 3 John Vandenberg 2014-01-16 14:29:10 UTC
Thanks Joe.  It is not critical or time-sensitive on my part, as I have rectified the patch for my purposes.  I do appreciate OCI is not a supported extension in Red Hat EL; I raised the bug in case Red Hat wants to rectify the faulty CVE patch when the package is next updated due to a 'real' bug.

Comment 4 Martin Kalén 2014-02-09 21:08:23 UTC
Created attachment 861145
Patch to the CVE-2006-7243 patch

Patch to perform the suggested changes. Only changes the part of php-5.3.3-CVE-2006-7243.patch regarding ext/oci8/oci8_interface.c, according to previous comments in this bug. Tested on RHEL6.5 x86_64 with Oracle 11gR2 Instant Client Basic 11.2.0.4.0 x86_64.

Comment 5 Martin Kalén 2014-02-09 21:35:40 UTC
Comment on attachment 861145
Patch to the CVE-2006-7243 patch

Incorrect whitespace.

Comment 6 Martin Kalén 2014-02-09 21:53:07 UTC
Created attachment 861168
Patch to the CVE-2006-7243 patch

Patch to perform the suggested changes. Only changes the part of php-5.3.3-CVE-2006-7243.patch regarding ext/oci8/oci8_interface.c, according to previous comments in this bug. Tested on RHEL6.5 x86_64 with Oracle 11gR2 Instant Client Basic 11.2.0.4.0 x86_64.

Fixed whitespace in patch (sorry about that).

I understand that OCI8 is not supported by Red Hat and that it probably never will be due to the Oracle [Instant]Client dependency, but by applying the attached patch to your distributed version of php-5.3.3-CVE-2006-7243.patch it would be a big convenience to your users that do include OCI8 in a RHEL6 rebuild of PHP since it now compiles cleanly.

Comment 7 Tomas Hoger 2014-02-13 10:05:46 UTC
There is another problem with the patch in the odbc extension.  The change applied to RHEL-6 php packages is identical to what was applied upstream:

http://git.php.net/?p=php-src.git;a=commitdiff;h=ce96fd6#patch10

Added check does:

  if (strlen(tmp) != Z_STRLEN_PP(tmp)) {

while it should be:

  if (strlen(Z_STRVAL_PP(tmp)) != Z_STRLEN_PP(tmp)) {

Leading to a compile warning:

/builddir/build/BUILD/php-5.3.3/ext/odbc/php_odbc.c: In function 'zif_odbc_execute':
/builddir/build/BUILD/php-5.3.3/ext/odbc/php_odbc.c:1303: warning: passing argument 1 of 'strlen' from incompatible pointer type
/usr/include/string.h:399: note: expected 'const char *' but argument is of type 'struct zval **'

This issue was never fixed upstream in the 5.3 branch.  5.4 and later have a different check, using CHECK_ZVAL_NULL_PATH():

http://git.php.net/?p=php-src.git;a=commitdiff;h=32b5f8a#patch19
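
Added example, not part of the bug report or of PHP's source: the corrected comparison from the comment above, run against a length-counted string with and without an embedded NUL byte. `toy_zval`, the two stand-in macros, the helper names and the sample values are assumptions made for illustration; the real zval type and macros live in the Zend headers.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a PHP 5.3 string zval: buffer plus explicit
 * length, so the buffer may contain NUL bytes before its terminator. */
typedef struct { char *val; int len; } toy_zval;

/* Stand-ins named after the macros quoted above; both take a toy_zval **. */
#define Z_STRVAL_PP(pp) ((*(pp))->val)
#define Z_STRLEN_PP(pp) ((*(pp))->len)

/* Corrected check: strlen() stops at the first NUL, so it differs from the
 * stored length exactly when the value has an embedded NUL.
 * Assumes val[len] == '\0', as in the sample buffers below. */
static int has_embedded_nul(toy_zval **tmp)
{
    return strlen(Z_STRVAL_PP(tmp)) != (size_t)Z_STRLEN_PP(tmp);
}

/* Same decision, bounded by the stored length (needs no terminator). */
static int has_embedded_nul_bounded(toy_zval **tmp)
{
    return memchr(Z_STRVAL_PP(tmp), '\0', (size_t)Z_STRLEN_PP(tmp)) != NULL;
}

/* Length that a NUL-terminated C API would act on for this value. */
static size_t c_visible_len(toy_zval **tmp)
{
    return strlen(Z_STRVAL_PP(tmp));
}

/* Constructed sample values: 8 bytes, and 13 bytes with a NUL at offset 8. */
static char clean_buf[] = "data.txt";
static char nul_buf[] = "data.txt\0.tmp";
static toy_zval clean_val = { clean_buf, 8 };
static toy_zval nul_val = { nul_buf, 13 };

int main(void)
{
    toy_zval *a = &clean_val, *b = &nul_val;
    printf("clean:    embedded=%d bounded=%d\n",
           has_embedded_nul(&a), has_embedded_nul_bounded(&a));
    printf("with NUL: embedded=%d bounded=%d visible=%zu of %d\n",
           has_embedded_nul(&b), has_embedded_nul_bounded(&b),
           c_visible_len(&b), Z_STRLEN_PP(&b));
    return 0;
}
```

The uncorrected form, `strlen(tmp)`, passes the `zval **` itself to `strlen()`, so the length it measures is that of the pointer's own bytes rather than of the string, and the comparison no longer says anything about embedded NULs; the compiler flags it only as a warning, as the build log in the comment shows.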

Comment 12 Remi Collet 2014-05-22 13:23:52 UTC
(In reply to Tomas Hoger from comment #7)
> There is another problem with the patch in the odbc extension.  The change
> applied to RHEL-6 php packages is identical to what was applied upstream:
> 
> http://git.php.net/?p=php-src.git;a=commitdiff;h=ce96fd6#patch10
> 
> Added check does:
> 
>   if (strlen(tmp) != Z_STRLEN_PP(tmp)) {
> 
> while it should be:
> 
>   if (strlen(Z_STRVAL_PP(tmp)) != Z_STRLEN_PP(tmp)) {
> 


Fix also applied upstream
http://git.php.net/?p=php-src.git;a=commit;h=adc070ca995384e4de83fa3446c6dfcf946a3f50

Comment 14 errata-xmlrpc 2014-10-14 06:37:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1465.html

