Bug 1053982 - php: CVE-2006-7243 patch issues in oci8 and odbc
Summary: php: CVE-2006-7243 patch issues in oci8 and odbc
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: php
Version: 6.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Remi Collet
QA Contact: David Kutálek
URL:
Whiteboard:
Depends On:
Blocks: 1056252
Reported: 2014-01-16 04:56 UTC by John Vandenberg
Modified: 2021-01-14 09:24 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The patch for the referenced CVE includes fixes for extensions that are not provided (oci8...).
Consequence: These parts of the patch are not needed, are not tested, and break those extensions.
Fix: The unneeded parts have been removed.
Result: Unchanged source code for the oci8 extension.
Clone Of:
Environment:
Last Closed: 2014-10-14 06:37:29 UTC
Target Upstream Version:
Embargoed:


Attachments
Patch to the CVE-2006-7243 patch (3.44 KB, patch), 2014-02-09 21:08 UTC, Martin Kalén
Patch to the CVE-2006-7243 patch (2.63 KB, patch), 2014-02-09 21:53 UTC, Martin Kalén


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla | 782198 | 0 | unspecified | CLOSED | RFE: Request for a new oci8 php package | 2021-02-22 00:41:40 UTC
Red Hat Product Errata | RHBA-2014:1465 | 0 | normal | SHIPPED_LIVE | php bug fix update | 2014-10-14 01:10:51 UTC

Description John Vandenberg 2014-01-16 04:56:14 UTC
Description of problem:
The patch php-5.3.3-CVE-2006-7243.patch modifies oci_lob_load instead of oci_lob_import, crashing the compile of the oci module of php

Version-Release number of selected component (if applicable):
php-5.3.3

How reproducible:
Very

Steps to Reproduce:
1. Download php.spec
2. Edit php.spec to enable OCI8
3. make

Actual results:
/home/../rpmbuild/BUILD/php-5.3.3/ext/oci8/oci8_interface.c: In function 'zif_oci_lob_load':
/home/../rpmbuild/BUILD/php-5.3.3/ext/oci8/oci8_interface.c:275: error: 'filename' undeclared (first use in this function)
/home/../rpmbuild/BUILD/php-5.3.3/ext/oci8/oci8_interface.c:275: error: (Each undeclared identifier is reported only once
/home/../rpmbuild/BUILD/php-5.3.3/ext/oci8/oci8_interface.c:275: error: for each function it appears in.)
/home/../rpmbuild/BUILD/php-5.3.3/ext/oci8/oci8_interface.c:275: error: 'filename_len' undeclared (first use in this function)


Expected results:
Clean build

Additional info:

There was a bit of a mixup in applying the patches for this CVE to the php tree.  The history can be seen here:

https://github.com/php/php-src/commits/PHP-5.3/ext/oci8/oci8_interface.c

Specifically, the breakage was added here:

https://github.com/php/php-src/commit/ce96fd6b0761d98353761bf78d5bfb55291179fd#diff-7c1deaf3f65d0a248a2aaf085e1f8f2cR280

And then fixed shortly after here:

https://github.com/php/php-src/commit/ff261853223f887fb1964e6c68080f903ca1de06

The patch needs to be altered, removing the chunk re function oci_lob_load, and _adding_ the chunk re function oci_lob_import.

https://github.com/php/php-src/blob/c8462df127c2ac21a71e6f6adba7bc3d08fb64bf/ext/oci8/oci8_interface.c#L246

Comment 2 Joe Orton 2014-01-16 11:58:52 UTC
Thanks John, your analysis looks correct there; sorry about that.  But note that we do not build the oci8 extension in the Red Hat Enterprise Linux binary RPMs, so we can not support this code as such.

We appreciate the feedback and look to use reports such as this to guide our efforts at improving our products. That being said, this bug tracking system is not a mechanism for requesting support, and we are not able to guarantee the timeliness or suitability of a resolution.

If this issue is critical or in any way time sensitive, please raise a ticket through your regular Red Hat support channels to make certain it receives the proper attention and prioritization to assure a timely resolution.

For information on how to contact the Red Hat production support team, please visit: https://www.redhat.com/support/process/production/#howto

Comment 3 John Vandenberg 2014-01-16 14:29:10 UTC
Thanks Joe.  It is not critical or time-sensitive on my part, as I have rectified the patch for my purposes.  I do appreciate OCI is not a supported extension in Red Hat EL; I raised the bug in case Red Hat wants to rectify the faulty CVE patch when the package is next updated due to a 'real' bug.

Comment 4 Martin Kalén 2014-02-09 21:08:23 UTC
Created attachment 861145 [details]
Patch to the CVE-2006-7243 patch

Patch to perform the suggested changes. Only changes the part of php-5.3.3-CVE-2006-7243.patch regarding ext/oci8/oci8_interface.c, according to previous comments in this bug. Tested on RHEL6.5 x86_64 with Oracle 11gR2 Instant Client Basic 11.2.0.4.0 x86_64.

Comment 5 Martin Kalén 2014-02-09 21:35:40 UTC
Comment on attachment 861145 [details]
Patch to the CVE-2006-7243 patch

Incorrect whitespace.

Comment 6 Martin Kalén 2014-02-09 21:53:07 UTC
Created attachment 861168 [details]
Patch to the CVE-2006-7243 patch

Patch to perform the suggested changes. Only changes the part of php-5.3.3-CVE-2006-7243.patch regarding ext/oci8/oci8_interface.c, according to previous comments in this bug. Tested on RHEL6.5 x86_64 with Oracle 11gR2 Instant Client Basic 11.2.0.4.0 x86_64.

Fixed whitespace in patch (sorry about that).

I understand that OCI8 is not supported by Red Hat and that it probably never will be due to the Oracle [Instant]Client dependency, but by applying the attached patch to your distributed version of php-5.3.3-CVE-2006-7243.patch it would be a big convenience to your users that do include OCI8 in a RHEL6 rebuild of PHP since it now compiles cleanly.

Comment 7 Tomas Hoger 2014-02-13 10:05:46 UTC
There is another problem with the patch in the odbc extension.  The change applied to RHEL-6 php packages is identical to what was applied upstream:

http://git.php.net/?p=php-src.git;a=commitdiff;h=ce96fd6#patch10

Added check does:

  if (strlen(tmp) != Z_STRLEN_PP(tmp)) {

while it should be:

  if (strlen(Z_STRVAL_PP(tmp)) != Z_STRLEN_PP(tmp)) {

Leading to a compile warning:

/builddir/build/BUILD/php-5.3.3/ext/odbc/php_odbc.c: In function 'zif_odbc_execute':
/builddir/build/BUILD/php-5.3.3/ext/odbc/php_odbc.c:1303: warning: passing argument 1 of 'strlen' from incompatible pointer type
/usr/include/string.h:399: note: expected 'const char *' but argument is of type 'struct zval **'

This issue was never fixed upstream in the 5.3 branch.  5.4 and later have a different check, using CHECK_ZVAL_NULL_PATH():

http://git.php.net/?p=php-src.git;a=commitdiff;h=32b5f8a#patch19
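
The length comparison discussed in comment 7, as an added example that is not part of the bug report or of PHP's source. struct str_val and the function names are hypothetical stand-ins for a PHP 5.3 string zval and the Z_STRVAL_PP()/Z_STRLEN_PP() macros, and the sample strings are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for a PHP 5.3 string zval: the byte length is
 * stored separately, so the buffer may legally contain '\0' bytes. */
struct str_val {
    const char *val;  /* what Z_STRVAL_PP(tmp) would yield */
    size_t len;       /* what Z_STRLEN_PP(tmp) would yield */
};

/* Corrected form of the check: strlen() runs over the character buffer.
 * It stops at the first '\0', so a mismatch with the stored length means
 * a NUL is embedded and C file APIs would see a truncated name. */
static int has_embedded_nul(struct str_val **tmp)
{
    return strlen((*tmp)->val) != (*tmp)->len;
}

/* What the uncorrected check measured: the bytes of the pointer slot that
 * tmp addresses, not the string. Bounded with memchr() here so the
 * demonstration stays defined; the result depends on the address only. */
static size_t pointer_slot_len(struct str_val **tmp)
{
    const void *nul = memchr((const void *)tmp, 0, sizeof *tmp);
    return nul ? (size_t)((const char *)nul - (const char *)tmp) : sizeof *tmp;
}

/* Constructed sample: returns 1 when both inputs are classified correctly. */
static int demo(void)
{
    static const char clean[] = "/tmp/data.txt";
    static const char cut[]   = "/tmp/data.txt\0tail"; /* 18 data bytes */
    struct str_val a = { clean, sizeof clean - 1 };
    struct str_val b = { cut, sizeof cut - 1 };
    struct str_val *pa = &a, *pb = &b;

    return !has_embedded_nul(&pa) && has_embedded_nul(&pb)
        && pointer_slot_len(&pa) <= sizeof pa;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

pointer_slot_len() never looks at the string, which is why the compiler's incompatible-pointer warning quoted above signals a check that does not test what it was meant to.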

Comment 12 Remi Collet 2014-05-22 13:23:52 UTC
(In reply to Tomas Hoger from comment #7)
> There is another problem with the patch in the odbc extension.  The change
> applied to RHEL-6 php packages is identical to what was applied upstream:
> 
> http://git.php.net/?p=php-src.git;a=commitdiff;h=ce96fd6#patch10
> 
> Added check does:
> 
>   if (strlen(tmp) != Z_STRLEN_PP(tmp)) {
> 
> while it should be:
> 
>   if (strlen(Z_STRVAL_PP(tmp)) != Z_STRLEN_PP(tmp)) {
> 


Fix also applied upstream
http://git.php.net/?p=php-src.git;a=commit;h=adc070ca995384e4de83fa3446c6dfcf946a3f50

Comment 14 errata-xmlrpc 2014-10-14 06:37:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1465.html

