141132 – CAN-2004-1019 information disclosure issues

Bug 141132 - CAN-2004-1019 information disclosure issues

Summary: CAN-2004-1019 information disclosure issues

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 3
Classification:	Red Hat
Component:	php
Sub Component:
Version:	3.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	---
Assignee:	Joe Orton
QA Contact:	David Lawrence
Docs Contact:
URL:
Whiteboard:	impact=important,public=20041215
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2004-11-29 15:45 UTC by Josh Bressers
Modified:	2007-11-30 22:07 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2004-12-21 18:54:54 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2004:687	0	high	SHIPPED_LIVE	Important: php security update	2004-12-21 05:00:00 UTC

Description Josh Bressers 2004-11-29 15:45:37 UTC

Stefan Esser has reported to vendor sec a number of information
disclosure issues in PHP.

http://cvs.php.net/diff.php/php-src/ext/standard/var_unserializer.re?r1=1.11.4.3&r2=1.11.4.4&ty=h
http://cvs.php.net/diff.php/php-src/ext/standard/var_unserializer.c?r1=1.18.4.8&r2=1.18.4.9&ty=h

This issue should also affect RHEL2.1


I'm marking this issue as security sensitive since the upstream
release announcing this fix.  We'll make this public when the rest of
the world knows about it.

Comment 1 Josh Bressers 2004-12-06 19:49:24 UTC

An additional issue has been added to this CVE id.


= CAN-2004-1019
[07] etx/standard/var_unserializer.c
      etx/standard/var_unserializer.re - reference to already freed array
                                         element

A reference to an already freed zvalue can lead to my special friend:
controlling a ZendHashTable incl. its destructor pointer. Due to the
Zend Memory Cache it is easy to create a string that when unserialize is
performed on it will result in cross platform jumping to a specifix EIP.
(NOTE: phpBB2 is more or less easily exploitable with this, PoC exists)

http://cvs.php.net/diff.php/php-src/ext/standard/var_unserializer.re?f=&r1=0&tr1=1.11.4.6&ty=h&r2=0&tr2=1.11.4.8

Credits: Stefan Esser

Comment 2 Mark J. Cox 2004-12-15 21:57:41 UTC

Removing embargo

Comment 5 none 2004-12-17 19:14:08 UTC

Hi,
here is the URL to the Security Advisory by Stefan Esser:
http://www.hardened-php.net/advisories/012004.txt

There are a few issues: CAN-2004-1018, CAN-2004-1019, CAN-2004-1064.

Some of them are critical, please check the advisory for the full info.

Will the new 'php' package fix all the issues?

Is there any ETA for it yet?

Thanks.

Comment 6 Mark J. Cox 2004-12-17 19:23:25 UTC

The RHEL3 update is currently being worked on with the fixes for:

CAN-2004-1065 - exif_read_data() overflow on long sectionname.
CAN-2004-1018 - shmop_write() out of bounds memory write access.
CAN-2004-1019 - possible information disclosure, double free etc
CAN-2004-1018 - integer overflow/underflow in pack() and unpack()

but not the fixes for:

NA: CAN-2004-1020 - addslashes not escaping \0 correctly.
 (only applies to 4.3.9)

NA: CAN-2004-1064 - arbitrary file access through path truncation.
 (only matters for threaded servers, we don't build PHP to support
  threads)

The fix for CAN-2004-1063 (one of the safe_mode things) is non-obvious
and looks risky, so is not included.

RHEL2.1 will have a different subset of fixes, to be determined.

The Security team rate the maximum severity of these issues as
Important impact.

Comment 7 Christopher McCrory 2004-12-17 21:22:50 UTC

Can we get an unofficial people.redhat.com/PATH rpm link for a pre
release build for local QA?

Comment 8 Joe Orton 2004-12-18 00:08:09 UTC

*Test* update packages are available (but unsupported) from:
http://people.redhat.com/jorton/Taroon-php/.

Comment 9 Kenneth Porter 2004-12-18 16:46:57 UTC

Possibly related bugs:

Bug 141135
Bug 142056
Bug 143101 (similar issues in 5.0 branch)

Comment 10 none 2004-12-21 10:26:32 UTC

The PHP vulnerabilities are already being exploited in the wild:
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=248046

This is really a critical issue for web hosting servers.

Is there any ETA for new php package release?

Thanks.

Comment 11 Mark J. Cox 2004-12-21 10:44:29 UTC

Updates for this issue are currently in QA and we hope to have them
available today.  

Two of the reported PHP issues could have a significant impact,
CAN-2004-1019, and CAN-2004-1065.

CAN-2004-1019 covers the flaws in the deserialisation code.  This can
be an issue if you've got (your own or third party) PHP applications
that use the unserialize function on untrusted user data.  A proof of
concept exploit as you mentioned exists that can dump memory out of
some third party PHP webapp.

CAN-2004-1065 covers flaws in the exif extension.  If you have a PHP
application that parses untrusted image files using the exif extension
then this could lead to a stack overflow.  It looks unlikely this
could lead to code execution on Fedora Core w/Exec-shield.

The remaining issues do not have a significant impact and would most
likely require a malicious PHP script in order to exploit.

Comment 12 Mark J. Cox 2004-12-21 18:54:54 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2004-687.html

Comment 13 Pekka Savola 2004-12-21 22:47:08 UTC

Any estimate on the progress of the RHEL 2.1 update?

Note You need to log in before you can comment on or make changes to this bug.