Bug 1547725 – CVE-2015-9253 php: Infinite loop in php-fpm when restarting a child using program execution function

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1547725 - (CVE-2015-9253) CVE-2015-9253 php: Infinite loop in php-fpm when restarting a child using program execution function

Summary:	CVE-2015-9253 php: Infinite loop in php-fpm when restarting a child using pro...

Status:	CLOSED NOTABUG

Aliases:	CVE-2015-9253

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20150803,repor...
Keywords:	Security

Depends On:	1547726
Blocks:	1547732
	Show dependency tree / graph

Reported:	2018-02-21 14:55 EST by Laura Pardo
Modified:	2018-02-27 03:23 EST (History)
CC List:	7 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2018-02-27 00:00:38 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Laura Pardo 2018-02-21 14:55:42 EST

An issue was discovered in PHP through 7.2.2. The php-fpm master process restarts a child process in an endless loop when using program execution functions (e.g., passthru, exec, shell_exec, or system) with a non-blocking STDIN stream. This allows a remote attacker to generate a DoS on Shared Hosting Services, performed by this php-fpm master process consuming 100% of the CPU and disk space with a large volume of error logs.


References:
https://bugs.php.net/bug.php?id=70185 [php 5.4]
https://bugs.php.net/bug.php?id=75968 [php 7.2]

Comment 1 Laura Pardo 2018-02-21 14:56:10 EST

Created php tracking bugs for this issue:

Affects: fedora-all [bug 1547726]

Comment 2 Huzaifa S. Sidhpurwala 2018-02-26 23:59:52 EST

Statement:

The Red Hat Product Security Team does not consider this issue as a security flaw because specially crafted PHP scripts (containing embedded operating system commands) are required to trigger this flaw.

Comment 3 cadonline 2018-02-27 03:23:10 EST

Correction to "containing embedded operating system commands": no embedded operating system commands are needed, only 2 php scripts are needed to CPU-DOS a shared hosting server without leaving a trace where the high load comes from, making it impossible to detect which hosting customer is to blame for.

copy from PHP Bug #75968:

Script 1:
<?php
stream_set_blocking(STDIN, false);
echo "Blah";
?>

Script 2:
<?php
passthru('/usr/bin/php /path/to/1.php');
?>

Note You need to log in before you can comment on or make changes to this bug.