Bug 651682 (CVE-2010-4156) - CVE-2010-4156 php information disclosure via mb_strcut()
Summary: CVE-2010-4156 php information disclosure via mb_strcut()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-4156
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 649186 670439 670463 670464
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-11-10 04:51 UTC by Huzaifa S. Sidhpurwala
Modified: 2019-09-29 12:40 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-02-04 09:11:38 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0196 normal SHIPPED_LIVE Moderate: php53 security update 2011-02-03 19:16:54 UTC

Description Huzaifa S. Sidhpurwala 2010-11-10 04:51:48 UTC
An information disclosure flaw was found in the PHP mb_struct function.

mb_strcut() returns garbage when the following conditions are met:
1. The value specified to length parameter exceeds the length of the subject 
string.
2. mbstring.internal_encoding is set to some single-byte encoding.

The garbage may consist of uncleared part of the heap that has previously been 
used for some purpose, which could lead to unexpected information exposure.
This only affects PHP 5.3 and above.

This bug was originally reported to php upstream by Mateusz Kocielski.

Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4156 to
the above vulnerability

Upstream bugs:
http://bugs.php.net/bug.php?id=53273
http://bugs.php.net/bug.php?id=49354

Upstream patch:
http://svn.php.net/viewvc/?view=revision&revision=305214

References:
http://www.mandriva.com/en/security/advisories?name=MDVSA-2010:225
http://www.securityfocus.com/bid/44727
http://secunia.com/advisories/42135

Comment 1 Huzaifa S. Sidhpurwala 2010-11-10 04:57:17 UTC
Public PoC:

Test script:
---------------
<?php
$b = "bbbbbbbbbbb";
str_repeat("THIS IS A SECRET MESSAGE, ISN'T IT?", 1);
$var3 = mb_strcut($b, 0, 1000);
echo $var3;
?>


Expected result:
----------------
bbbbbbbbbbb

Actual result:
--------------
bbbbbbbbbbb??????D$Ј=m???=m?(?=m?`?=m??5<m??=m?THIS IS A SECRET MESSAGE, ISN'T 
IT??g?1@?=m?(?=m???=m?p?=m?var3

Comment 2 Huzaifa S. Sidhpurwala 2010-11-10 05:20:37 UTC
Created php tracking bugs for this issue

Affects: fedora-all [bug 649186]

Comment 4 Vincent Danen 2010-11-10 06:28:45 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4156 to
the following vulnerability:

Name: CVE-2010-4156
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4156
Assigned: 20101104
Reference: MLIST:[oss-security] 20101107 CVE Request: PHP 5.3.3, libmbfl, mb_strcut
Reference: URL: http://www.openwall.com/lists/oss-security/2010/11/07/2
Reference: MLIST:[oss-security] 20101108 Re: CVE Request: PHP 5.3.3, libmbfl, mb_strcut
Reference: URL: http://www.openwall.com/lists/oss-security/2010/11/08/13
Reference: MISC: http://pastie.org/1279428
Reference: MISC: http://pastie.org/1279682
Reference: BID:44727
Reference: URL: http://www.securityfocus.com/bid/44727
Reference: SECUNIA:42135
Reference: URL: http://secunia.com/advisories/42135

The mb_strcut function in Libmbfl 1.1.0, as used in PHP 5.3.x through
5.3.3, allows context-dependent attackers to obtain potentially
sensitive information via a large value of the third parameter (aka
the length parameter).

Comment 6 Tomas Hoger 2011-01-18 13:10:31 UTC
It seems this issue got introduced in the update of bundled libmbfl that happened between 5.3.2 and 5.3.3:

  http://svn.php.net/viewvc?view=revision&revision=296101

Comment 9 errata-xmlrpc 2011-02-03 19:17:08 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0196 https://rhn.redhat.com/errata/RHSA-2011-0196.html

Comment 10 Vincent Danen 2011-02-03 19:34:45 UTC
Statement:

This issue did not affect the version of php packages as shipped with Red Hat Enterprise Linux 4, 5 or 6.  It did affect the PHP 5.3 (php53) package on Red Hat Enterprise Linux 5.


Note You need to log in before you can comment on or make changes to this bug.