Bug 828051 - (CVE-2012-2688) CVE-2012-2688 php: Integer Signedness issues in _php_stream_scandir
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20120719,reported=2...
Keywords: Security
Depends On: 865986 958614 1037490 1037491
Blocks: 828053 855229 952520
Reported: 2012-06-04 02:59 EDT by Jan Lieskovsky
Modified: 2015-08-19 05:16 EDT (History)
See Also:
Fixed In Version: php 5.4.5, php 5.3.15
Doc Type: Bug Fix
Last Closed: 2013-12-11 05:33:21 EST
Description Jan Lieskovsky 2012-06-04 02:59:52 EDT
An integer signedness issue leading to a heap-based buffer overflow was found in the way PHP implemented its scandir() function. If scandir() was used to list files and directories from a directory containing a large number of files, it could cause PHP to crash or, under some conditions, execute arbitrary code with the permissions of the user running PHP.
Comment 3 Huzaifa S. Sidhpurwala 2012-06-08 05:33:48 EDT
Upstream commit for 5.3/5.4:

https://github.com/php/php-src/commit/fc74503792b1ee92e4b813690890f3ed38fa3ad5
Comment 4 Tomas Hoger 2012-06-08 05:36:38 EDT
(In reply to comment #3)
> https://github.com/php/php-src/commit/
> fc74503792b1ee92e4b813690890f3ed38fa3ad5

http://git.php.net/?p=php-src.git;a=commitdiff;h=fc74503792b1ee92e4b813690890f3ed38fa3ad5
Comment 8 Vincent Danen 2012-07-20 13:32:40 EDT
This is public and fixed in 5.4.5 and 5.3.15:

Fixed potential overflow in _php_stream_scandir (CVE-2012-2688)

(http://www.php.net/ChangeLog-5.php#5.3.15)
Comment 10 Vincent Danen 2012-07-23 10:38:17 EDT
Currently 5.3.15 and 5.4.5 are in testing for Fedora 16 and 17 respectively.
Comment 11 Eric Rich 2012-08-21 15:08:51 EDT
https://access.redhat.com/security/cve/CVE-2012-2688 states that a fix may be coming for this issue, but based on the comments in this bug I do not see any movement for any of the Red Hat provided packages. Is there any update that can be made?

I know of several RHEL customers who are looking for a fix to this issue.
Comment 12 Vincent Danen 2012-09-05 21:34:45 EDT
To clarify, because the description does not indicate the requisite number of files to trigger this flaw.

The number of files required in the directory that the PHP scan() function is run on is what PHP defines as INT_MAX, which is defined (in RHEL6):

main/php.h:229:#define INT_MAX 2147483647

That means you need to have more than 2,147,483,647 files in the directory being scanned for this to be a problem.

One way to mitigate this is to check, before adding or uploading files to this directory, how many are in it.  Set an upper limit of one million or even ten million files (I suspect this will cause severe performance issues before you even hit these limits), and refuse to add new files to the directory if the limit is reached, which will prevent any scripts from scanning them with too many files (although I do not believe it will be easy to get that number of files in a directory without someone noticing some severe performance degradation first).
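The directory-ceiling mitigation described in comment 12, written out as an added example (this is not code from the bug report, from PHP, or from Red Hat). The names `MAX_ENTRIES_PER_DIR`, `count_dir_entries` and `store_upload_guarded` are this example's own. The count uses `opendir()`/`readdir()` rather than `scandir()` so the check itself never builds an array proportional to the directory size, and it stops as soon as the ceiling is reached, so rejecting a huge directory costs at most `limit` iterations.

```php
<?php
// Added example: refuse to store a new file once the target directory
// holds MAX_ENTRIES_PER_DIR entries, keeping it far below the INT_MAX
// entry count at which the _php_stream_scandir overflow becomes reachable.

const MAX_ENTRIES_PER_DIR = 1000000; // one million, the figure from comment 12

/**
 * Count entries in $dir, stopping early once $stop_at is reached.
 * readdir() is used instead of scandir() so the count itself does not
 * allocate a list of every entry.
 */
function count_dir_entries(string $dir, int $stop_at): int
{
    $handle = opendir($dir);
    if ($handle === false) {
        throw new RuntimeException("cannot open directory: $dir");
    }
    $count = 0;
    try {
        while (($entry = readdir($handle)) !== false) {
            if ($entry === '.' || $entry === '..') {
                continue;
            }
            $count++;
            if ($count >= $stop_at) {
                break; // already at the ceiling; no need to read further
            }
        }
    } finally {
        closedir($handle);
    }
    return $count;
}

/**
 * Store $contents as $filename inside $dir only while the directory is
 * below $limit entries. Returns the stored path, or null if refused.
 * Assumption: $filename is already a sanitized basename; this example
 * does not validate it beyond basename().
 */
function store_upload_guarded(string $dir, string $filename, string $contents,
                              int $limit = MAX_ENTRIES_PER_DIR): ?string
{
    if (count_dir_entries($dir, $limit) >= $limit) {
        error_log("upload refused: $dir has reached $limit entries");
        return null;
    }
    $path = $dir . DIRECTORY_SEPARATOR . basename($filename);
    // 'x' mode fails if the file already exists, so nothing is silently overwritten.
    $fh = fopen($path, 'x');
    if ($fh === false) {
        return null;
    }
    fwrite($fh, $contents);
    fclose($fh);
    return $path;
}

// Self-contained demonstration on a temporary directory with a tiny ceiling
// (a constructed scenario; a real deployment keeps the limit large).
function demo(): void
{
    $tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'scandir_guard_' . getmypid();
    mkdir($tmp, 0700);
    $limit = 3;
    for ($i = 0; $i < 5; $i++) {
        $result = store_upload_guarded($tmp, "file$i.txt", "payload $i", $limit);
        echo "file$i.txt: " . ($result === null ? "refused (ceiling of $limit)" : "stored") . "\n";
    }
    // Three files are stored and two are refused.
    foreach (glob($tmp . DIRECTORY_SEPARATOR . '*') as $f) {
        unlink($f);
    }
    rmdir($tmp);
}

demo();
```

The count-then-write sequence is not atomic, so concurrent requests can overshoot the ceiling by roughly the number of simultaneous writers. That is acceptable here because the ceiling is a soft limit chosen with a margin of three orders of magnitude below the 2,147,483,647 entries that trigger the flaw; if an exact cap is needed, hold a lock (for example `flock()` on a per-directory sentinel file) around the check and the write.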
Comment 14 swat30 2012-11-26 14:59:13 EST
This bug is now being flagged as "high severity" in PCI-DSS. Running CentOS 6 and haven't seen this one fixed yet.
Comment 15 Jan Lieskovsky 2012-11-27 05:56:00 EST
(In reply to comment #14)
> This bug is now being flagged as "high severity" in PCI-DSS. Running CentOS
> 6 and haven't seen this one fixed yet.

See statement in c#9 of this bug / https://access.redhat.com/security/cve/CVE-2012-2688.
Comment 16 errata-xmlrpc 2013-02-21 05:14:09 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0514 https://rhn.redhat.com/errata/RHSA-2013-0514.html
Comment 20 errata-xmlrpc 2013-09-30 18:12:11 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1307 https://rhn.redhat.com/errata/RHSA-2013-1307.html
Comment 22 Huzaifa S. Sidhpurwala 2013-10-03 06:58:03 EDT
Statement:

(none)
Comment 25 errata-xmlrpc 2013-12-10 21:25:51 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1814 https://rhn.redhat.com/errata/RHSA-2013-1814.html