Bug 828051 (CVE-2012-2688) - CVE-2012-2688 php: Integer Signedness issues in _php_stream_scandir
Summary: CVE-2012-2688 php: Integer Signedness issues in _php_stream_scandir
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-2688
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 865986 958614 1037490 1037491
Blocks: 828053 855229 952520
 
Reported: 2012-06-04 06:59 UTC by Jan Lieskovsky
Modified: 2021-02-23 14:36 UTC (History)

Fixed In Version: php 5.4.5, php 5.3.15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-12-11 10:33:21 UTC




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0514 0 normal SHIPPED_LIVE Moderate: php security, bug fix and enhancement update 2013-02-20 21:29:20 UTC
Red Hat Product Errata RHSA-2013:1307 0 normal SHIPPED_LIVE Moderate: php53 security, bug fix and enhancement update 2013-10-01 00:31:22 UTC
Red Hat Product Errata RHSA-2013:1814 0 normal SHIPPED_LIVE Critical: php security update 2013-12-11 07:25:07 UTC

Description Jan Lieskovsky 2012-06-04 06:59:52 UTC
An integer signedness issue leading to a heap-based buffer overflow was found in the way PHP implemented its scandir() function. If scandir() was used to list files and directories from a directory containing a large number of files, it could cause PHP to crash or, under some conditions, execute arbitrary code with the permissions of the user running PHP.

Comment 3 Huzaifa S. Sidhpurwala 2012-06-08 09:33:48 UTC
Upstream commit for 5.3/5.4:

https://github.com/php/php-src/commit/fc74503792b1ee92e4b813690890f3ed38fa3ad5

Comment 4 Tomas Hoger 2012-06-08 09:36:38 UTC
(In reply to comment #3)
> https://github.com/php/php-src/commit/
> fc74503792b1ee92e4b813690890f3ed38fa3ad5

http://git.php.net/?p=php-src.git;a=commitdiff;h=fc74503792b1ee92e4b813690890f3ed38fa3ad5

Comment 8 Vincent Danen 2012-07-20 17:32:40 UTC
This is public and fixed in 5.4.5 and 5.3.15:

Fixed potential overflow in _php_stream_scandir (CVE-2012-2688)

(http://www.php.net/ChangeLog-5.php#5.3.15)

Comment 10 Vincent Danen 2012-07-23 14:38:17 UTC
Currently 5.3.15 and 5.4.5 are in testing for Fedora 16 and 17 respectively.

Comment 11 Eric Rich 2012-08-21 19:08:51 UTC
https://access.redhat.com/security/cve/CVE-2012-2688 states that a fix may be coming for this issue, but based on comments in this bug I do not see any movement for any of the Red Hat provided packages. Is there any update that can be made?

I know of several RHEL customers who are looking for a fix to this issue.

Comment 12 Vincent Danen 2012-09-06 01:34:45 UTC
To clarify, because the description does not indicate the requisite number of files to trigger this flaw.

The number of files required in the directory that the PHP scandir() function is run on is what PHP defines as INT_MAX, which is defined (in RHEL6):

main/php.h:229:#define INT_MAX 2147483647

That means you need to have more than 2,147,483,647 files in the directory being scanned for this to be a problem.

One way to mitigate this is to check, before adding or uploading files to this directory, how many are in it.  Set an upper limit of one million or even ten million files (I suspect this will cause severe performance issues before you even hit these limits), and refuse to add new files to the directory if the limit is reached, which will prevent any scripts from scanning them with too many files (although I do not believe it will be easy to get that number of files in a directory without someone noticing some severe performance degradation first).
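The mitigation from comment 12 (refuse to add files once a directory holds a set number of entries), as an added example; this is not code from the bug report or from PHP itself, and the function names and the one-million limit are assumptions:

```php
<?php
// Added example, not part of this bug report or of PHP's own code.
// Enforces an upper bound on the number of entries in a directory before a
// new file is stored there, so scandir() on that directory can never approach
// INT_MAX entries. Function names and the default limit are assumptions.

// Count entries with opendir()/readdir() rather than scandir(), so the count
// itself never builds a large in-memory array, and stop as soon as the limit
// is exceeded so the check stays cheap even on oversized directories.
function count_entries_up_to(string $dir, int $limit): int
{
    $handle = opendir($dir);
    if ($handle === false) {
        throw new RuntimeException("cannot open directory: $dir");
    }
    $count = 0;
    try {
        while (($entry = readdir($handle)) !== false) {
            if ($entry === '.' || $entry === '..') {
                continue;
            }
            if (++$count > $limit) {
                break; // already over the limit, no need to keep counting
            }
        }
    } finally {
        closedir($handle);
    }
    return $count;
}

// Store an uploaded file only while the directory is below $maxFiles entries.
// Returns true when the file was stored, false when the limit is reached.
function store_upload_bounded(string $tmpPath, string $dir, string $name, int $maxFiles = 1000000): bool
{
    if (count_entries_up_to($dir, $maxFiles) >= $maxFiles) {
        error_log("upload refused: $dir already holds $maxFiles or more entries");
        return false;
    }
    $dest = $dir . DIRECTORY_SEPARATOR . basename($name);
    return move_uploaded_file($tmpPath, $dest);
}
```

The count is linear in the directory size on every call, so on a busy upload directory it is worth caching the count or keeping it in a database and re-checking only periodically.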

Comment 14 swat30 2012-11-26 19:59:13 UTC
This bug is now being flagged as "high severity" in PCI-DSS. Running CentOS 6 and haven't seen this one fixed yet.

Comment 15 Jan Lieskovsky 2012-11-27 10:56:00 UTC
(In reply to comment #14)
> This bug is now being flagged as "high severity" in PCI-DSS. Running CentOS
> 6 and haven't seen this one fixed yet.

See statement in c#9 of this bug / https://access.redhat.com/security/cve/CVE-2012-2688.

Comment 16 errata-xmlrpc 2013-02-21 10:14:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0514 https://rhn.redhat.com/errata/RHSA-2013-0514.html

Comment 20 errata-xmlrpc 2013-09-30 22:12:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1307 https://rhn.redhat.com/errata/RHSA-2013-1307.html

Comment 22 Huzaifa S. Sidhpurwala 2013-10-03 10:58:03 UTC
Statement:

(none)

Comment 25 errata-xmlrpc 2013-12-11 02:25:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1814 https://rhn.redhat.com/errata/RHSA-2013-1814.html

