Date: Tue, 18 Nov 2008 13:22:09 +0100
From: Jille Timmermans <jille@quis.cx>
To: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Cc: freebsd-security@freebsd.org, FreeBSD-gnats-submit@freebsd.org
Subject: Re: ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6
Message-ID: <4922B371.6070002@quis.cx>
In-Reply-To: <20081118103433.38D5817115@shadow.codelabs.ru>
References: <20081118103433.38D5817115@shadow.codelabs.ru>
I think there is a typo in the vuxml descriptions: "PHP 4.4.x before 4.4.9 and PHP 5.6 through 5.2.6" (PHP 5.6 doesn't exist (yet))

-- Jille

Eygene Ryabinkin wrote:
>> Number: 128956
>> Category: ports
>> Synopsis: [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6
>> Confidential: no
>> Severity: serious
>> Priority: high
>> Responsible: freebsd-ports-bugs
>> State: open
>> Quarter:
>> Keywords:
>> Date-Required:
>> Class: sw-bug
>> Submitter-Id: current-users
>> Arrival-Date: Tue Nov 18 10:40:00 UTC 2008
>> Closed-Date:
>> Last-Modified:
>> Originator: Eygene Ryabinkin
>> Release: FreeBSD 7.1-PRERELEASE amd64
>> Organization:
> Code Labs
>> Environment:
> System: FreeBSD 7.1-PRERELEASE amd64
>> Description:
> There are some vulnerabilities in the stock PHP 5.2.6 that were silently
> fixed in the CVS, but after 5.2.6 was out.
>> How-To-Repeat:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2829
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660
>> Fix:
> The following patches should fix all three issues. I had mildly
> tested them in my setups.
> --- 5.2.6_2-to-5.2.6_3-fix-cve-2008-3659.3660.diff begins here --- > diff -urN ./Makefile ../php5/Makefile > --- ./Makefile 2008-11-18 11:49:16.000000000 +0300 > +++ ../php5/Makefile 2008-11-18 11:49:27.000000000 +0300 > @@ -7,7 +7,7 @@ > > PORTNAME= php5 > PORTVERSION= 5.2.6 > -PORTREVISION?= 2 > +PORTREVISION?= 3 > CATEGORIES?= lang devel www > MASTER_SITES= ${MASTER_SITE_PHP} > MASTER_SITE_SUBDIR= distributions > diff -urN ./files/patch-CVE-2008-3659 ../php5/files/patch-CVE-2008-3659 > --- ./files/patch-CVE-2008-3659 1970-01-01 03:00:00.000000000 +0300 > +++ ../php5/files/patch-CVE-2008-3659 2008-11-18 11:49:55.000000000 +0300 
> @@ -0,0 +1,27 @@ > +Patch for CVE-2008-3659. > + > +Obtained from: http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_operators.h?r1=1.94.2.4.2.11&r2=1.94.2.4.2.12&view=patch > +See also: http://news.php.net/php.cvs/52002 > +See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659 > + > +--- Zend/zend_operators.h 2007/12/31 07:20:03 1.94.2.4.2.11 > ++++ Zend/zend_operators.h 2008/08/05 20:11:17 1.94.2.4.2.12 > +@@ -17,7 +17,7 @@ > + +----------------------------------------------------------------------+ > + */ > + > +-/* $Id: zend_operators.h,v 1.94.2.4.2.11 2007/12/31 07:20:03 sebastian Exp $ */ > ++/* $Id: zend_operators.h,v 1.94.2.4.2.12 2008/08/05 20:11:17 stas Exp $ */ > + > + #ifndef ZEND_OPERATORS_H > + #define ZEND_OPERATORS_H > +@@ -220,6 +220,9 @@ > + char *p = haystack; > + char ne = needle[needle_len-1]; > + > ++ if(needle_len > end-haystack) { > ++ return NULL; > ++ } > + end -= needle_len; > + > + while (p <= end) { > diff -urN ./files/patch-CVE-2008-3660 ../php5/files/patch-CVE-2008-3660 > --- ./files/patch-CVE-2008-3660 1970-01-01 03:00:00.000000000 +0300 > +++ ../php5/files/patch-CVE-2008-3660 2008-11-18 12:15:23.000000000 +0300 
> @@ -0,0 +1,82 @@ > +Patch for CVE-2008-3660 > + > +Obtained from: http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/cgi_main.c?r1=1.267.2.15.2.57&r2=1.267.2.15.2.58&view=patch > +See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660 > +See also: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499987 > +Notes: removed 'Id' hunk and reapplied this patch for the php-5.2.6 > + > +--- sapi/cgi/cgi_main.c.orig 2008-04-09 13:16:40.000000000 +0400 > ++++ sapi/cgi/cgi_main.c 2008-11-18 12:08:10.000000000 +0300 > +@@ -765,6 +765,39 @@ > + } > + /* }}} */ > + > ++/* {{{ is_valid_path > ++ * > ++ * some server configurations allow '..' to slip through in the > ++ * translated path. We'll just refuse to handle such a path. > ++ */ > ++static int is_valid_path(const char *path) > ++{ > ++ const char *p; > ++ > ++ if (!path) { > ++ return 0; > ++ } > ++ p = strstr(path, ".."); > ++ if (p) { > ++ if ((p == path || IS_SLASH(*(p-1))) && > ++ (*(p+2) == 0 || IS_SLASH(*(p+2)))) { > ++ return 0; > ++ } > ++ while (1) { > ++ p = strstr(p+1, ".."); > ++ if (!p) { > ++ break; > ++ } > ++ if (IS_SLASH(*(p-1)) && > ++ (*(p+2) == 0 || IS_SLASH(*(p+2)))) { > ++ return 0; > ++ } > ++ } > ++ } > ++ return 1; > ++} > ++/* }}} */ > ++ > + /* {{{ init_request_info > + > + initializes request_info structure > +@@ -1061,9 +1094,7 @@ > + if (pt) { > + efree(pt); > + } > +- /* some server configurations allow '..' to slip through in the > +- translated path. We'll just refuse to handle such a path. */ > +- if (script_path_translated && !strstr(script_path_translated, "..")) { > ++ if (is_valid_path(script_path_translated)) { > + SG(request_info).path_translated = estrdup(script_path_translated); > + } > + } else { > +@@ -1094,9 +1125,7 @@ > + } else { > + SG(request_info).request_uri = env_script_name; > + } > +- /* some server configurations allow '..' to slip through in the > +- translated path. We'll just refuse to handle such a path. 
*/ > +- if (script_path_translated && !strstr(script_path_translated, "..")) { > ++ if (is_valid_path(script_path_translated)) { > + SG(request_info).path_translated = estrdup(script_path_translated); > + } > + free(real_path); > +@@ -1114,9 +1143,7 @@ > + script_path_translated = env_path_translated; > + } > + #endif > +- /* some server configurations allow '..' to slip through in the > +- translated path. We'll just refuse to handle such a path. */ > +- if (script_path_translated && !strstr(script_path_translated, "..")) { > ++ if (is_valid_path(script_path_translated)) { > + SG(request_info).path_translated = estrdup(script_path_translated); > + } > + #if ENABLE_PATHINFO_CHECK > --- 5.2.6_2-to-5.2.6_3-fix-cve-2008-3659.3660.diff ends here --- > > --- imap-5.2.6_2-to-5.2.6_3-fix-cve-2008-2829.diff begins here --- > diff -urN ./files/patch-CVE-2008-2829 ../php5-imap/files/patch-CVE-2008-2829 > --- ./files/patch-CVE-2008-2829 1970-01-01 03:00:00.000000000 +0300 > +++ ../php5-imap/files/patch-CVE-2008-2829 2008-11-18 13:20:19.000000000 +0300 
> @@ -0,0 +1,282 @@ > +Fix for CVE-2008-2829 > + > +Obtained from: http://cvs.php.net/viewvc.cgi/php-src/ext/imap/php_imap.c?r1=1.259&r2=1.260&view=patch > +Notes: reapplied to php-5.6.2, skipped 'Id' hunk and modified hunk marked > + '-3213,7 +3214,7'. > + > +--- php_imap.c.orig 2008-04-17 15:04:49.000000000 +0400 > ++++ php_imap.c 2008-11-18 13:03:02.000000000 +0300 > +@@ -40,6 +40,7 @@ > + #include "ext/standard/php_string.h" > + #include "ext/standard/info.h" > + #include "ext/standard/file.h" > ++#include "ext/standard/php_smart_str.h" > + > + #ifdef ERROR > + #undef ERROR > +@@ -66,10 +67,11 @@ > + #define SENDBUFLEN 16385 > + #endif > + > ++ > + static void _php_make_header_object(zval *myzvalue, ENVELOPE *en TSRMLS_DC); > + static void _php_imap_add_body(zval *arg, BODY *body TSRMLS_DC); > +-static void _php_imap_parse_address(ADDRESS *addresslist, char **fulladdress, zval *paddress TSRMLS_DC); > +-static int _php_imap_address_size(ADDRESS *addresslist); > ++static char* _php_imap_parse_address(ADDRESS *addresslist, zval *paddress TSRMLS_DC); > ++static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC); > + > + /* the gets we use */ > + static char *php_mail_gets(readfn_t f, void *stream, unsigned long size, GETS_DATA *md); > +@@ -2109,7 +2111,7 @@ > + { > + zval **mailbox, **host, **personal; > + ADDRESS *addr; > +- char string[MAILTMPLEN]; > ++ char *string; > + > + if (ZEND_NUM_ARGS() != 3 || zend_get_parameters_ex(3, &mailbox, &host, &personal) == FAILURE) { > + ZEND_WRONG_PARAM_COUNT(); > +@@ -2137,13 +2139,12 @@ > + addr->error=NIL; > + addr->adl=NIL; > + > +- if (_php_imap_address_size(addr) >= MAILTMPLEN) { > ++ string = _php_rfc822_write_address(addr TSRMLS_CC); > ++ if (string) { > ++ RETVAL_STRING(string, 0); > ++ } else { > + RETURN_FALSE; > + } > +- > +- string[0]='\0'; > +- rfc822_write_address(string, addr); > +- RETVAL_STRING(string, 1); > + } > + /* }}} */ > + > +@@ -2873,7 +2874,7 @@ > + zval **streamind, **sequence, 
**pflags; > + pils *imap_le_struct; > + zval *myoverview; > +- char address[MAILTMPLEN]; > ++ char *address; > + long status, flags=0L; > + int myargc = ZEND_NUM_ARGS(); > + > +@@ -2908,17 +2909,19 @@ > + if (env->subject) { > + add_property_string(myoverview, "subject", env->subject, 1); > + } > +- if (env->from && _php_imap_address_size(env->from) < MAILTMPLEN) { > ++ if (env->from) { > + env->from->next=NULL; > +- address[0] = '\0'; > +- rfc822_write_address(address, env->from); > +- add_property_string(myoverview, "from", address, 1); > ++ address =_php_rfc822_write_address(env->from TSRMLS_CC); > ++ if (address) { > ++ add_property_string(myoverview, "from", address, 0); > ++ } > + } > +- if (env->to && _php_imap_address_size(env->to) < MAILTMPLEN) { > ++ if (env->to) { > + env->to->next = NULL; > +- address[0] = '\0'; > +- rfc822_write_address(address, env->to); > +- add_property_string(myoverview, "to", address, 1); > ++ address = _php_rfc822_write_address(env->to TSRMLS_CC); > ++ if (address) { > ++ add_property_string(myoverview, "to", address, 0); > ++ } > + } > + if (env->date) { > + add_property_string(myoverview, "date", env->date, 1); > +@@ -3858,6 +3861,43 @@ > + /* }}} */ > + > + /* Support Functions */ > ++ > ++#ifdef HAVE_RFC822_OUTPUT_ADDRESS_LIST > ++/* {{{ _php_rfc822_soutr > ++ */ > ++static long _php_rfc822_soutr (void *stream, char *string) > ++{ > ++ smart_str *ret = (smart_str*)stream; > ++ int len = strlen(string); > ++ > ++ smart_str_appendl(ret, string, len); > ++ return LONGT; > ++} > ++ > ++/* }}} */ > ++ > ++/* {{{ _php_rfc822_write_address > ++ */ > ++static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC) > ++{ > ++ char address[MAILTMPLEN]; > ++ smart_str ret = {0}; > ++ RFC822BUFFER buf; > ++ > ++ buf.beg = address; > ++ buf.cur = buf.beg; > ++ buf.end = buf.beg + sizeof(address) - 1; > ++ buf.s = &ret; > ++ buf.f = _php_rfc822_soutr; > ++ rfc822_output_address_list(&buf, addresslist, 0, NULL); > ++ 
rfc822_output_flush(&buf); > ++ smart_str_0(&ret); > ++ return ret.c; > ++} > ++/* }}} */ > ++ > ++#else > ++ > + /* {{{ _php_imap_get_address_size > + */ > + static int _php_imap_address_size (ADDRESS *addresslist) > +@@ -3887,26 +3927,33 @@ > + > + /* }}} */ > + > ++/* {{{ _php_rfc822_write_address > ++ */ > ++static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC) > ++{ > ++ char address[SENDBUFLEN]; > + > ++ if (_php_imap_address_size(addresslist) >= SENDBUFLEN) { > ++ php_error_docref(NULL TSRMLS_CC, E_ERROR, "Address buffer overflow"); > ++ return NULL; > ++ } > ++ address[0] = 0; > ++ rfc822_write_address(address, addresslist); > ++ return estrdup(address); > ++} > ++/* }}} */ > ++#endif > + /* {{{ _php_imap_parse_address > + */ > +-static void _php_imap_parse_address (ADDRESS *addresslist, char **fulladdress, zval *paddress TSRMLS_DC) > ++static char* _php_imap_parse_address (ADDRESS *addresslist, zval *paddress TSRMLS_DC) > + { > ++ char *fulladdress; > + ADDRESS *addresstmp; > + zval *tmpvals; > +- char *tmpstr; > +- int len=0; > + > + addresstmp = addresslist; > + > +- if ((len = _php_imap_address_size(addresstmp))) { > +- tmpstr = (char *) pemalloc(len + 1, 1); > +- tmpstr[0] = '\0'; > +- rfc822_write_address(tmpstr, addresstmp); > +- *fulladdress = tmpstr; > +- } else { > +- *fulladdress = NULL; > +- } > ++ fulladdress = _php_rfc822_write_address(addresstmp TSRMLS_CC); > + > + addresstmp = addresslist; > + do { > +@@ -3918,6 +3965,7 @@ > + if (addresstmp->host) add_property_string(tmpvals, "host", addresstmp->host, 1); > + add_next_index_object(paddress, tmpvals TSRMLS_CC); > + } while ((addresstmp = addresstmp->next)); > ++ return fulladdress; > + } > + /* }}} */ > + > +@@ -3944,10 +3992,9 @@ > + if (en->to) { > + MAKE_STD_ZVAL(paddress); > + array_init(paddress); > +- _php_imap_parse_address(en->to, &fulladdress, paddress TSRMLS_CC); > ++ fulladdress = _php_imap_parse_address(en->to, paddress TSRMLS_CC); > + if (fulladdress) { > +- 
add_property_string(myzvalue, "toaddress", fulladdress, 1); > +- free(fulladdress); > ++ add_property_string(myzvalue, "toaddress", fulladdress, 0); > + } > + add_assoc_object(myzvalue, "to", paddress TSRMLS_CC); > + } > +@@ -3955,10 +4002,9 @@ > + if (en->from) { > + MAKE_STD_ZVAL(paddress); > + array_init(paddress); > +- _php_imap_parse_address(en->from, &fulladdress, paddress TSRMLS_CC); > ++ fulladdress = _php_imap_parse_address(en->from, paddress TSRMLS_CC); > + if (fulladdress) { > +- add_property_string(myzvalue, "fromaddress", fulladdress, 1); > +- free(fulladdress); > ++ add_property_string(myzvalue, "fromaddress", fulladdress, 0); > + } > + add_assoc_object(myzvalue, "from", paddress TSRMLS_CC); > + } > +@@ -3966,10 +4012,9 @@ > + if (en->cc) { > + MAKE_STD_ZVAL(paddress); > + array_init(paddress); > +- _php_imap_parse_address(en->cc, &fulladdress, paddress TSRMLS_CC); > ++ fulladdress = _php_imap_parse_address(en->cc, paddress TSRMLS_CC); > + if (fulladdress) { > +- add_property_string(myzvalue, "ccaddress", fulladdress, 1); > +- free(fulladdress); > ++ add_property_string(myzvalue, "ccaddress", fulladdress, 0); > + } > + add_assoc_object(myzvalue, "cc", paddress TSRMLS_CC); > + } > +@@ -3977,10 +4022,9 @@ > + if (en->bcc) { > + MAKE_STD_ZVAL(paddress); > + array_init(paddress); > +- _php_imap_parse_address(en->bcc, &fulladdress, paddress TSRMLS_CC); > ++ fulladdress = _php_imap_parse_address(en->bcc, paddress TSRMLS_CC); > + if (fulladdress) { > +- add_property_string(myzvalue, "bccaddress", fulladdress, 1); > +- free(fulladdress); > ++ add_property_string(myzvalue, "bccaddress", fulladdress, 0); > + } > + add_assoc_object(myzvalue, "bcc", paddress TSRMLS_CC); > + } > +@@ -3988,10 +4032,9 @@ > + if (en->reply_to) { > + MAKE_STD_ZVAL(paddress); > + array_init(paddress); > +- _php_imap_parse_address(en->reply_to, &fulladdress, paddress TSRMLS_CC); > ++ fulladdress = _php_imap_parse_address(en->reply_to, paddress TSRMLS_CC); > + if (fulladdress) { > +- 
add_property_string(myzvalue, "reply_toaddress", fulladdress, 1); > +- free(fulladdress); > ++ add_property_string(myzvalue, "reply_toaddress", fulladdress, 0); > + } > + add_assoc_object(myzvalue, "reply_to", paddress TSRMLS_CC); > + } > +@@ -3999,10 +4042,9 @@ > + if (en->sender) { > + MAKE_STD_ZVAL(paddress); > + array_init(paddress); > +- _php_imap_parse_address(en->sender, &fulladdress, paddress TSRMLS_CC); > ++ fulladdress = _php_imap_parse_address(en->sender, paddress TSRMLS_CC); > + if (fulladdress) { > +- add_property_string(myzvalue, "senderaddress", fulladdress, 1); > +- free(fulladdress); > ++ add_property_string(myzvalue, "senderaddress", fulladdress, 0); > + } > + add_assoc_object(myzvalue, "sender", paddress TSRMLS_CC); > + } > +@@ -4010,10 +4052,9 @@ > + if (en->return_path) { > + MAKE_STD_ZVAL(paddress); > + array_init(paddress); > +- _php_imap_parse_address(en->return_path, &fulladdress, paddress TSRMLS_CC); > ++ fulladdress = _php_imap_parse_address(en->return_path, paddress TSRMLS_CC); > + if (fulladdress) { > +- add_property_string(myzvalue, "return_pathaddress", fulladdress, 1); > +- free(fulladdress); > ++ add_property_string(myzvalue, "return_pathaddress", fulladdress, 0); > + } > + add_assoc_object(myzvalue, "return_path", paddress TSRMLS_CC); > + } > --- imap-5.2.6_2-to-5.2.6_3-fix-cve-2008-2829.diff ends here --- > > I assume that they all will go in one shot, so the following VuXML > entries use 5.2.6_3 as the first version where issues were fixed. 
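Review bot: the Makefile hunk (`-PORTREVISION?= 2` / `+PORTREVISION?= 3`) is the only revision bump in either diff; the imap diff adds `files/patch-CVE-2008-2829` to php5-imap but carries no Makefile change, so the `<lt>5.2.6_3</lt>` range for php5-imap in the VuXML only holds if the slave port inherits the master's `PORTREVISION?= 3`. Say so in the PR (the "go in one shot" sentence hints at it) or bump php5-imap explicitly, otherwise a package built with the new patch file but the old revision is reported as still vulnerable.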
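Review bot: in the zend_operators.h hunk the early `return NULL` for `needle_len > end-haystack` is placed correctly, before `end -= needle_len`: after the subtraction `end - haystack` no longer equals the haystack length, and for a needle longer than the haystack `end` would be moved in front of `haystack`, a state the following `while (p <= end)` loop and its `end - p` arithmetic were never written to handle. A needle exactly as long as the haystack still passes and reaches the loop once, which is right. Style only: the surrounding code writes `while (p <= end)` with a space, so `if(needle_len` should read `if (needle_len`.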
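Review bot: the `is_valid_path` hunk narrows the rejection from any `..` substring to `..` as a whole path component (at the start of the string or after a slash, and followed by end of string or a slash), which is what lets `foo..php` through while `../x` and `a/../x` are still refused. The `if (!path) return 0;` guard preserves the old `script_path_translated &&` test that the call sites drop. `IS_SLASH(*(p-1))` inside the loop is safe only because `strstr(p+1, "..")` returns a pointer at or past `path+1`, which it does; a one-line comment saying so would keep a later edit from reordering it. The function only examines literal `..` components, exactly what the removed comment claimed, so its comment should not promise more than that.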
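Review bot: the three call-site hunks (1061, 1094 and 1114) replace three identical copies of the comment plus `strstr` test with `is_valid_path(script_path_translated)`, so the checks can no longer drift apart; behaviour for a missing `script_path_translated` is unchanged since the NULL test moved into the helper and `path_translated` is still left unset. Add a line to the patch header that these are the only three callers, so a fourth copy is not overlooked when the patch is re-applied to a later 5.2.x.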
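Review bot: the `Notes:` line in the imap patch header says the change was "reapplied to php-5.6.2"; the file name (`5.2.6_2-to-5.2.6_3`) and the port version say 5.2.6, so this is the same transposition Jille points out in the VuXML text. Fix it in `files/patch-CVE-2008-2829` before commit, since that header is what the next updater reads.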
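Review bot: the prototype hunk at 66 drops the `_php_imap_address_size` declaration while the function itself survives only inside the `#else` branch added at 3858, so with `HAVE_RFC822_OUTPUT_ADDRESS_LIST` defined it is not compiled at all. The two callers visible in this diff (2137 and 2908) are removed; confirm there is no other caller left in php_imap.c, or the c-client-with-`rfc822_output_address_list` build breaks.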
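Review bot: in the smart_str `_php_rfc822_write_address` (hunk at 3858) the `MAILTMPLEN` array is now only the staging buffer of `RFC822BUFFER`, and `_php_rfc822_soutr` flushes it into the `smart_str`, so the output length is no longer bounded by a stack array, which is the substance of the CVE-2008-2829 fix. Minor: `int len = strlen(string)` should be `size_t`, and the function comment should state that it returns emalloc'd memory and may return NULL, since every caller added in this diff (`if (string)`, `if (address)`, `if (fulladdress)`) relies on both.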
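Review bot: in the `#else` `_php_rfc822_write_address` (hunk at 3887), `php_error_docref(NULL TSRMLS_CC, E_ERROR, "Address buffer overflow")` aborts the request, so the `return NULL` after it is unreachable and the callers' NULL handling is only ever exercised in the smart_str build. If the intent is a non-fatal refusal, which is what the callers are written for, use E_WARNING; if a fatal error is intended, drop the dead return and say so in the comment.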
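Review bot: the ownership changes spread over the 2137, 2908 and 3944 through 4010 hunks (`RETVAL_STRING(string, 0)`, `add_property_string(..., 0)`, the removed `free(fulladdress)`) are consistent with the new allocator: both branches of `_php_rfc822_write_address` return emalloc'd memory (`smart_str` or `estrdup`), whereas the old `_php_imap_parse_address` used `pemalloc(len + 1, 1)` and `free()`, so the zval now takes ownership instead of copying. One sentence in the patch header on this would stop someone re-adding a `free()` or flipping a `0` back to `1` when merging.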
> --- cve-2008-2829.xml begins here ---
> <vuln vid="">
>   <topic>PHP 5.x -- Denial of Service and possible arbitrary code execution in the IMAP extension</topic>
>   <affects>
>     <package>
>       <name>php5-imap</name>
>       <range><lt>5.2.6_3</lt></range>
>     </package>
>   </affects>
>   <description>
>     <body xmlns="http://www.w3.org/1999/xhtml">
>       <p>Entry for CVE-2008-2829 says:</p>
>       <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2829">
>         <p>php_imap.c in PHP 5.2.5, 5.2.6, 4.x, and other versions, uses
>         obsolete API calls that allow context-dependent attackers to
>         cause a denial of service (crash) and possibly execute arbitrary
>         code via a long IMAP request, which triggers an "rfc822.c legacy
>         routine buffer overflow" error message.</p>
>       </blockquote>
>     </body>
>   </description>
>   <references>
>     <cvename>CVE-2008-2829</cvename>
>     <url>http://bugs.php.net/bug.php?id=42862</url>
>     <url>http://bugs.php.net/bug.php?id=40925</url>
>     <url>http://cvs.php.net/viewvc.cgi/php-src/ext/imap/php_imap.c?view=log#rev1.260</url>
>   </references>
>   <dates>
>     <discovery>2008-06-19</discovery>
>   </dates>
> </vuln>
> --- cve-2008-2829.xml ends here ---
>
> --- cve-2008-3659.xml begins here ---
> <vuln vid="">
>   <topic>PHP 5.x -- buffer overflow in the memnstr()</topic>
>   <affects>
>     <package>
>       <name>php5</name>
>       <range><lt>5.2.6_3</lt></range>
>     </package>
>   </affects>
>   <description>
>     <body xmlns="http://www.w3.org/1999/xhtml">
>       <p>Entry for CVE-2008-3659 says:</p>
>       <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659">
>         <p>Buffer overflow in the memnstr function in PHP 4.4.x before
>         4.4.9 and PHP 5.6 through 5.2.6 allows context-dependent
>         attackers to cause a denial of service (crash) and possibly
>         execute arbitrary code via the delimiter argument to the explode
>         function.</p>
>         <p>NOTE: the scope of this issue is limited since most
>         applications would not use an attacker-controlled delimiter, but
>         local attacks against safe_mode are feasible.</p>
>       </blockquote>
>     </body>
>   </description>
>   <references>
>     <cvename>CVE-2008-3659</cvename>
>     <url>http://news.php.net/php.cvs/52002</url>
>     <url>http://www.openwall.com/lists/oss-security/2008/08/08/2</url>
>   </references>
>   <dates>
>     <discovery>2008-08-05</discovery>
>   </dates>
> </vuln>
> --- cve-2008-3659.xml ends here ---
>
> --- cve-2008-3660.xml begins here ---
> <vuln vid="">
>   <topic>PHP 5.x -- Denial of Service in the FastCGI mode</topic>
>   <affects>
>     <package>
>       <name>php5</name>
>       <range><lt>5.2.6_3</lt></range>
>     </package>
>   </affects>
>   <description>
>     <body xmlns="http://www.w3.org/1999/xhtml">
>       <p>Entry for CVE-2008-3660 says:</p>
>       <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660">
>         <p>PHP 4.4.x before 4.4.9 and PHP 5.6 through 5.2.6, when used
>         as a FastCGI module, allows remote attackers to cause a denial
>         of service (crash) via a request with multiple dots preceding
>         the extension, as demonstrated using foo..php.</p>
>       </blockquote>
>     </body>
>   </description>
>   <references>
>     <cvename>CVE-2008-3660</cvename>
>     <url>http://news.php.net/php.cvs/51129</url>
>     <url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499987</url>
>   </references>
>   <dates>
>     <discovery>2008-07-15</discovery>
>   </dates>
> </vuln>
> --- cve-2008-3660.xml ends here ---
>> Release-Note:
>> Audit-Trail:
>> Unformatted: