During "software development" with Di Paola we found that the latest php5
stable version available for gentoo (5.1.6) is affected by a double
free in the htmlentities() function, commonly exposed to user input.

This is not bug #28067; it's already patched in ubuntu and debian but
triggerable under gentoo with this released and public poc:

http://downloads.securityfocus.com/vulnerabilities/exploits/20879.php

The author of the poc is Zarathu.

We added some UTF tests, including this one, to our software on 01/17/07;
the public poc is even older and today is 02/10/07, so probably somebody
hasn't noticed the bug/patch.

Glibc backtrace: http://rafb.net/p/b35aEl20.html

You can verify this by comparing the file

/var/tmp/portage/php-5.1.6-r6/work/php-5.1.6/ext/standard/html.c

with ext/standard/html.c of ubuntu with patches applied,

function php_escape_html_entities(), called by php_html_entities():

+- if (len + 9 > maxlen)
++ if (len + 16 > maxlen)
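Review bot: the new bound in `++ if (len + 16 > maxlen)` is a bare magic constant; a one-line comment stating what the 16 bytes cover (the largest fixed-size write that can happen before the next capacity check) would let a later reader verify the margin instead of trusting it, and would make it obvious when a change to the emitted sequences requires the constant to move again.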
28 |
.... |
29 |
+ if (matches_map) { |
30 |
++ int l = strlen(rep); |
31 |
++ /* increase the buffer size */ |
32 |
++ if (len + 2 + l >= maxlen) { |
33 |
++ replaced = erealloc(replaced, maxlen += 128); |
34 |
++ } |
35 |
++ |
36 |
+ replaced[len++] = '&'; |
37 |
+ strcpy(replaced + len, rep); |
38 |
+- len += strlen(rep); |
39 |
++ len += l; |
40 |
+ replaced[len++] = ';'; |
41 |
+ } |
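Review bot: the growth step at `++ replaced = erealloc(replaced, maxlen += 128);` adds a fixed 128 bytes after a single test of `len + 2 + l >= maxlen`, so the strcpy and the two single-byte writes that follow stay in bounds only while `l + 2 <= 128`. Entity names are far shorter than that, so the fix holds for the tables html.c ships, but growing by `maxlen += l + 128` (or looping until the test is false) would make the bound independent of the replacement table and of any future additions to it.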

Original code:

if (matches_map) {
    replaced[len++] = '&';
    strcpy(replaced + len, rep);
    len += strlen(rep);
    replaced[len++] = ';';
}
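The original branch above writes '&', the replacement string and ';' without checking that the output buffer can hold them, and the fix makes the growth check explicit. The following is an added example, not code from PHP's html.c, showing the same pattern written so that the capacity check is computed from the exact number of bytes the next write needs and grows the buffer in a loop rather than by one fixed increment. The names entity_for(), ensure_capacity(), escape_html_entities(), check_escape() and escaped_len_of_repeated_amp() are hypothetical; the small replacement table and the deliberately tiny initial buffer are constructed so that the growth path is exercised on realistic input.

```c
/* Added example (not from ext/standard/html.c): a minimal HTML entity
   escaper whose output buffer grows by exactly what the next replacement
   needs, instead of by a fixed increment after a single check. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical replacement table; html.c uses per-charset maps. */
static const char *entity_for(unsigned char c) {
    switch (c) {
    case '&':  return "amp";
    case '<':  return "lt";
    case '>':  return "gt";
    case '"':  return "quot";
    case '\'': return "#039";
    default:   return NULL;
    }
}

/* Make sure buf can hold len + need bytes plus a terminating NUL.
   Grows geometrically in a loop, so the bound does not depend on how
   long the longest replacement happens to be. Returns NULL on failure. */
static char *ensure_capacity(char *buf, size_t *maxlen, size_t len, size_t need) {
    if (len + need + 1 <= *maxlen)
        return buf;
    size_t want = *maxlen ? *maxlen : 16;
    while (want < len + need + 1)
        want *= 2;
    char *grown = realloc(buf, want);
    if (!grown)
        return NULL;
    *maxlen = want;
    return grown;
}

/* Escape old[0..oldlen) into a freshly allocated, NUL-terminated buffer.
   *newlen receives the output length. Caller frees the result. */
char *escape_html_entities(const char *old, size_t oldlen, size_t *newlen) {
    size_t maxlen = 16;   /* constructed: tiny on purpose to force growth */
    size_t len = 0;
    char *replaced = malloc(maxlen);
    if (!replaced)
        return NULL;
    for (size_t i = 0; i < oldlen; i++) {
        const char *rep = entity_for((unsigned char)old[i]);
        /* bytes the next write needs: '&' + name + ';' or a single byte */
        size_t need = rep ? strlen(rep) + 2 : 1;
        char *grown = ensure_capacity(replaced, &maxlen, len, need);
        if (!grown) {
            free(replaced);
            return NULL;
        }
        replaced = grown;
        if (rep) {
            size_t l = strlen(rep);
            replaced[len++] = '&';
            memcpy(replaced + len, rep, l);
            len += l;
            replaced[len++] = ';';
        } else {
            replaced[len++] = old[i];
        }
    }
    replaced[len] = '\0';
    if (newlen)
        *newlen = len;
    return replaced;
}

/* Escape `in`, compare against `expected`, free. Returns 1 on a match. */
int check_escape(const char *in, const char *expected) {
    size_t n = 0;
    char *out = escape_html_entities(in, strlen(in), &n);
    if (!out)
        return 0;
    int ok = (n == strlen(expected)) && strcmp(out, expected) == 0;
    free(out);
    return ok;
}

/* Escape a constructed run of `count` '&' characters, which expands 5x
   and forces many reallocations; returns the output length. */
size_t escaped_len_of_repeated_amp(size_t count) {
    char *in = malloc(count + 1);
    if (!in)
        return 0;
    memset(in, '&', count);
    in[count] = '\0';
    size_t n = 0;
    char *out = escape_html_entities(in, count, &n);
    free(in);
    free(out);
    return n;
}

int main(void) {
    int ok = check_escape("<a href=\"x\">&</a>",
                          "&lt;a href=&quot;x&quot;&gt;&amp;&lt;/a&gt;");
    printf("escape: %s\n", ok ? "ok" : "FAIL");
    printf("1000 x '&' -> %zu bytes\n", escaped_len_of_repeated_amp(1000));
    return ok ? 0 : 1;
}
```

The point of ensure_capacity() is that it is handed the exact number of bytes about to be written and keeps doubling until they fit, so adding a longer name to the table, or changing the bytes emitted around it, cannot silently reopen the overflow the way a fixed "+128" after one comparison can.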

Ubuntu (not vulnerable)

PHP 5.1.6 (cli) (built: Nov 2 2006 12:49:10)
Copyright (c) 1997-2006 The PHP Group
Zend Engine v2.1.0, Copyright (c) 1998-2006 Zend Technologies

Gentoo (vulnerable)

PHP 5.1.6-pl6-gentoo (cli) (built: Feb 9 2007 22:00:21)
Copyright (c) 1997-2006 The PHP Group
Zend Engine v2.1.0, Copyright (c) 1998-2006 Zend Technologies

Stripped comm between ubuntu and gentoo:
http://rafb.net/p/Bm2Qjb83.html

Gentoo involved functions
http://rafb.net/p/LmZCaL28.html
http://rafb.net/p/48UWl028.html

Gentoo patchset
http://rafb.net/p/und1hw52.html

Ubuntu involved functions (prior to patching)
http://rafb.net/p/chiQsJ98.html

Ubuntu/debian patch
http://rafb.net/p/kvvZGh68.html

Moral: this is patched in the official php 5.2 source tree and in
ubuntu/debian 5.1.6 but not in gentoo 5.1.6, so imho it could be a
nice idea to push out a new stable version (like additional patching for
5.1.6 or a release upgrade using the 5.2 sources).

Regards,
Francesco `ascii` Ongaro
http://www.ush.it/

Stefano `wisec` Di Paola
http://www.wisec.it/
--
gentoo-server@g.o mailing list