| 1 |
During "software development" with Di Paola we found that latest php5 |
| 2 |
stable version available for gentoo (5.1.6) is affected by a double |
| 3 |
free in the htmlentities() function, commonly exposed to user input. |
| 4 |
|
| 5 |
This is not bug #28067, it's already patched in ubuntu and debian but |
| 6 |
triggerable under gentoo with this released and public poc: |
| 7 |
|
| 8 |
http://downloads.securityfocus.com/vulnerabilities/exploits/20879.php |
| 9 |
|
| 10 |
The author of the poc is Zarathu. |
| 11 |
|
| 12 |
We added some UTF tests included this in to our software on 01/17/07, |
| 13 |
the public poc is even older and today is 02/10/07 so probably somebody |
| 14 |
hasn't noticed the bug/patch. |
| 15 |
|
| 16 |
Glibc backtrace http://rafb.net/p/b35aEl20.html |
| 17 |
|
| 18 |
You can verify this comparing the file |
| 19 |
|
| 20 |
/var/tmp/portage/php-5.1.6-r6/work/php-5.1.6/ext/standard/html.c |
| 21 |
|
| 22 |
with ext/standard/html.c of ubuntu with patches applied |
| 23 |
|
| 24 |
function php_escape_html_entities(), called by php_html_entities() |
| 25 |
|
| 26 |
+- if (len + 9 > maxlen) |
| 27 |
++ if (len + 16 > maxlen) |
| 28 |
.... |
| 29 |
+ if (matches_map) { |
| 30 |
++ int l = strlen(rep); |
| 31 |
++ /* increase the buffer size */ |
| 32 |
++ if (len + 2 + l >= maxlen) { |
| 33 |
++ replaced = erealloc(replaced, maxlen += 128); |
| 34 |
++ } |
| 35 |
++ |
| 36 |
+ replaced[len++] = '&'; |
| 37 |
+ strcpy(replaced + len, rep); |
| 38 |
+- len += strlen(rep); |
| 39 |
++ len += l; |
| 40 |
+ replaced[len++] = ';'; |
| 41 |
+ } |
| 42 |
|
| 43 |
Original code: |
| 44 |
|
| 45 |
if (matches_map) { |
| 46 |
replaced[len++] = '&'; |
| 47 |
strcpy(replaced + len, rep); |
| 48 |
len += strlen(rep); |
| 49 |
replaced[len++] = ';'; |
| 50 |
} |
| 51 |
|
| 52 |
Ubuntu (not vulnerable) |
| 53 |
|
| 54 |
PHP 5.1.6 (cli) (built: Nov 2 2006 12:49:10) |
| 55 |
Copyright (c) 1997-2006 The PHP Group |
| 56 |
Zend Engine v2.1.0, Copyright (c) 1998-2006 Zend Technologies |
| 57 |
|
| 58 |
Gentoo (vulnerable) |
| 59 |
|
| 60 |
PHP 5.1.6-pl6-gentoo (cli) (built: Feb 9 2007 22:00:21) |
| 61 |
Copyright (c) 1997-2006 The PHP Group |
| 62 |
Zend Engine v2.1.0, Copyright (c) 1998-2006 Zend Technologies |
| 63 |
|
| 64 |
Stripped comm between ubuntu and gentoo: |
| 65 |
http://rafb.net/p/Bm2Qjb83.html |
| 66 |
|
| 67 |
Gentoo involved functions |
| 68 |
http://rafb.net/p/LmZCaL28.html |
| 69 |
http://rafb.net/p/48UWl028.html |
| 70 |
|
| 71 |
Gentoo pathcset |
| 72 |
http://rafb.net/p/und1hw52.html |
| 73 |
|
| 74 |
Ubuntu involved functions (prior patching) |
| 75 |
http://rafb.net/p/chiQsJ98.html |
| 76 |
|
| 77 |
Ubuntu/debian pathc |
| 78 |
http://rafb.net/p/kvvZGh68.html |
| 79 |
|
| 80 |
Moral: this is patched in the official php 5.2 source tree and in |
| 81 |
ubuntu/debian 5.1.6 but not in gentoo 5.1.6 so imho it could be a |
| 82 |
nice idea to push out a new stable version (like additional patching for |
| 83 |
5.1.6 or a release upgrade using the 5.2 sources). |
| 84 |
|
| 85 |
Regards, |
| 86 |
Francesco `ascii` Ongaro |
| 87 |
http://www.ush.it/ |
| 88 |
|
| 89 |
Stefano `wisec` Di Paola |
| 90 |
http://www.wisec.it/ |
| 91 |
-- |
| 92 |
gentoo-server@g.o mailing list |
Archives