Eygene Ryabinkin
2008-Nov-18 02:40 UTC
ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6
>Number:         128956
>Category:       ports
>Synopsis:       [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 18 10:40:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE amd64
>Description:
There are some vulnerabilities in the stock PHP 5.2.6 that were silently fixed in the CVS, but after 5.2.6 was out.
>How-To-Repeat:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2829
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660
>Fix:
The following patches should fix all three issues. I had mildly tested them in my setups.

--- 5.2.6_2-to-5.2.6_3-fix-cve-2008-3659.3660.diff begins here --- diff -urN ./Makefile ../php5/Makefile --- ./Makefile 2008-11-18 11:49:16.000000000 +0300 +++ ../php5/Makefile 2008-11-18 11:49:27.000000000 +0300 @@ -7,7 +7,7 @@ PORTNAME= php5 PORTVERSION= 5.2.6 -PORTREVISION?= 2 +PORTREVISION?= 3 CATEGORIES?= lang devel www MASTER_SITES= ${MASTER_SITE_PHP} MASTER_SITE_SUBDIR= distributions diff -urN ./files/patch-CVE-2008-3659 ../php5/files/patch-CVE-2008-3659 --- ./files/patch-CVE-2008-3659 1970-01-01 03:00:00.000000000 +0300 +++ ../php5/files/patch-CVE-2008-3659 2008-11-18 11:49:55.000000000 +0300
@@ -0,0 +1,27 @@ +Patch for CVE-2008-3659. + +Obtained from: http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_operators.h?r1=1.94.2.4.2.11&r2=1.94.2.4.2.12&view=patch +See also: http://news.php.net/php.cvs/52002 +See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659 + +--- Zend/zend_operators.h 2007/12/31 07:20:03 1.94.2.4.2.11 ++++ Zend/zend_operators.h 2008/08/05 20:11:17 1.94.2.4.2.12 +@@ -17,7 +17,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: zend_operators.h,v 1.94.2.4.2.11 2007/12/31 07:20:03 sebastian Exp $ */ ++/* $Id: zend_operators.h,v 1.94.2.4.2.12 2008/08/05 20:11:17 stas Exp $ */ + + #ifndef ZEND_OPERATORS_H + #define ZEND_OPERATORS_H +@@ -220,6 +220,9 @@ + char *p = haystack; + char ne = needle[needle_len-1]; + ++ if(needle_len > end-haystack) { ++ return NULL; ++ } + end -= needle_len; + + while (p <= end) { diff -urN ./files/patch-CVE-2008-3660 ../php5/files/patch-CVE-2008-3660 --- ./files/patch-CVE-2008-3660 1970-01-01 03:00:00.000000000 +0300 +++ ../php5/files/patch-CVE-2008-3660 2008-11-18 12:15:23.000000000 +0300 
@@ -0,0 +1,82 @@ +Patch for CVE-2008-3660 + +Obtained from: http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/cgi_main.c?r1=1.267.2.15.2.57&r2=1.267.2.15.2.58&view=patch +See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660 +See also: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499987 +Notes: removed 'Id' hunk and reapplied this patch for the php-5.2.6 + +--- sapi/cgi/cgi_main.c.orig 2008-04-09 13:16:40.000000000 +0400 ++++ sapi/cgi/cgi_main.c 2008-11-18 12:08:10.000000000 +0300 +@@ -765,6 +765,39 @@ + } + /* }}} */ + ++/* {{{ is_valid_path ++ * ++ * some server configurations allow '..' to slip through in the ++ * translated path. We'll just refuse to handle such a path. ++ */ ++static int is_valid_path(const char *path) ++{ ++ const char *p; ++ ++ if (!path) { ++ return 0; ++ } ++ p = strstr(path, ".."); ++ if (p) { ++ if ((p == path || IS_SLASH(*(p-1))) && ++ (*(p+2) == 0 || IS_SLASH(*(p+2)))) { ++ return 0; ++ } ++ while (1) { ++ p = strstr(p+1, ".."); ++ if (!p) { ++ break; ++ } ++ if (IS_SLASH(*(p-1)) && ++ (*(p+2) == 0 || IS_SLASH(*(p+2)))) { ++ return 0; ++ } ++ } ++ } ++ return 1; ++} ++/* }}} */ ++ + /* {{{ init_request_info + + initializes request_info structure +@@ -1061,9 +1094,7 @@ + if (pt) { + efree(pt); + } +- /* some server configurations allow '..' to slip through in the +- translated path. We'll just refuse to handle such a path. */ +- if (script_path_translated && !strstr(script_path_translated, "..")) { ++ if (is_valid_path(script_path_translated)) { + SG(request_info).path_translated = estrdup(script_path_translated); + } + } else { +@@ -1094,9 +1125,7 @@ + } else { + SG(request_info).request_uri = env_script_name; + } +- /* some server configurations allow '..' to slip through in the +- translated path. We'll just refuse to handle such a path. 
*/ +- if (script_path_translated && !strstr(script_path_translated, "..")) { ++ if (is_valid_path(script_path_translated)) { + SG(request_info).path_translated = estrdup(script_path_translated); + } + free(real_path); +@@ -1114,9 +1143,7 @@ + script_path_translated = env_path_translated; + } + #endif +- /* some server configurations allow '..' to slip through in the +- translated path. We'll just refuse to handle such a path. */ +- if (script_path_translated && !strstr(script_path_translated, "..")) { ++ if (is_valid_path(script_path_translated)) { + SG(request_info).path_translated = estrdup(script_path_translated); + } + #if ENABLE_PATHINFO_CHECK --- 5.2.6_2-to-5.2.6_3-fix-cve-2008-3659.3660.diff ends here --- --- imap-5.2.6_2-to-5.2.6_3-fix-cve-2008-2829.diff begins here --- diff -urN ./files/patch-CVE-2008-2829 ../php5-imap/files/patch-CVE-2008-2829 --- ./files/patch-CVE-2008-2829 1970-01-01 03:00:00.000000000 +0300 +++ ../php5-imap/files/patch-CVE-2008-2829 2008-11-18 13:20:19.000000000 +0300 
@@ -0,0 +1,282 @@ +Fix for CVE-2008-2829 + +Obtained from: http://cvs.php.net/viewvc.cgi/php-src/ext/imap/php_imap.c?r1=1.259&r2=1.260&view=patch +Notes: reapplied to php-5.6.2, skipped 'Id' hunk and modified hunk marked + '-3213,7 +3214,7'. + +--- php_imap.c.orig 2008-04-17 15:04:49.000000000 +0400 ++++ php_imap.c 2008-11-18 13:03:02.000000000 +0300 +@@ -40,6 +40,7 @@ + #include "ext/standard/php_string.h" + #include "ext/standard/info.h" + #include "ext/standard/file.h" ++#include "ext/standard/php_smart_str.h" + + #ifdef ERROR + #undef ERROR +@@ -66,10 +67,11 @@ + #define SENDBUFLEN 16385 + #endif + ++ + static void _php_make_header_object(zval *myzvalue, ENVELOPE *en TSRMLS_DC); + static void _php_imap_add_body(zval *arg, BODY *body TSRMLS_DC); +-static void _php_imap_parse_address(ADDRESS *addresslist, char **fulladdress, zval *paddress TSRMLS_DC); +-static int _php_imap_address_size(ADDRESS *addresslist); ++static char* _php_imap_parse_address(ADDRESS *addresslist, zval *paddress TSRMLS_DC); ++static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC); + + /* the gets we use */ + static char *php_mail_gets(readfn_t f, void *stream, unsigned long size, GETS_DATA *md); +@@ -2109,7 +2111,7 @@ + { + zval **mailbox, **host, **personal; + ADDRESS *addr; +- char string[MAILTMPLEN]; ++ char *string; + + if (ZEND_NUM_ARGS() != 3 || zend_get_parameters_ex(3, &mailbox, &host, &personal) == FAILURE) { + ZEND_WRONG_PARAM_COUNT(); +@@ -2137,13 +2139,12 @@ + addr->error=NIL; + addr->adl=NIL; + +- if (_php_imap_address_size(addr) >= MAILTMPLEN) { ++ string = _php_rfc822_write_address(addr TSRMLS_CC); ++ if (string) { ++ RETVAL_STRING(string, 0); ++ } else { + RETURN_FALSE; + } +- +- string[0]='\0'; +- rfc822_write_address(string, addr); +- RETVAL_STRING(string, 1); + } + /* }}} */ + +@@ -2873,7 +2874,7 @@ + zval **streamind, **sequence, **pflags; + pils *imap_le_struct; + zval *myoverview; +- char address[MAILTMPLEN]; ++ char *address; + long status, flags=0L; + 
int myargc = ZEND_NUM_ARGS(); + +@@ -2908,17 +2909,19 @@ + if (env->subject) { + add_property_string(myoverview, "subject", env->subject, 1); + } +- if (env->from && _php_imap_address_size(env->from) < MAILTMPLEN) { ++ if (env->from) { + env->from->next=NULL; +- address[0] = '\0'; +- rfc822_write_address(address, env->from); +- add_property_string(myoverview, "from", address, 1); ++ address =_php_rfc822_write_address(env->from TSRMLS_CC); ++ if (address) { ++ add_property_string(myoverview, "from", address, 0); ++ } + } +- if (env->to && _php_imap_address_size(env->to) < MAILTMPLEN) { ++ if (env->to) { + env->to->next = NULL; +- address[0] = '\0'; +- rfc822_write_address(address, env->to); +- add_property_string(myoverview, "to", address, 1); ++ address = _php_rfc822_write_address(env->to TSRMLS_CC); ++ if (address) { ++ add_property_string(myoverview, "to", address, 0); ++ } + } + if (env->date) { + add_property_string(myoverview, "date", env->date, 1); +@@ -3858,6 +3861,43 @@ + /* }}} */ + + /* Support Functions */ ++ ++#ifdef HAVE_RFC822_OUTPUT_ADDRESS_LIST ++/* {{{ _php_rfc822_soutr ++ */ ++static long _php_rfc822_soutr (void *stream, char *string) ++{ ++ smart_str *ret = (smart_str*)stream; ++ int len = strlen(string); ++ ++ smart_str_appendl(ret, string, len); ++ return LONGT; ++} ++ ++/* }}} */ ++ ++/* {{{ _php_rfc822_write_address ++ */ ++static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC) ++{ ++ char address[MAILTMPLEN]; ++ smart_str ret = {0}; ++ RFC822BUFFER buf; ++ ++ buf.beg = address; ++ buf.cur = buf.beg; ++ buf.end = buf.beg + sizeof(address) - 1; ++ buf.s = &ret; ++ buf.f = _php_rfc822_soutr; ++ rfc822_output_address_list(&buf, addresslist, 0, NULL); ++ rfc822_output_flush(&buf); ++ smart_str_0(&ret); ++ return ret.c; ++} ++/* }}} */ ++ ++#else ++ + /* {{{ _php_imap_get_address_size + */ + static int _php_imap_address_size (ADDRESS *addresslist) +@@ -3887,26 +3927,33 @@ + + /* }}} */ + ++/* {{{ _php_rfc822_write_address ++ */ 
++static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC) ++{ ++ char address[SENDBUFLEN]; + ++ if (_php_imap_address_size(addresslist) >= SENDBUFLEN) { ++ php_error_docref(NULL TSRMLS_CC, E_ERROR, "Address buffer overflow"); ++ return NULL; ++ } ++ address[0] = 0; ++ rfc822_write_address(address, addresslist); ++ return estrdup(address); ++} ++/* }}} */ ++#endif + /* {{{ _php_imap_parse_address + */ +-static void _php_imap_parse_address (ADDRESS *addresslist, char **fulladdress, zval *paddress TSRMLS_DC) ++static char* _php_imap_parse_address (ADDRESS *addresslist, zval *paddress TSRMLS_DC) + { ++ char *fulladdress; + ADDRESS *addresstmp; + zval *tmpvals; +- char *tmpstr; +- int len=0; + + addresstmp = addresslist; + +- if ((len = _php_imap_address_size(addresstmp))) { +- tmpstr = (char *) pemalloc(len + 1, 1); +- tmpstr[0] = '\0'; +- rfc822_write_address(tmpstr, addresstmp); +- *fulladdress = tmpstr; +- } else { +- *fulladdress = NULL; +- } ++ fulladdress = _php_rfc822_write_address(addresstmp TSRMLS_CC); + + addresstmp = addresslist; + do { +@@ -3918,6 +3965,7 @@ + if (addresstmp->host) add_property_string(tmpvals, "host", addresstmp->host, 1); + add_next_index_object(paddress, tmpvals TSRMLS_CC); + } while ((addresstmp = addresstmp->next)); ++ return fulladdress; + } + /* }}} */ + +@@ -3944,10 +3992,9 @@ + if (en->to) { + MAKE_STD_ZVAL(paddress); + array_init(paddress); +- _php_imap_parse_address(en->to, &fulladdress, paddress TSRMLS_CC); ++ fulladdress = _php_imap_parse_address(en->to, paddress TSRMLS_CC); + if (fulladdress) { +- add_property_string(myzvalue, "toaddress", fulladdress, 1); +- free(fulladdress); ++ add_property_string(myzvalue, "toaddress", fulladdress, 0); + } + add_assoc_object(myzvalue, "to", paddress TSRMLS_CC); + } +@@ -3955,10 +4002,9 @@ + if (en->from) { + MAKE_STD_ZVAL(paddress); + array_init(paddress); +- _php_imap_parse_address(en->from, &fulladdress, paddress TSRMLS_CC); ++ fulladdress = 
_php_imap_parse_address(en->from, paddress TSRMLS_CC); + if (fulladdress) { +- add_property_string(myzvalue, "fromaddress", fulladdress, 1); +- free(fulladdress); ++ add_property_string(myzvalue, "fromaddress", fulladdress, 0); + } + add_assoc_object(myzvalue, "from", paddress TSRMLS_CC); + } +@@ -3966,10 +4012,9 @@ + if (en->cc) { + MAKE_STD_ZVAL(paddress); + array_init(paddress); +- _php_imap_parse_address(en->cc, &fulladdress, paddress TSRMLS_CC); ++ fulladdress = _php_imap_parse_address(en->cc, paddress TSRMLS_CC); + if (fulladdress) { +- add_property_string(myzvalue, "ccaddress", fulladdress, 1); +- free(fulladdress); ++ add_property_string(myzvalue, "ccaddress", fulladdress, 0); + } + add_assoc_object(myzvalue, "cc", paddress TSRMLS_CC); + } +@@ -3977,10 +4022,9 @@ + if (en->bcc) { + MAKE_STD_ZVAL(paddress); + array_init(paddress); +- _php_imap_parse_address(en->bcc, &fulladdress, paddress TSRMLS_CC); ++ fulladdress = _php_imap_parse_address(en->bcc, paddress TSRMLS_CC); + if (fulladdress) { +- add_property_string(myzvalue, "bccaddress", fulladdress, 1); +- free(fulladdress); ++ add_property_string(myzvalue, "bccaddress", fulladdress, 0); + } + add_assoc_object(myzvalue, "bcc", paddress TSRMLS_CC); + } +@@ -3988,10 +4032,9 @@ + if (en->reply_to) { + MAKE_STD_ZVAL(paddress); + array_init(paddress); +- _php_imap_parse_address(en->reply_to, &fulladdress, paddress TSRMLS_CC); ++ fulladdress = _php_imap_parse_address(en->reply_to, paddress TSRMLS_CC); + if (fulladdress) { +- add_property_string(myzvalue, "reply_toaddress", fulladdress, 1); +- free(fulladdress); ++ add_property_string(myzvalue, "reply_toaddress", fulladdress, 0); + } + add_assoc_object(myzvalue, "reply_to", paddress TSRMLS_CC); + } +@@ -3999,10 +4042,9 @@ + if (en->sender) { + MAKE_STD_ZVAL(paddress); + array_init(paddress); +- _php_imap_parse_address(en->sender, &fulladdress, paddress TSRMLS_CC); ++ fulladdress = _php_imap_parse_address(en->sender, paddress TSRMLS_CC); + if (fulladdress) { +- 
add_property_string(myzvalue, "senderaddress", fulladdress, 1); +- free(fulladdress); ++ add_property_string(myzvalue, "senderaddress", fulladdress, 0); + } + add_assoc_object(myzvalue, "sender", paddress TSRMLS_CC); + } +@@ -4010,10 +4052,9 @@ + if (en->return_path) { + MAKE_STD_ZVAL(paddress); + array_init(paddress); +- _php_imap_parse_address(en->return_path, &fulladdress, paddress TSRMLS_CC); ++ fulladdress = _php_imap_parse_address(en->return_path, paddress TSRMLS_CC); + if (fulladdress) { +- add_property_string(myzvalue, "return_pathaddress", fulladdress, 1); +- free(fulladdress); ++ add_property_string(myzvalue, "return_pathaddress", fulladdress, 0); + } + add_assoc_object(myzvalue, "return_path", paddress TSRMLS_CC); + } --- imap-5.2.6_2-to-5.2.6_3-fix-cve-2008-2829.diff ends here ---

I assume that they all will go in one shot, so the following VuXML entries use 5.2.6_3 as the first version where issues were fixed.

--- cve-2008-2829.xml begins here ---
<vuln vid="">
  <topic>PHP 5.x -- Denial of Service and possible arbitrary code execution in the IMAP extension</topic>
  <affects>
    <package>
      <name>php5-imap</name>
      <range><lt>5.2.6_3</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Entry for CVE-2008-2829 says:</p>
      <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2829">
        <p>php_imap.c in PHP 5.2.5, 5.2.6, 4.x, and other versions, uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long IMAP request, which triggers an "rfc822.c legacy routine buffer overflow" error message.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2008-2829</cvename>
    <url>http://bugs.php.net/bug.php?id=42862</url>
    <url>http://bugs.php.net/bug.php?id=40925</url>
    <url>http://cvs.php.net/viewvc.cgi/php-src/ext/imap/php_imap.c?view=log#rev1.260</url>
  </references>
  <dates>
    <discovery>2008-06-19</discovery>
  </dates>
</vuln>
--- cve-2008-2829.xml ends here ---

--- cve-2008-3659.xml begins here ---
<vuln vid="">
  <topic>PHP 5.x -- buffer overflow in the memnstr()</topic>
  <affects>
    <package>
      <name>php5</name>
      <range><lt>5.2.6_3</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Entry for CVE-2008-3659 says:</p>
      <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659">
        <p>Buffer overflow in the memnstr function in PHP 4.4.x before 4.4.9 and PHP 5.6 through 5.2.6 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via the delimiter argument to the explode function.</p>
        <p>NOTE: the scope of this issue is limited since most applications would not use an attacker-controlled delimiter, but local attacks against safe_mode are feasible.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2008-3659</cvename>
    <url>http://news.php.net/php.cvs/52002</url>
    <url>http://www.openwall.com/lists/oss-security/2008/08/08/2</url>
  </references>
  <dates>
    <discovery>2008-08-05</discovery>
  </dates>
</vuln>
--- cve-2008-3659.xml ends here ---

--- cve-2008-3660.xml begins here ---
<vuln vid="">
  <topic>PHP 5.x -- Denial of Service in the FastCGI mode</topic>
  <affects>
    <package>
      <name>php5</name>
      <range><lt>5.2.6_3</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Entry for CVE-2008-3660 says:</p>
      <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660">
        <p>PHP 4.4.x before 4.4.9 and PHP 5.6 through 5.2.6, when used as a FastCGI module, allows remote attackers to cause a denial of service (crash) via a request with multiple dots preceding the extension, as demonstrated using foo..php.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2008-3660</cvename>
    <url>http://news.php.net/php.cvs/51129</url>
    <url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499987</url>
  </references>
  <dates>
    <discovery>2008-07-15</discovery>
  </dates>
</vuln>
--- cve-2008-3660.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
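Review bot: the Makefile hunk bumps only lang/php5 (`-PORTREVISION?= 2` / `+PORTREVISION?= 3`), while the imap diff adds files/patch-CVE-2008-2829 and bumps nothing; because `?=` is a conditional assignment that a slave port's own PORTREVISION overrides, check that php5-imap really ends up as 5.2.6_3, since that is the `<lt>5.2.6_3</lt>` bound the cve-2008-2829.xml entry depends on, and bump the slave port in the same diff if it does not.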
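Review bot: patch-CVE-2008-3659 carries the `$Id: zend_operators.h,v 1.94.2.4.2.11` to `1.94.2.4.2.12` hunk, whereas the other two port patches state that they dropped theirs ("removed 'Id' hunk", "skipped 'Id' hunk"); drop it here as well, because it contributes nothing to the fix and is the only hunk that can fail to apply if the keyword line in the distfile differs from the CVS one. The fix proper is fine: `if(needle_len > end-haystack) return NULL;` sits before `end -= needle_len;`, so `end` can no longer be moved in front of `haystack`.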
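Review bot: is_valid_path() replaces the blanket `!strstr(script_path_translated, "..")` test at the three call sites (hunks at -1061, -1094 and -1114) with a check for a whole `..` component, so a translated path such as foo..php now gets `path_translated` set instead of being left unset; the header only says "reapplied this patch for the php-5.2.6", so add one sentence that this relaxes the old check rather than tightening it, or the next reader will take it for a traversal hardening. Dropping the `script_path_translated &&` guard at the call sites is safe because is_valid_path() returns 0 on a NULL path.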
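Review bot: the header line `+Notes: reapplied to php-5.6.2, skipped 'Id' hunk` names a version that does not exist and contradicts `PORTVERSION= 5.2.6`; it should read php-5.2.6.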
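Review bot: the `#ifdef HAVE_RFC822_OUTPUT_ADDRESS_LIST` split in the Support Functions hunk has no matching definition anywhere in this diff (it touches only files/patch-CVE-2008-2829, no config.m4 or Makefile), so unless the port's configure already probes for rfc822_output_address_list() the build silently compiles the `#else` branch, the fixed SENDBUFLEN buffer with a size pre-check, and never the callback-driven `_php_rfc822_soutr` writer; say in the patch header which branch the ports build gets, or carry the configure test along.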
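Review bot: in the `#else` `_php_rfc822_write_address()`, `php_error_docref(NULL TSRMLS_CC, E_ERROR, "Address buffer overflow")` is fatal, so the following `return NULL` is unreachable and an over-long address in a fetched header still aborts the request (cleanly now, instead of overrunning a stack buffer); every caller in this patch already tolerates NULL (`if (string)`, `if (address)`, `if (fulladdress)`), so E_WARNING would reduce what is left of the denial of service to one missing property.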
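The guard in patch-CVE-2008-3659 is easier to reason about with the whole function in front of you. The block below is an added example, not code from this PR or from PHP: it transcribes zend_memnstr() as PHP 5.2 has it, with the hunk's `if(needle_len > end-haystack)` check in place, and drives it through an explode()-style splitter with a delimiter longer than the input, the case the CVE text describes. The loop body beyond the hunk's visible context is reconstructed from the 5.2 Zend engine and is an assumption; find_offset() and count_pieces() are hypothetical helpers written for this example.

```c
#include <stdio.h>
#include <string.h>

/* Transcription of Zend's zend_memnstr() from PHP 5.2 with the
 * CVE-2008-3659 guard inserted where the hunk puts it.  Only the guard
 * and the lines around it are visible in the hunk; the rest of the loop
 * is reconstructed from the 5.2 Zend engine (assumption).  `end` points
 * one past the last haystack byte, which is how explode() calls it. */
static char *memnstr_patched(const char *haystack, const char *needle,
                             int needle_len, const char *end)
{
    const char *p = haystack;
    char ne = needle[needle_len - 1];

    /* The guard: a needle longer than what is left of the haystack can
     * never match, so return before `end -= needle_len` would place
     * `end` in front of `haystack`, which C leaves undefined. */
    if (needle_len > end - haystack) {
        return NULL;
    }
    end -= needle_len;

    while (p <= end) {
        p = memchr(p, *needle, (size_t)(end - p + 1));
        if (p && ne == p[needle_len - 1]) {
            if (!memcmp(needle, p, (size_t)(needle_len - 1))) {
                return (char *)p;
            }
        }
        if (p == NULL) {
            return NULL;
        }
        p++;
    }
    return NULL;
}

/* Hypothetical helper: byte offset of the first `needle` in `haystack`,
 * or -1 when absent.  An empty needle is refused, as explode() does. */
static long find_offset(const char *haystack, const char *needle)
{
    size_t nlen = strlen(needle);
    const char *hit;

    if (nlen == 0) {
        return -1;
    }
    hit = memnstr_patched(haystack, needle, (int)nlen,
                          haystack + strlen(haystack));
    return hit ? (long)(hit - haystack) : -1;
}

/* Hypothetical helper: how many pieces explode() would return for an
 * attacker-chosen delimiter; the delimiter-longer-than-input case is
 * the one the CVE is about.  Returns -1 for an empty delimiter. */
static int count_pieces(const char *str, const char *delim)
{
    int dlen = (int)strlen(delim);
    const char *end = str + strlen(str);
    const char *p = str, *q;
    int n = 1;

    if (dlen == 0) {
        return -1;
    }
    while ((q = memnstr_patched(p, delim, dlen, end)) != NULL) {
        n++;
        p = q + dlen;
    }
    return n;
}

int main(void)
{
    printf("explode('::', 'a::b::c') -> %d pieces\n",
           count_pieces("a::b::c", "::"));
    printf("explode('abcd', 'abc')   -> %d piece, guard returned NULL\n",
           count_pieces("abc", "abcd"));
    return 0;
}
```

Without the guard, the same call would compute `end = haystack - 1` and then compare `p <= end`, a comparison between a pointer into the buffer and one outside it that the C standard does not define; with it, a delimiter longer than the input is a plain "no match".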
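To see what the CVE-2008-3660 change actually accepts and refuses, the following added example (not part of the PR or of PHP) puts the removed one-line check next to the is_valid_path() the hunk introduces and runs both over sample translated paths, including the foo..php name from the CVE text. IS_SLASH is assumed to be the POSIX definition (only '/'); old_check() and verdicts_differ() are hypothetical helpers written for this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: a POSIX build, where PHP's IS_SLASH() only knows '/'. */
#define IS_SLASH(c) ((c) == '/')

/* Hypothetical helper reproducing the test the hunk removes: any ".."
 * anywhere in the translated path was refused, so a script really
 * called foo..php was refused too. */
static int old_check(const char *path)
{
    return path != NULL && strstr(path, "..") == NULL;
}

/* The replacement from the hunk, transcribed unchanged: only a complete
 * ".." component (start of string or after a slash, and end of string
 * or before a slash) is refused. */
static int is_valid_path(const char *path)
{
    const char *p;

    if (!path) {
        return 0;
    }
    p = strstr(path, "..");
    if (p) {
        if ((p == path || IS_SLASH(*(p-1))) &&
            (*(p+2) == 0 || IS_SLASH(*(p+2)))) {
            return 0;
        }
        while (1) {
            p = strstr(p+1, "..");
            if (!p) {
                break;
            }
            if (IS_SLASH(*(p-1)) &&
                (*(p+2) == 0 || IS_SLASH(*(p+2)))) {
                return 0;
            }
        }
    }
    return 1;
}

/* Hypothetical helper: 1 when the old and new checks disagree on `path`. */
static int verdicts_differ(const char *path)
{
    return old_check(path) != is_valid_path(path);
}

int main(void)
{
    /* Constructed sample translated paths. */
    static const char *samples[] = {
        "/srv/www/foo..php",          /* the CVE's example: served now   */
        "/srv/www/../etc/passwd",     /* traversal component: refused    */
        "../index.php",               /* leading component: refused      */
        "/srv/www/.../x.php",         /* literal "..." directory: served */
        "/srv/www/a..b/c.php",        /* dots inside a name: served      */
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("%-26s old=%d new=%d%s\n", samples[i],
               old_check(samples[i]), is_valid_path(samples[i]),
               verdicts_differ(samples[i]) ? "  <- behaviour changed" : "");
    }
    return 0;
}
```

Only the first sample flips: the paths that carry a real `..` component are refused by both versions, while names that merely contain two consecutive dots stop being rejected.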
miwi@FreeBSD.org
2008-Nov-18 03:50 UTC
ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6
Synopsis: [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6

Responsible-Changed-From-To: freebsd-ports-bugs->miwi
Responsible-Changed-By: miwi
Responsible-Changed-When: Tue Nov 18 11:50:28 UTC 2008
Responsible-Changed-Why:
I'll take it.

http://www.freebsd.org/cgi/query-pr.cgi?pr=128956
Eygene Ryabinkin
2008-Nov-18 04:29 UTC
ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6
Jille, good day.

Tue, Nov 18, 2008 at 01:22:09PM +0100, Jille Timmermans wrote:
> I think there is a typo in the vuxml descriptions:
> "PHP 4.4.x before 4.4.9 and PHP 5.6 through 5.2.6"
> (PHP 5.6 doesn't exist (yet))

Yes: it was written in that way at the CVE entry. I had spotted this, but was not sure how to handle this. Perhaps the VuXML entry should really say "PHP 5.2 through 5.2.6" to avoid the reader's confusion.

Thanks for spotting this!
-- 
Eygene

  # Remember that it is hard
  # to read the on-line manual
  # while single-stepping the kernel.
  #
  # -- FreeBSD Developers handbook
Jille Timmermans
2008-Nov-18 04:38 UTC
ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6
I think there is a typo in the vuxml descriptions: "PHP 4.4.x before 4.4.9 and PHP 5.6 through 5.2.6" (PHP 5.6 doesn't exist (yet)) -- Jille Eygene Ryabinkin wrote:>> Number: 128956 >> Category: ports >> Synopsis: [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6 >> Confidential: no >> Severity: serious >> Priority: high >> Responsible: freebsd-ports-bugs >> State: open >> Quarter: >> Keywords: >> Date-Required: >> Class: sw-bug >> Submitter-Id: current-users >> Arrival-Date: Tue Nov 18 10:40:00 UTC 2008 >> Closed-Date: >> Last-Modified: >> Originator: Eygene Ryabinkin >> Release: FreeBSD 7.1-PRERELEASE amd64 >> Organization: >> > Code Labs > >> Environment: >> > > System: FreeBSD 7.1-PRERELEASE amd64 > > >> Description: >> > > There are some vulnerabilities in the stock PHP 5.2.6 that were silently > fixed in the CVS, but after 5.2.6 was out. > > >> How-To-Repeat: >> > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2829 > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659 > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660 > > >> Fix: >> > > The following patches should fix all three issues. I had mildly > tested them in my setups. > --- 5.2.6_2-to-5.2.6_3-fix-cve-2008-3659.3660.diff begins here --- > diff -urN ./Makefile ../php5/Makefile > --- ./Makefile 2008-11-18 11:49:16.000000000 +0300 > +++ ../php5/Makefile 2008-11-18 11:49:27.000000000 +0300 > @@ -7,7 +7,7 @@ > > PORTNAME= php5 > PORTVERSION= 5.2.6 > -PORTREVISION?= 2 > +PORTREVISION?= 3 > CATEGORIES?= lang devel www > MASTER_SITES= ${MASTER_SITE_PHP} > MASTER_SITE_SUBDIR= distributions > diff -urN ./files/patch-CVE-2008-3659 ../php5/files/patch-CVE-2008-3659 > --- ./files/patch-CVE-2008-3659 1970-01-01 03:00:00.000000000 +0300 > +++ ../php5/files/patch-CVE-2008-3659 2008-11-18 11:49:55.000000000 +0300 
> @@ -0,0 +1,27 @@ > +Patch for CVE-2008-3659. > + > +Obtained from: http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_operators.h?r1=1.94.2.4.2.11&r2=1.94.2.4.2.12&view=patch > +See also: http://news.php.net/php.cvs/52002 > +See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659 > + > +--- Zend/zend_operators.h 2007/12/31 07:20:03 1.94.2.4.2.11 > ++++ Zend/zend_operators.h 2008/08/05 20:11:17 1.94.2.4.2.12 > +@@ -17,7 +17,7 @@ > + +----------------------------------------------------------------------+ > + */ > + > +-/* $Id: zend_operators.h,v 1.94.2.4.2.11 2007/12/31 07:20:03 sebastian Exp $ */ > ++/* $Id: zend_operators.h,v 1.94.2.4.2.12 2008/08/05 20:11:17 stas Exp $ */ > + > + #ifndef ZEND_OPERATORS_H > + #define ZEND_OPERATORS_H > +@@ -220,6 +220,9 @@ > + char *p = haystack; > + char ne = needle[needle_len-1]; > + > ++ if(needle_len > end-haystack) { > ++ return NULL; > ++ } > + end -= needle_len; > + > + while (p <= end) { > diff -urN ./files/patch-CVE-2008-3660 ../php5/files/patch-CVE-2008-3660 > --- ./files/patch-CVE-2008-3660 1970-01-01 03:00:00.000000000 +0300 > +++ ../php5/files/patch-CVE-2008-3660 2008-11-18 12:15:23.000000000 +0300 
> @@ -0,0 +1,82 @@ > +Patch for CVE-2008-3660 > + > +Obtained from: http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/cgi_main.c?r1=1.267.2.15.2.57&r2=1.267.2.15.2.58&view=patch > +See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660 > +See also: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499987 > +Notes: removed 'Id' hunk and reapplied this patch for the php-5.2.6 > + > +--- sapi/cgi/cgi_main.c.orig 2008-04-09 13:16:40.000000000 +0400 > ++++ sapi/cgi/cgi_main.c 2008-11-18 12:08:10.000000000 +0300 > +@@ -765,6 +765,39 @@ > + } > + /* }}} */ > + > ++/* {{{ is_valid_path > ++ * > ++ * some server configurations allow '..' to slip through in the > ++ * translated path. We'll just refuse to handle such a path. > ++ */ > ++static int is_valid_path(const char *path) > ++{ > ++ const char *p; > ++ > ++ if (!path) { > ++ return 0; > ++ } > ++ p = strstr(path, ".."); > ++ if (p) { > ++ if ((p == path || IS_SLASH(*(p-1))) && > ++ (*(p+2) == 0 || IS_SLASH(*(p+2)))) { > ++ return 0; > ++ } > ++ while (1) { > ++ p = strstr(p+1, ".."); > ++ if (!p) { > ++ break; > ++ } > ++ if (IS_SLASH(*(p-1)) && > ++ (*(p+2) == 0 || IS_SLASH(*(p+2)))) { > ++ return 0; > ++ } > ++ } > ++ } > ++ return 1; > ++} > ++/* }}} */ > ++ > + /* {{{ init_request_info > + > + initializes request_info structure > +@@ -1061,9 +1094,7 @@ > + if (pt) { > + efree(pt); > + } > +- /* some server configurations allow '..' to slip through in the > +- translated path. We'll just refuse to handle such a path. */ > +- if (script_path_translated && !strstr(script_path_translated, "..")) { > ++ if (is_valid_path(script_path_translated)) { > + SG(request_info).path_translated = estrdup(script_path_translated); > + } > + } else { > +@@ -1094,9 +1125,7 @@ > + } else { > + SG(request_info).request_uri = env_script_name; > + } > +- /* some server configurations allow '..' to slip through in the > +- translated path. We'll just refuse to handle such a path. 
*/ > +- if (script_path_translated && !strstr(script_path_translated, "..")) { > ++ if (is_valid_path(script_path_translated)) { > + SG(request_info).path_translated = estrdup(script_path_translated); > + } > + free(real_path); > +@@ -1114,9 +1143,7 @@ > + script_path_translated = env_path_translated; > + } > + #endif > +- /* some server configurations allow '..' to slip through in the > +- translated path. We'll just refuse to handle such a path. */ > +- if (script_path_translated && !strstr(script_path_translated, "..")) { > ++ if (is_valid_path(script_path_translated)) { > + SG(request_info).path_translated = estrdup(script_path_translated); > + } > + #if ENABLE_PATHINFO_CHECK > --- 5.2.6_2-to-5.2.6_3-fix-cve-2008-3659.3660.diff ends here --- > > --- imap-5.2.6_2-to-5.2.6_3-fix-cve-2008-2829.diff begins here --- > diff -urN ./files/patch-CVE-2008-2829 ../php5-imap/files/patch-CVE-2008-2829 > --- ./files/patch-CVE-2008-2829 1970-01-01 03:00:00.000000000 +0300 > +++ ../php5-imap/files/patch-CVE-2008-2829 2008-11-18 13:20:19.000000000 +0300 
> @@ -0,0 +1,282 @@ > +Fix for CVE-2008-2829 > + > +Obtained from: http://cvs.php.net/viewvc.cgi/php-src/ext/imap/php_imap.c?r1=1.259&r2=1.260&view=patch > +Notes: reapplied to php-5.6.2, skipped 'Id' hunk and modified hunk marked > + '-3213,7 +3214,7'. > + > +--- php_imap.c.orig 2008-04-17 15:04:49.000000000 +0400 > ++++ php_imap.c 2008-11-18 13:03:02.000000000 +0300 > +@@ -40,6 +40,7 @@ > + #include "ext/standard/php_string.h" > + #include "ext/standard/info.h" > + #include "ext/standard/file.h" > ++#include "ext/standard/php_smart_str.h" > + > + #ifdef ERROR > + #undef ERROR > +@@ -66,10 +67,11 @@ > + #define SENDBUFLEN 16385 > + #endif > + > ++ > + static void _php_make_header_object(zval *myzvalue, ENVELOPE *en TSRMLS_DC); > + static void _php_imap_add_body(zval *arg, BODY *body TSRMLS_DC); > +-static void _php_imap_parse_address(ADDRESS *addresslist, char **fulladdress, zval *paddress TSRMLS_DC); > +-static int _php_imap_address_size(ADDRESS *addresslist); > ++static char* _php_imap_parse_address(ADDRESS *addresslist, zval *paddress TSRMLS_DC); > ++static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC); > + > + /* the gets we use */ > + static char *php_mail_gets(readfn_t f, void *stream, unsigned long size, GETS_DATA *md); > +@@ -2109,7 +2111,7 @@ > + { > + zval **mailbox, **host, **personal; > + ADDRESS *addr; > +- char string[MAILTMPLEN]; > ++ char *string; > + > + if (ZEND_NUM_ARGS() != 3 || zend_get_parameters_ex(3, &mailbox, &host, &personal) == FAILURE) { > + ZEND_WRONG_PARAM_COUNT(); > +@@ -2137,13 +2139,12 @@ > + addr->error=NIL; > + addr->adl=NIL; > + > +- if (_php_imap_address_size(addr) >= MAILTMPLEN) { > ++ string = _php_rfc822_write_address(addr TSRMLS_CC); > ++ if (string) { > ++ RETVAL_STRING(string, 0); > ++ } else { > + RETURN_FALSE; > + } > +- > +- string[0]='\0'; > +- rfc822_write_address(string, addr); > +- RETVAL_STRING(string, 1); > + } > + /* }}} */ > + > +@@ -2873,7 +2874,7 @@ > + zval **streamind, **sequence, 
**pflags; > + pils *imap_le_struct; > + zval *myoverview; > +- char address[MAILTMPLEN]; > ++ char *address; > + long status, flags=0L; > + int myargc = ZEND_NUM_ARGS(); > + > +@@ -2908,17 +2909,19 @@ > + if (env->subject) { > + add_property_string(myoverview, "subject", env->subject, 1); > + } > +- if (env->from && _php_imap_address_size(env->from) < MAILTMPLEN) { > ++ if (env->from) { > + env->from->next=NULL; > +- address[0] = '\0'; > +- rfc822_write_address(address, env->from); > +- add_property_string(myoverview, "from", address, 1); > ++ address =_php_rfc822_write_address(env->from TSRMLS_CC); > ++ if (address) { > ++ add_property_string(myoverview, "from", address, 0); > ++ } > + } > +- if (env->to && _php_imap_address_size(env->to) < MAILTMPLEN) { > ++ if (env->to) { > + env->to->next = NULL; > +- address[0] = '\0'; > +- rfc822_write_address(address, env->to); > +- add_property_string(myoverview, "to", address, 1); > ++ address = _php_rfc822_write_address(env->to TSRMLS_CC); > ++ if (address) { > ++ add_property_string(myoverview, "to", address, 0); > ++ } > + } > + if (env->date) { > + add_property_string(myoverview, "date", env->date, 1); > +@@ -3858,6 +3861,43 @@ > + /* }}} */ > + > + /* Support Functions */ > ++ > ++#ifdef HAVE_RFC822_OUTPUT_ADDRESS_LIST > ++/* {{{ _php_rfc822_soutr > ++ */ > ++static long _php_rfc822_soutr (void *stream, char *string) > ++{ > ++ smart_str *ret = (smart_str*)stream; > ++ int len = strlen(string); > ++ > ++ smart_str_appendl(ret, string, len); > ++ return LONGT; > ++} > ++ > ++/* }}} */ > ++ > ++/* {{{ _php_rfc822_write_address > ++ */ > ++static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC) > ++{ > ++ char address[MAILTMPLEN]; > ++ smart_str ret = {0}; > ++ RFC822BUFFER buf; > ++ > ++ buf.beg = address; > ++ buf.cur = buf.beg; > ++ buf.end = buf.beg + sizeof(address) - 1; > ++ buf.s = &ret; > ++ buf.f = _php_rfc822_soutr; > ++ rfc822_output_address_list(&buf, addresslist, 0, NULL); > ++ 
rfc822_output_flush(&buf); > ++ smart_str_0(&ret); > ++ return ret.c; > ++} > ++/* }}} */ > ++ > ++#else > ++ > + /* {{{ _php_imap_get_address_size > + */ > + static int _php_imap_address_size (ADDRESS *addresslist) > +@@ -3887,26 +3927,33 @@ > + > + /* }}} */ > + > ++/* {{{ _php_rfc822_write_address > ++ */ > ++static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC) > ++{ > ++ char address[SENDBUFLEN]; > + > ++ if (_php_imap_address_size(addresslist) >= SENDBUFLEN) { > ++ php_error_docref(NULL TSRMLS_CC, E_ERROR, "Address buffer overflow"); > ++ return NULL; > ++ } > ++ address[0] = 0; > ++ rfc822_write_address(address, addresslist); > ++ return estrdup(address); > ++} > ++/* }}} */ > ++#endif > + /* {{{ _php_imap_parse_address > + */ > +-static void _php_imap_parse_address (ADDRESS *addresslist, char **fulladdress, zval *paddress TSRMLS_DC) > ++static char* _php_imap_parse_address (ADDRESS *addresslist, zval *paddress TSRMLS_DC) > + { > ++ char *fulladdress; > + ADDRESS *addresstmp; > + zval *tmpvals; > +- char *tmpstr; > +- int len=0; > + > + addresstmp = addresslist; > + > +- if ((len = _php_imap_address_size(addresstmp))) { > +- tmpstr = (char *) pemalloc(len + 1, 1); > +- tmpstr[0] = '\0'; > +- rfc822_write_address(tmpstr, addresstmp); > +- *fulladdress = tmpstr; > +- } else { > +- *fulladdress = NULL; > +- } > ++ fulladdress = _php_rfc822_write_address(addresstmp TSRMLS_CC); > + > + addresstmp = addresslist; > + do { > +@@ -3918,6 +3965,7 @@ > + if (addresstmp->host) add_property_string(tmpvals, "host", addresstmp->host, 1); > + add_next_index_object(paddress, tmpvals TSRMLS_CC); > + } while ((addresstmp = addresstmp->next)); > ++ return fulladdress; > + } > + /* }}} */ > + > +@@ -3944,10 +3992,9 @@ > + if (en->to) { > + MAKE_STD_ZVAL(paddress); > + array_init(paddress); > +- _php_imap_parse_address(en->to, &fulladdress, paddress TSRMLS_CC); > ++ fulladdress = _php_imap_parse_address(en->to, paddress TSRMLS_CC); > + if (fulladdress) { > +- 
add_property_string(myzvalue, "toaddress", fulladdress, 1); > +- free(fulladdress); > ++ add_property_string(myzvalue, "toaddress", fulladdress, 0); > + } > + add_assoc_object(myzvalue, "to", paddress TSRMLS_CC); > + } > +@@ -3955,10 +4002,9 @@ > + if (en->from) { > + MAKE_STD_ZVAL(paddress); > + array_init(paddress); > +- _php_imap_parse_address(en->from, &fulladdress, paddress TSRMLS_CC); > ++ fulladdress = _php_imap_parse_address(en->from, paddress TSRMLS_CC); > + if (fulladdress) { > +- add_property_string(myzvalue, "fromaddress", fulladdress, 1); > +- free(fulladdress); > ++ add_property_string(myzvalue, "fromaddress", fulladdress, 0); > + } > + add_assoc_object(myzvalue, "from", paddress TSRMLS_CC); > + } > +@@ -3966,10 +4012,9 @@ > + if (en->cc) { > + MAKE_STD_ZVAL(paddress); > + array_init(paddress); > +- _php_imap_parse_address(en->cc, &fulladdress, paddress TSRMLS_CC); > ++ fulladdress = _php_imap_parse_address(en->cc, paddress TSRMLS_CC); > + if (fulladdress) { > +- add_property_string(myzvalue, "ccaddress", fulladdress, 1); > +- free(fulladdress); > ++ add_property_string(myzvalue, "ccaddress", fulladdress, 0); > + } > + add_assoc_object(myzvalue, "cc", paddress TSRMLS_CC); > + } > +@@ -3977,10 +4022,9 @@ > + if (en->bcc) { > + MAKE_STD_ZVAL(paddress); > + array_init(paddress); > +- _php_imap_parse_address(en->bcc, &fulladdress, paddress TSRMLS_CC); > ++ fulladdress = _php_imap_parse_address(en->bcc, paddress TSRMLS_CC); > + if (fulladdress) { > +- add_property_string(myzvalue, "bccaddress", fulladdress, 1); > +- free(fulladdress); > ++ add_property_string(myzvalue, "bccaddress", fulladdress, 0); > + } > + add_assoc_object(myzvalue, "bcc", paddress TSRMLS_CC); > + } > +@@ -3988,10 +4032,9 @@ > + if (en->reply_to) { > + MAKE_STD_ZVAL(paddress); > + array_init(paddress); > +- _php_imap_parse_address(en->reply_to, &fulladdress, paddress TSRMLS_CC); > ++ fulladdress = _php_imap_parse_address(en->reply_to, paddress TSRMLS_CC); > + if (fulladdress) { > +- 
add_property_string(myzvalue, "reply_toaddress", fulladdress, 1); > +- free(fulladdress); > ++ add_property_string(myzvalue, "reply_toaddress", fulladdress, 0); > + } > + add_assoc_object(myzvalue, "reply_to", paddress TSRMLS_CC); > + } > +@@ -3999,10 +4042,9 @@ > + if (en->sender) { > + MAKE_STD_ZVAL(paddress); > + array_init(paddress); > +- _php_imap_parse_address(en->sender, &fulladdress, paddress TSRMLS_CC); > ++ fulladdress = _php_imap_parse_address(en->sender, paddress TSRMLS_CC); > + if (fulladdress) { > +- add_property_string(myzvalue, "senderaddress", fulladdress, 1); > +- free(fulladdress); > ++ add_property_string(myzvalue, "senderaddress", fulladdress, 0); > + } > + add_assoc_object(myzvalue, "sender", paddress TSRMLS_CC); > + } > +@@ -4010,10 +4052,9 @@ > + if (en->return_path) { > + MAKE_STD_ZVAL(paddress); > + array_init(paddress); > +- _php_imap_parse_address(en->return_path, &fulladdress, paddress TSRMLS_CC); > ++ fulladdress = _php_imap_parse_address(en->return_path, paddress TSRMLS_CC); > + if (fulladdress) { > +- add_property_string(myzvalue, "return_pathaddress", fulladdress, 1); > +- free(fulladdress); > ++ add_property_string(myzvalue, "return_pathaddress", fulladdress, 0); > + } > + add_assoc_object(myzvalue, "return_path", paddress TSRMLS_CC); > + } > --- imap-5.2.6_2-to-5.2.6_3-fix-cve-2008-2829.diff ends here --- > > I assume that they all will go in one shot, so the following VuXML > entries use 5.2.6_3 as the first version where issues were fixed. 
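Review bot: the safety of the new `_php_rfc822_write_address` in the `#else` branch (hunk `@@ -3887,26 +3927,33 @@`) rests entirely on `_php_imap_address_size(addresslist)` being an accurate upper bound for what `rfc822_write_address(address, addresslist)` will write into `char address[SENDBUFLEN]`. The `>= SENDBUFLEN` comparison is right (it reserves the terminating NUL), but the coupling between the two routines is not stated anywhere; a comment at that check saying that the size routine must be kept in step with `rfc822_write_address()` would stop a later edit from reintroducing the overflow this patch fixes.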
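Review bot: the rewritten `_php_imap_parse_address` (same hunk, second half) changes behaviour for an empty rendering: the removed code only set `*fulladdress` when `_php_imap_address_size()` returned non-zero and otherwise left it NULL, whereas `_php_rfc822_write_address` now always returns `estrdup(address)`, so an empty string reaches the callers, passes their `if (fulladdress)` test and adds a `toaddress` (etc.) property holding `""` where the property used to be absent. If that is not intended, return NULL from `_php_rfc822_write_address` when `address[0] == 0` after the `rfc822_write_address()` call, and check the smart_str branch (`smart_str_0(&ret); return ret.c;`) for the same case.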
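Review bot: the seven caller hunks (to, from, cc, bcc, reply_to, sender, return_path) switch ownership of `fulladdress` from `pemalloc(len + 1, 1)` plus an explicit `free()` to `estrdup()` handed to the zval with `add_property_string(..., 0)`. That is the right pairing for the `#else` branch, but it silently requires that the `ret.c` returned by the smart_str branch is also allocated by the Zend allocator, since the same `duplicate = 0` call now frees it; a one-line comment would make that explicit. The seven blocks are identical apart from the field and property name, so a small static helper (or macro) taking `en->to`, `"to"` and `"toaddress"` would make the ownership rule a single decision rather than seven copies.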
> --- cve-2008-2829.xml begins here ---
> <vuln vid="">
>   <topic>PHP 5.x -- Denial of Service and possible arbitrary code execution in the IMAP extension</topic>
>   <affects>
>     <package>
>       <name>php5-imap</name>
>       <range><lt>5.2.6_3</lt></range>
>     </package>
>   </affects>
>   <description>
>     <body xmlns="http://www.w3.org/1999/xhtml">
>       <p>Entry for CVE-2008-2829 says:</p>
>       <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2829">
>         <p>php_imap.c in PHP 5.2.5, 5.2.6, 4.x, and other versions, uses
>         obsolete API calls that allow context-dependent attackers to
>         cause a denial of service (crash) and possibly execute arbitrary
>         code via a long IMAP request, which triggers an "rfc822.c legacy
>         routine buffer overflow" error message.</p>
>       </blockquote>
>     </body>
>   </description>
>   <references>
>     <cvename>CVE-2008-2829</cvename>
>     <url>http://bugs.php.net/bug.php?id=42862</url>
>     <url>http://bugs.php.net/bug.php?id=40925</url>
>     <url>http://cvs.php.net/viewvc.cgi/php-src/ext/imap/php_imap.c?view=log#rev1.260</url>
>   </references>
>   <dates>
>     <discovery>2008-06-19</discovery>
>   </dates>
> </vuln>
> --- cve-2008-2829.xml ends here ---
>
> --- cve-2008-3659.xml begins here ---
> <vuln vid="">
>   <topic>PHP 5.x -- buffer overflow in the memnstr()</topic>
>   <affects>
>     <package>
>       <name>php5</name>
>       <range><lt>5.2.6_3</lt></range>
>     </package>
>   </affects>
>   <description>
>     <body xmlns="http://www.w3.org/1999/xhtml">
>       <p>Entry for CVE-2008-3659 says:</p>
>       <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659">
>         <p>Buffer overflow in the memnstr function in PHP 4.4.x before
>         4.4.9 and PHP 5.6 through 5.2.6 allows context-dependent
>         attackers to cause a denial of service (crash) and possibly
>         execute arbitrary code via the delimiter argument to the explode
>         function.</p>
>         <p>NOTE: the scope of this issue is limited since most
>         applications would not use an attacker-controlled delimiter, but
>         local attacks against safe_mode are feasible.</p>
>       </blockquote>
>     </body>
>   </description>
>   <references>
>     <cvename>CVE-2008-3659</cvename>
>     <url>http://news.php.net/php.cvs/52002</url>
>     <url>http://www.openwall.com/lists/oss-security/2008/08/08/2</url>
>   </references>
>   <dates>
>     <discovery>2008-08-05</discovery>
>   </dates>
> </vuln>
> --- cve-2008-3659.xml ends here ---
>
> --- cve-2008-3660.xml begins here ---
> <vuln vid="">
>   <topic>PHP 5.x -- Denial of Service in the FastCGI mode</topic>
>   <affects>
>     <package>
>       <name>php5</name>
>       <range><lt>5.2.6_3</lt></range>
>     </package>
>   </affects>
>   <description>
>     <body xmlns="http://www.w3.org/1999/xhtml">
>       <p>Entry for CVE-2008-3660 says:</p>
>       <blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660">
>         <p>PHP 4.4.x before 4.4.9 and PHP 5.6 through 5.2.6, when used
>         as a FastCGI module, allows remote attackers to cause a denial
>         of service (crash) via a request with multiple dots preceding
>         the extension, as demonstrated using foo..php.</p>
>       </blockquote>
>     </body>
>   </description>
>   <references>
>     <cvename>CVE-2008-3660</cvename>
>     <url>http://news.php.net/php.cvs/51129</url>
>     <url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499987</url>
>   </references>
>   <dates>
>     <discovery>2008-07-15</discovery>
>   </dates>
> </vuln>
> --- cve-2008-3660.xml ends here ---
>
> >Release-Note:
> >Audit-Trail:
> >Unformatted:
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
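The cve-2008-3659.xml entry above describes a buffer overflow in memnstr() reached through the delimiter argument of explode(): a search driven by an explicit end pointer rather than a NUL must refuse a needle longer than what remains of the haystack, otherwise the loop bound is computed from a pointer outside the buffer. The following is an added example, not the PR's patch and not PHP's code; the function names `bounded_memnstr`, `find_offset` and `count_occurrences` and the sample strings are constructed for the illustration. It shows the guarded search and an explode-style tokenizer loop built on it, which re-checks the remaining length on every step.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Bounded substring search in the style of the Zend engine's memnstr():
 * locate the first `needle` (needle_len bytes) inside [haystack, end).
 * Returns a pointer to the match or NULL.
 *
 * The search is driven by the caller-supplied `end`, not by a NUL, so the
 * guard below is what keeps every read inside the haystack: if the needle
 * is longer than what remains, `end -= needle_len` would put the loop bound
 * in front of `haystack` and the comparisons would run past the buffer.
 * That missing guard is the defect class CVE-2008-3659 describes for the
 * delimiter argument of explode(). (Added example; not the PR's or PHP's code.)
 */
static const char *bounded_memnstr(const char *haystack, const char *needle,
                                   size_t needle_len, const char *end)
{
    const char *p = haystack;
    char last;

    if (needle_len == 0 || end < haystack) {
        return NULL;
    }
    /* Guard: the needle cannot fit in the remaining haystack. */
    if (needle_len > (size_t)(end - haystack)) {
        return NULL;
    }

    last = needle[needle_len - 1];
    end -= needle_len; /* last offset at which a full needle can start */

    while (p <= end) {
        /* memchr is limited to the remaining candidate positions. */
        p = memchr(p, *needle, (size_t)(end - p) + 1);
        if (p == NULL) {
            return NULL;
        }
        if (p[needle_len - 1] == last && memcmp(needle, p, needle_len - 1) == 0) {
            return p;
        }
        p++;
    }
    return NULL;
}

/* Offset of the first match, or -1. Wrapper so results are plain integers. */
static long find_offset(const char *hay, size_t hay_len,
                        const char *needle, size_t needle_len)
{
    const char *hit = bounded_memnstr(hay, needle, needle_len, hay + hay_len);
    return hit ? (long)(hit - hay) : -1;
}

/* Count non-overlapping occurrences of `delim`, the way an explode()-style
 * tokenizer walks the input; each step re-checks the remaining length. */
static size_t count_occurrences(const char *s, size_t len,
                                const char *delim, size_t delim_len)
{
    const char *end = s + len;
    const char *p = s;
    const char *hit;
    size_t n = 0;

    while ((hit = bounded_memnstr(p, delim, delim_len, end)) != NULL) {
        n++;
        p = hit + delim_len;
    }
    return n;
}

int main(void)
{
    /* Constructed inputs; the last call has a delimiter longer than the text. */
    printf("%ld\n", find_offset("hello world", 11, "world", 5)); /* 6 */
    printf("%zu\n", count_occurrences("a,b,,c", 6, ",", 1));      /* 3 */
    printf("%ld\n", find_offset("ab", 2, "abc", 3));              /* -1 */
    return 0;
}
```

The length guard is the whole fix: without it, a delimiter longer than the remaining input makes `end -= needle_len` move the bound before the current position, and the `p <= end` loop condition no longer protects the reads. Every other line is the ordinary search.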