Date:      Tue, 18 Nov 2008 13:34:33 +0300 (MSK)
From:      Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6
Message-ID:  <20081118103433.38D5817115@shadow.codelabs.ru>
Resent-Message-ID: <200811181040.mAIAe1Ki077639@freefall.freebsd.org>


>Number:         128956
>Category:       ports
>Synopsis:       [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 18 10:40:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.1-PRERELEASE amd64

>Description:

There are several vulnerabilities in the stock PHP 5.2.6 that were silently
fixed in CVS after 5.2.6 was released.

>How-To-Repeat:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2829
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660

>Fix:

The following patches should fix all three issues.  I have lightly
tested them in my setups.
--- 5.2.6_2-to-5.2.6_3-fix-cve-2008-3659.3660.diff begins here ---
diff -urN ./Makefile ../php5/Makefile
--- ./Makefile	2008-11-18 11:49:16.000000000 +0300
+++ ../php5/Makefile	2008-11-18 11:49:27.000000000 +0300
@@ -7,7 +7,7 @@
 
 PORTNAME=	php5
 PORTVERSION=	5.2.6
-PORTREVISION?=	2
+PORTREVISION?=	3
 CATEGORIES?=	lang devel www
 MASTER_SITES=	${MASTER_SITE_PHP}
 MASTER_SITE_SUBDIR=	distributions
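Review bot: this PORTREVISION bump is the only version change in either diff, yet the VuXML entry for php5-imap further down also names 5.2.6_3 as the first fixed version; php5-imap lives in its own directory (../php5-imap in the second diff) and that diff adds only files/patch-CVE-2008-2829, so php5-imap reaching 5.2.6_3 relies on it inheriting this `PORTREVISION?=` value rather than setting its own. Worth saying so explicitly next to the "one shot" remark, or bumping the imap port too if it carries its own PORTREVISION.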
diff -urN ./files/patch-CVE-2008-3659 ../php5/files/patch-CVE-2008-3659
--- ./files/patch-CVE-2008-3659	1970-01-01 03:00:00.000000000 +0300
+++ ../php5/files/patch-CVE-2008-3659	2008-11-18 11:49:55.000000000 +0300
@@ -0,0 +1,27 @@
+Patch for CVE-2008-3659.
+
+Obtained from: http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_operators.h?r1=1.94.2.4.2.11&r2=1.94.2.4.2.12&view=patch
+See also: http://news.php.net/php.cvs/52002
+See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659
+
+--- Zend/zend_operators.h	2007/12/31 07:20:03	1.94.2.4.2.11
++++ Zend/zend_operators.h	2008/08/05 20:11:17	1.94.2.4.2.12
+@@ -17,7 +17,7 @@
+    +----------------------------------------------------------------------+
+ */
+ 
+-/* $Id: zend_operators.h,v 1.94.2.4.2.11 2007/12/31 07:20:03 sebastian Exp $ */
++/* $Id: zend_operators.h,v 1.94.2.4.2.12 2008/08/05 20:11:17 stas Exp $ */
+ 
+ #ifndef ZEND_OPERATORS_H
+ #define ZEND_OPERATORS_H
+@@ -220,6 +220,9 @@
+ 	char *p = haystack;
+ 	char ne = needle[needle_len-1];
+ 
++	if(needle_len > end-haystack) {
++		return NULL;
++	}
+ 	end -= needle_len;
+ 
+ 	while (p <= end) {
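Review bot: the new guard stops `end -= needle_len` from moving `end` in front of `haystack` when the needle is longer than the haystack, but it does not cover needle_len == 0, where `char ne = needle[needle_len-1];` two lines above already reads one byte before `needle`; if every caller rejects an empty needle that is fine, but a `needle_len <= 0` clause in the same `if` would make the helper safe on its own. Two smaller points: `if(needle_len > end-haystack)` should be `if (` to match the `while (p <= end)` style of the surrounding code, and this file keeps the `$Id$` hunk that the other two patch files deliberately drop (see the Notes lines in patch-CVE-2008-3660 and patch-CVE-2008-2829); dropping it here too keeps the patch from depending on the keyword-expanded line in the distfile.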
diff -urN ./files/patch-CVE-2008-3660 ../php5/files/patch-CVE-2008-3660
--- ./files/patch-CVE-2008-3660	1970-01-01 03:00:00.000000000 +0300
+++ ../php5/files/patch-CVE-2008-3660	2008-11-18 12:15:23.000000000 +0300
@@ -0,0 +1,82 @@
+Patch for CVE-2008-3660
+
+Obtained from: http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/cgi_main.c?r1=1.267.2.15.2.57&r2=1.267.2.15.2.58&view=patch
+See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660
+See also: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499987
+Notes: removed 'Id' hunk and reapplied this patch for the php-5.2.6
+
+--- sapi/cgi/cgi_main.c.orig	2008-04-09 13:16:40.000000000 +0400
++++ sapi/cgi/cgi_main.c	2008-11-18 12:08:10.000000000 +0300
+@@ -765,6 +765,39 @@
+ }
+ /* }}} */
+ 
++/* {{{ is_valid_path
++ *
++ * some server configurations allow '..' to slip through in the
++ * translated path.   We'll just refuse to handle such a path.
++ */
++static int is_valid_path(const char *path)
++{
++	const char *p;
++
++	if (!path) {
++		return 0;
++	}
++	p = strstr(path, "..");
++	if (p) {
++		if ((p == path || IS_SLASH(*(p-1))) &&
++		    (*(p+2) == 0 || IS_SLASH(*(p+2)))) {
++			return 0;
++		}
++		while (1) {
++			p = strstr(p+1, "..");
++			if (!p) {
++				break;
++			}
++			if (IS_SLASH(*(p-1)) &&
++			    (*(p+2) == 0 || IS_SLASH(*(p+2)))) {
++					return 0;
++			}
++		}
++	}
++	return 1;
++}
++/* }}} */
++
+ /* {{{ init_request_info
+ 
+   initializes request_info structure
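Review bot: the loop looks correct, but the acceptance criterion has changed rather than merely been tightened: the old test refused any path containing the two-byte sequence "..", whereas is_valid_path only refuses a complete ".." component (at the start or right after a slash, and followed by end-of-string or a slash), so a translated path such as foo..php, the request named in the CVE text, is now handed on instead of being dropped. That is the intended behaviour, but the cases worth attaching to the PR as a check are: "foo..php" and "/a/..b/c.php" accepted; "../x.php", "/a/../b.php" and "/a/.." rejected; NULL rejected. One style nit: the `return 0;` inside the while loop is indented one level deeper than the matching one above it.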
+@@ -1061,9 +1094,7 @@
+ 				if (pt) {
+ 					efree(pt);
+ 				}
+-				/* some server configurations allow '..' to slip through in the
+-				   translated path.   We'll just refuse to handle such a path. */
+-				if (script_path_translated && !strstr(script_path_translated, "..")) {
++				if (is_valid_path(script_path_translated)) {
+ 					SG(request_info).path_translated = estrdup(script_path_translated);
+ 				}
+ 			} else {
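Review bot: dropping the `script_path_translated &&` part of the condition is safe only because is_valid_path begins with `if (!path) { return 0; }`; since all three call sites now rely on that, it deserves a sentence in the function's comment block so a later edit does not remove the NULL check. The two-line comment removed here is reproduced verbatim in the new function, so nothing is lost there.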
+@@ -1094,9 +1125,7 @@
+ 				} else {
+ 					SG(request_info).request_uri = env_script_name;
+ 				}
+-				/* some server configurations allow '..' to slip through in the
+-				   translated path.   We'll just refuse to handle such a path. */
+-				if (script_path_translated && !strstr(script_path_translated, "..")) {
++				if (is_valid_path(script_path_translated)) {
+ 					SG(request_info).path_translated = estrdup(script_path_translated);
+ 				}
+ 				free(real_path);
+@@ -1114,9 +1143,7 @@
+ 				script_path_translated = env_path_translated;
+ 			}
+ #endif
+-			/* some server configurations allow '..' to slip through in the
+-			   translated path.   We'll just refuse to handle such a path. */
+-			if (script_path_translated && !strstr(script_path_translated, "..")) {
++			if (is_valid_path(script_path_translated)) {
+ 				SG(request_info).path_translated = estrdup(script_path_translated);
+ 			}
+ #if ENABLE_PATHINFO_CHECK
--- 5.2.6_2-to-5.2.6_3-fix-cve-2008-3659.3660.diff ends here ---

--- imap-5.2.6_2-to-5.2.6_3-fix-cve-2008-2829.diff begins here ---
diff -urN ./files/patch-CVE-2008-2829 ../php5-imap/files/patch-CVE-2008-2829
--- ./files/patch-CVE-2008-2829	1970-01-01 03:00:00.000000000 +0300
+++ ../php5-imap/files/patch-CVE-2008-2829	2008-11-18 13:20:19.000000000 +0300
@@ -0,0 +1,282 @@
+Fix for CVE-2008-2829
+
+Obtained from: http://cvs.php.net/viewvc.cgi/php-src/ext/imap/php_imap.c?r1=1.259&r2=1.260&view=patch
+Notes: reapplied to php-5.6.2, skipped 'Id' hunk and modified hunk marked
+       '-3213,7 +3214,7'.
+
+--- php_imap.c.orig	2008-04-17 15:04:49.000000000 +0400
++++ php_imap.c	2008-11-18 13:03:02.000000000 +0300
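Review bot: "reapplied to php-5.6.2" on the Notes line is a typo for php-5.2.6 (the port's PORTVERSION, and the version in this diff's file name); since this header ends up in files/patch-CVE-2008-2829 in the tree, fix it before commit. The remark about the modified '-3213,7 +3214,7' hunk is useful, but no hunk in the re-based body below carries that header (they run from -40,6 to -4010,10), so say which hunk it became here, or drop the reference.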
+@@ -40,6 +40,7 @@
+ #include "ext/standard/php_string.h"
+ #include "ext/standard/info.h"
+ #include "ext/standard/file.h"
++#include "ext/standard/php_smart_str.h"
+ 
+ #ifdef ERROR
+ #undef ERROR
+@@ -66,10 +67,11 @@
+ #define SENDBUFLEN 16385
+ #endif
+ 
++
+ static void _php_make_header_object(zval *myzvalue, ENVELOPE *en TSRMLS_DC);
+ static void _php_imap_add_body(zval *arg, BODY *body TSRMLS_DC);
+-static void _php_imap_parse_address(ADDRESS *addresslist, char **fulladdress, zval *paddress TSRMLS_DC);
+-static int _php_imap_address_size(ADDRESS *addresslist);
++static char* _php_imap_parse_address(ADDRESS *addresslist, zval *paddress TSRMLS_DC);
++static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC);
+ 
+ /* the gets we use */
+ static char *php_mail_gets(readfn_t f, void *stream, unsigned long size, GETS_DATA *md);
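Review bot: the added empty line before the prototypes is a whitespace-only change that just adds diff noise; drop it unless it is needed for the hunk to apply. Removing the `_php_imap_address_size` prototype is fine, because the function survives only in the `#else` branch further down, where it is defined before its single caller.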
+@@ -2109,7 +2111,7 @@
+ {
+ 	zval **mailbox, **host, **personal;
+ 	ADDRESS *addr;
+-	char string[MAILTMPLEN];
++	char *string;
+ 
+ 	if (ZEND_NUM_ARGS() != 3 || zend_get_parameters_ex(3, &mailbox, &host, &personal) == FAILURE) {
+ 		ZEND_WRONG_PARAM_COUNT();
+@@ -2137,13 +2139,12 @@
+ 	addr->error=NIL;
+ 	addr->adl=NIL;
+ 
+-	if (_php_imap_address_size(addr) >= MAILTMPLEN) {
++	string = _php_rfc822_write_address(addr TSRMLS_CC);
++	if (string) {
++		RETVAL_STRING(string, 0);
++	} else {
+ 		RETURN_FALSE;
+ 	}
+-
+-	string[0]='\0';
+-	rfc822_write_address(string, addr);
+-	RETVAL_STRING(string, 1);
+ }
+ /* }}} */
+ 
+@@ -2873,7 +2874,7 @@
+  	zval **streamind, **sequence, **pflags;
+ 	pils *imap_le_struct;
+ 	zval *myoverview;
+-	char address[MAILTMPLEN];
++	char *address;
+ 	long status, flags=0L;
+ 	int myargc = ZEND_NUM_ARGS();
+ 	
+@@ -2908,17 +2909,19 @@
+ 				if (env->subject) {
+ 					add_property_string(myoverview, "subject", env->subject, 1);
+ 				}
+-				if (env->from && _php_imap_address_size(env->from) < MAILTMPLEN) {
++				if (env->from) {
+ 					env->from->next=NULL;
+-					address[0] = '\0';
+-					rfc822_write_address(address, env->from);
+-					add_property_string(myoverview, "from", address, 1);
++					address =_php_rfc822_write_address(env->from TSRMLS_CC);
++					if (address) {
++						add_property_string(myoverview, "from", address, 0);
++					}
+ 				}
+-				if (env->to && _php_imap_address_size(env->to) < MAILTMPLEN) {
++				if (env->to) {
+ 					env->to->next = NULL;
+-					address[0] = '\0';
+-					rfc822_write_address(address, env->to);
+-					add_property_string(myoverview, "to", address, 1);
++					address = _php_rfc822_write_address(env->to TSRMLS_CC);
++					if (address) {
++						add_property_string(myoverview, "to", address, 0);
++					}
+ 				}
+ 				if (env->date) {
+ 					add_property_string(myoverview, "date", env->date, 1);
+@@ -3858,6 +3861,43 @@
+ /* }}} */
+ 
+ /* Support Functions */
++
++#ifdef HAVE_RFC822_OUTPUT_ADDRESS_LIST
++/* {{{ _php_rfc822_soutr
++ */
++static long _php_rfc822_soutr (void *stream, char *string)
++{
++	smart_str *ret = (smart_str*)stream;
++	int len = strlen(string);
++
++	smart_str_appendl(ret, string, len);	
++	return LONGT;
++}
++
++/* }}} */
++
++/* {{{ _php_rfc822_write_address
++ */
++static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC)
++{
++	char address[MAILTMPLEN];
++	smart_str ret = {0};
++	RFC822BUFFER buf;
++
++	buf.beg = address;
++	buf.cur = buf.beg;
++	buf.end = buf.beg + sizeof(address) - 1;
++	buf.s = &ret;
++	buf.f = _php_rfc822_soutr;
++	rfc822_output_address_list(&buf, addresslist, 0, NULL);
++	rfc822_output_flush(&buf);
++	smart_str_0(&ret);
++	return ret.c;
++}
++/* }}} */
++
++#else
++
+ /* {{{ _php_imap_get_address_size
+  */
+ static int _php_imap_address_size (ADDRESS *addresslist)
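Review bot: nothing in this diff defines HAVE_RFC822_OUTPUT_ADDRESS_LIST (only php_imap.c is touched, there is no config.m4 change), so unless the port's configure already tests for rfc822_output_address_list() in the installed c-client, the `#else` branch is what actually gets compiled and the growable smart_str path is dead code. Please confirm which branch builds against the port's c-client and add the configure check if it is missing. Two smaller points in the new code: `int len = strlen(string);` narrows a size_t to int, and with `smart_str ret = {0};` the function returns NULL for an address list that never reaches the callback, which is what the callers' `if (address)` tests expect, so that contract belongs in the comment above the function.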
+@@ -3887,26 +3927,33 @@
+ 
+ /* }}} */
+ 
++/* {{{ _php_rfc822_write_address
++ */
++static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC)
++{
++	char address[SENDBUFLEN];
+ 
++	if (_php_imap_address_size(addresslist) >= SENDBUFLEN) {
++		php_error_docref(NULL TSRMLS_CC, E_ERROR, "Address buffer overflow");
++		return NULL;
++	}
++	address[0] = 0;
++	rfc822_write_address(address, addresslist);
++	return estrdup(address);
++}
++/* }}} */
++#endif
+ /* {{{ _php_imap_parse_address
+  */
+-static void _php_imap_parse_address (ADDRESS *addresslist, char **fulladdress, zval *paddress TSRMLS_DC)
++static char* _php_imap_parse_address (ADDRESS *addresslist, zval *paddress TSRMLS_DC)
+ {
++	char *fulladdress;
+ 	ADDRESS *addresstmp;
+ 	zval *tmpvals;
+-	char *tmpstr;
+-	int len=0;
+ 		
+ 	addresstmp = addresslist;
+ 
+-	if ((len = _php_imap_address_size(addresstmp))) {
+-		tmpstr = (char *) pemalloc(len + 1, 1);
+-		tmpstr[0] = '\0';
+-		rfc822_write_address(tmpstr, addresstmp);
+-		*fulladdress = tmpstr;
+-	} else {
+-		*fulladdress = NULL;
+-	}
++	fulladdress = _php_rfc822_write_address(addresstmp TSRMLS_CC);
+ 	
+ 	addresstmp = addresslist;
+ 	do {
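Review bot: in the `#else` `_php_rfc822_write_address`, `php_error_docref(..., E_ERROR, ...)` does not return, so the `return NULL;` after it is unreachable and the NULL handling in the callers (RETURN_FALSE in imap_rfc822_write_address, the skipped property in imap_fetch_overview) is never exercised on this branch; an over-long address list now aborts the whole script where the old code returned FALSE or silently omitted the field. E_WARNING would keep the old behaviour while still reporting the problem. Also, in _php_imap_parse_address the first `addresstmp = addresslist;` is now redundant with the one three lines below. Note the allocator change too: the old `pemalloc(len + 1, 1)` / `free()` pairing is replaced by memory the callers hand to the engine with duplicate=0, which is correct only because both `_php_rfc822_write_address` variants return emalloc-family memory (estrdup here, smart_str above); a comment saying so would keep a future edit from reintroducing a malloc/efree mismatch.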
+@@ -3918,6 +3965,7 @@
+ 		if (addresstmp->host) add_property_string(tmpvals, "host", addresstmp->host, 1);
+ 		add_next_index_object(paddress, tmpvals TSRMLS_CC);
+ 	} while ((addresstmp = addresstmp->next));
++	return fulladdress;
+ }
+ /* }}} */
+ 
+@@ -3944,10 +3992,9 @@
+ 	if (en->to) {
+ 		MAKE_STD_ZVAL(paddress);
+ 		array_init(paddress);
+-		_php_imap_parse_address(en->to, &fulladdress, paddress TSRMLS_CC);
++		fulladdress = _php_imap_parse_address(en->to, paddress TSRMLS_CC);
+ 		if (fulladdress) {
+-			add_property_string(myzvalue, "toaddress", fulladdress, 1);
+-			free(fulladdress);
++			add_property_string(myzvalue, "toaddress", fulladdress, 0);
+ 		}
+ 		add_assoc_object(myzvalue, "to", paddress TSRMLS_CC);
+ 	}
+@@ -3955,10 +4002,9 @@
+ 	if (en->from) {
+ 		MAKE_STD_ZVAL(paddress);
+ 		array_init(paddress);
+-		_php_imap_parse_address(en->from, &fulladdress, paddress TSRMLS_CC);
++		fulladdress = _php_imap_parse_address(en->from, paddress TSRMLS_CC);
+ 		if (fulladdress) {
+-			add_property_string(myzvalue, "fromaddress", fulladdress, 1);
+-			free(fulladdress);
++			add_property_string(myzvalue, "fromaddress", fulladdress, 0);
+ 		}
+ 		add_assoc_object(myzvalue, "from", paddress TSRMLS_CC);
+ 	}
+@@ -3966,10 +4012,9 @@
+ 	if (en->cc) {
+ 		MAKE_STD_ZVAL(paddress);
+ 		array_init(paddress);
+-		_php_imap_parse_address(en->cc, &fulladdress, paddress TSRMLS_CC);
++		fulladdress = _php_imap_parse_address(en->cc, paddress TSRMLS_CC);
+ 		if (fulladdress) {
+-			add_property_string(myzvalue, "ccaddress", fulladdress, 1);
+-			free(fulladdress);
++			add_property_string(myzvalue, "ccaddress", fulladdress, 0);
+ 		}
+ 		add_assoc_object(myzvalue, "cc", paddress TSRMLS_CC);
+ 	}
+@@ -3977,10 +4022,9 @@
+ 	if (en->bcc) {
+ 		MAKE_STD_ZVAL(paddress);
+ 		array_init(paddress);
+-		_php_imap_parse_address(en->bcc, &fulladdress, paddress TSRMLS_CC);
++		fulladdress = _php_imap_parse_address(en->bcc, paddress TSRMLS_CC);
+ 		if (fulladdress) {
+-			add_property_string(myzvalue, "bccaddress", fulladdress, 1);
+-			free(fulladdress);
++			add_property_string(myzvalue, "bccaddress", fulladdress, 0);
+ 		}
+ 		add_assoc_object(myzvalue, "bcc", paddress TSRMLS_CC);
+ 	}
+@@ -3988,10 +4032,9 @@
+ 	if (en->reply_to) {
+ 		MAKE_STD_ZVAL(paddress);
+ 		array_init(paddress);
+-		_php_imap_parse_address(en->reply_to, &fulladdress, paddress TSRMLS_CC);
++		fulladdress = _php_imap_parse_address(en->reply_to, paddress TSRMLS_CC);
+ 		if (fulladdress) {
+-			add_property_string(myzvalue, "reply_toaddress", fulladdress, 1);
+-			free(fulladdress);
++			add_property_string(myzvalue, "reply_toaddress", fulladdress, 0);
+ 		}
+ 		add_assoc_object(myzvalue, "reply_to", paddress TSRMLS_CC);
+ 	}
+@@ -3999,10 +4042,9 @@
+ 	if (en->sender) {
+ 		MAKE_STD_ZVAL(paddress);
+ 		array_init(paddress);
+-		_php_imap_parse_address(en->sender, &fulladdress, paddress TSRMLS_CC);
++		fulladdress = _php_imap_parse_address(en->sender, paddress TSRMLS_CC);
+ 		if (fulladdress) {
+-			add_property_string(myzvalue, "senderaddress", fulladdress, 1);
+-			free(fulladdress);
++			add_property_string(myzvalue, "senderaddress", fulladdress, 0);
+ 		}
+ 		add_assoc_object(myzvalue, "sender", paddress TSRMLS_CC);
+ 	}
+@@ -4010,10 +4052,9 @@
+ 	if (en->return_path) {
+ 		MAKE_STD_ZVAL(paddress);
+ 		array_init(paddress);
+-		_php_imap_parse_address(en->return_path, &fulladdress, paddress TSRMLS_CC);
++		fulladdress = _php_imap_parse_address(en->return_path, paddress TSRMLS_CC);
+ 		if (fulladdress) {
+-			add_property_string(myzvalue, "return_pathaddress", fulladdress, 1);
+-			free(fulladdress);
++			add_property_string(myzvalue, "return_pathaddress", fulladdress, 0);
+ 		}
+ 		add_assoc_object(myzvalue, "return_path", paddress TSRMLS_CC);
+ 	}
--- imap-5.2.6_2-to-5.2.6_3-fix-cve-2008-2829.diff ends here ---

I assume that they will all go in in one shot, so the following VuXML
entries use 5.2.6_3 as the first version in which the issues are fixed.
--- cve-2008-2829.xml begins here ---
  <vuln vid="">
    <topic>PHP 5.x -- Denial of Service and possible arbitrary code execution in the IMAP extension</topic>
    <affects>
      <package>
	<name>php5-imap</name>
	<range><lt>5.2.6_3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Entry for CVE-2008-2829 says:</p>
	<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2829">
	<p>php_imap.c in PHP 5.2.5, 5.2.6, 4.x, and other versions, uses
	obsolete API calls that allow context-dependent attackers to
	cause a denial of service (crash) and possibly execute arbitrary
	code via a long IMAP request, which triggers an "rfc822.c legacy
	routine buffer overflow" error message.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-2829</cvename>
      <url>http://bugs.php.net/bug.php?id=42862</url>
      <url>http://bugs.php.net/bug.php?id=40925</url>
      <url>http://cvs.php.net/viewvc.cgi/php-src/ext/imap/php_imap.c?view=log#rev1.260</url>
    </references>
    <dates>
      <discovery>2008-06-19</discovery>
    </dates>
  </vuln>
--- cve-2008-2829.xml ends here ---

--- cve-2008-3659.xml begins here ---
  <vuln vid="">
    <topic>PHP 5.x -- buffer overflow in the memnstr()</topic>
    <affects>
      <package>
	<name>php5</name>
	<range><lt>5.2.6_3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Entry for CVE-2008-3659 says:</p>
	<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659">
	<p>Buffer overflow in the memnstr function in PHP 4.4.x before
	4.4.9 and PHP 5.6 through 5.2.6 allows context-dependent
	attackers to cause a denial of service (crash) and possibly
	execute arbitrary code via the delimiter argument to the explode
	function.</p>
	<p>NOTE: the scope of this issue is limited since most
	applications would not use an attacker-controlled delimiter, but
	local attacks against safe_mode are feasible.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-3659</cvename>
      <url>http://news.php.net/php.cvs/52002</url>
      <url>http://www.openwall.com/lists/oss-security/2008/08/08/2</url>
    </references>
    <dates>
      <discovery>2008-08-05</discovery>
    </dates>
  </vuln>
--- cve-2008-3659.xml ends here ---
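The memnstr guard in the patch above, exercised through an explode()-style caller, as an added C example that is not part of this PR or of PHP. The first `if` is the check the hunk adds; the `needle_len <= 0` clause is an extra assumption made here (the hunk does not add it), and the search loop below the guard is reconstructed to match the shape of the 5.2.6 function rather than copied from the page, so treat it as illustrative. The inputs are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Bounded substring search in the shape of Zend's zend_memnstr():
 * `end` points one past the last byte of the haystack. The guard is the
 * CVE-2008-3659 fix; the needle_len <= 0 clause is an assumption added in
 * this example because the next line reads needle[needle_len-1]. */
char *zend_memnstr(const char *haystack, const char *needle, int needle_len, const char *end)
{
    const char *p = haystack;
    char ne;

    if (needle_len <= 0 || needle_len > end - haystack) {
        return NULL;            /* needle cannot fit: never move end before haystack */
    }
    ne = needle[needle_len - 1];
    end -= needle_len;          /* last position at which the needle could start */

    while (p <= end) {
        /* jump to the next candidate first byte, then check the last byte */
        if ((p = memchr(p, *needle, (size_t)(end - p + 1))) && ne == p[needle_len - 1]) {
            if (!memcmp(needle, p, needle_len - 1)) {
                return (char *)p;
            }
        }
        if (p == NULL) {
            return NULL;
        }
        p++;
    }
    return NULL;
}

/* Offset of the first match, or -1; a wrapper so results can be checked by value. */
long memnstr_offset(const char *haystack, const char *needle)
{
    char *hit = zend_memnstr(haystack, needle, (int)strlen(needle), haystack + strlen(haystack));
    return hit ? (long)(hit - haystack) : -1L;
}

/* Number of pieces explode($delim, $str) would yield, driven by the same
 * search: with a delimiter longer than the subject (the CVE's
 * attacker-controlled-delimiter case) the guard returns NULL at once and
 * the whole string is a single piece. */
int explode_count(const char *str, const char *delim)
{
    const char *end = str + strlen(str);
    const char *p = str;
    int delim_len = (int)strlen(delim);
    int pieces = 1;
    const char *hit;

    if (delim_len == 0) {
        return -1;              /* PHP's explode() rejects an empty delimiter */
    }
    while ((hit = zend_memnstr(p, delim, delim_len, end)) != NULL) {
        pieces++;
        p = hit + delim_len;
    }
    return pieces;
}
```

The interesting call is explode_count("ab", "abcdef"): before the guard, `end -= needle_len` would be evaluated with a needle longer than the remaining haystack; with it, the search is refused before any pointer arithmetic on `end`.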

--- cve-2008-3660.xml begins here ---
  <vuln vid="">
    <topic>PHP 5.x -- Denial of Service in the FastCGI mode</topic>
    <affects>
      <package>
	<name>php5</name>
	<range><lt>5.2.6_3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Entry for CVE-2008-3660 says:</p>
	<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660">
	<p>PHP 4.4.x before 4.4.9 and PHP 5.6 through 5.2.6, when used
	as a FastCGI module, allows remote attackers to cause a denial
	of service (crash) via a request with multiple dots preceding
	the extension, as demonstrated using foo..php.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-3660</cvename>
      <url>http://news.php.net/php.cvs/51129</url>
      <url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499987</url>
    </references>
    <dates>
      <discovery>2008-07-15</discovery>
    </dates>
  </vuln>
--- cve-2008-3660.xml ends here ---
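The behavioural difference between the check PHP 5.2.6 shipped with and the is_valid_path() introduced by the CVE-2008-3660 patch above, as an added C example that is not part of this PR or of PHP: the patched function is transcribed from the hunk, the old check is the one-line strstr test it replaces, and the sample paths and the '/'-only IS_SLASH are assumptions made here.

```c
#include <stdio.h>
#include <string.h>

/* Assumption for this example: a POSIX build, so only '/' separates
 * path components. The patch's IS_SLASH macro also treats '\\' as a
 * separator on Windows builds. */
#define IS_SLASH(c) ((c) == '/')

/* The test PHP 5.2.6 shipped with: refuse any translated path that
 * contains the byte sequence "..", even inside a file name.
 * Returns 1 when the path would be accepted. */
int old_check_accepts(const char *path)
{
    return path != NULL && strstr(path, "..") == NULL;
}

/* The test from the CVE-2008-3660 patch, transcribed for stand-alone use:
 * refuse the path only when ".." is a complete component, that is at the
 * start or right after a slash, and followed by end-of-string or a slash.
 * Returns 1 when the path is accepted, 0 when it is refused. */
int is_valid_path(const char *path)
{
    const char *p;

    if (!path) {
        return 0;
    }
    p = strstr(path, "..");
    if (p) {
        if ((p == path || IS_SLASH(*(p - 1))) &&
            (*(p + 2) == 0 || IS_SLASH(*(p + 2)))) {
            return 0;
        }
        while (1) {
            p = strstr(p + 1, "..");
            if (!p) {
                break;
            }
            if (IS_SLASH(*(p - 1)) &&
                (*(p + 2) == 0 || IS_SLASH(*(p + 2)))) {
                return 0;
            }
        }
    }
    return 1;
}

/* Constructed sample of translated paths (not taken from the PR). */
struct sample {
    const char *path;
    int old_expect;   /* what the 5.2.6 check returns */
    int new_expect;   /* what the patched check returns */
};

static const struct sample SAMPLES[] = {
    { "/var/www/foo..php",        0, 1 },  /* the request named in the CVE */
    { "/var/www/a..b/index.php",  0, 1 },
    { "/var/www/.../x.php",       0, 1 },  /* "..." is not a ".." component */
    { "/var/www/../etc/passwd",   0, 0 },  /* a real traversal component */
    { "../index.php",             0, 0 },
    { "/var/www/..",              0, 0 },
    { "/var/www/index.php",       1, 1 },
};
#define NSAMPLES (sizeof SAMPLES / sizeof SAMPLES[0])

/* Runs both checks over the sample set and returns how many paths behaved
 * as expected under both; a full score is NSAMPLES (7). */
int run_samples(void)
{
    size_t i;
    int ok = 0;

    for (i = 0; i < NSAMPLES; i++) {
        int o = old_check_accepts(SAMPLES[i].path);
        int n = is_valid_path(SAMPLES[i].path);
        if (o == SAMPLES[i].old_expect && n == SAMPLES[i].new_expect) {
            ok++;
        }
        printf("%-28s old=%d new=%d\n", SAMPLES[i].path, o, n);
    }
    return ok;
}

int main(void)
{
    int ok = run_samples();
    printf("%d of %d samples as expected\n", ok, (int)NSAMPLES);
    return ok == (int)NSAMPLES ? 0 : 1;
}
```

The first three samples are the ones that flip: a ".." embedded in a file name was refused by the old substring test and is served by the new one, while every path containing a genuine ".." component is refused by both.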
>Release-Note:
>Audit-Trail:
>Unformatted:


