ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6
Eygene Ryabinkin
rea-fbsd at codelabs.ru
Tue Nov 18 02:40:01 PST 2008
>Number: 128956
>Category: ports
>Synopsis: [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Nov 18 10:40:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE amd64
>Description:
There are several vulnerabilities in the stock PHP 5.2.6 that were silently
fixed in CVS after 5.2.6 was released.
>How-To-Repeat:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2829
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660
>Fix:
The following patches should fix all three issues. I have tested them
mildly in my setups.
--- 5.2.6_2-to-5.2.6_3-fix-cve-2008-3659.3660.diff begins here ---
diff -urN ./Makefile ../php5/Makefile
--- ./Makefile 2008-11-18 11:49:16.000000000 +0300
+++ ../php5/Makefile 2008-11-18 11:49:27.000000000 +0300
@@ -7,7 +7,7 @@
PORTNAME= php5
PORTVERSION= 5.2.6
-PORTREVISION?= 2
+PORTREVISION?= 3
CATEGORIES?= lang devel www
MASTER_SITES= ${MASTER_SITE_PHP}
MASTER_SITE_SUBDIR= distributions
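Review bot: the PORTREVISION bump in this hunk touches lang/php5 only, while the CVE-2008-2829 patch further down is placed in ../php5-imap/files; please confirm that the php5-imap package also comes out as 5.2.6_3, because the cve-2008-2829.xml entry uses `<lt>5.2.6_3</lt>` for php5-imap and would otherwise name a version that never exists for that package.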
diff -urN ./files/patch-CVE-2008-3659 ../php5/files/patch-CVE-2008-3659
--- ./files/patch-CVE-2008-3659 1970-01-01 03:00:00.000000000 +0300
+++ ../php5/files/patch-CVE-2008-3659 2008-11-18 11:49:55.000000000 +0300
@@ -0,0 +1,27 @@
+Patch for CVE-2008-3659.
+
+Obtained from: http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_operators.h?r1=1.94.2.4.2.11&r2=1.94.2.4.2.12&view=patch
+See also: http://news.php.net/php.cvs/52002
+See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659
+
+--- Zend/zend_operators.h 2007/12/31 07:20:03 1.94.2.4.2.11
++++ Zend/zend_operators.h 2008/08/05 20:11:17 1.94.2.4.2.12
+@@ -17,7 +17,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: zend_operators.h,v 1.94.2.4.2.11 2007/12/31 07:20:03 sebastian Exp $ */
++/* $Id: zend_operators.h,v 1.94.2.4.2.12 2008/08/05 20:11:17 stas Exp $ */
+
+ #ifndef ZEND_OPERATORS_H
+ #define ZEND_OPERATORS_H
+@@ -220,6 +220,9 @@
+ char *p = haystack;
+ char ne = needle[needle_len-1];
+
++ if(needle_len > end-haystack) {
++ return NULL;
++ }
+ end -= needle_len;
+
+ while (p <= end) {
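Review bot: the new `if(needle_len > end-haystack)` guard sits after `char ne = needle[needle_len-1];`, so a zero-length needle would still read needle[-1] before the guard runs; if any caller can reach zend_memnstr with needle_len == 0, reject that case first, otherwise document the precondition next to the guard. Style nit: `if(` drops the space that `while (` uses in the same function.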
diff -urN ./files/patch-CVE-2008-3660 ../php5/files/patch-CVE-2008-3660
--- ./files/patch-CVE-2008-3660 1970-01-01 03:00:00.000000000 +0300
+++ ../php5/files/patch-CVE-2008-3660 2008-11-18 12:15:23.000000000 +0300
@@ -0,0 +1,82 @@
+Patch for CVE-2008-3660
+
+Obtained from: http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/cgi_main.c?r1=1.267.2.15.2.57&r2=1.267.2.15.2.58&view=patch
+See also: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660
+See also: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499987
+Notes: removed 'Id' hunk and reapplied this patch for the php-5.2.6
+
+--- sapi/cgi/cgi_main.c.orig 2008-04-09 13:16:40.000000000 +0400
++++ sapi/cgi/cgi_main.c 2008-11-18 12:08:10.000000000 +0300
+@@ -765,6 +765,39 @@
+ }
+ /* }}} */
+
++/* {{{ is_valid_path
++ *
++ * some server configurations allow '..' to slip through in the
++ * translated path. We'll just refuse to handle such a path.
++ */
++static int is_valid_path(const char *path)
++{
++ const char *p;
++
++ if (!path) {
++ return 0;
++ }
++ p = strstr(path, "..");
++ if (p) {
++ if ((p == path || IS_SLASH(*(p-1))) &&
++ (*(p+2) == 0 || IS_SLASH(*(p+2)))) {
++ return 0;
++ }
++ while (1) {
++ p = strstr(p+1, "..");
++ if (!p) {
++ break;
++ }
++ if (IS_SLASH(*(p-1)) &&
++ (*(p+2) == 0 || IS_SLASH(*(p+2)))) {
++ return 0;
++ }
++ }
++ }
++ return 1;
++}
++/* }}} */
++
+ /* {{{ init_request_info
+
+ initializes request_info structure
+@@ -1061,9 +1094,7 @@
+ if (pt) {
+ efree(pt);
+ }
+- /* some server configurations allow '..' to slip through in the
+- translated path. We'll just refuse to handle such a path. */
+- if (script_path_translated && !strstr(script_path_translated, "..")) {
++ if (is_valid_path(script_path_translated)) {
+ SG(request_info).path_translated = estrdup(script_path_translated);
+ }
+ } else {
+@@ -1094,9 +1125,7 @@
+ } else {
+ SG(request_info).request_uri = env_script_name;
+ }
+- /* some server configurations allow '..' to slip through in the
+- translated path. We'll just refuse to handle such a path. */
+- if (script_path_translated && !strstr(script_path_translated, "..")) {
++ if (is_valid_path(script_path_translated)) {
+ SG(request_info).path_translated = estrdup(script_path_translated);
+ }
+ free(real_path);
+@@ -1114,9 +1143,7 @@
+ script_path_translated = env_path_translated;
+ }
+ #endif
+- /* some server configurations allow '..' to slip through in the
+- translated path. We'll just refuse to handle such a path. */
+- if (script_path_translated && !strstr(script_path_translated, "..")) {
++ if (is_valid_path(script_path_translated)) {
+ SG(request_info).path_translated = estrdup(script_path_translated);
+ }
+ #if ENABLE_PATHINFO_CHECK
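Review bot: the patch header's Notes line only records that the Id hunk was removed; it should also say why the blanket `!strstr(script_path_translated, "..")` test is replaced, namely that it refused any file name containing two consecutive dots (the foo..php case from the CVE text) and `is_valid_path()` now rejects only a `..` that forms a whole path component (bounded by a slash or the string boundary on each side). A one-line comment in the loop would also help: it tests only `IS_SLASH(*(p-1))` because after `strstr(p+1, "..")` p can no longer equal path, so reading p-1 is in bounds.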
--- 5.2.6_2-to-5.2.6_3-fix-cve-2008-3659.3660.diff ends here ---
--- imap-5.2.6_2-to-5.2.6_3-fix-cve-2008-2829.diff begins here ---
diff -urN ./files/patch-CVE-2008-2829 ../php5-imap/files/patch-CVE-2008-2829
--- ./files/patch-CVE-2008-2829 1970-01-01 03:00:00.000000000 +0300
+++ ../php5-imap/files/patch-CVE-2008-2829 2008-11-18 13:20:19.000000000 +0300
@@ -0,0 +1,282 @@
+Fix for CVE-2008-2829
+
+Obtained from: http://cvs.php.net/viewvc.cgi/php-src/ext/imap/php_imap.c?r1=1.259&r2=1.260&view=patch
+Notes: reapplied to php-5.6.2, skipped 'Id' hunk and modified hunk marked
+ '-3213,7 +3214,7'.
+
+--- php_imap.c.orig 2008-04-17 15:04:49.000000000 +0400
++++ php_imap.c 2008-11-18 13:03:02.000000000 +0300
+@@ -40,6 +40,7 @@
+ #include "ext/standard/php_string.h"
+ #include "ext/standard/info.h"
+ #include "ext/standard/file.h"
++#include "ext/standard/php_smart_str.h"
+
+ #ifdef ERROR
+ #undef ERROR
+@@ -66,10 +67,11 @@
+ #define SENDBUFLEN 16385
+ #endif
+
++
+ static void _php_make_header_object(zval *myzvalue, ENVELOPE *en TSRMLS_DC);
+ static void _php_imap_add_body(zval *arg, BODY *body TSRMLS_DC);
+-static void _php_imap_parse_address(ADDRESS *addresslist, char **fulladdress, zval *paddress TSRMLS_DC);
+-static int _php_imap_address_size(ADDRESS *addresslist);
++static char* _php_imap_parse_address(ADDRESS *addresslist, zval *paddress TSRMLS_DC);
++static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC);
+
+ /* the gets we use */
+ static char *php_mail_gets(readfn_t f, void *stream, unsigned long size, GETS_DATA *md);
+@@ -2109,7 +2111,7 @@
+ {
+ zval **mailbox, **host, **personal;
+ ADDRESS *addr;
+- char string[MAILTMPLEN];
++ char *string;
+
+ if (ZEND_NUM_ARGS() != 3 || zend_get_parameters_ex(3, &mailbox, &host, &personal) == FAILURE) {
+ ZEND_WRONG_PARAM_COUNT();
+@@ -2137,13 +2139,12 @@
+ addr->error=NIL;
+ addr->adl=NIL;
+
+- if (_php_imap_address_size(addr) >= MAILTMPLEN) {
++ string = _php_rfc822_write_address(addr TSRMLS_CC);
++ if (string) {
++ RETVAL_STRING(string, 0);
++ } else {
+ RETURN_FALSE;
+ }
+-
+- string[0]='\0';
+- rfc822_write_address(string, addr);
+- RETVAL_STRING(string, 1);
+ }
+ /* }}} */
+
+@@ -2873,7 +2874,7 @@
+ zval **streamind, **sequence, **pflags;
+ pils *imap_le_struct;
+ zval *myoverview;
+- char address[MAILTMPLEN];
++ char *address;
+ long status, flags=0L;
+ int myargc = ZEND_NUM_ARGS();
+
+@@ -2908,17 +2909,19 @@
+ if (env->subject) {
+ add_property_string(myoverview, "subject", env->subject, 1);
+ }
+- if (env->from && _php_imap_address_size(env->from) < MAILTMPLEN) {
++ if (env->from) {
+ env->from->next=NULL;
+- address[0] = '\0';
+- rfc822_write_address(address, env->from);
+- add_property_string(myoverview, "from", address, 1);
++ address =_php_rfc822_write_address(env->from TSRMLS_CC);
++ if (address) {
++ add_property_string(myoverview, "from", address, 0);
++ }
+ }
+- if (env->to && _php_imap_address_size(env->to) < MAILTMPLEN) {
++ if (env->to) {
+ env->to->next = NULL;
+- address[0] = '\0';
+- rfc822_write_address(address, env->to);
+- add_property_string(myoverview, "to", address, 1);
++ address = _php_rfc822_write_address(env->to TSRMLS_CC);
++ if (address) {
++ add_property_string(myoverview, "to", address, 0);
++ }
+ }
+ if (env->date) {
+ add_property_string(myoverview, "date", env->date, 1);
+@@ -3858,6 +3861,43 @@
+ /* }}} */
+
+ /* Support Functions */
++
++#ifdef HAVE_RFC822_OUTPUT_ADDRESS_LIST
++/* {{{ _php_rfc822_soutr
++ */
++static long _php_rfc822_soutr (void *stream, char *string)
++{
++ smart_str *ret = (smart_str*)stream;
++ int len = strlen(string);
++
++ smart_str_appendl(ret, string, len);
++ return LONGT;
++}
++
++/* }}} */
++
++/* {{{ _php_rfc822_write_address
++ */
++static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC)
++{
++ char address[MAILTMPLEN];
++ smart_str ret = {0};
++ RFC822BUFFER buf;
++
++ buf.beg = address;
++ buf.cur = buf.beg;
++ buf.end = buf.beg + sizeof(address) - 1;
++ buf.s = &ret;
++ buf.f = _php_rfc822_soutr;
++ rfc822_output_address_list(&buf, addresslist, 0, NULL);
++ rfc822_output_flush(&buf);
++ smart_str_0(&ret);
++ return ret.c;
++}
++/* }}} */
++
++#else
++
+ /* {{{ _php_imap_get_address_size
+ */
+ static int _php_imap_address_size (ADDRESS *addresslist)
+@@ -3887,26 +3927,33 @@
+
+ /* }}} */
+
++/* {{{ _php_rfc822_write_address
++ */
++static char* _php_rfc822_write_address(ADDRESS *addresslist TSRMLS_DC)
++{
++ char address[SENDBUFLEN];
+
++ if (_php_imap_address_size(addresslist) >= SENDBUFLEN) {
++ php_error_docref(NULL TSRMLS_CC, E_ERROR, "Address buffer overflow");
++ return NULL;
++ }
++ address[0] = 0;
++ rfc822_write_address(address, addresslist);
++ return estrdup(address);
++}
++/* }}} */
++#endif
+ /* {{{ _php_imap_parse_address
+ */
+-static void _php_imap_parse_address (ADDRESS *addresslist, char **fulladdress, zval *paddress TSRMLS_DC)
++static char* _php_imap_parse_address (ADDRESS *addresslist, zval *paddress TSRMLS_DC)
+ {
++ char *fulladdress;
+ ADDRESS *addresstmp;
+ zval *tmpvals;
+- char *tmpstr;
+- int len=0;
+
+ addresstmp = addresslist;
+
+- if ((len = _php_imap_address_size(addresstmp))) {
+- tmpstr = (char *) pemalloc(len + 1, 1);
+- tmpstr[0] = '\0';
+- rfc822_write_address(tmpstr, addresstmp);
+- *fulladdress = tmpstr;
+- } else {
+- *fulladdress = NULL;
+- }
++ fulladdress = _php_rfc822_write_address(addresstmp TSRMLS_CC);
+
+ addresstmp = addresslist;
+ do {
+@@ -3918,6 +3965,7 @@
+ if (addresstmp->host) add_property_string(tmpvals, "host", addresstmp->host, 1);
+ add_next_index_object(paddress, tmpvals TSRMLS_CC);
+ } while ((addresstmp = addresstmp->next));
++ return fulladdress;
+ }
+ /* }}} */
+
+@@ -3944,10 +3992,9 @@
+ if (en->to) {
+ MAKE_STD_ZVAL(paddress);
+ array_init(paddress);
+- _php_imap_parse_address(en->to, &fulladdress, paddress TSRMLS_CC);
++ fulladdress = _php_imap_parse_address(en->to, paddress TSRMLS_CC);
+ if (fulladdress) {
+- add_property_string(myzvalue, "toaddress", fulladdress, 1);
+- free(fulladdress);
++ add_property_string(myzvalue, "toaddress", fulladdress, 0);
+ }
+ add_assoc_object(myzvalue, "to", paddress TSRMLS_CC);
+ }
+@@ -3955,10 +4002,9 @@
+ if (en->from) {
+ MAKE_STD_ZVAL(paddress);
+ array_init(paddress);
+- _php_imap_parse_address(en->from, &fulladdress, paddress TSRMLS_CC);
++ fulladdress = _php_imap_parse_address(en->from, paddress TSRMLS_CC);
+ if (fulladdress) {
+- add_property_string(myzvalue, "fromaddress", fulladdress, 1);
+- free(fulladdress);
++ add_property_string(myzvalue, "fromaddress", fulladdress, 0);
+ }
+ add_assoc_object(myzvalue, "from", paddress TSRMLS_CC);
+ }
+@@ -3966,10 +4012,9 @@
+ if (en->cc) {
+ MAKE_STD_ZVAL(paddress);
+ array_init(paddress);
+- _php_imap_parse_address(en->cc, &fulladdress, paddress TSRMLS_CC);
++ fulladdress = _php_imap_parse_address(en->cc, paddress TSRMLS_CC);
+ if (fulladdress) {
+- add_property_string(myzvalue, "ccaddress", fulladdress, 1);
+- free(fulladdress);
++ add_property_string(myzvalue, "ccaddress", fulladdress, 0);
+ }
+ add_assoc_object(myzvalue, "cc", paddress TSRMLS_CC);
+ }
+@@ -3977,10 +4022,9 @@
+ if (en->bcc) {
+ MAKE_STD_ZVAL(paddress);
+ array_init(paddress);
+- _php_imap_parse_address(en->bcc, &fulladdress, paddress TSRMLS_CC);
++ fulladdress = _php_imap_parse_address(en->bcc, paddress TSRMLS_CC);
+ if (fulladdress) {
+- add_property_string(myzvalue, "bccaddress", fulladdress, 1);
+- free(fulladdress);
++ add_property_string(myzvalue, "bccaddress", fulladdress, 0);
+ }
+ add_assoc_object(myzvalue, "bcc", paddress TSRMLS_CC);
+ }
+@@ -3988,10 +4032,9 @@
+ if (en->reply_to) {
+ MAKE_STD_ZVAL(paddress);
+ array_init(paddress);
+- _php_imap_parse_address(en->reply_to, &fulladdress, paddress TSRMLS_CC);
++ fulladdress = _php_imap_parse_address(en->reply_to, paddress TSRMLS_CC);
+ if (fulladdress) {
+- add_property_string(myzvalue, "reply_toaddress", fulladdress, 1);
+- free(fulladdress);
++ add_property_string(myzvalue, "reply_toaddress", fulladdress, 0);
+ }
+ add_assoc_object(myzvalue, "reply_to", paddress TSRMLS_CC);
+ }
+@@ -3999,10 +4042,9 @@
+ if (en->sender) {
+ MAKE_STD_ZVAL(paddress);
+ array_init(paddress);
+- _php_imap_parse_address(en->sender, &fulladdress, paddress TSRMLS_CC);
++ fulladdress = _php_imap_parse_address(en->sender, paddress TSRMLS_CC);
+ if (fulladdress) {
+- add_property_string(myzvalue, "senderaddress", fulladdress, 1);
+- free(fulladdress);
++ add_property_string(myzvalue, "senderaddress", fulladdress, 0);
+ }
+ add_assoc_object(myzvalue, "sender", paddress TSRMLS_CC);
+ }
+@@ -4010,10 +4052,9 @@
+ if (en->return_path) {
+ MAKE_STD_ZVAL(paddress);
+ array_init(paddress);
+- _php_imap_parse_address(en->return_path, &fulladdress, paddress TSRMLS_CC);
++ fulladdress = _php_imap_parse_address(en->return_path, paddress TSRMLS_CC);
+ if (fulladdress) {
+- add_property_string(myzvalue, "return_pathaddress", fulladdress, 1);
+- free(fulladdress);
++ add_property_string(myzvalue, "return_pathaddress", fulladdress, 0);
+ }
+ add_assoc_object(myzvalue, "return_path", paddress TSRMLS_CC);
+ }
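Review bot: in the `#else` fallback of `_php_rfc822_write_address()`, `php_error_docref(NULL TSRMLS_CC, E_ERROR, "Address buffer overflow")` is fatal, so the `return NULL` after it is unreachable and an oversized address still terminates the request (cleanly now, instead of overflowing `address[]`); if a non-fatal failure is intended, E_WARNING plus the existing `return NULL` gives the callers the NULL they already check for. Also, the `Notes:` line reads "reapplied to php-5.6.2", which should be php-5.2.6 as in the other patch headers.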
--- imap-5.2.6_2-to-5.2.6_3-fix-cve-2008-2829.diff ends here ---
I assume that they will all go in at once, so the following VuXML
entries use 5.2.6_3 as the first version in which the issues are fixed.
--- cve-2008-2829.xml begins here ---
<vuln vid="">
<topic>PHP 5.x -- Denial of Service and possible arbitrary code execution in the IMAP extension</topic>
<affects>
<package>
<name>php5-imap</name>
<range><lt>5.2.6_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Entry for CVE-2008-2829 says:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2829">
<p>php_imap.c in PHP 5.2.5, 5.2.6, 4.x, and other versions, uses
obsolete API calls that allow context-dependent attackers to
cause a denial of service (crash) and possibly execute arbitrary
code via a long IMAP request, which triggers an "rfc822.c legacy
routine buffer overflow" error message.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2008-2829</cvename>
<url>http://bugs.php.net/bug.php?id=42862</url>
<url>http://bugs.php.net/bug.php?id=40925</url>
<url>http://cvs.php.net/viewvc.cgi/php-src/ext/imap/php_imap.c?view=log#rev1.260</url>
</references>
<dates>
<discovery>2008-06-19</discovery>
</dates>
</vuln>
--- cve-2008-2829.xml ends here ---
--- cve-2008-3659.xml begins here ---
<vuln vid="">
<topic>PHP 5.x -- buffer overflow in the memnstr()</topic>
<affects>
<package>
<name>php5</name>
<range><lt>5.2.6_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Entry for CVE-2008-3659 says:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659">
<p>Buffer overflow in the memnstr function in PHP 4.4.x before
4.4.9 and PHP 5.6 through 5.2.6 allows context-dependent
attackers to cause a denial of service (crash) and possibly
execute arbitrary code via the delimiter argument to the explode
function.</p>
<p>NOTE: the scope of this issue is limited since most
applications would not use an attacker-controlled delimiter, but
local attacks against safe_mode are feasible.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2008-3659</cvename>
<url>http://news.php.net/php.cvs/52002</url>
<url>http://www.openwall.com/lists/oss-security/2008/08/08/2</url>
</references>
<dates>
<discovery>2008-08-05</discovery>
</dates>
</vuln>
--- cve-2008-3659.xml ends here ---
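As an added illustration of the memnstr fix (this is example code, not the PR's patch or PHP's own source), the following keeps the shape of PHP 5.2's zend_memnstr() with the CVE-2008-3659 length guard and wraps it in an explode()-style field counter; `guarded_memnstr`, `find_delim` and `count_fields` are names chosen here, and the inputs are constructed.

```c
#include <string.h>

/* memnstr-style search for needle in [haystack, end), shaped like PHP 5.2's
 * zend_memnstr(); the length guard is the CVE-2008-3659 fix. */
static char *guarded_memnstr(char *haystack, const char *needle,
                             int needle_len, char *end)
{
    char *p = haystack;
    char ne;

    if (needle_len <= 0) {          /* assumption: an empty needle never matches */
        return NULL;
    }
    ne = needle[needle_len - 1];
    /* The fix: a needle longer than the remaining haystack cannot match, and
     * without this check "end -= needle_len" would move end before haystack. */
    if (needle_len > end - haystack) {
        return NULL;
    }
    end -= needle_len;              /* last position a match can start at */

    while (p <= end) {
        p = (char *)memchr(p, *needle, (size_t)(end - p + 1));
        if (p == NULL) {
            return NULL;
        }
        if (ne == p[needle_len - 1] && memcmp(needle, p, needle_len - 1) == 0) {
            return p;
        }
        p++;
    }
    return NULL;
}

/* Offset of the first occurrence of delim in str, or -1 if absent. */
static long find_delim(const char *str, const char *delim)
{
    char *hit = guarded_memnstr((char *)str, delim, (int)strlen(delim),
                                (char *)str + strlen(str));
    return hit ? (long)(hit - str) : -1L;
}

/* explode()-style split: number of fields str breaks into on delim. */
static int count_fields(const char *str, const char *delim)
{
    const char *p = str, *endp = str + strlen(str);
    int dlen = (int)strlen(delim), n = 1;
    char *hit;
    while ((hit = guarded_memnstr((char *)p, delim, dlen, (char *)endp)) != NULL) {
        n++;
        p = hit + dlen;             /* continue after the delimiter */
    }
    return n;
}
```

A delimiter longer than the string (or than the remainder after the last match) now returns "no match" before any pointer arithmetic is done.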
--- cve-2008-3660.xml begins here ---
<vuln vid="">
<topic>PHP 5.x -- Denial of Service in the FastCGI mode</topic>
<affects>
<package>
<name>php5</name>
<range><lt>5.2.6_3</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Entry for CVE-2008-3660 says:</p>
<blockquote cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660">
<p>PHP 4.4.x before 4.4.9 and PHP 5.6 through 5.2.6, when used
as a FastCGI module, allows remote attackers to cause a denial
of service (crash) via a request with multiple dots preceding
the extension, as demonstrated using foo..php.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2008-3660</cvename>
<url>http://news.php.net/php.cvs/51129</url>
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499987</url>
</references>
<dates>
<discovery>2008-07-15</discovery>
</dates>
</vuln>
--- cve-2008-3660.xml ends here ---
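As an added illustration of the FastCGI path check (example code, not the PR's patch or PHP's cgi_main.c), the old blanket `strstr(path, "..")` test is placed beside a component-wise check with the same logic as the patched `is_valid_path()`, and both are run over constructed sample paths; `old_is_valid_path` and `new_is_valid_path` are names chosen here, and only '/' is treated as a separator.

```c
#include <stdio.h>
#include <string.h>

/* Only '/' separates components here (assumption: POSIX paths); PHP's
 * IS_SLASH also accepts '\\' on Windows builds. */
#define IS_SLASH(c) ((c) == '/')

/* Pre-fix check: any ".." anywhere is refused, so a legitimate file name
 * such as "foo..php" is rejected too (the CVE-2008-3660 denial of service). */
static int old_is_valid_path(const char *path)
{
    return path != NULL && strstr(path, "..") == NULL;
}

/* Post-fix check: refuse only a ".." that is a whole path component, i.e.
 * bounded by a separator or the string boundary on both sides. */
static int new_is_valid_path(const char *path)
{
    const char *p;

    if (!path) {
        return 0;
    }
    /* p == path is only possible on the first hit; later hits start at p + 1,
     * so reading p - 1 stays inside the string. */
    for (p = strstr(path, ".."); p; p = strstr(p + 1, "..")) {
        int bounded_before = (p == path) || IS_SLASH(*(p - 1));
        int bounded_after  = (*(p + 2) == '\0') || IS_SLASH(*(p + 2));
        if (bounded_before && bounded_after) {
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    /* Constructed sample paths: the first is the CVE's foo..php case, the
     * second is a real parent-directory component that must stay refused. */
    static const char *samples[] = {
        "/var/www/foo..php", "/var/www/../conf", "..", "/var/www/.../x",
        "/var/www/dir/..", "foo...php", NULL,
    };
    int i;

    for (i = 0; samples[i]; i++) {
        printf("%-20s old=%d new=%d\n", samples[i],
               old_is_valid_path(samples[i]), new_is_valid_path(samples[i]));
    }
    return 0;
}
```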
>Release-Note:
>Audit-Trail:
>Unformatted: