php5: CVE-2015-4604 CVE-2015-4605

Debian Bug report logs - #783099
Reported by: Henri Salo <henri@nerv.fi>

Date: Wed, 22 Apr 2015 08:39:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Merged with 783107

Found in version php5/5.6.7+dfsg-1

Fixed in versions php5/5.6.9+dfsg-0+deb8u1, php5/5.6.9+dfsg-1, php5/5.4.41-0+deb7u1, 5.6.9+dfsg-1

Done: Lior Kaplan <kaplanlior@gmail.com>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#783099; Package src:php5. (Wed, 22 Apr 2015 08:39:06 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 22 Apr 2015 08:39:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: php5: Fileinfo on specific file causes spurious OOM and/or segfault
Date: Wed, 22 Apr 2015 11:35:45 +0300
Source: php5
Version: 5.6.7+dfsg-1
Severity: grave
Tags: security, upstream, fixed-upstream

Hi,

the following vulnerability was published for PHP5,

"""
When calling finfo::file() or finfo::buffer() with a crafted string, PHP will
crash by either segfaulting or trying to allocate a large amount of memory
(4GiB).

This was found in the wild when a user uploaded a file (running finfo on
arbitrary files uploaded by users is one of its main use cases). I've since
anonymised the file, and made it more minimal. At this stage, very small changes
to the string make it produce different behaviour - removing the remaining 'a',
's', or 'y' characters, for instance, will allow finfo to process it fine.
"""

For further information see:
  https://bugs.php.net/bug.php?id=68819
  https://git.php.net/?p=php-src.git;a=commitdiff;h=f938112c495b0d26572435c0be73ac0bfe642ecd

-- 
Henri Salo



Bug 783099 cloned as bugs 783107, 783108. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Wed, 22 Apr 2015 10:21:11 GMT)


Merged 783099 783107. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 22 Apr 2015 13:12:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#783099; Package src:php5. (Thu, 23 Apr 2015 07:33:08 GMT)


Acknowledgement sent to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 23 Apr 2015 07:33:08 GMT)


Message #14 received at 783099@bugs.debian.org:

From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
To: Henri Salo <henri@nerv.fi>, 783099@bugs.debian.org
Subject: Re: Bug#783099: php5: Fileinfo on specific file causes spurious OOM and/or segfault
Date: Thu, 23 Apr 2015 09:23:47 +0200
tags 783099 unreproducible
thanks

Henri Salo wrote...

> When calling finfo::file() or finfo::buffer() with a crafted string, PHP will
> crash by either segfaulting or trying to allocate a large amount of memory
> (4GiB).
(...)
>   https://git.php.net/?p=php-src.git;a=commitdiff;h=f938112c495b0d26572435c0be73ac0bfe642ecd

What kind of alert is this?

* "Saw this, just forwarding, your job"
* "Tried a few things, file seems to be robust, thought you might be
  interested anyway"
* "It's vulnerable, reproducer attached/available upon request"

So assuming the first:

Using the reproducer generators I was indeed able to segfault
php5 in wheezy (both) and jessie (001 only) every time - not
squeeze-lts though. However, running the file program against a dump
of any generated file worked flawlessly. In fact, I couldn't trigger
a segfault in any upstream release I've tested between 5.04 and 5.22.

According to the patch php5 applied this seems to be a duplicate of
CVE-2014-3538 which is fixed in all Debian versions of the file
package. However, testing upstream commits around the fix
(FILE5_18-69-g4a284c8g) still shows no abnormal behaviour. Also,
php5 did fix this issue last year, too. However the softmagic.c file
differs between file and php5 anyway so it might be a pure php5
problem.

If you have different information, please submit in due course.

    Christoph

Added tag(s) unreproducible. Request was from Christoph Biedl <debian.axhn@manchmal.in-ulm.de> to control@bugs.debian.org. (Thu, 23 Apr 2015 07:33:15 GMT)


Removed tag(s) unreproducible. Request was from Christoph Biedl <debian.axhn@manchmal.in-ulm.de> to control@bugs.debian.org. (Thu, 23 Apr 2015 07:45:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#783099; Package src:php5. (Thu, 23 Apr 2015 14:09:04 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 23 Apr 2015 14:09:04 GMT)


Message #23 received at 783099@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Cc: 783099@bugs.debian.org
Subject: Re: Bug#783099: php5: Fileinfo on specific file causes spurious OOM and/or segfault
Date: Thu, 23 Apr 2015 17:06:10 +0300
I reported this issue to Debian BTS to notify package maintainers and in the
long run trying to get security issues fixed. Maintainers are not always
following security issues in upstream and so on (not saying this about PHP). I
verified that the segfault condition occurred and did not do more detailed
analysis of the issue. If there is no security issue in PHP with the poc we can
close this bug.

-- 
Henri Salo



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#783099; Package src:php5. (Fri, 24 Apr 2015 08:36:21 GMT)


Acknowledgement sent to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Fri, 24 Apr 2015 08:36:21 GMT)


Message #28 received at 783099@bugs.debian.org:

From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
To: Henri Salo <henri@nerv.fi>
Cc: 783099@bugs.debian.org
Subject: Re: Bug#783099: php5: Fileinfo on specific file causes spurious OOM and/or segfault
Date: Fri, 24 Apr 2015 10:35:33 +0200
Henri Salo wrote...

> I reported this issue to Debian BTS to notify package maintainers and in the
> long run trying to get security issues fixed. Maintainers are not always
> following security issues in upstream and so on (not saying this about PHP). I

This is appreciated but a short report about what has been done so far
helps the maintainer to organize the next steps. Even if it's just an
"I didn't take a closer look so it might be a non-issue".

> verified that the segfault condition occurred and did not do more detailed
> analysis of the issue. If there is no security issue in PHP with the poc we can
> close this bug.

The crucial question is: Did you verify this in php5 or in file?

Repeating myself another time, just in other words:

* php5 certainly is affected.
* file: I cannot see that. Neither from the source code nor from
  the reproducers that segfault php.

However, I can be convinced otherwise. Just provide a reproducer.

    Christoph

Marked as fixed in versions php5/5.6.9+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 12 Jun 2015 05:39:09 GMT)


Marked as fixed in versions php5/5.6.9+dfsg-0+deb8u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 12 Jun 2015 05:39:11 GMT)


Marked as fixed in versions php5/5.4.41-0+deb7u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 12 Jun 2015 05:39:13 GMT)


Changed Bug title to 'php5: CVE-2015-4604 CVE-2015-4605' from 'php5: Fileinfo on specific file causes spurious OOM and/or segfault'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 17 Jun 2015 07:21:08 GMT)


Reply sent to Lior Kaplan <kaplanlior@gmail.com>:
You have taken responsibility. (Mon, 17 Aug 2015 11:45:04 GMT)


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Mon, 17 Aug 2015 11:45:04 GMT)


Message #41 received at 783099-done@bugs.debian.org:

From: Lior Kaplan <kaplanlior@gmail.com>
To: 783099-done@bugs.debian.org
Subject: Fixed
Date: Mon, 17 Aug 2015 13:41:56 +0200
Version: 5.6.9+dfsg-1

This issue has been fixed for unstable, testing, stable and oldstable.
Closing the bug.

Reply sent to Lior Kaplan <kaplanlior@gmail.com>:
You have taken responsibility. (Mon, 17 Aug 2015 11:45:05 GMT)


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Mon, 17 Aug 2015 11:45:05 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 18 Feb 2016 07:26:32 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:12:23 2019; Machine Name: beach