Debian Bug report logs - #800564
php5: trivial hash complexity DoS attack
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#800564; Package php5-cli. (Wed, 30 Sep 2015 23:30:06 GMT)
Acknowledgement sent to "brian m. carlson" <sandals@crustytoothpaste.net>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 30 Sep 2015 23:30:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: php5-cli
Version: 5.6.13+dfsg-2
Severity: important
Tags: security
PHP uses the DJB "times 33" hash to hash strings in its hash tables,
without the use of any secret key. Hash values are therefore the same
between multiple invocations. As a result, it's trivial to precompute a
set of values that all hash to the same bucket and cause positively
abysmal performance.
If a script accepts untrusted hash keys, such as from JSON input, it is
subject to a DoS attack. PHP implemented the max_input_vars option, but
this is not effective in the general case, especially in the era of
JSON-laden POST requests. Perl, Python, and Ruby have all addressed
their CVEs properly, but PHP has not and as a result is still
vulnerable.
Cloning my example repository[0] and running
"php scripts/exploited.php < example/1048576.json" demonstrates the
problem very quickly. The similar Perl and Python scripts are not
vulnerable to this attack. A JSON file containing only 65536 entries
takes PHP 5.6 22 seconds to process.
A new CVE should probably be allocated and the bug should be fixed
correctly this time, probably by seeding a key from /dev/urandom and
using SipHash-2-4 or the like.
[0] https://github.com/bk2204/php-hash-dos
-- Package-specific info:
==== Additional PHP 5 information ====
++++ PHP 5 SAPI (php5query -S): ++++
cli
++++ PHP 5 Extensions (php5query -M -v): ++++
pdo (Enabled for cli by maintainer script)
readline (Enabled for cli by maintainer script)
json (Enabled for cli by maintainer script)
opcache (Enabled for cli by maintainer script)
++++ Configuration files: ++++
**** /etc/php5/cli/conf.d/20-json.ini ****
extension=json.so
**** /etc/php5/cli/conf.d/05-opcache.ini ****
zend_extension=opcache.so
**** /etc/php5/cli/conf.d/10-pdo.ini ****
extension=pdo.so
**** /etc/php5/cli/conf.d/20-readline.ini ****
extension=readline.so
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=es_US.UTF-8, LC_CTYPE=es_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
-- no debconf information
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
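As an added illustration (not code from the bug report, its linked repository, or PHP itself) of the two hashes the report contrasts: PHP 5's unkeyed DJBX33A string hash, whose value for a given key is identical in every process, beside SipHash-2-4 under a per-process key read from /dev/urandom, the fix the report proposes. The sample key name is constructed; the known-answer vector is the one published with SipHash.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PHP 5's zend_inline_hash_func (DJB "times 33", truncated to 32 bits here):
 * no secret is mixed in, so a key's bucket can be predicted offline. */
uint32_t djbx33a(const char *s, size_t len) {
    uint32_t h = 5381;
    while (len--) h = ((h << 5) + h) + (unsigned char)*s++;
    return h;
}
#define ROTL(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do { \
    v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32); \
    v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2; \
    v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0; \
    v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32); } while (0)
/* little-endian 64-bit load */
static uint64_t le64(const unsigned char *p) { uint64_t v = 0; for (int i = 7; i >= 0; i--) v = (v << 8) | p[i]; return v; }
/* SipHash-2-4 of m[0..len) under the 128-bit key k (Aumasson and Bernstein). */
uint64_t siphash24(const unsigned char k[16], const unsigned char *m, size_t len) {
    uint64_t k0 = le64(k), k1 = le64(k + 8);
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0, v1 = 0x646f72616e646f6dULL ^ k1;
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0, v3 = 0x7465646279746573ULL ^ k1;
    size_t i = 0;
    for (; i + 8 <= len; i += 8) {            /* full 8-byte words */
        uint64_t mi = le64(m + i);
        v3 ^= mi; SIPROUND; SIPROUND; v0 ^= mi;
    }
    uint64_t last = (uint64_t)len << 56;       /* tail bytes plus length byte */
    for (size_t j = 0; i + j < len; j++) last |= (uint64_t)m[i + j] << (8 * j);
    v3 ^= last; SIPROUND; SIPROUND; v0 ^= last;
    v2 ^= 0xff; SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Known-answer input from the SipHash paper: key 00..0f, message 00..(len-1). */
uint64_t siphash24_kat(size_t len) {
    unsigned char k[16], m[16];
    for (int i = 0; i < 16; i++) k[i] = m[i] = (unsigned char)i;
    return siphash24(k, m, len);
}
int main(void) {
    unsigned char key[16];
    FILE *f = fopen("/dev/urandom", "rb");     /* per-process secret, as the report proposes */
    size_t n = f ? fread(key, 1, 16, f) : 0;
    if (f) fclose(f);
    if (n != 16 || siphash24_kat(15) != 0xa129ca6149be45e5ULL) return 1;
    const char *s = "user_id";                 /* constructed sample hash key */
    printf("djbx33a(\"%s\")   = %u (identical in every run)\n", s, djbx33a(s, strlen(s)));
    printf("siphash24(\"%s\") = %016llx (changes with the process key)\n", s,
           (unsigned long long)siphash24(key, (const unsigned char *)s, strlen(s)));
    return 0;
}
```

Run it twice: the DJBX33A value never moves, while the SipHash value does, which is exactly the property that prevents an offline precomputed collision set from being reused against every server.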
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#800564; Package php5-cli. (Fri, 02 Oct 2015 12:39:04 GMT)
Acknowledgement sent to "brian m. carlson" <sandals@crustytoothpaste.net>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Fri, 02 Oct 2015 12:39:04 GMT)
Message #10 received at 800564@bugs.debian.org:
On Wed, Sep 30, 2015 at 11:27:39PM +0000, brian m. carlson wrote:
> Package: php5-cli
> Version: 5.6.13+dfsg-2
> Severity: important
> Tags: security
>
> PHP uses the DJB "times 33" hash to hash strings in its hash tables,
> without the use of any secret key. Hash values are therefore the same
> between multiple invocations. As a result, it's trivial to precompute a
> set of values that all hash to the same bucket and cause positively
> abysmal performance.
>
> If a script accepts untrusted hash keys, such as from JSON input, it is
> subject to a DoS attack. PHP implemented the max_input_vars option, but
> this is not effective in the general case, especially in the era of
> JSON-laden POST requests. Perl, Python, and Ruby have all addressed
> their CVEs properly, but PHP has not and as a result is still
> vulnerable.
It was pointed out to me that I should mention which CVEs apply here for
reference.
Python had CVE-2012-1150 and CVE-2013-7040. Ruby had CVE-2011-4815. I
can't find a CVE for Perl's 2003 fix, if one exists. The fix, which
went into 5.8, was incomplete and was addressed by CVE-2013-1667.
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#800564; Package php5-cli. (Sun, 04 Oct 2015 19:57:11 GMT)
Acknowledgement sent to Ondřej Surý <ondrej@sury.org>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sun, 04 Oct 2015 19:57:11 GMT)
Message #15 received at 800564@bugs.debian.org:
Hi Brian,
did you already report this to PHP security or should I do that?
Cheers,
Ondrej
On Fri, Oct 2, 2015, at 14:37, brian m. carlson wrote:
> On Wed, Sep 30, 2015 at 11:27:39PM +0000, brian m. carlson wrote:
> > Package: php5-cli
> > Version: 5.6.13+dfsg-2
> > Severity: important
> > Tags: security
> >
> > PHP uses the DJB "times 33" hash to hash strings in its hash tables,
> > without the use of any secret key. Hash values are therefore the same
> > between multiple invocations. As a result, it's trivial to precompute a
> > set of values that all hash to the same bucket and cause positively
> > abysmal performance.
> >
> > If a script accepts untrusted hash keys, such as from JSON input, it is
> > subject to a DoS attack. PHP implemented the max_input_vars option, but
> > this is not effective in the general case, especially in the era of
> > JSON-laden POST requests. Perl, Python, and Ruby have all addressed
> > their CVEs properly, but PHP has not and as a result is still
> > vulnerable.
>
> It was pointed out to me that I should mention which CVEs apply here for
> reference.
>
> Python had CVE-2012-1150 and CVE-2013-7040. Ruby had CVE-2011-4815. I
> can't find a CVE for Perl's 2003 fix, if one exists. The fix, which
> went into 5.8, was incomplete and was addressed by CVE-2013-1667.
--
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#800564; Package php5-cli. (Sun, 04 Oct 2015 22:24:04 GMT)
Acknowledgement sent to "brian m. carlson" <sandals@crustytoothpaste.net>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sun, 04 Oct 2015 22:24:04 GMT)
Message #20 received at 800564@bugs.debian.org:
On Sun, Oct 04, 2015 at 09:55:43PM +0200, Ondřej Surý wrote:
> Hi Brian,
>
> did you already report this to PHP security or should I do that?
You should probably do that. I didn't contact PHP Security or the
Debian Security Team because I expect that due to similar
vulnerabilities in other languages, any attacker already knows about
this and can exploit it with minimal effort. Secrecy doesn't therefore
benefit anyone, so I just filed a bug.
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#800564; Package php5-cli. (Sun, 04 Oct 2015 22:36:04 GMT)
Acknowledgement sent to Ondřej Surý <ondrej@sury.org>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sun, 04 Oct 2015 22:36:04 GMT)
Message #25 received at 800564@bugs.debian.org:
On Mon, Oct 5, 2015, at 00:20, brian m. carlson wrote:
> On Sun, Oct 04, 2015 at 09:55:43PM +0200, Ondřej Surý wrote:
> > Hi Brian,
> >
> > did you already report this to PHP security or should I do that?
>
> You should probably do that.
I already did.
> I didn't contact PHP Security or the
> Debian Security Team because I expect that due to similar
> vulnerabilities in other languages, any attacker already knows about
> this and can exploit it with minimal effort. Secrecy doesn't therefore
> benefit anyone, so I just filed a bug.
Yeah, I agree. Just they are the guys who will have to fix it, so it
would have been faster to start with them.
Cheers,
--
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#800564; Package php5-cli. (Sun, 02 Oct 2016 19:09:05 GMT)
Acknowledgement sent to "brian m. carlson" <sandals@crustytoothpaste.net>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sun, 02 Oct 2016 19:09:05 GMT)
Message #32 received at 800564@bugs.debian.org:
On Mon, Oct 05, 2015 at 12:32:33AM +0200, Ondřej Surý wrote:
> On Mon, Oct 5, 2015, at 00:20, brian m. carlson wrote:
> > On Sun, Oct 04, 2015 at 09:55:43PM +0200, Ondřej Surý wrote:
> > > Hi Brian,
> > >
> > > did you already report this to PHP security or should I do that?
> >
> > You should probably do that.
>
> I already did.
>
> > I didn't contact PHP Security or the
> > Debian Security Team because I expect that due to similar
> > vulnerabilities in other languages, any attacker already knows about
> > this and can exploit it with minimal effort. Secrecy doesn't therefore
> > benefit anyone, so I just filed a bug.
>
> Yeah, I agree. Just they are the guys who will have to fix it, so it
> would have been faster to start with them.
This still hasn't been fixed upstream after over a year. Security Team,
can you allocate a CVE for this, please? Perhaps that will get upstream
moving.
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: https://keybase.io/bk2204
Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>: You have taken responsibility. (Fri, 13 Jan 2017 13:07:26 GMT)
Notification sent to "brian m. carlson" <sandals@crustytoothpaste.net>: Bug acknowledged by developer. (Fri, 13 Jan 2017 13:07:26 GMT)
Message #37 received at 800564-done@bugs.debian.org:
Version: 5.6.26+dfsg-1+rm
Dear submitter,
as the package php5 has just been removed from the Debian archive
unstable, we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see https://bugs.debian.org/841781
The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.
Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 11 Feb 2017 07:34:53 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:10:03 2019