CVE-2011-3379: is_a() will trigger autoload in PHP 5.3.8

Debian Bug report logs - #646675
CVE-2011-3379: is_a() will trigger autoload in PHP 5.3.8

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Ingo Juergensmann <ij@2011.bluespice.org>

To: submit@bugs.debian.org

Subject: [roundcube] RC doesn't load INBOX anymore - suhosin reports URL is not allowed

Date: Wed, 26 Oct 2011 07:36:19 +0200

Package: roundcube
Version: 0.6+dfsg-1
Severity: serious
Tags: security
X-Debbugs-CC: secure-testing-team@lists.alioth.debian.org

--- Please enter the report below this line. ---

Hi!

Well, yesterday out of nothing my webmailer roundcube started to refuse 
to work. At least as I remember it. For some reasons reloading the Inbox 
just showed the "Loading..." message on the screen, but there was no 
list of mails anymore. Funny enough other folders do actually work as 
before. But anyway, doing an update did not help and improve anything. 
(I really don't know whether I updated before or after because of the 
first occurence of this issue.)

There's an entry in syslog when loading the Inbox folder:

    Oct 26 07:24:59 muaddib suhosin[32432]: ALERT - Include filename 
('http://www.gnu.org/s/hello/manual/automake/ ?.php') is an URL that is 
not allowed (attacker '127.0.0.1', file 
'/usr/share/roundcube/program/include/iniset.php', line 110

This lead to bug #1488086 in the Roundcube issue tracker which states:

    This messages made me wonder why suhosin thinks there's an include 
going on. Line 111 of iniset.php shows:

    include_once("$filename.php");

    It seems like roundcube wants to include what is displayed in the 
subject, which happens to be a url - and suhosin legitimately blocks 
this attempt.

    In short, I can send an email to a user on a suhosin protected mail 
server and make his inbox unavailable. Needless to say, the user cannot 
delete this email himself via RoundCube. In my case, I had to delete the 
email file on the server to make roundcube show the inbox again.

In Debian there's bug #619411 that is related to PATH setting in 
iniset.php, but I'm not sure if this is really related to #1488086 in 
the Roundcube issue tracker and my problem? However, disabling suhosin 
doesn't seem the right way to "solve" this issue and the trac issue 
tracker suggests a security related problem.

Regards,
Ingo

--- System information. ---
Architecture: amd64
Kernel:       Linux 3.0.0-2-amd64

Debian Release: wheezy/sid
  500 unstable        www.debian-multimedia.org
  500 unstable        ftp.de.debian.org

--- Package information. ---
Depends                    (Version) | Installed
====================================-+-================
roundcube-core        (= 0.6+dfsg-1) | 0.6+dfsg-1
dbconfig-common                      | 1.8.47
debconf                    (>= 0.5)  | 1.5.41
 OR debconf-2.0                      |
ucf                                  | 3.0025+nmu2
apache2                              | 2.2.21-2
 OR lighttpd                         |
 OR httpd                            |
php5                                 | 5.3.8-2
php5-mcrypt                          | 5.3.8-2
php5-gd                              | 5.3.8-2
php5-intl                            | 5.3.8-2
php-mdb2                  (>= 2.5.0) | 2.5.0b2-1
php-auth                             | 1.6.2-1
php-net-smtp              (>= 1.4.2) | 1.6.0-1
php-net-socket                       | 1.0.9-2
php-mail-mime             (>= 1.8.0) | 1.8.0-2
php5-pspell                          | 5.3.8-2
tinymce                       (>= 3) | 3.4.3.2+dfsg0-1
libjs-jquery              (>= 1.6.4) | 1.6.4-1
libmagic1                            | 5.09-2
roundcube-sqlite     (= 0.6+dfsg-1)  | 0.6+dfsg-1
 OR roundcube-mysql  (= 0.6+dfsg-1)  | 0.6+dfsg-1
 OR roundcube-pgsql   (= 0.6+dfsg-1) | 0.6+dfsg-1


Package's Recommends field is empty.

Suggests               (Version) | Installed
================================-+-===========
php-auth-sasl         (>= 1.0.3) |
php-crypt-gpg                    |
roundcube-plugins                |


-- 
Ciao...            //      Fon: 0381-2744150
      Ingo       \X/       http://blog.windfluechter.net
Please don't share this address with Facebook or Google!
gpg pubkey: http://www.juergensmann.de/ij_public_key.asc

Message #10 received at 646675@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>

To: 646675@bugs.debian.org

Cc: 646675-submitter@bugs.debian.org

Subject: "out of nowhere"?

Date: Wed, 26 Oct 2011 09:01:07 +0200

Hi Ingo,

I use roundcube with suhosin, but not 0.6 yet. What do you mean by "out of 
nowhere"?


cheers,
	Holger

Message #18 received at 646675@bugs.debian.org (full text, mbox, reply):

From: Ingo Jürgensmann <ij@2011.bluespice.org>

To: Holger Levsen <holger@layer-acht.org>, <646675-quiet@bugs.debian.org>

Cc: <646675@bugs.debian.org>, <646675-submitter@bugs.debian.org>

Subject: Re: Bug#646675: "out of nowhere"?

Date: Wed, 26 Oct 2011 09:27:58 +0200

On 26.10.2011 09:01, Holger Levsen wrote:

> I use roundcube with suhosin, but not 0.6 yet. What do you mean by 
> "out of
> nowhere"?

Ha! Just discovered: it's working again. BUT: when I used reportbug-ng 
this morning to report the bug, it started iceweasel - and I use 
iceweasel to sort my mails into folders. So when it started up it 
started filtering my mails and apparently filtered the mail in question 
out of the way.

So, my best guess is: when you receive an email with an URL in the 
subject, this bug will hit you as well.

-- 
Ciao...          //    Fon: 0381-2744150
.     Ingo     \X/     http://blog.windfluechter.net

gpg pubkey: http://www.juergensmann.de/ij_public_key.

Message #31 received at 646675@bugs.debian.org (full text, mbox, reply):

From: Ingo Jürgensmann <ij@2011.bluespice.org>

To: Holger Levsen <holger@layer-acht.org>, 646675-quiet@bugs.debian.org

Cc: 646675@bugs.debian.org, 646675-submitter@bugs.debian.org

Subject: Re: Bug#646675: "out of nowhere"?

Date: Wed, 26 Oct 2011 09:22:16 +0200

On Wed, Oct 26, 2011 at 09:01:07AM +0200, Holger Levsen wrote:

> I use roundcube with suhosin, but not 0.6 yet. What do you mean by "out of 
> nowhere"?

Well, I was at work, enjoying a working roundcube and reading my mails and
then, as far as I remember, I reloaded the Inbox and it said "Loading..."
and "Loading..." and "Loading..." all the time. This sometime happens
because I'm behind a restrictive firewall and using a Apache mod-proxy
forward from my dedicated server to my home server via VPN and from now and
then the connection gets stalled. Usually I restart the involved apaches
then and it usually is working again. But not yesterday. 
Then I made a dist-upgrade on my home server, but no improvement. I then
looked into syslog and roundcube log and decided to postpone this issue when
I'm back home to exclude any mod-proxy issues. 
When home again the problem still persisted even when using my home server
locally. Dovecot imapd still works as tested with mail.app on OSX and
mutt+iceweasel on Debian. 

The "out of nowhere" relates to my memorization that RC actually did work,
but then suddenly stopped working without doing an upgrade first. But
reading the trac issue on RC it might be that I received a mail with an URL
in the Subject, which then caused RC to not work anymore: "out of nowhere". 

-- 
Ciao...            //      Fon: 0381-2744150 
      Ingo       \X/       http://blog.windfluechter.net
Please don't share this address with Facebook or Google!
gpg pubkey: http://www.juergensmann.de/ij_public_key.asc

Message #44 received at 646675@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>

To: 646675@bugs.debian.org

Cc: 646675-submitter@bugs.debian.org, control@bugs.debian.org

Subject: Re: Bug#646675: "out of nowhere"?

Date: Wed, 26 Oct 2011 10:06:14 +0200

severity 646675 important
thanks

On Mittwoch, 26. Oktober 2011, Ingo Jürgensmann wrote:
> So, my best guess is: when you receive an email with an URL in the
> subject, this bug will hit you as well.

Message #54 received at 646675@bugs.debian.org (full text, mbox, reply):

From: Philipp Kern <pkern@debian.org>

To: Holger Levsen <holger@layer-acht.org>, 646675@bugs.debian.org

Cc: 646675-submitter@bugs.debian.org, control@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#646675: "out of nowhere"?

Date: Wed, 26 Oct 2011 13:07:17 +0200

[Message part 1 (text/plain, inline)]

tag 646675 + security
severity 646675 serious
thanks

Erhm,

On Wed, Oct 26, 2011 at 10:06:14AM +0200, Holger Levsen wrote:
> severity 646675 important
> thanks

am I the only one who has insanely loud alarm bells when reading his report,
the ticket and everything?

It includes a foreign site and we can be happy that suhosin blocks it.  (I'm
working from the information in the roundcube ticket[0].  I didn't investigate
it myself.)  But suhosin is not the default?

Kind regards
Philipp Kern

[0] http://trac.roundcube.net/ticket/1488086

[signature.asc (application/pgp-signature, inline)]

Message #64 received at 646675@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>

To: Philipp Kern <pkern@debian.org>

Cc: 646675@bugs.debian.org

Subject: Re: Bug#646675: "out of nowhere"?

Date: Wed, 26 Oct 2011 13:38:06 +0200

Hi Philipp,

On Mittwoch, 26. Oktober 2011, Philipp Kern wrote:
> It includes a foreign site and we can be happy that suhosin blocks it. 
> (I'm working from the information in the roundcube ticket[0]. 
> 
> [0] http://trac.roundcube.net/ticket/1488086

I missed the details in that ticket... thanks for correcting me!


cheers,
	Holger

Message #69 received at 646675@bugs.debian.org (full text, mbox, reply):

From: Vincent Bernat <bernat@debian.org>

To: Philipp Kern <pkern@debian.org>

Cc: 646675-quiet@bugs.debian.org, Holger Levsen <holger@layer-acht.org>, 646675@bugs.debian.org, 646675-submitter@bugs.debian.org, team@security.debian.org, control@bugs.debian.org

Subject: Re: Bug#646675: "out of nowhere"?

Date: Wed, 26 Oct 2011 19:48:08 +0200

[Message part 1 (text/plain, inline)]

tags 646675 + patch
thanks

OoO Peu avant le début de l'après-midi du mercredi 26 octobre 2011, vers
13:07, Philipp Kern <pkern@debian.org> disait :

>> severity 646675 important
>> thanks

> am I the only one who has insanely loud alarm bells when reading his report,
> the ticket and everything?

> It includes a foreign site and we can be happy that suhosin blocks it.  (I'm
> working from the information in the roundcube ticket[0].  I didn't investigate
> it myself.)  But suhosin is not the default?

Yes, the problem seems pretty severe.  I am unable to reproduce it, even
with the conditions  listed in the ticket [0]. The  ticket is not marked
as  fixed  but  the patch  has  been  applied  [1].  0.6 does  not  seem
vulnerable, only 0.5.4 and older.

Ingo, you reported the bug against 0.6. Is it really the version that is
affected by the problem? It seems already patched.

[0]: http://trac.roundcube.net/ticket/1488086
[1]: http://trac.roundcube.net/changeset/5222
-- 
Vincent Bernat ☯ http://vincent.bernat.im

die_if_kernel("Penguin instruction from Penguin mode??!?!", regs);
	2.2.16 /usr/src/linux/arch/sparc/kernel/traps.c

[Message part 2 (application/pgp-signature, inline)]

Message #84 received at 646675@bugs.debian.org (full text, mbox, reply):

From: Ingo Jürgensmann <ij@2011.bluespice.org>

To: Vincent Bernat <bernat@debian.org>, <646675-quiet@bugs.debian.org>

Cc: Philipp Kern <pkern@debian.org>, Holger Levsen <holger@layer-acht.org>, <646675@bugs.debian.org>, <646675-submitter@bugs.debian.org>, <team@security.debian.org>, <control@bugs.debian.org>

Subject: Re: Bug#646675: "out of nowhere"?

Date: Wed, 26 Oct 2011 20:12:56 +0200

On 26.10.2011 19:48, Vincent Bernat wrote:

> Ingo, you reported the bug against 0.6. Is it really the version that 
> is
> affected by the problem? It seems already patched.

Well, yes, I wrote the bug report on the same machine where RC is 
running.

The message in question is most likely this one:

To: debian-devel@lists.debian.org, webmasters@gnu.org
Cc: Ivan Shmakov <oneingray@gmail.com>
Subject: http://www.gnu.org/s/hello/manual/automake/ ?
Message-ID: <86r521mn20.fsf_-_@gray.siamics.net>

At least that's the same URL in the subject line suhosin is complaining 
about.

-- 
Ciao...          //    Fon: 0381-2744150
.     Ingo     \X/     http://blog.windfluechter.net

gpg pubkey: http://www.juergensmann.de/ij_public_key.

Message #97 received at 646675@bugs.debian.org (full text, mbox, reply):

From: Vincent Bernat <bernat@debian.org>

To: Ingo Jürgensmann <ij@2011.bluespice.org>

Cc: 646675@bugs.debian.org, <646675-quiet@bugs.debian.org>, Philipp Kern <pkern@debian.org>, Holger Levsen <holger@layer-acht.org>, <646675-submitter@bugs.debian.org>, <team@security.debian.org>

Subject: Re: Bug#646675: "out of nowhere"?

Date: Wed, 26 Oct 2011 22:40:43 +0200

[Message part 1 (text/plain, inline)]

OoO Pendant le journal télévisé du mercredi 26 octobre 2011, vers 20:12,
Ingo Jürgensmann <ij@2011.bluespice.org> disait :

>> Ingo, you reported the bug against 0.6. Is it really the version that
>> is affected by the problem? It seems already patched.

> Well, yes, I wrote the bug report on the same machine where RC is
> running.

> The message in question is most likely this one:

> To: debian-devel@lists.debian.org, webmasters@gnu.org
> Cc: Ivan Shmakov <oneingray@gmail.com>
> Subject: http://www.gnu.org/s/hello/manual/automake/ ?
> Message-ID: <86r521mn20.fsf_-_@gray.siamics.net>

> At least that's the same URL in the subject line suhosin is
> complaining about.

Now that  the message is in  another folder, you don't  have the problem
any more, even if you visit  this folder? Does the problem comes back if
you move the message to inbox?
-- 
Vincent Bernat ☯ http://vincent.bernat.im

Don't just echo the code with comments - make every comment count.
            - The Elements of Programming Style (Kernighan & Plauger)

[Message part 2 (application/pgp-signature, inline)]

Message #110 received at 646675@bugs.debian.org (full text, mbox, reply):

From: Ingo Jürgensmann <ij@2011.bluespice.org>

To: Vincent Bernat <bernat@debian.org>, 646675-quiet@bugs.debian.org

Cc: 646675@bugs.debian.org, Philipp Kern <pkern@debian.org>, Holger Levsen <holger@layer-acht.org>, <646675-submitter@bugs.debian.org>, <team@security.debian.org>

Subject: Re: Bug#646675: "out of nowhere"?

Date: Wed, 26 Oct 2011 22:55:15 +0200

Am 26.10.2011 um 22:40 schrieb Vincent Bernat:

> Now that  the message is in  another folder, you don't  have the problem
> any more, even if you visit  this folder? Does the problem comes back if
> you move the message to inbox?

When I access my Debian-Devel folder the problem occurs in that folder. When I move it back to Inbox it happens there again... so, it's reproducible over here... 

-- 
Ciao...            //      Fon: 0381-2744150
      Ingo       \X/       http://blog.windfluechter.net


gpg pubkey:  http://www.juergensmann.de/ij_public_key.asc

Message #123 received at 646675@bugs.debian.org (full text, mbox, reply):

From: Vincent Bernat <bernat@debian.org>

To: Ingo Jürgensmann <ij@2011.bluespice.org>

Cc: 646675-quiet@bugs.debian.org, 646675@bugs.debian.org, Philipp Kern <pkern@debian.org>, Holger Levsen <holger@layer-acht.org>, <646675-submitter@bugs.debian.org>, <team@security.debian.org>, control@bugs.debian.org

Subject: Re: Bug#646675: "out of nowhere"?

Date: Wed, 26 Oct 2011 23:55:05 +0200

[Message part 1 (text/plain, inline)]

reassign 646675 src:php5
retitle 646675 CVE-2011-3379: is_a() will trigger autoload in PHP 5.3.8
tags 646675 + patch
thanks

OoO  En cette  soirée bien  amorcée du  mercredi 26  octobre  2011, vers
22:55, Ingo Jürgensmann <ij@2011.bluespice.org> disait :

>> Now that  the message is in  another folder, you don't  have the problem
>> any more, even if you visit  this folder? Does the problem comes back if
>> you move the message to inbox?

> When I access my Debian-Devel folder the problem occurs in that
> folder. When I move it back to Inbox it happens there again... so,
> it's reproducible over here...

The  problem has  been fixed  in  roundcube 0.6.  It was  related to  an
incorrect use of is_a() function. Since PHP 5.3.8, is_a() function would
trigger autoload when the first argument is a string. Roundcube prior to
0.6 is affected but 0.6 is not. However, you hit the bug because MDB2 is
affected by it too (we don't use the shipped copy).

More info about this change in this bug report:
 https://bugs.php.net/bug.php?id=55475

It has been assigned CVE ID 2011-3379 and it has been decided by the PHP
project to revert the change:
 http://svn.php.net/viewvc/?view=revision&amp;revision=317183

This fix has not been applied to Debian package yet.

There are two possible outcomes :
 1. Patch a lot of PHP stuff to handle this new behaviour of is_a() (and
    the old behaviour too) by testing if the first argument is an object
    first. This means that this bug should be cloned for MDB2.
 2. Consider this bug as a PHP  bug and apply the mentioned patch to PHP
    5.3.8 in Debian.

I think that the most reasonable outcome is the second one since the fix
has been commited  to land in PHP 5.3.9. Therefore,  I reassign this bug
to src:php5. Tell me if you disagree.
-- 
Vincent Bernat ☯ http://vincent.bernat.im

Write and test a big program in small pieces.
            - The Elements of Programming Style (Kernighan & Plauger)

[Message part 2 (application/pgp-signature, inline)]

Message #142 received at 646675-done@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@sury.org>

To: 646675-done@bugs.debian.org

Subject: Fixed in 5.3.9-1

Date: Mon, 23 Jan 2012 11:31:30 +0100

Version: 5.3.9-1

 php5 (5.3.9-1) unstable; urgency=low
 .
   * Remove obsolete sqlite(2) module from php5-sqlite
   * Use correct signals in php5-fpm init script (Closes: #645934)
   * Imported Upstream version 5.3.9
   * Adapt debian/patches to 5.3.9 release

-- 
Ondřej Surý <ondrej@sury.org>

Send a report that this bug log contains spam.