Debian Bug report logs -
#359904
[CVE-2006-1490] Binary safety issue in html_entity_decode() may leak information
Reported by: Moritz Naumann <info@moritz-naumann.com>
Date: Wed, 29 Mar 2006 13:33:01 UTC
Severity: grave
Tags: patch, security
Found in versions php4/4:4.4.2-1, php4/4:4.3.10-16
Fixed in version php4/4:4.4.2-1.1
Done: "Steinar H. Gunderson" <sesse@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#359904; Package php4.
Acknowledgement sent to Moritz Naumann <info@moritz-naumann.com>: New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: php4
Version: 4:4.4.2-1
Severity: grave
Tags: security
Justification: user security hole
A security issue in PHP has been reported which may allow for disclosing
partial working memory contents on some PHP applications.
Quoting Stefan Esser:
> The bug is a binary safety issue in html_entity_decode. A function
> that is not usually used on user input, because user input is usually
> not expected in HTML format and then decoded. Even if the function is
> used on user input it can only leak memory to a potential attacker if
> the decoded user input is sent back to the client.
>
> The bug was found in late February by one of the Japanese PHP
> developers and was fixed in CVS one day later. Because the bug is a
> local memory leak it was not considered top critical and is among the
> usual bugfixes. PHP 5.1.3-RC1 which was released in the beginning of
> March already fixes this issue.
References:
[1] http://lists.grok.org.uk/pipermail/full-disclosure/2006-March/044544.html (follow the thread)
[2] http://lists.grok.org.uk/pipermail/full-disclosure/2006-March/thread.html (search the page for 'Critical PHP bug' to find additional threads)
[3] http://bugs.gentoo.org/127939
Credits:
- Developer advisory: "One of the Japanese PHP developers" (according to S. Esser)
- Public disclosure: Tõnu Samuel (tonu at jes.ee)
-- System Information:
Debian Release: testing/unstable
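Added illustration of the binary-safety defect described above (this is example code, not PHP's html.c nor anything from this report): a copy that stops at the first NUL while the caller keeps using the full input length hands back whatever the heap already held. The stale-byte marker, the SAMPLE input and all function names are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model: the allocator hands back memory that still holds a
 * previous user's data, represented here by the marker byte 'S'. */
#define STALE_BYTE 'S'

/* Buggy path, like "ret = estrdup(old); retlen = oldlen;": the copy stops at
 * the first NUL, yet the caller treats all oldlen bytes of ret as decoded data. */
char *copy_not_binary_safe(const char *old, size_t oldlen) {
    char *ret = malloc(oldlen + 1);
    if (!ret) return NULL;
    memset(ret, STALE_BYTE, oldlen + 1);  /* simulated stale heap contents */
    strcpy(ret, old);                     /* copies only up to the embedded NUL */
    return ret;
}

/* Fixed path, like "ret = estrndup(old, oldlen)": all oldlen bytes are copied. */
char *copy_binary_safe(const char *old, size_t oldlen) {
    char *ret = malloc(oldlen + 1);
    if (!ret) return NULL;
    memcpy(ret, old, oldlen);
    ret[oldlen] = '\0';
    return ret;
}

/* Count output bytes that are not the input's own; non-zero means memory
 * the caller would send back to the client. */
size_t stale_bytes(const char *old, size_t oldlen,
                   char *(*copy)(const char *, size_t)) {
    char *ret = copy(old, oldlen);
    size_t leaked = 0;
    if (!ret) return (size_t)-1;
    for (size_t i = 0; i < oldlen; i++)
        if (ret[i] != old[i]) leaked++;
    free(ret);
    return leaked;
}
/* Constructed input: an entity, an embedded NUL, then six more bytes. */
static const char SAMPLE[] = "a&amp;\0secret";
#define SAMPLE_LEN (sizeof(SAMPLE) - 1)   /* 13 bytes, terminator excluded */

size_t leaked_by_buggy_copy(void) { return stale_bytes(SAMPLE, SAMPLE_LEN, copy_not_binary_safe); }
size_t leaked_by_fixed_copy(void) { return stale_bytes(SAMPLE, SAMPLE_LEN, copy_binary_safe); }

int main(void) {
    printf("buggy copy: %zu stale bytes, fixed copy: %zu\n", leaked_by_buggy_copy(), leaked_by_fixed_copy());
    return 0;
}
```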
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#359904; Package php4.
Acknowledgement sent to Moritz Naumann <info@moritz-naumann.com>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
Message #10 received at 359904@bugs.debian.org:
I'm sorry for this. Please mark this a duplicate of 359905 and close.
Thanks.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#359904; Package php4.
Acknowledgement sent to Moritz Naumann <bugs.debian.org@moritz-naumann.com>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
Message #15 received at 359904@bugs.debian.org:
Did I say "Please mark this a duplicate of 359905 and close."?
Of course, I meant "Please mark this a duplicate of 359906 and close".
I did not *mean to* destroy your day.
/me looking for a good place to hide away.
Bug closed, send any further explanations to Moritz Naumann <info@moritz-naumann.com>. Request was from Filipus Klutiero <ido@vif.com> to control@bugs.debian.org.
Bug reopened, originator not changed. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#359904; Package php4.
Acknowledgement sent to Sven Mueller <sven@incase.de>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
Message #24 received at 359904@bugs.debian.org:
Tags 359904 + patch
Found 359904 4:4.3.10-16
Thanks
Hi.
Patch ported to 4.3.10-16 is attached. Actually, I also allowed myself
to fix a small possible bug in debian/rules way of applying patches. The
problem here is that you assume the patches to have applied in
alphabetical order when trying to deapply them. However, the shell is
not guaranteed to expand patterns in alphabetical order, so sorting the
patches explicitly is the safer option. Out of habit, I also created
changelog entries for the two changes (which are much longer than the
changes themselves).
All changes are small and easy enough to get separated should you want that.
Regards,
Sven
[php4-html-entity-decode.patch (text/x-patch, inline)]
diff -urN php4-4.3.10-orig/debian/changelog php4-4.3.10/debian/changelog
--- php4-4.3.10-orig/debian/changelog 2006-03-31 17:02:02.000000000 +0200
+++ php4-4.3.10/debian/changelog 2006-03-31 17:25:25.000000000 +0200
@@ -1,3 +1,14 @@
+php4 (4:4.3.10-17) stable-security; urgency=low
+
+ Sven Mueller <debian@incase.de>:
+ * Patch ext/standard/html.c to fix a possible information disclosure bug in
+ html_entity_decode() (closes: #359904)
+ * Fix a small issue in debian/rules regarding the order in which patches are
+ applied (`ls` as well as shell pattern expansion might sort differently
+ than `sort`)
+
+ -- Sven Mueller <debian@incase.de> Fri, 31 Mar 2006 17:24:18 +0200
+
php4 (4:4.3.10-16) stable-security; urgency=high
Adam Conrad <adconrad@0c3.net>:
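Review bot: the new entry at `+php4 (4:4.3.10-17) stable-security; urgency=low` drops the urgency below the `urgency=high` the previous stable-security entry visible in the context uses, even though it carries an information-disclosure fix; a security upload to stable should keep urgency=high. The `(closes: #359904)` line also sits oddly next to the submitter's earlier request in this log to treat #359904 as a duplicate of #359906; the surviving bug number should be the one closed, or both listed.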
diff -urN php4-4.3.10-orig/debian/patches/052-html_entity_decode_fix.patch php4-4.3.10/debian/patches/052-html_entity_decode_fix.patch
--- php4-4.3.10-orig/debian/patches/052-html_entity_decode_fix.patch 1970-01-01 01:00:00.000000000 +0100
+++ php4-4.3.10/debian/patches/052-html_entity_decode_fix.patch 2006-03-31 17:21:13.000000000 +0200
@@ -0,0 +1,12 @@
+diff -ur php4-4.3.10-orig/ext/standard/html.c php4-4.3.10/ext/standard/html.c
+--- php4-4.3.10-orig/ext/standard/html.c 2004-07-13 19:15:13.000000000 +0200
++++ php4-4.3.10/ext/standard/html.c 2006-03-31 17:15:33.000000000 +0200
+@@ -791,7 +791,7 @@
+ enum entity_charset charset = determine_charset(hint_charset TSRMLS_CC);
+ unsigned char replacement[15];
+
+- ret = estrdup(old);
++ ret = estrdup(old,oldlen);
+ retlen = oldlen;
+ if (!retlen) {
+ goto empty_source;
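Review bot: the replacement line `++ ret = estrdup(old,oldlen);` passes a second argument to `estrdup`, whose definition the hunk does not touch; in the Zend allocator API `estrdup` takes only the string and copies up to the first NUL, which is exactly the non-binary-safe behaviour this patch is meant to remove, while the length-taking variant is `estrndup`. The line should read `ret = estrndup(old, oldlen);`, as written the nested patch will not compile once applied. The following `retlen = oldlen;` context is correct only once the copy really is oldlen bytes long.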
diff -urN php4-4.3.10-orig/debian/rules php4-4.3.10/debian/rules
--- php4-4.3.10-orig/debian/rules 2006-03-31 17:02:02.000000000 +0200
+++ php4-4.3.10/debian/rules 2006-03-31 17:24:02.000000000 +0200
@@ -85,7 +85,7 @@
patch: patch-stamp
patch-stamp:
dh_testdir
- for patch in debian/patches/*.patch; do \
+ for patch in `ls debian/patches/*.patch | sort`; do \
echo '->'`basename $$patch`:; \
if ! patch -p1 --ignore-whitespace --dry-run < $$patch; \
then \
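Review bot: the cover message describes the ordering problem as affecting de-application of the patches, but this hunk only changes the apply loop under `patch-stamp:`; if that is the concern, the unpatch loop needs the same treatment. Replacing the glob with `` `ls debian/patches/*.patch | sort` `` also does not make the order deterministic: both pathname expansion and `sort` order by the current locale's collation (POSIX already sorts glob results that way), so `LC_ALL=C sort` is needed for a fixed byte order, and command substitution re-splits the output on whitespace, which the glob did not.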
Tags added: patch. Request was from Sven Mueller <sven@incase.de> to control@bugs.debian.org.
Bug marked as found in version 4:4.3.10-16. Request was from Sven Mueller <sven@incase.de> to control@bugs.debian.org.
Changed Bug title. Request was from Filipus Klutiero <chealer@vif.com> to control@bugs.debian.org.
Changed Bug title. Request was from Filipus Klutiero <chealer@vif.com> to control@bugs.debian.org.
Tags added: fixed. Request was from sesse@debian.org (Steinar H. Gunderson) to control@bugs.debian.org.
Tags removed: fixed. Request was from "Steinar H. Gunderson" <sesse@debian.org> to control@bugs.debian.org.
Bug marked as fixed in version 4:4.4.2-1.1, send any further explanations to Moritz Naumann <info@moritz-naumann.com>. Request was from "Steinar H. Gunderson" <sesse@debian.org> to control@bugs.debian.org.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 10:16:36 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:48:38 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.