Please roll out security fixes from PHP 5.2.6

Bug #227464 reported by spinkham on 2008-05-06
Affects          Status        Importance  Assigned to
Hardy Backports                Undecided   Unassigned
php5 (Debian)    Fix Released  Unknown
php5 (Ubuntu)                  Undecided   Unassigned
  Dapper                       Undecided   Jamie Strandboge
  Feisty                       Undecided   Jamie Strandboge
  Gutsy                        Undecided   Jamie Strandboge
  Hardy                        Undecided   Jamie Strandboge

Bug Description

Binary package hint: php5

PHP 5.2.6 fixes important security bugs

From the release log:
Security Fixes

    * Fixed possible stack buffer overflow in FastCGI SAPI. (Andrei Nigmatulin)
    * Properly address incomplete multibyte chars inside escapeshellcmd() (Ilia, Stefan Esser)
    * Fixed security issue detailed in CVE-2008-0599. (Rasmus)
    * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. (Ilia)
    * Upgraded PCRE to version 7.6 (Nuno)

This has been out for a while, is there a reason this hasn't been acted on?

spinkham (steve-pinkham) wrote :

Fix released in Debian on May 11.
Fixes are available both upstream in Debian and upstream in main package.
How can I help move this bug along?

Changed in php5:
status: Unknown → Fix Committed
Changed in php5:
status: Fix Committed → Fix Released

I'll merge this into Intrepid next week.

:-Dustin

This has been fixed for intrepid. Thanks for the bug report.

Regards
Chuck

Changed in php5:
status: New → Fix Released
Doug Holton (edtechdev) wrote :

Hi, at our university they are shutting off network access to computers that aren't running at least PHP 5.2.6 because of these security holes.
I am running Ubuntu Hardy server, is there a timeline for this update to be released to Hardy, or else is there a backport available. I can always compile php/apache/etc. myself like in them yon olden days, but I'd prefer not to.
Thank you

I second what DH asked. Will this be in hardy? It's been in Debian for ages now.

Chuck Short (zulcss) wrote :

Unfortunately php5 is not a good candidate to backport into the stable release. There are several reasons for this:

- php interfaces can change between release and release.
- Adding more bugs than what we already have.
- Investing time in really testing the new version and not breaking anything.

However:

- The security fixes in php 5.2.6 will be backported by the security team.
- You are always welcome to build your own version of php. The wiki explains how to do this.

Sorry

Regards
chuck

Dustin Kirkland  (kirkland) wrote :

These are the security fixes as shown in the current changelog at:
        http://www.php.net/ChangeLog-5.php

I chased down the CVS commit log messages against 5_2 for each of these.
Most of the fixes look relatively compact, with the exception of the
last, which is comparatively huge.

Version 5.2.6
01-May-2008
  * Security Fixes
    * Fixed possible stack buffer overflow in FastCGI SAPI. (Andrei Nigmatulin)
      * http://marc.info/?l=php-cvs&m=120721829703242&w=2
    * Properly address incomplete multibyte chars inside escapeshellcmd() (Ilia, Stefan Esser)
      * http://marc.info/?l=php-cvs&m=120579496007399&w=2
    * Fixed security issue detailed in CVE-2008-0599. (Rasmus)
      * http://marc.info/?l=php-cvs&m=120415902925033&w=2
    * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. (Ilia)
      * http://marc.info/?l=php-cvs&m=119963956428826&w=2
    * Upgraded PCRE to version 7.6 (Nuno)
      * http://marc.info/?l=php-cvs&m=120163838831816&w=2
      * Note, this is a very LARGE patch

:-Dustin

Mathias Gug (mathiaz) wrote :

If you need a fix for these bugs in previous versions of Ubuntu, you should request a backport of the package by following the instructions for "How to request new packages" at https://help.ubuntu.com/community/UbuntuBackports#request-new-packages

I just modified the bug description, and added the Hardy-Backports project.

Packages are available in my PPA for testing.

:-Dustin

Tormod Volden (tormodvolden) wrote :

Mathias, shouldn't all security fixes go as SRU in hardy-security (or hardy-updates) and not in backports? Backports are for new features.

On Wed, Jun 4, 2008 at 3:58 PM, Tormod Volden <email address hidden> wrote:
> Mathias, shouldn't all security fixes go as SRU in hardy-security (or
> hardy-updates) and not in backports? Backports are for new features.

A complete merge of 5.2.6 would constitute a backport, as the version
has been bumped and new features have been added in addition to
security fixes.

Regarding SRU, see this comment:
https://bugs.edge.launchpad.net/ubuntu/+source/php5/+bug/227464/comments/8

I painstakingly collected url's to each of the PHP commit messages of
every security fix committed to PHP 5.2.6. We're going to work on
applying each of those patches to PHP and proposing an SRU. It's just
taking some time to get around to it ;-) If someone else can prepare
a debdiff and attach to this bug, I'll be happy to review it.

:-Dustin

Sounds good. I think my point is really that people mix up backports and SRU, and justifying a request for a package backport by needing security fixes is wrong, unless it turns out that it is too difficult to backport those fixes. I don't see anyone requesting any of the new features here. So I disagree with Mathias's comment, and we should follow https://wiki.ubuntu.com/StableReleaseUpdates instead. I do acknowledge that it is faster to get a backport out than a SRU though, which is a little unfortunate. It would be ideal to have the SRU out first, so that people are not "tricked" into installing a backport that could cause incompatibility problems.

BTW, the last, "huge" patch contains a lot of cosmetic fixes and changes in comments which should be taken out for the SRU patch (you might wonder why they squeezed all that into a "security fix"). I can take a look at it if that can speed up things.

(Dustin, please don't quote people's email addresses in your bug posts)

Tormod Volden (tormodvolden) wrote :

I stripped out the documentation and comment changes in the "Upgraded PCRE to version 7.6 (Nuno)" patch. The remaining changes in config.h and pcre.h just bump the version number. If this is not needed (by the other patches) only the pcre_compile.c changes should be left for SRU.

diffstat nlopess-20080129202548.security.patch
 config.h | 6 +++---
 pcre.h | 4 ++--
 pcre_compile.c | 14 ++++++++++++++
 3 files changed, 19 insertions(+), 5 deletions(-)

Tormod Volden (tormodvolden) wrote :

Here's a debdiff with the 5 stripped down security patches:

 php5 (5.2.4-2ubuntu5.2) hardy-proposed; urgency=low
 .
   * Backport security fixes from 5.2.6: (LP: #227464)
     - debian/patches/security526-fastcgi.patch:
       + Fixed possible stack buffer overflow in FastCGI SAPI
       + Fixed sending of uninitialized paddings which may contain some
         information
     - debian/patches/security526-exec.patch:
       + Properly address incomplete multibyte chars inside escapeshellcmd()
     - debian/patches/security526-cgi_main.patch:
       + Fixed security issue detailed in CVE-2008-0599
     - debian/patches/security526-interface.patch:
       + Fixed a safe_mode bypass in cURL identified by Maksymilian
         Arciemowicz
     - debian/patches/security526-pcre_compile.patch:
       + avoid stack overflow (fix from pcre 7.6)

Changed in hardy-backports:
status: New → Invalid

Test packages with the above debdiff applied are in my PPA.

On Thu, Jun 5, 2008 at 3:51 PM, Tormod Volden <email address hidden> wrote:
> Here's a debdiff with the 5 stripped down security patches:

Thanks Tormod.

I've reviewed this debdiff. It applies cleanly and php builds cleanly for me.

Kees and Jamie generally review these sorts of security fixes, so I'm
going to subscribe the ubuntu-security team to this bug in Launchpad.
They should be able to review it and sponsor it for SRU.

:-Dustin

For what it's worth, I also built php5 with and without Tormod's debdiff.

I'm attaching a diff of the resulting test-results.txt (a regression test suite built and run as part of php5's debuild).

No regressions reported by the test-results.txt diff.

:-Dustin

spinkham (steve-pinkham) wrote :

Another month has passed, no release for Hardy.
I'm not savvy enough with the Ubuntu release procedures to even know who to contact about this.
Could someone tell me what it would take to get these bugs fixed in the current stable, advertised for server use Ubuntu?
There are 3 remote code execution vulnerabilities fixed in these patches, that's no small thing, and makes it impossible for me to recommend Ubuntu for web server use at the moment.

Agreed spinkham, debian got the release out fast, what's going on here?

On Thu, Jul 10, 2008 at 10:14 AM, Andrew Cholakian
<email address hidden> wrote:
> Agreed spinkham, debian got the release out fast, what's going on here?

The Stable Release Update process for a Long Term Support release
such as Hardy involves a bit of work and justification on our end in
order to roll this out. See:
 * https://wiki.ubuntu.com/StableReleaseUpdates

In the meantime, there's an unofficial, though usable, php-5.2.6
package in my PPA:
 * https://launchpad.net/~kirkland/+archive

:-Dustin

Well this sounds like it meets the first criteria: "Bugs which may,
under realistic circumstances, directly cause a *security
vulnerability*. These are done by the security team and are documented
at SecurityUpdateProcedures
<https://wiki.ubuntu.com/SecurityUpdateProcedures>."

So what stage is it at?

Dustin Kirkland wrote:
> On Thu, Jul 10, 2008 at 10:14 AM, Andrew Cholakian
> <email address hidden> wrote:
>
>> Agreed spinkham, debian got the release out fast, what's going on here?
>>
>
> The Stable Release Update process for a Long Term Support release
> such as Hardy involves a bit of work and justification on our end in
> order to roll this out. See:
> * https://wiki.ubuntu.com/StableReleaseUpdates
>
> In the meantime, there's an unofficial, though usable, php-5.2.6
> package in my PPA:
> * https://launchpad.net/~kirkland/+archive
>
> :-Dustin
>
>

spinkham (steve-pinkham) wrote :

I'm sorry for whining to the people who are subscribed to and care about this bug, but over 2 months since the release of a package with 3 claimed remotely exploitable code injection bugs makes me VERY hesitant to ever recommend Ubuntu for server use ever again.
By this time even the slow moving redhat has updated and Ubuntu doesn't even have a package in -proposed.
It seems all the hard work was completed over a month ago, and sits in Tormod Volden PPA, with no action since.
As far as I can tell, everything else is political will.
If there is no more forward, I will have to start explaining to the world how broken Ubuntu's security updating strategy is.
I would prefer to put my effort in something more useful than being the squeaky wheel, and will take all suggestions of how I can help.
I prefer action over complaining any day ;-)

spinkham (steve-pinkham) wrote :

Impact:
  Fixed possible stack buffer overflow in FastCGI SAPI
    Impact: Potential DOS and remote code execution if using FastCGI
  Updated PCRE to deal with issues fixed in USN-581-1
    Impact: potential DOS and code execution
  Fixes CVE-2008-0599
    Impact: Potential DOS and remote code execution
  Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz.
    Impact: Potential overwriting of system files if cURL is in use
    POC code in the advisory: http://securityreason.com/achievement_securityalert/51
  Properly address incomplete multibyte chars inside escapeshellcmd()
    Impact: If I understand correctly, useful for bypassing character based filtering, leading to remotely running arbitrary commands on the shell

spinkham (steve-pinkham) wrote :

Sorry, my listing of the cURL exploit is not quite accurate, here's an updated version with that and some other fixes (let that be a lesson for you, not to post hastily and in anger ;-)
Impact:
  Fixed possible stack buffer overflow in FastCGI SAPI
    Impact: Potential DOS and remote code execution if using FastCGI
  Updated PCRE to deal with issues fixed in USN-581-1
    Impact: Potential DOS and remote code execution
  Fixes CVE-2008-0599
    Impact: Potential DOS and remote code execution
  Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz.
    Impact: Potential overwriting or stealing files on the server if cURL is in use
  Properly address incomplete multibyte chars inside escapeshellcmd()
    Impact: Bypassing character based filtering, leading to potentially remotely running arbitrary commands on the shell

spinkham (steve-pinkham) wrote :

This has been addressed in Intrepid by updating to PHP 5 here: https://launchpad.net/ubuntu/intrepid/+source/php5/5.2.6-1ubuntu1
Minimal patch above in this post https://bugs.launchpad.net/ubuntu/+source/php5/+bug/227464/comments/15
Re: test cases: I've not yet seen widely published exploit code, and I'm not about to change that.
Regression potential:
  It is vaguely possible the escapeshellcmd() change could have unintended effects, but extremely unlikely due to the limited use case
    of the function combined with the necessity of using illegal characters in a multi-byte character set. The patches have also been widely tested at this point.
  The rest are pure bug fixes with an infinitesimally low chance of side effects.

Kees Cook (kees) wrote :

Sorry for the delays in getting this update published. The Ubuntu
Security Team has been very busy lately. As an explanation, most of
the vulnerabilities are hard to exploit, so this has been lower on the
list of things to do.

All that said, now that Bind and the latest cycles of kernel updates are
finishing up, we'll be having time for PHP. :)

Tormod Volden (tormodvolden) wrote :

I agree with spinkham. It is a shame that a security issue in a main package (and php5 is pretty prominent when it comes to servers) has a tested debdiff sitting untouched for 5 weeks. Can't blame Kees and his two other colleagues - they have certainly been busy - but yes, there are only 3 (three) persons in the ubuntu-security team. Is that size sane for a major Linux distro, which advertises its Server Edition with all that buzz? Sorry, I should probably ask this somewhere else.

Jamie Strandboge (jdstrand) wrote :

While the debdiff is much appreciated, there are several issues involved beyond pushing out this debdiff:

1) updates need to be backported and tested for all released versions (not just hardy)
2) the patches in the debdiff are not in line with Debian or other distributions, so they need to be investigated for correctness
3) several other CVEs not addressed in this debdiff will be included in the upcoming security upload
4) as Kees said, the vulnerabilities addressed in this debdiff are either hard to exploit or low risk

Please be assured that fixes for these CVEs (and others) are actively being worked on.

Changed in php5:
assignee: nobody → jdstrand
status: New → In Progress
assignee: nobody → jdstrand
status: New → In Progress
assignee: nobody → jdstrand
status: New → In Progress
assignee: nobody → jdstrand
status: New → In Progress
Changed in php5:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.2.4-2ubuntu5.3

---------------
php5 (5.2.4-2ubuntu5.3) hardy-security; urgency=low

  [ Tormod Volden ]
  * Backport security fixes from 5.2.6: (LP: #227464)
    - debian/patches/SECURITY_CVE-2008-2050.patch
      + Fixed possible stack buffer overflow in FastCGI SAPI
      + Fixed sending of uninitialized paddings which may contain some
        information
    - debian/patches/SECURITY_CVE-2008-0599.patch
      + Fixed security issue detailed in CVE-2008-0599
    - debian/patches/SECURITY_CVE-2007-4850.patch
      + Fixed a safe_mode bypass in cURL identified by Maksymilian
        Arciemowicz
    - debian/patches/security526-pcre_compile.patch:
      + avoid stack overflow (fix from pcre 7.6)

  [ Jamie Strandboge ]
  * debian/patches/SECURITY_CVE-2008-2051.patch: properly address incomplete
    multibyte chars inside escapeshellcmd() (thanks Tormod Volden)
  * Add debian/patches/SECURITY_CVE-2007-5898.patch: don't accept partial utf8
    sequences. Backported upstream fixes.
  * Add debian/patches/SECURITY_CVE-2007-5899.patch: don't send session id to
    remote forms. Backported upstream fixes.
  * Add debian/patches/SECURITY_CVE-2008-2829.patch: unsafe usage of
    deprecated imap functions (patch from Debian)
  * Add debian/patches/SECURITY_CVE-2008-1384.patch: integer overflow in
    printf() (patch from Debian)
  * Add debian/patches/SECURITY_CVE-2008-2107+2108.patch: weak random number
    seed. Backported upstream patches.
  * Add debian/patches/SECURITY_CVE-2007-4782.patch: DoS via long string in
    the fnmatch functions
  * Add debian/patches/SECURITY_CVE-2008-2371.patch: buffer overflow.
    Backported upstream patches.
  * References
    CVE-2008-2050
    CVE-2008-2051
    CVE-2008-0599
    CVE-2007-4850
    CVE-2007-5898
    CVE-2007-5899
    CVE-2008-2829
    CVE-2008-1384
    CVE-2008-2107
    CVE-2008-2108
    CVE-2007-4782
    CVE-2008-2371

 -- Jamie Strandboge <email address hidden> Fri, 18 Jul 2008 11:50:38 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.2.3-1ubuntu6.4

---------------
php5 (5.2.3-1ubuntu6.4) gutsy-security; urgency=low

  * debian/patches/SECURITY_CVE-2008-2050.patch: possible stack overflow and
    sending of unitialized paddings
  * debian/patches/SECURITY_CVE-2008-2051.patch: properly address incomplete
    multibyte chars inside escapeshellcmd()
  * debian/patches/SECURITY_CVE-2008-0599.patch: properly consider operator
    precedence when calculating length of PATH_TRANSLATED
  * debian/patches/SECURITY_CVE-2007-4850.patch: fixed a safe_mode bypass in
    cURL
  * Add debian/patches/SECURITY_CVE-2008-2829.patch: unsafe usage of
    deprecated imap functions (patch from Debian)
  * Add debian/patches/SECURITY_CVE-2008-1384.patch: integer overflow in
    printf() (patch from Debian)
  * Add debian/patches/SECURITY_CVE-2008-2107+2108.patch: weak random number
    seed.
  * Add debian/patches/SECURITY_CVE-2007-4782.patch: DoS via long string in
    the fnmatch functions
  * debian/patches/SECURITY_526-pcre_compile.patch: avoid stack overflow (fix
    from pcre 7.6)
  * Update debian/patches/207-htmlentity-utf8-fix.patch: fail on improperly
    finished UTF sequence
  * Add debian/patches/SECURITY_CVE-2008-2371.patch: buffer overflow.
    Backported upstream patches.
  * References
    CVE-2008-2050
    CVE-2008-2051
    CVE-2008-0599
    CVE-2007-4850
    CVE-2008-2829
    CVE-2008-1384
    CVE-2008-2107
    CVE-2008-2108
    CVE-2007-4782
    CVE-2007-5898
    CVE-2008-2371
    LP: #227464

 -- Jamie Strandboge <email address hidden> Tue, 22 Jul 2008 16:32:16 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.2.1-0ubuntu1.6

---------------
php5 (5.2.1-0ubuntu1.6) feisty-security; urgency=low

  * debian/patches/209-CVE-2008-2050.patch: possible stack overflow and
    sending of unitialized paddings
  * debian/patches/210-CVE-2008-2051.patch: properly address incomplete
    multibyte chars inside escapeshellcmd()
  * debian/patches/211-CVE-2007-4850.patch: fixed a safe_mode bypass in cURL
  * debian/patches/212-CVE-2008-2829.patch: unsafe usage of deprecated imap
    functions (patch from Debian)
  * debian/patches/213-CVE-2008-1384.patch: integer overflow in printf()
    (patch from Debian)
  * debian/patches/214-CVE-2008-2107+2108.patch: weak random number seed
  * debian/patches/215-CVE-2007-4782.patch: DoS via long string in the fnmatch
    functions
  * debian/patches/216-pcre-compile.patch: avoid stack overflow (fix from
    pcre 7.6)
  * Update debian/patches/207-htmlentity-utf8-fix.patch: fail on improperly
    finished UTF sequence
  * References
    CVE-2008-2050
    CVE-2008-2051
    CVE-2007-4850
    CVE-2008-2829
    CVE-2008-1384
    CVE-2008-2107
    CVE-2008-2108
    CVE-2007-4782
    CVE-2007-5898
    LP: #227464

 -- Jamie Strandboge <email address hidden> Wed, 16 Jul 2008 15:45:20 -0400

Changed in php5:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Changed in php5:
status: Fix Committed → Fix Released

Thom Craver (thom-saunders) wrote :

Thank you for the fixes. Everyone seems to complain, but no one seems to want to thank you.

Thank you, too, for being great netizens and working balls-out to fix the huge DNS holes.

The bind updates were seriously needed and (I can only presume) required a LOT of time. I realize that the catastrophic nature of the DNS exploits had to be addressed as quickly as possible; it is a shame that the PHP5 security holes couldn't have been fixed sooner. It is likely to be installed on a greater number of installations. There are two current LTS releases that should be being supported in a more timely fashion.

If Red Hat did, in fact, update PHP 5 security holes faster than Ubuntu, then clearly the LTS security team needs to seriously consider hiring additional able coders.

spinkham (steve-pinkham) wrote :

We're way off topic now (sorry) but in fact Ubuntu does seem to realize there is a problem and is addressing it.
My biggest complaint is that there was no news, and no clear way for me to help.
They are now advertising for more security engineers, and I am applying.
http://webapps.ubuntu.com/employment/canonical_SECE/
Thanks for listening Ubuntu, and hopefully your changes will both improve your security process and help take some of the load off the overworked security people. I believe some of both are necessary, but I'm only an outsider.
If you're qualified, please consider applying for this job also, as we who are interested in Ubuntu's ongoing security will all benefit from them hiring the best person available for the job.

Ondřej Surý (ondrej) wrote :

People, could you stop chatting about issues unrelated to this bug? There are plenty of people who are subscribed to this bug. Take this to some relevant mailing list pretty please.

Tarkus (tarkus) wrote :

still not in backport ..........

John Dong (jdong) wrote :

The security fixes in the mentioned PHP releases have been in the -security repositories for all supported distributions, over 3 months ago. A backport task is not necessary or appropriate for this case and the task has been marked invalid.
