phpinfo() Type Confusion Information Leak Vulnerability

Bug #1335652 reported by Kurt Cancemi
Affects         Status     Importance   Assigned to   Milestone
php             Unknown    Unknown
php5 (Ubuntu)   New        Undecided    Unassigned

Bug Description

Reported in php as bug #67498 by Stefan Esser.

Here is an excerpt from the bug of some of the capabilities of this security bug:

Because this is only exploitable in case these variables are overwritten
as integers, which is less likely in a remote context this has to be
mostly considered a local information leak only. However if you are
running as mod_php and there is mod_ssl this could be used to steal the
private SSL key from memory (if you can inject PHP code).

I attached the upstream fix.

Tags: patch

Kurt Cancemi (x64architecture) wrote :
information type: Private Security → Public Security
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "bug67948.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
information type: Public Security → Public
Seth Arnold (seth-arnold) wrote :

Thanks for reporting this issue; however, I do not believe this is a security fix, rather a simple reliability fix.

The PHP team has been clear that the interpreter is not designed nor intended to provide any kind of security layer and scripts executing in the interpreter should be considered to have full, legitimate, access to everything that is available to the PHP interpreter.

In this case that means that TLS private keys available to mod_ssl are intentionally available to all PHP scripts running via mod_php. Any administrator that wants to keep TLS private keys away from PHP must use a mechanism such as CGI, FastCGI, or PHP FPM to execute the scripts in a different address space and with different privileges.

Thanks

Ondřej Surý (ondrej) wrote :

Seth, I don't think that mod_php has functions to access random memory chunks under normal conditions...

Thus I don't think that TLS private keys are available to PHP scripts if the permissions are correctly set in the apache2.

I believe this is worth fixing anyway.

Robie Basak (racb) wrote :

Link to upstream bug: https://bugs.php.net/bug.php?id=67498

Which specific versions of PHP in Ubuntu are affected, please? And can we have the specific upstream VCS commits that we would be cherry-picking to Ubuntu?

> I believe this is worth fixing anyway.

What is the exact impact to ordinary users here? What will go wrong for our users if it is not patched?

Kurt Cancemi (x64architecture) wrote :

This can be closed because this CVE and a whole other bunch of CVEs were fixed in bug #1338170 which was filed after this bug report.
