[SRU] stack smashing detected when calling xmlrpc_set_type

Bug #239513 reported by Russ Brown on 2008-06-12
4
Affects Status Importance Assigned to Milestone
php
Unknown
Unknown
php5 (Ubuntu)
Undecided
Chuck Short
Hardy
Undecided
Unassigned
Intrepid
Undecided
Marc Deslauriers
Jaunty
Undecided
Marc Deslauriers

Bug Description

Binary package hint: php5-xmlrpc

$ lsb_release -rd
Description: Ubuntu 8.04
Release: 8.04

php5-xmlrpc:
  Installed: 5.2.4-2ubuntu5.1
  Candidate: 5.2.4-2ubuntu5.1
  Version table:
 *** 5.2.4-2ubuntu5.1 0
        500 http://us.archive.ubuntu.com hardy-updates/main Packages
        100 /var/lib/dpkg/status
     5.2.4-2ubuntu5 0
        500 http://us.archive.ubuntu.com hardy/main Packages

The following script reproduces:

<?php
        $params = array(new DateTime());

        $params[0] = $params[0]->format(DATE_ISO8601);

        xmlrpc_set_type($params[0], 'datetime');
?>

$ php xmlrpc_datetime.php
*** stack smashing detected ***: php terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7a38138]
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x0)[0xb7a380f0]
/usr/lib/php5/20060613+lfs/xmlrpc.so[0xb71fc1c4]
/usr/lib/php5/20060613+lfs/xmlrpc.so[0xb71f990e]
/usr/lib/php5/20060613+lfs/xmlrpc.so(XMLRPC_CreateValueDateTime_ISO8601+0x37)[0xb71fa247]
/usr/lib/php5/20060613+lfs/xmlrpc.so(set_zval_xmlrpc_type+0x108)[0xb71f1238]
/usr/lib/php5/20060613+lfs/xmlrpc.so(zif_xmlrpc_set_type+0xf4)[0xb71f2ed4]
php[0x82f35eb]
php(execute+0x188)[0x82e4048]
php(zend_execute_scripts+0x183)[0x82c2f13]
php(php_execute_script+0x210)[0x8278d90]
php(main+0x19da)[0x83553ea]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0xb7961450]
php[0x8097ec1]
======= Memory map: ========
08048000-0855e000 r-xp 00000000 08:04 323708 /usr/bin/php5
0855e000-08594000 rw-p 00516000 08:04 323708 /usr/bin/php5
08594000-08732000 rw-p 08594000 00:00 0 [heap]
b7178000-b717c000 r-xp 00000000 08:04 2997 /lib/tls/i686/cmov/libnss_dns-2.7.so
b717c000-b717e000 rw-p 00003000 08:04 2997 /lib/tls/i686/cmov/libnss_dns-2.7.so
b717e000-b7187000 r-xp 00000000 08:04 2994 /lib/tls/i686/cmov/libnss_files-2.7.so
b7187000-b7189000 rw-p 00008000 08:04 2994 /lib/tls/i686/cmov/libnss_files-2.7.so
b7189000-b71bc000 r-xp 00000000 08:04 40256 /usr/lib/libxslt.so.1.1.22
b71bc000-b71bd000 rw-p 00033000 08:04 40256 /usr/lib/libxslt.so.1.1.22
b71bd000-b71cd000 r-xp 00000000 08:04 27924 /usr/lib/libexslt.so.0.8.13
b71cd000-b71ce000 rw-p 0000f000 08:04 27924 /usr/lib/libexslt.so.0.8.13
b71e6000-b71ec000 r-xp 00000000 08:04 323704 /usr/lib/php5/20060613+lfs/xsl.so
b71ec000-b71ed000 rw-p 00005000 08:04 323704 /usr/lib/php5/20060613+lfs/xsl.so
b71ed000-b71ff000 r-xp 00000000 08:04 323720 /usr/lib/php5/20060613+lfs/xmlrpc.so
b71ff000-b7200000 rw-p 00012000 08:04 323720 /usr/lib/php5/20060613+lfs/xmlrpc.so
b7200000-b721e000 r-xp 00000000 08:04 32549 /usr/lib/libpq.so.5.1
b721e000-b721f000 rw-p 0001e000 08:04 32549 /usr/lib/libpq.so.5.1
b721f000-b7236000 r-xp 00000000 08:04 323735 /usr/lib/php5/20060613+lfs/pgsql.so
b7236000-b7237000 rw-p 00017000 08:04 323735 /usr/lib/php5/20060613+lfs/pgsql.so
b7237000-b724e000 r-xp 00000000 08:04 323746 /usr/lib/php5/20060613+lfs/mysqli.so
b724e000-b7250000 rw-p 00016000 08:04 323746 /usr/lib/php5/20060613+lfs/mysqli.so
b7250000-b73ec000 r-xp 00000000 08:04 90534 /usr/lib/libmysqlclient.so.15.0.0
b73ec000-b742f000 rw-p 0019b000 08:04 90534 /usr/lib/libmysqlclient.so.15.0.0
b742f000-b7430000 rw-p b742f000 00:00 0
b7433000-b7446000 r-xp 00000000 08:04 323769 /usr/lib/php5/20060613+lfs/pdo.so
b7446000-b7448000 rw-p 00012000 08:04 323769 /usr/lib/php5/20060613+lfs/pdo.so
b7448000-b7493000 r-xp 00000000 08:04 3077 /lib/libgcrypt.so.11.2.3
b7493000-b7495000 rw-p 0004a000 08:04 3077 /lib/libgcrypt.so.11.2.3
b7495000-b74a4000 r-xp 00000000 08:04 39957 /usr/lib/libtasn1.so.3.0.12
b74a4000-b74a5000 rw-p 0000e000 08:04 39957 /usr/lib/libtasn1.so.3.0.12
b74a5000-b7516000 r-xp 00000000 08:04 627694 /usr/lib/libgnutls.so.13.9.1
b7516000-b751b000 rw-p 00071000 08:04 627694 /usr/lib/libgnutls.so.13.9.1
b751b000-b7531000 r-xp 00000000 08:04 30923 /usr/lib/libsasl2.so.2.0.22
b7531000-b7532000 rw-p 00015000 08:04 30923 /usr/lib/libsasl2.so.2.0.22
b7532000-b753e000 r-xp 00000000 08:04 358399 /usr/lib/liblber-2.4.so.2.0.3
b753e000-b753f000 rw-p 0000b000 08:04 358399 /usr/lib/liblber-2.4.so.2.0.3
b753f000-b757b000 r-xp 00000000 08:04 358400 /usr/lib/libldap_r-2.4.so.2.0.3
b757b000-b757d000 rw-p 0003b000 08:04 358400 /usr/lib/libldap_r-2.4.so.2.0.3
b757d000-b757e000 rw-p b757d000 00:00 0
b757e000-b75ae000 r-xp 00000000 08:04 41008 /usr/lib/libidn.so.11.5.30
b75ae000-b75af000 rw-p 0002f000 08:04 41008 /usr/lib/libidn.so.11.5.30
b75af000-b75ea000 r-xp 00000000 08:04 41074 /usr/lib/libcurl.so.4.0.1
b75ea000-b75eb000 rw-p 0003b000 08:04 41074 /usr/lib/libcurl.so.4.0.1
b75f0000-b75f6000 r-xp 00000000 08:04 323736 /usr/lib/php5/20060613+lfs/pdo_pgsql.so
b75f6000-b75f7000 rw-p 00005000 08:04 323736 /usr/lib/php5/20060613+lfs/pdo_pgsql.so
b75f7000-b7602000 r-xp 00000000 08:04 323745 /usr/lib/php5/20060613+lfs/mysql.so
b7602000-b7603000 rw-p 0000a000 08:04 323745 /usr/lib/php5/20060613+lfs/mysql.so
b7603000-b7628000 r-xp 00000000 08:04 39913 /usr/lib/libmcrypt.so.4.4.7
b7628000-b762a000 rw-p 00025000 08:04 39913 /usr/lib/libmcrypt.so.4.4.7
b762a000-b7630000 rw-p b762a000 00:00 0
b7633000-b7639000 r-xp 00000000 08:04 323747 /usr/lib/php5/20060613+lfs/pdo_mysql.so
b7639000-b763a000 rw-p 00005000 08:04 323747 /usr/lib/php5/20060613+lfs/pdo_mysql.so
b763a000-b7647000 r-xp 00000000 08:04 323754 /usr/lib/php5/20060613+lfs/curl.so
b7647000-b7648000 rw-p 0000d000 08:04 323754 /usr/lib/php5/20060613+lfs/curl.so
b7648000-b7651000 r-xp 00000000 08:04 91233 /lib/libpam.so.0.81.6
b7651000-b7652000 rw-p 00008000 08:04 91233 /lib/libpam.so.0.81.6
b7652000-b7755000 r-xp 00000000 08:04 32594 /usr/lib/libc-client.so.2007.0
b7755000-b775c000 rw-p 00102000 08:04 32594 /usr/lib/libc-client.so.2007.0
b775c000-b775d000 rw-p b775c000 00:00 0
b775d000-b7773000 r-xp 00000000 08:04 29854 /usr/lib/php5/20060613+lfs/imap.so
b7773000-b7774000 rw-p 00016000 08:04 29854 /usr/lib/php5/20060613+lfs/imap.so
b7774000-b777b000 r--s 00000000 08:04 31126 /usr/lib/gconv/gconv-modules.cache
b777b000-b77ba000 r--p 00000000 08:04 35546 /usr/lib/locale/en_US.utf8/LC_CTYPE
b77d5000-b77df000 r-xp 00000000 08:04 3693 /lib/libgcc_s.so.1
b77df000-b77e0000 rw-p 0000a000 08:04 3693 /lib/libgcc_s.so.1
b77f8000-b77fa000 rw-p b77f8000 00:00 0
bAborted

Russ Brown (pickscrape) wrote :

Seems to have ignored my package choice...

Chuck Short (zulcss) wrote :

on what arch is this? I am not able to reproduce it on x86_64.

Thanks
chuck

Changed in php5:
status: New → Incomplete
Russ Brown (pickscrape) wrote :

$ uname -a
Linux dorian 2.6.24-18-generic #1 SMP Wed May 28 20:27:26 UTC 2008 i686 GNU/Linux

Chuck Short (zulcss) wrote :

I was able to reproduce this error on both hardy and intrepid. As a consequence I have opened up a bug in the php bug tracker.

http://bugs.php.net/bug.php?id=45465

Thanks for the bug report.

Regards
chuck

Changed in php5:
status: Incomplete → Confirmed

I confirm this bug, with php5-xmlrpc 5.2.4-2ubuntu5 !

(Commit comment: "Import Jeff Lawsons patches for XML datetime bug fixes")

Chuck Short (zulcss) wrote :

Thanks ill be doing an SRU for php soon enough.

chuck

Changed in php5:
status: Confirmed → In Progress
Chuck Short (zulcss) wrote :

This bug has been fixed for jaunty.

With the following patch attached this does not happen anymore. I have included the patch for your review.

Steps to Reproduce:

1. On i386 install php5-cgi php5-libxml.
2. Run the script in the above bug-report.
3. Expected result is that it doesnt cause PHP to have a stack smashing.

If you have any questions please let me know.

Regards
chuck

Chuck Short (zulcss) wrote :
Martin Pitt (pitti) wrote :

I rejected the 5.2.4-2ubuntu5.4 upload. Its changelog referred to the fix for this bug, but the upload didn't actually include it. Please upload a new version with this patch actually applied.

While you are at it, please clean up use_embedded_timezonedb.patch to not contain the .orig file. Thanks!

Martin Pitt (pitti) wrote :

Accepted into hardy-proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in php5:
status: New → Fix Committed
Steve Beattie (sbeattie) wrote :

I am able to reproduce this error with php5-xmlrpc 5.2.4-2ubuntu5.3 from hardy-updates on i386, and can confirm that php5-xmlrpc 5.2.4-2ubuntu5.4 in hardy-proposed address the issue. It also passes the security team's regression tests (I've added the above to their testsuite).

More checks for regressions would be useful, though.

Steve Beattie (sbeattie) wrote :

One last comment: I rebuilt the php package (on i386) using the sources in hardy-proposed; as part of its build, php runs a fairly extensive set of regression tests. There are a couple of new failures versus the results (recorded in the security team's qa-regression-testing bzr tree) from 5.2.4-2ubuntu5.3:

  Bug #20382 [2] (strtotime ("Monday", $date) produces wrong result on DST changeover) [ext/date/tests/bug20382-2.phpt]

  Bug #41567 (json_encode() double conversion is inconsistent with PHP) [ext/json/tests/bug41567.phpt]

  microtime() function [ext/standard/tests/time/001.phpt] (warn: system dependent)

None of these looks very serious, but might be worth double-checking. Thanks.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.2.4-2ubuntu5.4

---------------
php5 (5.2.4-2ubuntu5.4) hardy-proposed; urgency=low

  * debian/rules:
    - Use system tzdata.
  * debian/patches/use_embedded_timezonedb.patch
    - Patch taken from intrepid, allows us to default to using the system
      provided timezone database insteam of the one bundled with PHP.
      (LP: #279980)
  * debian/patches/fix-xmlrpc-datetime.diff
    - Patch taken from php CVS, prevents stack smashing when using xmlrpc and datetime.
      (LP: #239513)

 -- Chuck Short <email address hidden> Wed, 22 Oct 2008 13:08:33 +0000

Changed in php5:
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

Chuck, please fix this in Jaunty ASAP.

Changed in php5:
assignee: nobody → zulcss
Chuck Short (zulcss) wrote :

This should already be fixed.

Changed in php5:
status: In Progress → Fix Released
Steve Beattie (sbeattie) wrote :

Per mdeslaurs (and confirmed by myself), this is still an issue in jaunty; re-opening.

Changed in php5 (Ubuntu Jaunty):
status: Fix Released → Triaged
Marc Deslauriers (mdeslaur) wrote :

This is still an issue in Intrepid also.

Changed in php5 (Ubuntu Intrepid):
status: New → Confirmed
Changed in php5 (Ubuntu Intrepid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in php5 (Ubuntu Jaunty):
assignee: Chuck Short (zulcss) → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.2.6.dfsg.1-3ubuntu4.4

---------------
php5 (5.2.6.dfsg.1-3ubuntu4.4) jaunty-security; urgency=low

  * SECURITY UPDATE: certificate spoofing via null-byte certs (LP: #446313)
    - debian/patches/CVE-2009-3291.patch: validate certificate's CN length
      in ext/openssl/openssl.c.
    - CVE-2009-3291
  * SECURITY UPDATE: denial of service via malformed exif images
    (LP: #446313)
    - debian/patches/CVE-2009-3292.patch: check length, return codes, and
      nesting level in ext/exif/exif.c.
    - CVE-2009-3292
  * SECURITY UPDATE: safe_mode bypass via tempam function
    - debian/patches/CVE-2009-3557.patch: check for safe_mode in
      ext/standard/file.c.
    - CVE-2009-3557
  * SECURITY UPDATE: open_basedir restrictions bypass via posix_mkfifo
    - debian/patches/CVE-2009-3558.patch: check for open_basedir in
      ext/posix/posix.c.
    - CVE-2009-3558
  * SECURITY UPDATE: denial of service via large number of files in
    form-data POST request.
    - debian/patches/CVE-2009-4017.patch: introduce new "max_file_uploads"
      directive and enforce in main/main.c, main/rfc1867.c.
    - ATTENTION: this update changes previous php5 behaviour by limiting
      the number of files in a POST request to 50. This may be increased
      by adding a "max_file_uploads" directive to the php.ini configuration
      file.
    - CVE-2009-4017
  * SECURITY UPDATE: safe_mode_protected_env_vars bypass via proc_open()
    - debian/patches/CVE-2009-4018.patch: add safe_mode check in
      ext/standard/proc_open.c
    - CVE-2009-4018
  * debian/patches/fix-xmlrpc-datetime.diff
    - Prevent stack smashing when using xmlrpc and datetime. (LP: #239513)
 -- Marc Deslauriers <email address hidden> Thu, 26 Nov 2009 08:05:57 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.2.6-2ubuntu4.5

---------------
php5 (5.2.6-2ubuntu4.5) intrepid-security; urgency=low

  * SECURITY UPDATE: file truncation via key with null byte
    - debian/patches/CVE-2008-7068.patch: make sure key and value are sane
      in ext/dba/libinifile/inifile.c.
    - CVE-2008-7068
  * SECURITY UPDATE: certificate spoofing via null-byte certs (LP: #446313)
    - debian/patches/CVE-2009-3291.patch: validate certificate's CN length
      in ext/openssl/openssl.c.
    - CVE-2009-3291
  * SECURITY UPDATE: denial of service via malformed exif images
    (LP: #446313)
    - debian/patches/CVE-2009-3292.patch: check length, return codes, and
      nesting level in ext/exif/exif.c.
    - CVE-2009-3292
  * SECURITY UPDATE: safe_mode bypass via tempam function
    - debian/patches/CVE-2009-3557.patch: check for safe_mode in
      ext/standard/file.c.
    - CVE-2009-3557
  * SECURITY UPDATE: open_basedir restrictions bypass via posix_mkfifo
    - debian/patches/CVE-2009-3558.patch: check for open_basedir in
      ext/posix/posix.c.
    - CVE-2009-3558
  * SECURITY UPDATE: denial of service via large number of files in
    form-data POST request.
    - debian/patches/CVE-2009-4017.patch: introduce new "max_file_uploads"
      directive and enforce in main/main.c, main/rfc1867.c.
    - ATTENTION: this update changes previous php5 behaviour by limiting
      the number of files in a POST request to 50. This may be increased
      by adding a "max_file_uploads" directive to the php.ini configuration
      file.
    - CVE-2009-4017
  * SECURITY UPDATE: safe_mode_protected_env_vars bypass via proc_open()
    - debian/patches/CVE-2009-4018.patch: add safe_mode check in
      ext/standard/proc_open.c
    - CVE-2009-4018
  * debian/patches/fix-xmlrpc-datetime.diff
    - Prevent stack smashing when using xmlrpc and datetime. (LP: #239513)
 -- Marc Deslauriers <email address hidden> Thu, 26 Nov 2009 08:06:47 -0500

Changed in php5 (Ubuntu Intrepid):
status: Confirmed → Fix Released
Changed in php5 (Ubuntu Jaunty):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.