DoS: Infinite loop processing 2.2250738585072011e-308

Bug #697181 reported by Paul Sladen on 2011-01-04
This bug affects 6 people
Affects          Status         Importance   Assigned to     Milestone
php              Unknown        Unknown
php5 (Debian)    Fix Released   Unknown
php5 (Fedora)    Unknown        Unknown
php5 (Ubuntu)                   Undecided    Unassigned
  Lucid                         Undecided    Steve Beattie
  Maverick                      Undecided    Steve Beattie
  Natty                         Undecided    Unassigned

Bug Description

Binary package hint: php5

Processing certain textual forms of MAX_FLOAT leads to an infinite loop/hang/DoS:

  php -r "print 2.2250738585072011e-308;"

hangs indefinitely, whereas:

  php -r "print 2.2250738585072010e-308;"

returns immediately.

Confirmed for natty/php5-cli=5.3.3-1ubuntu11

Fixed in new upstream releases:

  http://www.php.net/ChangeLog-5.php#5.3.5
  http://www.php.net/releases/5_2_17.php
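A scripted way to check a PHP binary for this hang, added here as an example and not part of the bug report or of PHP: each snippet runs under a kill-after-N-seconds watchdog, so a vulnerable interpreter is reported as HANG instead of blocking the shell. The "literal" and "control" cases are the two commands from the description above; the "cast" and "is_numeric" cases are an assumption that converting a string to a double takes the same zend_strtod() path as a literal. PROBE_TIMEOUT, run_bounded, php_probe and check_php are names chosen for this script. It needs only a POSIX sh and a php binary that accepts -r.

```shell
#!/bin/sh
# Probe a PHP binary for the 2.2250738585072011e-308 hang (added example,
# not from the bug report). Usage: sh probe.sh /usr/bin/php
# PROBE_TIMEOUT (seconds allowed per snippet) is a name chosen for this script.
PROBE_TIMEOUT=${PROBE_TIMEOUT:-5}

# run_bounded SECS CMD ARGS...: run CMD with a kill-after-SECS watchdog.
# Returns 124 if CMD had to be killed (the coreutils timeout convention),
# otherwise CMD's own exit status.
run_bounded() {
    rb_secs=$1; shift
    "$@" </dev/null >/dev/null 2>&1 &
    rb_child=$!
    ( sleep "$rb_secs"; kill "$rb_child" 2>/dev/null ) </dev/null >/dev/null 2>&1 &
    rb_watchdog=$!
    rb_rc=0
    wait "$rb_child" || rb_rc=$?
    kill "$rb_watchdog" 2>/dev/null || true
    # A child reaped after the watchdog's SIGTERM reports 128+15.
    [ "$rb_rc" -eq 143 ] && return 124
    return "$rb_rc"
}

# php_probe PHP_BIN CODE: run one snippet with `php -r`.
# 0 = returned, 124 = hung and was killed, anything else = php's own status.
php_probe() {
    run_bounded "$PROBE_TIMEOUT" "$1" -r "$2"
}

# check_php PHP_BIN: run every case, print one verdict per case, and return
# 1 if any case hung (the build is affected), else 0.
check_php() {
    cp_php=$1
    cp_vuln=0
    # name|code. "literal" and "control" are the two commands from the
    # report; "cast" and "is_numeric" assume string-to-double conversion
    # goes through the same zend_strtod() path as a literal.
    for cp_case in \
        'literal|print 2.2250738585072011e-308;' \
        'control|print 2.2250738585072010e-308;' \
        'cast|print (float)"2.2250738585072011e-308";' \
        'is_numeric|var_dump(is_numeric("2.2250738585072011e-308"));'
    do
        cp_name=${cp_case%%|*}
        cp_code=${cp_case#*|}
        cp_rc=0
        php_probe "$cp_php" "$cp_code" || cp_rc=$?
        case $cp_rc in
            0)   echo "$cp_name: returned" ;;
            124) echo "$cp_name: HANG (killed after ${PROBE_TIMEOUT}s)"; cp_vuln=1 ;;
            *)   echo "$cp_name: php exited with status $cp_rc" ;;
        esac
    done
    return $cp_vuln
}

# Stand-alone use: probe the binary given on the command line, or php in PATH.
if [ $# -gt 0 ] || command -v php >/dev/null 2>&1; then
    check_php "${1:-php}" || exit 1
fi
```

On a fixed build all four lines read "returned"; on an affected i386 build the literal, cast and is_numeric lines report HANG while the control line still returns, which separates this bug from an interpreter that is merely slow or broken (those show up as every case hanging, or as a non-zero php status). The exit status of check_php makes the script usable as a gate in a package-build or deployment pipeline.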

Paul Sladen (sladen) on 2011-01-04
visibility: private → public
description: updated
UndiFineD (k.dejong) wrote :

Confirmed on Ubuntu 10.10+ 32bit

php --version
PHP 5.3.3-1ubuntu9.1 with Suhosin-Patch (cli) (built: Oct 15 2010 14:17:04)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
    with Suhosin v0.9.31, Copyright (c) 2007-2010, by SektionEins GmbH

see also:
http://www.exploringbinary.com/php-hangs-on-numeric-value-2-2250738585072011e-308/

Changed in php5 (Ubuntu):
status: New → Confirmed
Paul Sladen (sladen) on 2011-01-04
Changed in php5 (Ubuntu Maverick):
status: New → Confirmed
Changed in php5 (Ubuntu Lucid):
status: New → Incomplete

Confirmed in Ubuntu 10.04 "lucid" using:
    echo '<?php $d = 2.2250738585072011e-308; ?>' | time -p php5
which hangs.

Ubuntu 8.04 "hardy" does not hang.

Changed in php5 (Ubuntu Lucid):
status: Incomplete → Confirmed
Paul Sladen (sladen) on 2011-01-07
description: updated
Changed in php5 (Ubuntu Maverick):
assignee: nobody → Steve Beattie (sbeattie)
Changed in php5 (Ubuntu Lucid):
assignee: nobody → Steve Beattie (sbeattie)
Steve Beattie (sbeattie) wrote :

I've confirmed that marking the double variables as volatile in maverick's php causes the infinite loop not to get triggered on i386 (and think I understand why that's the case). However, attempts to reproduce the issue with php from 9.10 (karmic), 8.04 (hardy), and 6.06 (dapper) fail for no apparent reason -- the zend_strtod.c code is nearly identical between karmic and lucid's versions. Does anyone have an indication as to what's different that would cause this issue not to be triggered on older releases? Thanks.

Daniel Hahler (blueyed) wrote :

Maybe it is related to some compiler flags? (e.g. it can be worked around by using "-ffloat-store" in CFLAGS).
See http://news.ycombinator.com/item?id=2066084 for more discussion.

Daniel Hahler (blueyed) on 2011-01-07
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.3.3-1ubuntu12

---------------
php5 (5.3.3-1ubuntu12) natty; urgency=low

  * debian/patches/fix-upstream-bug53632.patch: Fix infinite loop bug (php bug #53632)
    (LP: #697181)
 -- Chuck Short <email address hidden> Fri, 07 Jan 2011 12:57:59 -0500

Changed in php5 (Ubuntu Natty):
status: Confirmed → Fix Released
Changed in php5 (Debian):
status: Unknown → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.3.3-1ubuntu9.2

---------------
php5 (5.3.3-1ubuntu9.2) maverick-security; urgency=low

  * SECURITY UPDATE: open_basedir bypass
    - debian/patches/php5-CVE-2010-3436.patch: more strict checking in
      php_check_specific_open_basedir()
    - CVE-2010-3436
  * SECURITY UPDATE: NULL pointer dereference crash
    - debian/patches/php5-CVE-2010-3709.patch: check for NULL when
      getting zip comment
    - CVE-2010-3709
  * SECURITY UPDATE: memory consumption denial of service
    - debian/patches/php5-CVE-2010-3710.patch: check for email address
      longer than RFC 2821 allows
    - CVE-2010-3710
  * SECURITY UPDATE: xml decode bypass
    - debian/patches/php5-CVE-2010-3870.patch: improve utf8 decoding
    - CVE-2010-3870
  * SECURITY UPDATE: memory disclosure
    - debian/patches/php5-CVE-2010-4156.patch: check for excessive
      length in mb_strcut()
    - CVE-2010-4156
  * SECURITY UPDATE: integer overflow can cause an application crash
    - debian/patches/php5-CVE-2010-4409.patch: fix invalid args in
      NumberFormatter::getSymbol()
    - CVE-2010-4409
  * SECURITY UPDATE: infinite loop/denial of service when dealing with
    certain textual forms of MAX_FLOAT (LP: #697181)
    - debian/patches/php5-CVE-2010-4645.patch: treat local doubles
      as volatile to avoid x87 registers in zend_strtod()
    - CVE-2010-4645
 -- Steve Beattie <email address hidden> Wed, 05 Jan 2011 22:45:19 -0800

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.3.2-1ubuntu4.6

---------------
php5 (5.3.2-1ubuntu4.6) lucid-security; urgency=low

  * SECURITY UPDATE: open_basedir bypass
    - debian/patches/php5-CVE-2010-3436.patch: more strict checking in
      php_check_specific_open_basedir()
    - CVE-2010-3436
  * SECURITY UPDATE: NULL pointer dereference crash
    - debian/patches/php5-CVE-2010-3709.patch: check for NULL when
      getting zip comment
    - CVE-2010-3709
  * SECURITY UPDATE: memory consumption denial of service
    - debian/patches/php5-CVE-2010-3710.patch: check for email address
      longer than RFC 2821 allows
    - CVE-2010-3710
  * SECURITY UPDATE: xml decode bypass
    - debian/patches/php5-CVE-2010-3870.patch: improve utf8 decoding
    - CVE-2010-3870
  * SECURITY UPDATE: integer overflow can cause an application crash
    - debian/patches/php5-CVE-2010-4409.patch: fix invalid args in
      NumberFormatter::getSymbol()
    - CVE-2010-4409
  * SECURITY UPDATE: infinite loop/denial of service when dealing with
    certain textual forms of MAX_FLOAT (LP: #697181)
    - debian/patches/php5-CVE-2010-4645.patch: treat local doubles
      as volatile to avoid x87 registers in zend_strtod()
    - CVE-2010-4645
 -- Steve Beattie <email address hidden> Fri, 07 Jan 2011 10:56:23 -0800

Changed in php5 (Ubuntu Lucid):
status: Confirmed → Fix Released
Changed in php5 (Ubuntu Maverick):
status: Confirmed → Fix Released