Please backport the upstream patch to prevent attacks based on hash collisions
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | php5 (Ubuntu) |
Medium
|
Unassigned | ||
| | Hardy |
Medium
|
Steve Beattie | ||
| | Lucid |
Medium
|
Steve Beattie | ||
| | Maverick |
Medium
|
Steve Beattie | ||
| | Natty |
Medium
|
Steve Beattie | ||
| | Oneiric |
Medium
|
Steve Beattie | ||
| | Precise |
Medium
|
Unassigned | ||
Bug Description
According to CVE-2011-4885: PHP before 5.3.9 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
CVE link: http://
upstream php changes: http://
| visibility: | private → public |
| visibility: | private → public |
| Changed in php5 (Ubuntu Hardy): | |
| status: | New → Confirmed |
| Changed in php5 (Ubuntu Lucid): | |
| status: | New → Confirmed |
| Changed in php5 (Ubuntu Maverick): | |
| status: | New → Confirmed |
| Changed in php5 (Ubuntu Natty): | |
| status: | New → Confirmed |
| Changed in php5 (Ubuntu Oneiric): | |
| status: | New → Confirmed |
| Changed in php5 (Ubuntu Precise): | |
| status: | New → Confirmed |
| Changed in php5 (Ubuntu Hardy): | |
| importance: | Undecided → Medium |
| Changed in php5 (Ubuntu Lucid): | |
| importance: | Undecided → Medium |
| Changed in php5 (Ubuntu Maverick): | |
| importance: | Undecided → Medium |
| Changed in php5 (Ubuntu Natty): | |
| importance: | Undecided → Medium |
| Changed in php5 (Ubuntu Oneiric): | |
| importance: | Undecided → Medium |
| Changed in php5 (Ubuntu Precise): | |
| importance: | Undecided → Medium |
| Ted Reed (treed) wrote : | #1 |
| Ted Reed (treed) wrote : | #2 |
Also, I might bump this up a little higher than medium. This is a verified bug with trivially reproducible DoS capability.
| Ted Reed (treed) wrote : | #3 |
Initial testing shows a crash from the error message there. A version with the error message pulled out seems to be functioning.
There may be additional code from 2.3.9 that the Ubuntu version doesn't have and needs to support the error message.
| Geoff Flarity (geoff-flarity) wrote : | #4 |
This should really be fixed soon. Please up vote it!
BTW, watch out, the fix caused an even worse (remote code execution) bug:
| Steve Beattie (sbeattie) wrote : | #5 |
Thanks for reporting this; I am currently working on the update to fix this and other open php issues. I'm aware of the introduced vulnerability CVE-2012-0830 that the fix for this issue introduced (Tom Reed's patch above includes the vulnerability). It's addressed upstream by http://
| Changed in php5 (Ubuntu Lucid): | |
| assignee: | nobody → Steve Beattie (sbeattie) |
| Changed in php5 (Ubuntu Hardy): | |
| assignee: | nobody → Steve Beattie (sbeattie) |
| Changed in php5 (Ubuntu Natty): | |
| assignee: | nobody → Steve Beattie (sbeattie) |
| Changed in php5 (Ubuntu Maverick): | |
| assignee: | nobody → Steve Beattie (sbeattie) |
| Changed in php5 (Ubuntu Oneiric): | |
| assignee: | nobody → Steve Beattie (sbeattie) |
| Ondřej Surý (ondrej) wrote : | #6 |
Why not cherry-pick from Debian? (That way you can also check if I haven't missed anything on your radar.)
| Launchpad Janitor (janitor) wrote : | #7 |
This bug was fixed in the package php5 - 5.3.6-13ubuntu3.5
---------------
php5 (5.3.6-13ubuntu3.5) oneiric-security; urgency=low
* SECURITY UPDATE: memory allocation failure denial of service
- debian/
zend_strdup() and calloc() for failed allocations
- CVE-2011-4153
* SECURITY UPDATE: predictable hash collision denial of service
(LP: #910296)
- debian/
directive with default limit of 1000
- ATTENTION: this update changes previous php5 behavior by
limiting the number of external input variables to 1000.
This may be increased by adding a "max_input_vars"
directive to the php.ini configuration file. See
http://
for more information.
- CVE-2011-4885
* SECURITY UPDATE: remote code execution vulnerability introduced by
the fix for CVE-2011-4885 (LP: #925772)
- debian/
continuing if max_input_vars limit is reached
- CVE-2012-0830
* SECURITY UPDATE: XSLT arbitrary file overwrite attack
- debian/
ini option to define forbidden operations within XSLT stylesheets
- CVE-2012-0057
* SECURITY UPDATE: PDORow session denial of service
- debian/
attempting to serialize PDORow instances
- CVE-2012-0788
* SECURITY UPDATE: magic_quotes_gpc remote disable vulnerability
- debian/
magic_
- CVE-2012-0831
-- Steve Beattie <email address hidden> Wed, 08 Feb 2012 20:56:28 -0800
| Launchpad Janitor (janitor) wrote : | #8 |
This bug was fixed in the package php5 - 5.3.5-1ubuntu7.6
---------------
php5 (5.3.5-1ubuntu7.6) natty-security; urgency=low
* SECURITY UPDATE: memory allocation failure denial of service
- debian/
zend_strdup() and calloc() for failed allocations
- CVE-2011-4153
* SECURITY UPDATE: predictable hash collision denial of service
(LP: #910296)
- debian/
directive with default limit of 1000
- ATTENTION: this update changes previous php5 behavior by
limiting the number of external input variables to 1000.
This may be increased by adding a "max_input_vars"
directive to the php.ini configuration file. See
http://
for more information.
- CVE-2011-4885
* SECURITY UPDATE: remote code execution vulnerability introduced by
the fix for CVE-2011-4885 (LP: #925772)
- debian/
continuing if max_input_vars limit is reached
- CVE-2012-0830
* SECURITY UPDATE: XSLT arbitrary file overwrite attack
- debian/
ini option to define forbidden operations within XSLT stylesheets
- CVE-2012-0057
* SECURITY UPDATE: PDORow session denial of service
- debian/
attempting to serialize PDORow instances
- CVE-2012-0788
* SECURITY UPDATE: magic_quotes_gpc remote disable vulnerability
- debian/
magic_
- CVE-2012-0831
-- Steve Beattie <email address hidden> Wed, 08 Feb 2012 20:58:41 -0800
| Launchpad Janitor (janitor) wrote : | #9 |
This bug was fixed in the package php5 - 5.3.3-1ubuntu9.9
---------------
php5 (5.3.3-1ubuntu9.9) maverick-security; urgency=low
* SECURITY UPDATE: memory allocation failure denial of service
- debian/
zend_strdup() and calloc() for failed allocations
- CVE-2011-4153
* SECURITY UPDATE: predictable hash collision denial of service
(LP: #910296)
- debian/
directive with default limit of 1000
- ATTENTION: this update changes previous php5 behavior by
limiting the number of external input variables to 1000.
This may be increased by adding a "max_input_vars"
directive to the php.ini configuration file. See
http://
for more information.
- CVE-2011-4885
* SECURITY UPDATE: remote code execution vulnerability introduced by
the fix for CVE-2011-4885 (LP: #925772)
- debian/
continuing if max_input_vars limit is reached
- CVE-2012-0830
* SECURITY UPDATE: XSLT arbitrary file overwrite attack
- debian/
ini option to define forbidden operations within XSLT stylesheets
- CVE-2012-0057
* SECURITY UPDATE: PDORow session denial of service
- debian/
attempting to serialize PDORow instances
- CVE-2012-0788
* SECURITY UPDATE: magic_quotes_gpc remote disable vulnerability
- debian/
magic_
- CVE-2012-0831
-- Steve Beattie <email address hidden> Wed, 08 Feb 2012 20:59:18 -0800
| Changed in php5 (Ubuntu Maverick): | |
| status: | Confirmed → Fix Released |
| Changed in php5 (Ubuntu Natty): | |
| status: | Confirmed → Fix Released |
| Changed in php5 (Ubuntu Oneiric): | |
| status: | Confirmed → Fix Released |
| Launchpad Janitor (janitor) wrote : | #10 |
This bug was fixed in the package php5 - 5.3.2-1ubuntu4.13
---------------
php5 (5.3.2-1ubuntu4.13) lucid-security; urgency=low
* SECURITY UPDATE: memory allocation failure denial of service
- debian/
zend_strdup() and calloc() for failed allocations
- CVE-2011-4153
* SECURITY UPDATE: predictable hash collision denial of service
(LP: #910296)
- debian/
directive with default limit of 1000
- ATTENTION: this update changes previous php5 behavior by
limiting the number of external input variables to 1000.
This may be increased by adding a "max_input_vars"
directive to the php.ini configuration file. See
http://
for more information.
- CVE-2011-4885
* SECURITY UPDATE: remote code execution vulnerability introduced by
the fix for CVE-2011-4885 (LP: #925772)
- debian/
continuing if max_input_vars limit is reached
- CVE-2012-0830
* SECURITY UPDATE: XSLT arbitrary file overwrite attack
- debian/
ini option to define forbidden operations within XSLT stylesheets
- CVE-2012-0057
* SECURITY UPDATE: PDORow session denial of service
- debian/
attempting to serialize PDORow instances
- CVE-2012-0788
* SECURITY UPDATE: magic_quotes_gpc remote disable vulnerability
- debian/
magic_
- CVE-2012-0831
* SECURITY UPDATE: arbitrary files removal via cronjob
- debian/
session files (overlooked in a previous update).
- http://
- CVE-2011-0441
-- Steve Beattie <email address hidden> Wed, 08 Feb 2012 20:55:57 -0800
| Changed in php5 (Ubuntu Lucid): | |
| status: | Confirmed → Fix Released |
According to this issue it is not yet released for Hardy nor Precise, but the announcement for 5.2.4-2ubuntu5.22 says it is: https:/
Was that tracked somewhere else and this issue just needs to be updated?
Related question: I searched for the bug for the remote arbitrary code execution that this fix introduced (PHP 5.3.10, CVE-2012-0830) and couldn't find it
| Steve Beattie (sbeattie) wrote : | #12 |
Yes, this has been fixed in hardy (8.04 LTS); however, I forgot to incorporate the bug number in the changelog entry for the hardy version. You are correct that this issue has not been addressed in precise, yet.
As for CVE-2012-0830, there is no separate bug report; the security team doesn't track all security issues via bug reports due to some inadequacies in launchpad. Issues are tracked publicly in the Ubuntu CVE tracker at http://
Thanks!
| Changed in php5 (Ubuntu Hardy): | |
| status: | Confirmed → Fix Released |
| Steve Beattie (sbeattie) wrote : | #13 |
This was addressed in precise in the 5.3.10-1ubuntu1 merge, closing.
| Changed in php5 (Ubuntu Precise): | |
| status: | Confirmed → Fix Released |
You actually need two commits for this fix.
This one is the 5.3 branch commit for the first commit:
http://
There was a fix to that commit later:
http://
I've combined both of these patches into one patch that can be applied to 5.3.2-1ubuntu4.11:
https:/
Should just be able to drop it into debian/patches and add it to the end of debian/
I'm still confirming if that patch fixes the DoS.