Bugzilla – Bug 976997
VUL-1: CVE-2016-4070: php5,php53: Integer overflow in php_raw_url_encode
Last modified: 2016-06-21 11:18:46 UTC
Integer overflow in php_raw_url_encode

https://bugs.php.net/bug.php?id=71798
https://git.php.net/?p=php-src.git;a=commit;h=95433e8e339dbb6b5d5541473c1661db6ba2c451

It was discovered that the PHP rawurlencode() function incorrectly handled large strings. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service.

Use CVE-2016-4070.

Note that the 71798 [2016-03-27 21:25 UTC] comment says "Not sure if this qualifies as security issue (probably not)."

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4070
http://seclists.org/oss-sec/2016/q2/138
http://bugs.gw.com/view.php?id=522#c1237
bugbot adjusting priority
Setting P3 to not get lost between my P4s.
Tested with 13.2 and 11.

$ cat test.php
<?php

ini_set('memory_limit', -1);
rawurlencode(str_repeat('&', 0xffffffff/3));
?>

$ BEFORE
$ php test.php
Segmentation fault (core dumped)

$ AFTER
$ php test.php
$
Packages submitted.
This is an autogenerated message for OBS integration: This bug (976997) was mentioned in https://build.opensuse.org/request/show/391944 13.2 / php5
In sle11-sp4: Before + After the same results:

ceasar:/tmp/kostas # php 976997.php
PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 1431655766 bytes) in /tmp/kostas/976997.php on line 4
ceasar:/tmp/kostas # cat 976997.php
<?php

ini_set('memory_limit', -1);
rawurlencode(str_repeat('&', 0xffffffff/3));
?>

So is this right or not? Fixed or still vulnerable?

Host: ceasar.qam.suse.de
Pass: standard r&d
This is an autogenerated message for OBS integration: This bug (976997) was mentioned in https://build.opensuse.org/request/show/393784 13.2 / php5
This is an autogenerated message for OBS integration: This bug (976997) was mentioned in https://build.opensuse.org/request/show/394633 13.2 / php5
openSUSE-SU-2016:1274-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 976775,976996,976997,977000,977003,977005
CVE References: CVE-2015-8866,CVE-2015-8867,CVE-2016-3074,CVE-2016-4070,CVE-2016-4071,CVE-2016-4073
Sources used:
openSUSE 13.2 (src):    php5-5.6.1-57.1
SUSE-SU-2016:1277-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 976996,976997,977000,977003,977005
CVE References: CVE-2015-8866,CVE-2015-8867,CVE-2016-4070,CVE-2016-4071,CVE-2016-4073
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php5-5.5.14-56.1
SUSE Linux Enterprise Software Development Kit 12 (src):    php5-5.5.14-56.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-56.1
comment 7
(In reply to Konstantinos Tsamis from comment #7)
> ceasar:/tmp/kostas # php 976997.php
> PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to
> allocate 1431655766 bytes) in /tmp/kostas/976997.php on line 4
[..]
> So is this right or not? Fixed or still vulnerable?

Not decided by your test. Firstly, you cannot just change the memory limit from the script, you need to set it also in php.ini (I should have written it in the bug). I have changed it on the host, but you seem to have low memory for this kind of test there anyway, if I understand it correctly.

$ php 976997.php
PHP Fatal error:  Out of memory (allocated 1432616960) (tried to allocate 4294967296 bytes) in /tmp/kostas/976997.php on line 4
$
(In reply to Petr Gajdos from comment #16)
> (In reply to Konstantinos Tsamis from comment #7)
> > ceasar:/tmp/kostas # php 976997.php
> > PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to
> > allocate 1431655766 bytes) in /tmp/kostas/976997.php on line 4
> [..]
> > So is this right or not? Fixed or still vulnerable?
>
> Not decided by your test. Firstly, you cannot just change memory limit from
> the script, you need to set it also in php.ini (I should have to write it in
> the bug). I have changed it on the host, but you seem to have low memory for
> this kind of test there anyway, if I understand it correctly.
>
> $ php 976997.php
> PHP Fatal error: Out of memory (allocated 1432616960) (tried to allocate
> 4294967296 bytes) in /tmp/kostas/976997.php on line 4
> $

So how do I verify the bug is fixed if not with the script? How much memory do I need to allow in php.ini to see the reproducer from comment #3? I saw you changed the limit to "memory_limit = -1", so you removed the limit and the reproducer still is not working? From what I understand, the more I raise the limit (or even add more memory in the VM?) the more it will try to consume.

For me the question becomes: how can I verify the bug as fixed? Do I just validate that the patch is applied and assume (I say assume since I can't see any difference yet) that it fixes the bug?
https://bugs.php.net/bug.php?id=71798

As php_raw_url_encode tries to allocate 3*len+1, you will probably need something around 2^32. Anyway, the test I did in comment 3 I did on my workstation, where

$ free -h
              total        used        free      shared  buff/cache   available
Mem:           7.8G        1.3G        3.8G         70M        2.7G        6.3G
Swap:          2.0G          0B        2.0G
$
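An added C example, not PHP's own code and not the fix from the commit referenced in this bug, showing the checks behind the 3*len+1 arithmetic that the comment above describes: the output size computed with overflow detection, a test of whether that size is still addressable through a 32-bit int index for the reproducer's length of 0xffffffff/3, and a small rawurlencode-style encoder whose indices are size_t. All function names here are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Worst case "%XX" per byte: 3*len plus NUL; fails instead of wrapping. */
bool raw_url_encoded_size(size_t len, size_t *out)
{
    if (len > (SIZE_MAX - 1) / 3)
        return false;
    *out = 3 * len + 1;
    return true;
}

/* Does 3*len+1 fit a 32-bit int index like PHP 5's? For the reproducer's
 * len = 0xffffffff/3 the buffer is 4294967296 bytes, beyond INT32_MAX. */
bool fits_int_index(size_t len)
{
    size_t need;
    return raw_url_encoded_size(len, &need) && need <= (size_t)INT32_MAX;
}

/* RFC 3986 unreserved bytes pass through; everything else becomes %XX. */
static bool unreserved(unsigned char c)
{
    return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
           (c >= 'a' && c <= 'z') || c == '-' || c == '_' || c == '.' || c == '~';
}

/* malloc'd encoding of s[0..len), or NULL on size overflow or OOM.
 * Every index is size_t, the same width as the allocation it walks. */
char *raw_url_encode(const char *s, size_t len)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t need, x, y = 0;
    char *out;
    if (!raw_url_encoded_size(len, &need) || (out = malloc(need)) == NULL)
        return NULL;
    for (x = 0; x < len; x++) {
        unsigned char c = (unsigned char)s[x];
        if (unreserved(c)) {
            out[y++] = (char)c;
        } else {
            out[y++] = '%';
            out[y++] = hex[c >> 4];
            out[y++] = hex[c & 0x0f];
        }
    }
    out[y] = '\0';
    return out;
}
```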
After increasing the memory in the VM to 8 GB and removing the limit in php.ini, the reproducer works as expected before + after. I mean I get a segfault before and nothing (terminates with 0) after. Thanks for the help, Petr.
Welcome.
released
SUSE-SU-2016:1310-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 976996,976997,977003,977005
CVE References: CVE-2015-8866,CVE-2015-8867,CVE-2016-4070,CVE-2016-4073
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-62.1
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-62.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-62.1
openSUSE-SU-2016:1373-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 976996,976997,977000,977003,977005
CVE References: CVE-2015-8866,CVE-2015-8867,CVE-2016-4070,CVE-2016-4071,CVE-2016-4073
Sources used:
openSUSE Leap 42.1 (src):    php5-5.5.14-47.1
SUSE-SU-2016:1581-1: An update that fixes 31 vulnerabilities is now available.

Category: security (important)
Bug References: 949961,968284,969821,971611,971612,971912,973351,973792,976996,976997,977003,977005,977991,977994,978827,978828,978829,978830,980366,980373,980375,981050,982010,982011,982012,982013,982162
CVE References: CVE-2014-9767,CVE-2015-4116,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2015-8866,CVE-2015-8867,CVE-2015-8873,CVE-2015-8874,CVE-2015-8879,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185,CVE-2016-4070,CVE-2016-4073,CVE-2016-4342,CVE-2016-4346,CVE-2016-4537,CVE-2016-4538,CVE-2016-4539,CVE-2016-4540,CVE-2016-4541,CVE-2016-4542,CVE-2016-4543,CVE-2016-4544,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096,CVE-2016-5114
Sources used:
SUSE OpenStack Cloud 5 (src):    php53-5.3.17-71.1
SUSE Manager Proxy 2.1 (src):    php53-5.3.17-71.1
SUSE Manager 2.1 (src):    php53-5.3.17-71.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-71.1
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-71.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    php53-5.3.17-71.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-71.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    php53-5.3.17-71.1
SUSE-SU-2016:1638-1: An update that fixes 85 vulnerabilities is now available.

Category: security (important)
Bug References: 884986,884987,884989,884990,884991,884992,885961,886059,886060,893849,893853,902357,902360,902368,910659,914690,917150,918768,919080,921950,922451,922452,923945,924972,925109,928506,928511,931421,931769,931772,931776,933227,935074,935224,935226,935227,935229,935232,935234,935274,935275,938719,938721,942291,942296,945412,945428,949961,968284,969821,971611,971612,971912,973351,973792,976996,976997,977003,977005,977991,977994,978827,978828,978829,978830,980366,980373,980375,981050,982010,982011,982012,982013,982162
CVE References: CVE-2004-1019,CVE-2006-7243,CVE-2014-0207,CVE-2014-3478,CVE-2014-3479,CVE-2014-3480,CVE-2014-3487,CVE-2014-3515,CVE-2014-3597,CVE-2014-3668,CVE-2014-3669,CVE-2014-3670,CVE-2014-4049,CVE-2014-4670,CVE-2014-4698,CVE-2014-4721,CVE-2014-5459,CVE-2014-8142,CVE-2014-9652,CVE-2014-9705,CVE-2014-9709,CVE-2014-9767,CVE-2015-0231,CVE-2015-0232,CVE-2015-0273,CVE-2015-1352,CVE-2015-2301,CVE-2015-2305,CVE-2015-2783,CVE-2015-2787,CVE-2015-3152,CVE-2015-3329,CVE-2015-3411,CVE-2015-3412,CVE-2015-4021,CVE-2015-4022,CVE-2015-4024,CVE-2015-4026,CVE-2015-4116,CVE-2015-4148,CVE-2015-4598,CVE-2015-4599,CVE-2015-4600,CVE-2015-4601,CVE-2015-4602,CVE-2015-4603,CVE-2015-4643,CVE-2015-4644,CVE-2015-5161,CVE-2015-5589,CVE-2015-5590,CVE-2015-6831,CVE-2015-6833,CVE-2015-6836,CVE-2015-6837,CVE-2015-6838,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2015-8866,CVE-2015-8867,CVE-2015-8873,CVE-2015-8874,CVE-2015-8879,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185,CVE-2016-4070,CVE-2016-4073,CVE-2016-4342,CVE-2016-4346,CVE-2016-4537,CVE-2016-4538,CVE-2016-4539,CVE-2016-4540,CVE-2016-4541,CVE-2016-4542,CVE-2016-4543,CVE-2016-4544,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096,CVE-2016-5114
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    php53-5.3.17-47.1