Bugzilla – Attachment 27493 Details for Bug 63635: VUL-0: CVE-2004-1064: php multiple vulnerabilities
Description: discussion about the broken patch
Filename: joey
MIME Type: text/plain
Creator: Ludwig Nussel
Created: 2005-01-10 17:47:49 UTC
Size: 11.57 KB
Flags: patch, obsolete
>From: Martin Schulze <joey@infodrom.org>
>To: Stefan Esser <sesser@suspekt.org>
>Cc: vendor-sec@lst.de, security@php.net
>Date: Wed, 22 Dec 2004 19:40:46 +0100
>Subject: [vendor-sec] Re: PHP: Multiple vulnerabilities
>Message-ID: <20041222184046.GA26930@finlandia.infodrom.north.de>
>In-Reply-To: <41B04A8A.4060109@suspekt.org>
>
>Stefan Esser wrote:
>> [08] TSRM/tsrm_virtual_cwd.c - virtual_popen() safe_mode_exec_dir bypass
>>
>> When PHP is running multithreaded (f.e. multithreaded apache2,
>> roxen-zts, ...) popen() automatically gets a "cd CURRENTDIR ; " prepended.
>> This happens directly before execution and after all checks. This means
>> a script could create a directory with shell commands in its name and
>> execute them.
Even if safe_mode_exec_dir is set to something like >> "/wont/ever/execute/anything/because/this/dir/does/not/exist" >> >> http://cvs.php.net/diff.php/TSRM/tsrm_virtual_cwd.c?r1=1.41.2.7&r2=1.41.2.8&ty=h >> >> Credits: Stefan Esser > >I have a question about the referenced patch: > >=================================================================== >RCS file: /repository/TSRM/tsrm_virtual_cwd.c,v >retrieving revision 1.41.2.7 >retrieving revision 1.41.2.8 >diff -p --unified=3 -r1.41.2.7 -r1.41.2.8 >--- tsrm_virtual_cwd.c 2004/12/02 00:44:33 1.41.2.7 >+++ tsrm_virtual_cwd.c 2004/12/02 01:04:46 1.41.2.8 >@@ -17,7 +17,7 @@ > +----------------------------------------------------------------------+ > */ > >-/* $Id: tsrm_virtual_cwd.c,v 1.41.2.7 2004/12/02 00:44:33 sesser Exp $ */ >+/* $Id: tsrm_virtual_cwd.c,v 1.41.2.8 2004/12/02 01:04:46 sesser Exp $ */ > > #include <sys/types.h> > #include <sys/stat.h> >@@ -835,13 +835,24 @@ CWD_API FILE *virtual_popen(const char * > CWD_API FILE *virtual_popen(const char *command, const char *type TSRMLS_DC) > { > int command_length; >+ int dir_length, extra = 0; > char *command_line; >- char *ptr; >+ char *ptr, *dir; > FILE *retval; > > command_length = strlen(command); > >- ptr = command_line = (char *) malloc(command_length + sizeof("cd ; ") + CWDG(cwd).cwd_length+1); >+ dir_length = CWDG(cwd).cwd_length; >+ dir = CWDG(cwd).cwd; >+ while (dir_length > 0) { >+ if (*dir == '\'') extra+=3; >+ dir++; >+ dir_length--; >+ } >+ dir_length = CWDG(cwd).cwd_length; >+ dir = CWDG(cwd).cwd; >+ >+ ptr = command_line = (char *) malloc(command_length + sizeof("cd '' ; ") + dir_length +1+1); > if (!command_line) { > return NULL; > } 
>@@ -851,8 +862,21 @@ CWD_API FILE *virtual_popen(const char * > if (CWDG(cwd).cwd_length == 0) { > *ptr++ = DEFAULT_SLASH; > } else { >- memcpy(ptr, CWDG(cwd).cwd, CWDG(cwd).cwd_length); >- ptr += CWDG(cwd).cwd_length; >+ *ptr++ = '\''; >+ while (dir_length > 0) { >+ switch (*dir) { >+ case '\'': >+ *ptr++ = '\''; >+ *ptr++ = '\\'; >+ *ptr++ = '\''; >+ /* fall-through */ >+ default: >+ *ptr++ = *dir; >+ } >+ dir++; >+ dir_length--; >+ } >+ *ptr++ = '\''; > } > > *ptr++ = ' '; > >The extra variable doesn't seem to be used except to count additional >space requirements. It is not used afterwards, so there is either no >need to count additional string space, or there is "+ extra" missing >in the malloc command from above. Hence, doesn't the above code write >over the end of the allocated area? > >Regards, > > Joey > >-- >All language designers are arrogant. Goes with the territory... > -- Larry Wall >_______________________________________________ >Vendor Security mailing list >Vendor Security@lst.de >https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec > >From vendor-sec-admin@lst.de Wed Dec 22 20:03:01 2004 >Return-Path: <vendor-sec-admin@lst.de> >X-Original-To: lnussel@wotan.suse.de >Received: from hermes.suse.de (hermes.suse.de [149.44.160.1]) > by wotan.suse.de (Postfix) with ESMTP id BAC9EF3D96 > for <lnussel@wotan.suse.de>; Wed, 22 Dec 2004 20:03:01 +0100 (CET) >Received: by hermes.suse.de (Postfix) > id AC60211137F; Wed, 22 Dec 2004 20:03:01 +0100 (CET) >Received: from scanhost.suse.de (scanhost.suse.de [149.44.160.36]) > by hermes.suse.de (Postfix) with ESMTP > id A063610FFDF; Wed, 22 Dec 2004 20:03:01 +0100 (CET) >Received: from hermes.suse.de ([149.44.160.1]) > by scanhost.suse.de (scanhost [149.44.160.36]) (amavisd-new, port 10025) > with ESMTP id 09498-16; Wed, 22 Dec 2004 20:02:59 +0100 (CET) >Received: from Cantor.suse.de (mail-ex.suse.de [195.135.220.2]) > (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) > (No client certificate 
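Review bot: in the `@@ -835,13 +835,24 @@` hunk, `extra` is accumulated by the counting loop but never used in the allocation; `malloc(command_length + sizeof("cd '' ; ") + dir_length +1+1)` reserves no room for the three bytes each `'` in the cwd expands to, so the quoting loop in the following hunk runs off the end of the buffer for any cwd containing a single quote. The malloc argument needs `+ extra`, and the two `dir_length = CWDG(cwd).cwd_length; dir = CWDG(cwd).cwd;` resets would be clearer as a single length-computing helper shared with the copy loop.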
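Review bot: in the `@@ -851,8 +862,21 @@` hunk, the `case '\''` branch writes `'\'` and then falls through to `default`, so each quote consumes one input byte and emits four, which matches the `extra += 3` count only if that count reached the allocation; as posted it did not, so this loop is where the heap write past the end of `command_line` happens. Worth adding a check that `ptr - command_line` stays below the allocated size before returning, and the `*ptr++ = DEFAULT_SLASH` path for an empty cwd deserves a comment that it is intentionally left unquoted.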
>From: Stefan Esser <sesser@php.net>
>To: Martin Schulze <joey@infodrom.org>
>Cc: Stefan Esser <sesser@suspekt.org>, vendor-sec@lst.de, security@php.net
>Date: Wed, 22 Dec 2004 20:01:10 +0100
>Subject: [vendor-sec] Re: PHP: Multiple vulnerabilities
>Message-ID: <41C9C476.80701@php.net>
>In-Reply-To: <20041222184046.GA26930@finlandia.infodrom.north.de>
>
>Ohhhhh....
>
>> The extra variable doesn't seem to be used except to count additional
>> space requirements. It is not used afterwards, so there is either no
>> need to count additional string space, or there is "+ extra" missing
>> in the malloc command from above. Hence, doesn't the above code write
>> over the end of the allocated area?
>
>It seems you are right. The situation that allowed arbitrary shell
>command execution in the last version does now overflow the buffer.
>
>Stefan
>
>--
>--------------------------------------------------------------------------
> Stefan Esser s.esser@e-matters.de
> e-matters Security http://security.e-matters.de/
>
> GPG-Key gpg --keyserver pgp.mit.edu --recv-key 0x15ABDA78
> Key fingerprint 7806 58C8 CFA8 CE4A 1C2C 57DD 4AE1 795E 15AB DA78
>--------------------------------------------------------------------------
> Did I help you? Consider a gift: http://wishlist.suspekt.org/
>--------------------------------------------------------------------------
>_______________________________________________
>Vendor Security mailing list
>Vendor Security@lst.de
>https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
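The allocation the thread is arguing about, as an added C example that is not PHP's code: it rebuilds the `cd '<cwd>' ; <command>` line the patched virtual_popen() produces, sizes the buffer with the counted extra bytes, and verifies that bytes written equal bytes allocated. The function names `quote_extra_bytes` and `build_popen_command` are assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not PHP's code: builds the "cd '<cwd>' ; <command>" line
 * the patched virtual_popen() produces, but sizes the buffer correctly.
 * Each single quote in cwd is emitted as '\'' (4 bytes for 1), i.e. 3 extra. */

/* Extra bytes that quote-escaping cwd will need (the patch's "extra"). */
size_t quote_extra_bytes(const char *cwd)
{
    size_t extra = 0;
    for (; *cwd; cwd++)
        if (*cwd == '\'')
            extra += 3;
    return extra;
}

/* Returns a malloc'd command line (caller frees) or NULL on failure.
 * An empty cwd is treated as "/" (the original writes DEFAULT_SLASH unquoted). */
char *build_popen_command(const char *command, const char *cwd)
{
    if (*cwd == '\0')
        cwd = "/";
    size_t extra = quote_extra_bytes(cwd);
    /* "cd '" + cwd + extra + "' ; " + command + NUL.
     * Dropping "+ extra" here is exactly the overflow Joey spotted. */
    size_t need = (sizeof("cd '' ; ") - 1) + strlen(cwd) + extra + strlen(command) + 1;
    char *line = malloc(need);
    if (!line)
        return NULL;
    char *p = line;
    memcpy(p, "cd '", 4);
    p += 4;
    for (; *cwd; cwd++) {
        if (*cwd == '\'') {            /* close quote, escaped quote, reopen */
            *p++ = '\''; *p++ = '\\'; *p++ = '\'';
        }
        *p++ = *cwd;                   /* the character itself */
    }
    memcpy(p, "' ; ", 4);
    p += 4;
    strcpy(p, command);
    /* Bytes written (incl. NUL) must match the allocation exactly. */
    if ((size_t)(p - line) + strlen(command) + 1 != need) {
        free(line);
        return NULL;
    }
    return line;
}
```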