Bug 72441 (CVE-2004-1065)

Summary: VUL-0: CVE-2004-1065: PHP unserialize terrible performance
Product: [Novell Products] SUSE Security Incidents
Reporter: Michal Čihař <mcihar>
Component: Incidents
Assignee: Michal Čihař <mcihar>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: All
Whiteboard: CVE-2004-1065: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) CVSSv2:NVD:CVE-2004-1018:10.0:(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: separated patches

Description Michal Čihař 2005-03-14 15:03:39 UTC
Subject: PHP unserialize terrible performance
From: Leonard den Ottolander <leonard@den.ottolander.nl>
To: mcihar@suse.de
   
Hello,

I hope you don't mind me contacting you about this directly.

Since the update of mod_php4 to version 4.3.3-183 (SuSE 9.0) the
performance of unserialize() has deteriorated. I noticed this when
loading index.php in phpGedView-3.00.1. The rendering of the page used
to take a few seconds, but it now takes over 2 minutes! Reverting to
-179 fixes the issue.

It seems this issue is known by the php developers and has been fixed in
CVS (http://bugs.php.net/bug.php?id=31332).

The fix essentially is to update var_unserialize.c to CVS rev. 1.18.4.15
(or maybe even 1.18.4.14 although the CVS comments suggest the former)
and var_php.h to CVS rev. 1.21.4.5. The only fix is the "#if 1" below
"yy67:" as php_get_nan() and php_get_inf() are not yet defined.

I split out the fixes for CAN-2004-1018, CAN-2004-1019 and CAN-2004-1065
from php-4.3.3-secfix1.patch and updated the fix for CAN-2004-1019. You
no longer need the patches that touch var_unserializer.c. So you should
drop patches #10, #20 and #21 and add three separate patches for these
CAN issues.

Attached you find the three patches. I'd send you a SPEC file if you'd
like, but I suspect you can update it yourself.

I hope this patch (or a similar one) gets included in SuSE 9.0 soon so
people can enjoy a reasonable performance from unserializer() again.

Regards,
Leonard den Ottolander.
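A small regression harness for the behaviour described in the report above, added here as an illustration; it is not part of the bug report, the attached patches, or any SUSE or PHP code. It builds a nested array of a chosen size, serializes it, times a single unserialize() call, and exits non-zero when the call is slower than a threshold or the round trip does not reproduce the input. The depth and width values, the 2.0 second threshold, and the requirement of PHP 7 or later (for the `allowed_classes` option) are assumptions made for this example.

```php
<?php
// Added example, not the bug report's or PHP's own code.
// Regression check: time unserialize() on a constructed nested array so that
// a patched php build can be compared against the previous package.
// Assumptions: PHP 7 or later; depth/width and the threshold are arbitrary.

declare(strict_types=1);

// Build a nested array with $width entries per level and $depth nested
// levels; leaves alternate between string, int and float values so the
// number and string paths of the unserializer are both exercised.
function buildNested(int $depth, int $width): array
{
    $node = [];
    for ($i = 0; $i < $width; $i++) {
        if ($depth > 0) {
            $node["k$i"] = buildNested($depth - 1, $width);
        } else {
            switch ($i % 3) {
                case 0:  $node["k$i"] = "value$i"; break;
                case 1:  $node["k$i"] = $i * 1000;  break;
                default: $node["k$i"] = $i + 0.5;   break;
            }
        }
    }
    return $node;
}

// Time one unserialize() call and verify the result matches the original.
// allowed_classes => false keeps the check free of object instantiation,
// which is the right default for any untrusted serialized input.
function timeUnserialize(string $payload, array $expected): array
{
    $start = microtime(true);
    $value = unserialize($payload, ['allowed_classes' => false]);
    $elapsed = microtime(true) - $start;
    return ['seconds' => $elapsed, 'ok' => $value === $expected];
}

// Constructed input: depth 4 with width 6 gives 6^5 = 7776 leaf values.
$data    = buildNested(4, 6);
$payload = serialize($data);
$result  = timeUnserialize($payload, $data);

printf("payload %d bytes, unserialize() took %.3f s, round trip %s\n",
    strlen($payload), $result['seconds'], $result['ok'] ? 'ok' : 'MISMATCH');

$threshold = 2.0; // seconds; assumed budget for this payload size
if (!$result['ok'] || $result['seconds'] > $threshold) {
    fwrite(STDERR, "regression: unserialize() exceeded {$threshold}s or returned a different value\n");
    exit(1);
}
```

Run it once against the old package and once against the candidate build; a jump from well under a second to the minutes the report describes shows up immediately, and the round-trip comparison catches a patch that trades speed for a wrong result.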
Comment 1 Michal Čihař 2005-03-14 15:04:18 UTC
Created attachment 31459
separated patches
Comment 2 Michal Čihař 2005-03-14 15:04:55 UTC
Filed against SLES9 as it seems to be affected as well.
Comment 3 Michal Čihař 2005-03-14 15:58:42 UTC
5.0.3 in stable/9.3 is affected as well.
Comment 4 Michal Čihař 2005-04-07 08:59:53 UTC
Fixed together with bug #75704.
Comment 5 Michal Čihař 2005-04-07 09:00:36 UTC
Forgot to change state...
Comment 6 Marcus Meissner 2005-04-14 11:03:25 UTC
released updates now. 
Comment 7 Thomas Biege 2009-10-13 20:12:28 UTC
CVE-2004-1065: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)