Bugzilla – Bug 1081790
VUL-0: CVE-2015-9253: php5, php53, php7: The php-fpm master process restarts a child process in an endless loop when using program execution functions
Last modified: 2022-03-29 13:45:23 UTC
CVE-2015-9253 An issue was discovered in PHP through 7.2.2. The php-fpm master process restarts a child process in an endless loop when using program execution functions (e.g., passthru, exec, shell_exec, or system) with a non-blocking STDIN stream, causing this master process to consume 100% of the CPU, and consume disk space with a large volume of error logs, as demonstrated by an attack by a customer of a shared-hosting facility.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9253
https://www.futureweb.at/Futureweb-OG-php-fpm-master-process-restarts-child-process-in-a_pid,54177,type,firmeninfo.html
https://bugs.php.net/bug.php?id=75968
https://bugs.php.net/bug.php?id=70185
These codestreams are not affected, since we do not ship fpm there:
- SUSE:SLE-10-SP3:Update
- SUSE:SLE-11:Update

Affected:
- SUSE:SLE-11-SP3:Update (php53)
- SUSE:SLE-12:Update (php5, php7)
This does not seem to have a solution for a long time. The newer bug is private now, I will try to follow it on php-security@ for some time.
https://bugs.php.net/bug.php?id=75968 is now public, points to another bug: https://bugs.php.net/bug.php?id=73342 (with patch included)
No news in upstream bugs. I tried at least to reproduce the bug. I did on leap 42.3.

$ git clone https://github.com/pgajdos/apache-rex.git
$ cd apache-rex
$ ./run-rex mod_proxy_fcgi-php-fpm
[..]
See for details: /tmp/apache-rex/mod_proxy_fcgi-php-fpm
[..]
$ cd /tmp/apache-rex/mod_proxy_fcgi-php-fpm
$ /usr/sbin/php-fpm --fpm-config $PWD/php-fpm.conf
$ /usr/sbin/httpd -f $PWD/httpd.conf
$ curl -s http://localhost:60080/poc.php

see ./php-fpm.log is filling with

[02-Mar-2018 13:13:06] NOTICE: [pool www] child 9793 started
[02-Mar-2018 13:13:06] NOTICE: [pool www] child 9793 exited with code 0 after 0.001849 seconds from start
(In reply to Petr Gajdos from comment #6)
> No news in upstream bugs. I tried at least reproduce the bug. I did on leap
> 42.3.
>
> $ git clone https://github.com/pgajdos/apache-rex.git
> $ cd apache-rex
> $ ./run-rex mod_proxy_fcgi-php-fpm
> [..]
> See for details: /tmp/apache-rex/mod_proxy_fcgi-php-fpm
> [..]
> $ cd /tmp/apache-rex/mod_proxy_fcgi-php-fpm
> $ /usr/sbin/php-fpm --fpm-config $PWD/php-fpm.conf
> $ echo "<?php stream_set_blocking(fopen('php://stdin', 'r'), false); ?>" > htdocs/poc.php
> $ /usr/sbin/httpd -f $PWD/httpd.conf
> $ curl -s http://localhost:60080/poc.php
>
> see ./php-fpm.log is filling with
>
> [02-Mar-2018 13:13:06] NOTICE: [pool www] child 9793 started
> [02-Mar-2018 13:13:06] NOTICE: [pool www] child 9793 exited with code 0
> after 0.001849 seconds from start

Do you see a reason why this is a security bug?
At the very least you can (1) spam the syslog with error logs about php-fpm constantly respawning. You can easily create several MBs of logs per second, which will lead to DoS due to missing disk space pretty quick. This might be a problem for shared hosting providers, etc. While there might be means of mitigation to restrict CPU usage, syslog usage usually is not restricted. Furthermore (2) you'll burn CPU cycles since the respawning of php-fpm processes will take up to 100% of CPU time.
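The two effects described in this comment (log volume and a tight respawn loop) are both visible in the php-fpm.log lines quoted in comment 6, so a defender can alert on them before the disk fills. The following Python script is an added illustration for this bug report; it is not part of PHP, of the upstream fix, or of the SUSE packages. It parses only the two NOTICE line shapes shown in comment 6, and the alert thresholds (20 short-lived children inside a 10-second window, "short-lived" meaning under one second) and the sample log are assumptions constructed here.

```python
"""Detect php-fpm child respawn loops from php-fpm.log lines.

Added illustration for the bug discussion; not code from PHP or SUSE.
Log line shapes follow the reproduction output quoted in comment 6;
thresholds and the sample log are constructed assumptions.
"""
import re
from collections import deque
from datetime import datetime, timedelta

TS_FMT = "%d-%b-%Y %H:%M:%S"
STARTED_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE: \[pool (?P<pool>[^\]]+)\] "
    r"child (?P<pid>\d+) started$"
)
EXITED_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE: \[pool (?P<pool>[^\]]+)\] "
    r"child (?P<pid>\d+) exited with code (?P<code>\d+) "
    r"after (?P<secs>[0-9.]+) seconds from start$"
)


def parse_line(line):
    """Return a dict describing a child start/exit event, or None."""
    m = STARTED_RE.match(line)
    if m:
        return {"ts": datetime.strptime(m["ts"], TS_FMT), "pool": m["pool"],
                "pid": int(m["pid"]), "event": "started"}
    m = EXITED_RE.match(line)
    if m:
        return {"ts": datetime.strptime(m["ts"], TS_FMT), "pool": m["pool"],
                "pid": int(m["pid"]), "event": "exited",
                "code": int(m["code"]), "lifetime": float(m["secs"])}
    return None


def detect_respawn_loops(lines, window_seconds=10, max_short_exits=20,
                         short_lifetime=1.0):
    """Flag pools whose children die young at a high rate.

    A child that exits less than `short_lifetime` seconds after start
    counts as a short exit. When a pool accumulates `max_short_exits`
    of them inside a sliding `window_seconds` window, one alert
    (pool, timestamp, count) is emitted and the window is cleared, so
    a sustained loop yields one alert per burst rather than per line.
    """
    recent = {}   # pool -> deque of short-exit timestamps
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["event"] != "exited":
            continue
        if ev["lifetime"] >= short_lifetime:
            continue          # normal worker recycling, not a loop
        dq = recent.setdefault(ev["pool"], deque())
        dq.append(ev["ts"])
        cutoff = ev["ts"] - timedelta(seconds=window_seconds)
        while dq and dq[0] < cutoff:
            dq.popleft()
        if len(dq) >= max_short_exits:
            alerts.append((ev["pool"], ev["ts"], len(dq)))
            dq.clear()
    return alerts


def log_growth_bytes_per_second(lines):
    """Bytes of log written per second of wall time covered by `lines`.

    php-fpm timestamps have one-second resolution, so the span is
    widened to at least one second to avoid division by zero.
    """
    stamps = [ev["ts"] for ev in map(parse_line, lines) if ev]
    if not stamps:
        return 0.0
    span = max((max(stamps) - min(stamps)).total_seconds(), 1.0)
    return sum(len(l) + 1 for l in lines) / span   # +1 for the newline


def constructed_sample():
    """Constructed sample log: a looping pool 'www' and a healthy 'api'."""
    base = datetime(2018, 3, 2, 13, 13, 6)
    lines = []
    for i in range(30):                        # 30 respawns in ~2 seconds
        ts = (base + timedelta(seconds=i // 15)).strftime(TS_FMT)
        pid = 9793 + i
        lines.append(f"[{ts}] NOTICE: [pool www] child {pid} started")
        lines.append(f"[{ts}] NOTICE: [pool www] child {pid} exited with "
                     f"code 0 after 0.001849 seconds from start")
    ts = (base + timedelta(seconds=5)).strftime(TS_FMT)
    lines.append(f"[{ts}] NOTICE: [pool api] child 4242 exited with code 0 "
                 f"after 3600.5 seconds from start")   # normal recycling
    return lines


if __name__ == "__main__":
    sample = constructed_sample()
    for pool, ts, n in detect_respawn_loops(sample):
        print(f"{ts} pool {pool}: {n} short-lived children in window")
    print(f"log growth: {log_growth_bytes_per_second(sample):.0f} bytes/s")
```

Run against a real php-fpm.log (for example by tailing it and feeding lines to detect_respawn_loops), the pool name in the alert tells a shared-hosting operator which customer's pool is looping, which is the piece of information needed to act on the CPU and disk-space impact described above.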
Okay, understand. No news in the upstream bugs, suspending.
No fix on the upstream or downstream horizon as far as I can see.
(Patch from the upstream bug is not applied.)
(In reply to Petr Gajdos from comment #5)
> https://bugs.php.net/bug.php?id=75968
>
> is now public, points to another bug:
>
> https://bugs.php.net/bug.php?id=73342
> (with patch included)

In the meantime bug 73342 was marked as a duplicate of 75968 and the change in 73342 was accepted into PHP 7.1.x:
https://github.com/php/php-src/commit/69dee5c732fe982c82edb17d0dbc3e79a47748d8
Used:
https://github.com/php/php-src/commit/69dee5c732fe982c82edb17d0dbc3e79a47748d8
https://github.com/php/php-src/commit/cc5c51e7f0732067f105d13c6d355fcab5965c2f
Submitted for 15/php7, 12/php72, 11sp3/php53. I believe all fixed.
7.4+ have this fix in.
SUSE-SU-2022:0577-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1038980,1081790,1193041
CVE References: CVE-2015-9253,CVE-2017-8923,CVE-2021-21707
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): php72-7.2.5-1.75.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php72-7.2.5-1.75.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2022:0679-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1038980,1081790,1192050,1193041
CVE References: CVE-2015-9253,CVE-2017-8923,CVE-2021-21703,CVE-2021-21707
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): php7-7.2.5-4.89.4
SUSE-SU-2022:0679-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1038980,1081790,1192050,1193041
CVE References: CVE-2015-9253,CVE-2017-8923,CVE-2021-21703,CVE-2021-21707
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src): php7-7.2.5-4.89.4
SUSE Linux Enterprise Server for SAP 15 (src): php7-7.2.5-4.89.4
SUSE Linux Enterprise Server 15-SP1-LTSS (src): php7-7.2.5-4.89.4
SUSE Linux Enterprise Server 15-SP1-BCL (src): php7-7.2.5-4.89.4
SUSE Linux Enterprise Server 15-LTSS (src): php7-7.2.5-4.89.4
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): php7-7.2.5-4.89.4
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): php7-7.2.5-4.89.4
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): php7-7.2.5-4.89.4
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): php7-7.2.5-4.89.4
SUSE Enterprise Storage 6 (src): php7-7.2.5-4.89.4
SUSE CaaS Platform 4.0 (src): php7-7.2.5-4.89.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Released.