Bug 827317 - (CVE-2013-2110) VUL-1: CVE-2013-2110: php53: php_quot_print_encode heap based overflow
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Assigned To: Petr Gajdos
Reported: 2013-06-28 07:55 UTC by Marcus Meissner
Modified: 2014-06-12 15:17 UTC (History)
Description Marcus Meissner 2013-06-28 07:55:14 UTC
Is public, via the CVE DB.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2110

Heap-based buffer overflow in the php_quot_print_encode function in ext/standard/quot_print.c in PHP before 5.3.26 and 5.4.x before 5.4.16 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted argument to the quoted_printable_encode function. 

CONFIRM:http://www.php.net/ChangeLog-5.php
CONFIRM:https://bugs.php.net/bug.php?id=64879
Comment 1 Marcus Meissner 2013-06-28 07:59:19 UTC
PHP 5.2 and older do not seem to have the function, so they are not affected.
Comment 2 Marcus Meissner 2013-06-28 08:00:21 UTC
The affected piece exists in our code in php53 on SLE11 SP2.
Comment 3 Swamp Workflow Management 2013-06-28 22:00:24 UTC
bugbot adjusting priority
Comment 4 Petr Gajdos 2013-07-02 17:10:45 UTC
Marcus, can you reproduce it with the testcase given in description of php bug? I can't or I haven't understood the real issue.

For multiplier=1000,

ret = safe_emalloc(1, 3 * length + 3 * (((3 * length)/PHP_QPRINT_MAXL) + 1), 0);

should allocate 1*(3*1000 + 3*(((3*1000)/75) + 1)) + 0 = 3123 bytes and *ret_length == 3117 at the end of the php_quot_print_encode() which is below allocated amount and *d is monotone. 

For multiplier=100000 (second testcase of bug64879.phpt), it allocates 312003 bytes, which also suffice, because *ret_length == 311997 at the end of this function in this case.

Or have I made a mistake somewhere?
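The arithmetic in the comment above can be checked mechanically. The following is an added example, not code from the bug report or from PHP itself: a Python model of the 5.3-style encoder's line wrapping (soft break "=\r\n" once an output line would exceed PHP_QPRINT_MAXL = 75, the limit used in the comment's division) together with the safe_emalloc() size formula quoted above. The escape rule set (control bytes, DEL, 8-bit bytes, '=', and a space before CR) and the exact break placement are assumptions made for the model; the inputs are constructed runs of the 8-bit byte 0xF4 at the two sizes the comment discusses.

```python
# Added example: a model of the quoted-printable encoder's wrapping logic and
# of the allocation formula quoted in comment 4, used to verify that the
# encoded length (plus the terminating NUL) stays inside the reserved buffer.
# This is a reconstruction for illustration, not the PHP source.

PHP_QPRINT_MAXL = 75  # output line limit; the 75 used in the comment's division


def alloc_size(length: int) -> int:
    """Bytes reserved by the safe_emalloc() call quoted in the comment:
    1 * (3 * length + 3 * (((3 * length) / PHP_QPRINT_MAXL) + 1)) + 0."""
    return 3 * length + 3 * (((3 * length) // PHP_QPRINT_MAXL) + 1)


def needs_escape(c: int, nxt) -> bool:
    """Bytes written as =XX. Assumption: the classic quoted-printable rule set
    (control bytes, DEL, any 8-bit byte, '=', and a space directly before CR)."""
    return (c < 0x20 or c == 0x7F or bool(c & 0x80) or c == ord('=')
            or (c == ord(' ') and nxt == 0x0D))


def qp_encode_model(data: bytes) -> bytes:
    """Model of the 5.3-style encoder: an escaped byte adds 3 to the current
    line length, a plain byte adds 1, and a soft break '=\\r\\n' is emitted
    whenever the line would exceed PHP_QPRINT_MAXL. A literal CRLF in the
    input is copied through and resets the line counter."""
    out = bytearray()
    lp = 0  # characters already on the current output line
    i, n = 0, len(data)
    while i < n:
        c = data[i]
        nxt = data[i + 1] if i + 1 < n else None
        if c == 0x0D and nxt == 0x0A:
            out += b"\r\n"
            i += 2
            lp = 0
            continue
        if needs_escape(c, nxt):
            lp += 3
            if lp > PHP_QPRINT_MAXL:
                out += b"=\r\n"
                lp = 3
            out += b"=%02X" % c
        else:
            lp += 1
            if lp > PHP_QPRINT_MAXL:
                out += b"=\r\n"
                lp = 1
            out.append(c)
        i += 1
    return bytes(out)


def fits_allocation(data: bytes) -> tuple:
    """Return (encoded_length, allocated_bytes, ok); ok is True when the
    encoded output plus its terminating NUL fits in the reserved buffer."""
    enc_len = len(qp_encode_model(data))
    alloc = alloc_size(len(data))
    return enc_len, alloc, enc_len + 1 <= alloc


if __name__ == "__main__":
    # Constructed inputs: runs of the 8-bit byte 0xF4 at the two sizes from comment 4.
    for multiplier in (1000, 100000):
        print(multiplier, fits_allocation(b"\xf4" * multiplier))
```

Run stand-alone, the script reports 3117 encoded bytes against a 3123-byte allocation for 1000 input bytes and 311997 against 312003 for 100000, reproducing the comment's figures: with one soft break per 25 escaped bytes the output never reaches the reserved size, which is the bound the comment relies on. A model of the later multibyte-aware wrapping (the change discussed in the following comments) is not attempted here, since the page does not describe its break placement.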
Comment 5 Petr Gajdos 2013-07-03 07:59:44 UTC
Tested with php 5.3.25.
Comment 6 Petr Gajdos 2013-07-03 09:01:32 UTC
Here we are:
https://bugzilla.redhat.com/show_bug.cgi?id=964969#c2

The commit referenced there appears not to be in the 5.3 branch, which leads me to the suspicion that
http://git.php.net/?p=php-src.git;a=commitdiff;h=93e0d78ec655f59ebfa82b2c6f8486c43651c1d0
is redundant.

I tend to believe we are not affected by this flaw then. 5.4 we have only in Factory, which is already fixed by the upgrade to 5.4.16.

I suggest closing this as invalid.
Comment 7 Marcus Meissner 2013-07-03 09:59:05 UTC
I looked over it and I think you are correct.

The heap overflow problem was introduced by the additional linebreak handling introduced by the commit you mentioned.
The issue does not affect PHP 5.3 on SLE11 SP2 or SP3.
Comment 8 Petr Gajdos 2013-07-03 10:38:47 UTC
Just for the record, the issue _can_ be reproduced with 5.4.15 as described in the php bug.