Thread: gentoo php 5.1.6-pl6 htmlentities() double free
gentoo php 5.1.6-pl6 htmlentities() double free
Italy
2007-02-10 22:37:32
During "software development" with Di Paola we found that the latest php5
stable version available for gentoo (5.1.6) is affected by a double free
in the htmlentities() function, commonly exposed to user input.

This is not bug #28067; it's already patched in ubuntu and debian but
triggerable under gentoo with this released and public poc:

http://downloads.securityfocus.com/vulnerabilities/exploits/20879.php

The author of the poc is Zarathu.

We added some UTF tests, including this one, to our software on 01/17/07;
the public poc is even older and today is 02/10/07, so probably somebody
hasn't noticed the bug/patch.

Glibc backtrace: http://rafb.net/p/b35aEl20.html

You can verify this by comparing the file

/var/tmp/portage/php-5.1.6-r6/work/php-5.1.6/ext/standard/html.c

with ext/standard/html.c of ubuntu with patches applied:

function php_escape_html_entities(), called by php_html_entities()

+-  if (len + 9 > maxlen)
++  if (len + 16 > maxlen)
....
+    if (matches_map) {
++    int l = strlen(rep);
++    /* increase the buffer size */
++    if (len + 2 + l >= maxlen) {
++     replaced = erealloc(replaced, maxlen += 128);
++    }
++
+     replaced[len++] = '&';
+     strcpy(replaced + len, rep);
+-    len += strlen(rep);
++    len += l;
+     replaced[len++] = ';';
+    }
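Review bot: the growth in the matches_map branch, `replaced = erealloc(replaced, maxlen += 128);`, is a fixed 128-byte step, so the new `if (len + 2 + l >= maxlen)` guard only guarantees room for the copy when l + 2 is at most 128. That holds for the short entity names in the table, but the invariant is implicit; either a comment stating it or growing by `128 + l` would make the check self-evidently sufficient. The guard itself is the right fix for the original code shown below it: there the strcpy of rep was unconditional and relied only on the per-iteration `len + 9` reserve, which an entity expansion of more than 9 bytes exceeds, and the reserve being raised to 16 in the first hunk line does not remove that dependency on its own.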

Original code:

if (matches_map) {
 replaced[len++] = '&';
 strcpy(replaced + len, rep);
 len += strlen(rep);
 replaced[len++] = ';';
}

Ubuntu (not vulnerable)

PHP 5.1.6 (cli) (built: Nov  2 2006 12:49:10)
Copyright (c) 1997-2006 The PHP Group
Zend Engine v2.1.0, Copyright (c) 1998-2006 Zend Technologies

Gentoo (vulnerable)

PHP 5.1.6-pl6-gentoo (cli) (built: Feb  9 2007 22:00:21)
Copyright (c) 1997-2006 The PHP Group
Zend Engine v2.1.0, Copyright (c) 1998-2006 Zend Technologies

Stripped comm between ubuntu and gentoo:
http://rafb.net/p/Bm2Qjb83.html

Gentoo involved functions
http://rafb.net/p/LmZCaL28.html
http://rafb.net/p/48UWl028.html

Gentoo patchset
http://rafb.net/p/und1hw52.html

Ubuntu involved functions (prior to patching)
http://rafb.net/p/chiQsJ98.html

Ubuntu/debian patch
http://rafb.net/p/kvvZGh68.html

Moral: this is patched in the official php 5.2 source tree and in
ubuntu/debian 5.1.6 but not in gentoo 5.1.6, so imho it could be a nice
idea to push out a new stable version (like additional patching for 5.1.6
or a release upgrade using the 5.2 sources).

Regards,
Francesco `ascii` Ongaro
http://www.ush.it/

Stefano `wisec` Di Paola
http://www.wisec.it/
-- 
gentoo-server@gentoo.org mailing list
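The growth arithmetic that the patch in the message above changes, replayed as an added example. This is not PHP's ext/standard/html.c and not the authors' code: it is a minimal escaper with a constructed entity table (the '~' to "thetasym" mapping is hypothetical, picked because "&thetasym;" is 10 bytes, one more than the old 9-byte reserve) and a caller-chosen initial buffer size, where real PHP maps code points through a charset table and starts from a larger allocation. vulnerable_overrun() dry-runs the original "len + 9" rule without writing anything and reports how far past the allocation the original loop would have stored; escape_entities() implements the patched rule (16-byte reserve plus the per-entity check on len + 2 + strlen(rep)), growing in 128-byte steps as the patch does but looping so that an entity longer than one step still fits.

```c
/* Added example, not PHP's html.c: replays the buffer-growth arithmetic of
 * php_escape_html_entities() before and after the quoted patch.  The entity
 * table and the initial maxlen are constructed for illustration. */
#include <stdlib.h>
#include <string.h>

struct entity { unsigned char c; const char *name; };

/* Constructed table.  '~' -> "thetasym" is a hypothetical mapping chosen
 * because "&thetasym;" is 10 bytes: one more than the old 9-byte reserve. */
static const struct entity table[] = {
    { '<', "lt" }, { '>', "gt" }, { '&', "amp" }, { '"', "quot" },
    { '~', "thetasym" },
};

static const char *lookup(unsigned char c) {
    size_t i;
    for (i = 0; i < sizeof table / sizeof table[0]; i++)
        if (table[i].c == c) return table[i].name;
    return NULL;
}

/* Dry run of the ORIGINAL rule: grow only when len + 9 > maxlen, then copy
 * "&" rep ";" unconditionally.  Nothing is written; the function tracks
 * len/maxlen and returns the largest number of bytes the original loop
 * would have stored past the end of the allocation (0 means no overflow). */
size_t vulnerable_overrun(const char *in, size_t initial_maxlen) {
    size_t len = 0, maxlen = initial_maxlen, worst = 0;
    const unsigned char *p;
    for (p = (const unsigned char *)in; *p; p++) {
        const char *rep = lookup(*p);
        if (len + 9 > maxlen) maxlen += 128;       /* the original check */
        len += rep ? 2 + strlen(rep) : 1;         /* '&' name ';' or raw byte */
        if (len > maxlen && len - maxlen > worst) worst = len - maxlen;
    }
    return worst;
}

/* Ensure at least `need` bytes are free at offset len.  Grows in 128-byte
 * steps like the patch, but loops so that a name longer than one step
 * still fits.  Returns 0 on allocation failure, leaving *out valid. */
static int reserve(char **out, size_t *maxlen, size_t len, size_t need) {
    size_t want = *maxlen;
    char *tmp;
    while (len + need > want) want += 128;
    if (want == *maxlen) return 1;
    tmp = realloc(*out, want);
    if (!tmp) return 0;
    *out = tmp;
    *maxlen = want;
    return 1;
}

/* PATCHED rule: a 16-byte reserve per iteration plus a per-entity check on
 * len + 2 + strlen(rep) before the copy.  Returns a malloc'd NUL-terminated
 * string, or NULL on allocation failure; the caller frees it. */
char *escape_entities(const char *in, size_t initial_maxlen) {
    size_t len = 0, maxlen = initial_maxlen;
    char *out = malloc(maxlen);
    const unsigned char *p;
    if (!out) return NULL;
    for (p = (const unsigned char *)in; *p; p++) {
        const char *rep = lookup(*p);
        if (!reserve(&out, &maxlen, len, 16)) { free(out); return NULL; }
        if (rep) {
            size_t l = strlen(rep);
            /* the check the fix adds: len + 2 + l must stay below maxlen,
             * with one more byte so the trailing NUL always fits */
            if (!reserve(&out, &maxlen, len, 2 + l + 1)) { free(out); return NULL; }
            out[len++] = '&';
            memcpy(out + len, rep, l);
            len += l;
            out[len++] = ';';
        } else {
            out[len++] = (char)*p;
        }
    }
    out[len] = '\0';          /* reserve() guaranteed room for the NUL */
    return out;
}
```

With a 16-byte buffer, seven plain bytes followed by '~' pass the old check (7 + 9 is not greater than 16), yet the unconditional copy of "&thetasym;" stores byte 17, which is the one-byte overrun vulnerable_overrun() reports; the same input through escape_entities() grows the buffer first and yields "1234567&thetasym;".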


Re: gentoo php 5.1.6-pl6 htmlentities() double free
2007-02-11 04:12:19
ascii wrote:
> During "software development" with Di Paola we found that latest php5
> stable version available for gentoo (5.1.6) is affected by a double
> free in the htmlentities() function, commonly exposed to user input.
> 

The right place to file these requests is https://bugs.gentoo.org

Regards,
Petteri

Re: gentoo php 5.1.6-pl6 htmlentities() double free
Italy
2007-02-11 05:31:30
Petteri Räty wrote:
> The right place to file these requests is https://bugs.gentoo.org

hi Petteri,

I'm sorry but I have really no time to use that interface; is there
any email address dedicated to this so that I can forward the mail?

regards,
Francesco `ascii` Ongaro
http://www.ush.it/
-- 
gentoo-server@gentoo.org mailing list


Re: gentoo php 5.1.6-pl6 htmlentities() double free
2007-02-11 04:34:33
ascii wrote:
> Petteri Räty wrote:
>> The right place to file these requests is https://bugs.gentoo.org
> 
> hi Petteri,
> 
> i'm sorry but i have really no time to use that interface, is there
> any email address dedicated to this so that i can forward the mail?
> 
> regards,
> Francesco `ascii` Ongaro
> http://www.ush.it/

There isn't. You can hope that someone from the PHP team reads the
server list of course.

Regards,
Petteri

Re: gentoo php 5.1.6-pl6 htmlentities() double free
France
2007-02-11 04:59:43
On Sun, 11 Feb 2007, ascii wrote:

> During "software development" with Di Paola we found that latest php5
> stable version available for gentoo (5.1.6) is affected by a double
> free in the htmlentities() function, commonly exposed to user input.
> 

it's https://bugs.gentoo.org/show_bug.cgi?id=153911

The php team is working on putting php-5.2.1 into portage.

Please note that the htmlentities() and htmlspecialchars() issues can
only be triggered if you choose the UTF-8 charset, which is not the
default.


Cheers,
-- 
Raphaël Marichez aka Falco

Re: gentoo php 5.1.6-pl6 htmlentities() double free
Switzerland
2007-02-11 10:29:07
ascii wrote:
> During "software development" with Di Paola we found that latest php5
> stable version available for gentoo (5.1.6) is affected by a double
> free in the htmlentities() function, commonly exposed to user input.
> ...

We already know of this, please search https://bugs.gentoo.org/ when
reporting such stuff, you'd have noticed
https://bugs.gentoo.org/show_bug.cgi?id=153911 already. I know we're
terribly late on this one, but a combination of things is holding this
up until I can get 5.2.1 in the tree, which should be in a few days, and
that will fix this and many other problems.

-- 
Best regards,
Luca Longinotti aka CHTEKK

LongiTEKK Networks Admin: chtekk@longitekk.com
Gentoo Dev: chtekk@gentoo.org
SysCP Dev: chtekk@syscp.org
TILUG Supporter: chtekk@tilug.ch

Re: gentoo php 5.1.6-pl6 htmlentities() double free
Italy
2007-02-11 13:10:57
Luca Longinotti wrote:
> but a combination of things is holding this
> up until I can get 5.2.1 in the tree, which should be in a few days, and
> that will fix this and many other problems.

No polemic at all; as a gentoo user I'm happy that there will be a
solution in the next days.

regards,
Francesco `ascii` Ongaro
http://www.ush.it/

-- 
gentoo-server@gentoo.org mailing list

