Sec Bug #69418 CVE-2006-7243 fix regressions in 5.4+
Submitted: 2015-04-10 12:46 UTC Modified: 2015-05-19 05:34 UTC
From: thoger at redhat dot com Assigned: laruence (profile)
Status: Closed Package: *Directory/Filesystem functions
PHP Version: 5.5.23 OS:
Private report: No CVE-ID: 2015-4025
 [2015-04-10 12:46 UTC] thoger at redhat dot com
Description:
------------
After seeing CVE-2015-2348 and CVE-2014-5120, which are both 5.4+ regressions of parts of the CVE-2006-7243 fix, I ran some quick testing to catch more similar regressions (only for ext/standard).  Here are a few more issues I noticed.  Tested on 5.5.23; a quick look at the git 5.6 branch suggests 5.6 should be affected similarly.

* set_include_path - not sure if this can use 5.4-like fix using zend_parse_parameters() 'p' format, or needs 5.3-like fix with strlen(new_value) != new_value_len

$ php -r 'var_dump(set_include_path("/path/to/php\0extra")); echo get_include_path()."\n";'
string(32) ".:/usr/share/pear:/usr/share/php"
/path/to/php

* tempnam - dir is checked to be path and not contain \0, prefix is not

$ php -r 'var_dump(tempnam("/tmp\0extra", "prefix"));'
PHP Warning:  tempnam() expects parameter 1 to be a valid path, string given in Command line code on line 1
NULL

$ php -r 'var_dump(tempnam("/tmp/", "prefix\0extra"));'
string(17) "/tmp/prefixh3EaGL"

* rmdir

$ php -r 'var_dump(rmdir("/tmp/foo\0extra"));'
PHP Warning:  rmdir(/tmp/foo): No such file or directory in Command line code on line 1
bool(false)

* readlink

$ php -r 'var_dump(readlink("/bin/sh\0extra"));'
string(4) "bash"

For reference, here are links for CVE-2006-7243 fixes in 5.3 and 5.4:

5.3 http://git.php.net/?p=php-src.git;a=commitdiff;h=ce96fd6
5.4 http://git.php.net/?p=php-src.git;a=commitdiff;h=32b5f8a
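
The 5.3-style length comparison mentioned above for set_include_path, as an added example (not part of the original report and not php-src code). `struct counted_str`, `has_embedded_nul` and `checked_path` are hypothetical names; the sample inputs are the strings from the reproducers in the report.

```c
#include <stdio.h>
#include <string.h>

/* Length-counted string, the way a PHP string argument reaches C code
 * (hypothetical struct for illustration; not a php-src type). */
struct counted_str {
    const char *val;  /* bytes, NUL-terminated after len bytes */
    size_t len;       /* length as seen by PHP userland */
};

/* 5.3-style check: the C view (strlen) and the counted length disagree
 * exactly when a NUL byte is embedded in the value. */
static int has_embedded_nul(struct counted_str s)
{
    return strlen(s.val) != s.len;
}

/* Hypothetical wrapper: refuse the path instead of letting a C API
 * silently truncate it. Returns the path, or NULL when rejected. */
static const char *checked_path(struct counted_str s)
{
    return has_embedded_nul(s) ? NULL : s.val;
}

#define CS(lit) { lit, sizeof(lit) - 1 }

/* Constructed sample inputs, taken from the reproducers in the report. */
static const struct counted_str samples[] = {
    CS("/path/to/php\0extra"),
    CS("prefix\0extra"),
    CS("/tmp/foo\0extra"),
    CS("/bin/sh\0extra"),
    CS("/tmp/foo"),            /* well-formed control case */
};

int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct counted_str s = samples[i];
        /* %s stops at the first NUL, so it prints what the OS would see */
        printf("len=%2zu c_view=\"%s\" -> %s\n", s.len, s.val,
               checked_path(s) ? "accepted" : "rejected (embedded NUL)");
    }
    return 0;
}
```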


 [2015-04-10 22:22 UTC] yohgaki@php.net
-Status: Open +Status: Verified
 [2015-04-10 22:22 UTC] yohgaki@php.net
[yohgaki@dev php-src]$ php -r 'ini_set("open_basedir","/tmp/foo\0bar"); var_dump(ini_get("open_basedir"));'
string(8) "/tmp/foo"

Looks like we need to check path-related code to be complete.
 [2015-04-16 21:30 UTC] yohgaki@php.net
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2015-05-12 19:40 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=be9b2a95adb504abd5acdc092d770444ad6f6854
Log: Fixed bug #69418 - more s->p fixes for filenames
 [2015-05-12 19:40 UTC] stas@php.net
-Status: Verified +Status: Closed
 [2015-05-12 22:58 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=be9b2a95adb504abd5acdc092d770444ad6f6854
Log: Fixed bug #69418 - more s->p fixes for filenames
 [2015-05-13 10:53 UTC] jpauli@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bbe4b87e1d1fa858c208368a28c0fb17c7774fe0
Log: Fixed bug #69418 - more s->p fixes for filenames
 [2015-05-19 05:34 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence -CVE-ID: +CVE-ID: 2015-4025
 