php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #53275 dynamic loading bug related with CVE-2010-3847
Submitted: 2010-11-09 10:46 UTC Modified: 2011-11-15 19:12 UTC
From: dr dot cyberowl at gmail dot com Assigned:
Status: Not a bug Package: Dynamic loading
PHP Version: 5.3.3 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: dr dot cyberowl at gmail dot com
New email:
PHP Version: OS:

 

 [2010-11-09 10:46 UTC] dr dot cyberowl at gmail dot com
Description:
------------
I'm running apache with setuid as root.
When I convert string from euc-kr to utf-8 through iconv, I met next message.
iconv(): Wrong charset, conversion from 'EUC-KR' to 'UTF-8' is now allowed

after some google. I found solution.
This problem caused by security patch on glibc ld.so dynamic linker.
http://www.securityfocus.com/bid/44154

glibc-2.11 and over has patched. so you can produce same results.

Test code
<?
$test='adasdasd';
echo iconv('euc-kr', 'utf-8', $test);
?>
Here are some strace results.
1. with plain php cli binary
------------ CLIP -----------------
futex(0xb73aca8c, FUTEX_WAKE_PRIVATE, 2147483647) = 0
open("/usr/lib/gconv/EUC-KR.so", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220\4\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=13624, ...}) = 0
mmap2(NULL, 12316, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb722f000
mmap2(0xb7231000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2) = 0xb7231000
close(3)                                = 0
open("/usr/lib/gconv/tls/i686/sse2/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/gconv/tls/i686/sse2/cmov", 0xbf9d912c) = -1 ENOENT (No such file or directory)
open("/usr/lib/gconv/tls/i686/sse2/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/gconv/tls/i686/sse2", 0xbf9d912c) = -1 ENOENT (No such file or directory)
open("/usr/lib/gconv/tls/i686/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/gconv/tls/i686/cmov", 0xbf9d912c) = -1 ENOENT (No such file or directory)
open("/usr/lib/gconv/tls/i686/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/gconv/tls/i686", 0xbf9d912c) = -1 ENOENT (No such file or directory)
open("/usr/lib/gconv/tls/sse2/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/gconv/tls/sse2/cmov", 0xbf9d912c) = -1 ENOENT (No such file or directory)
open("/usr/lib/gconv/tls/sse2/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/gconv/tls/sse2", 0xbf9d912c) = -1 ENOENT (No such file or directory)
open("/usr/lib/gconv/tls/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/gconv/tls/cmov", 0xbf9d912c) = -1 ENOENT (No such file or directory)
open("/usr/lib/gconv/tls/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/gconv/tls", 0xbf9d912c) = -1 ENOENT (No such file or directory)
open("/usr/lib/gconv/i686/sse2/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/gconv/i686/sse2/cmov", 0xbf9d912c) = -1 ENOENT (No such file or directory)
open("/usr/lib/gconv/i686/sse2/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/gconv/i686/sse2", 0xbf9d912c) = -1 ENOENT (No such file or directory)
open("/usr/lib/gconv/i686/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/gconv/i686/cmov", 0xbf9d912c) = -1 ENOENT (No such file or directory)
open("/usr/lib/gconv/i686/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/gconv/i686", 0xbf9d912c) = -1 ENOENT (No such file or directory)
open("/usr/lib/gconv/sse2/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/gconv/sse2/cmov", 0xbf9d912c) = -1 ENOENT (No such file or directory)
open("/usr/lib/gconv/sse2/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/gconv/sse2", 0xbf9d912c) = -1 ENOENT (No such file or directory)
open("/usr/lib/gconv/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/gconv/cmov", 0xbf9d912c) = -1 ENOENT (No such file or directory)
open("/usr/lib/gconv/libKSC.so", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0 \4\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=46384, ...}) = 0
mmap2(NULL, 49172, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7222000
mmap2(0xb722d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xa) = 0xb722d000
close(3)                                = 0
mprotect(0xb722d000, 4096, PROT_READ)   = 0
mprotect(0xb7231000, 4096, PROT_READ)   = 0
------------ CLIP -----------------

2. with php cli binary setuided as root (run as normal user)
------------ CLIP -----------------
futex(0xb7469a8c, FUTEX_WAKE_PRIVATE, 2147483647) = 0
open("/usr/lib/gconv/EUC-KR.so", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220\4\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=13624, ...}) = 0
mmap2(NULL, 12316, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb72ec000
mmap2(0xb72ee000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2) = 0xb72ee000
close(3)                                = 0
open("$ORIGIN/tls/i686/sse2/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("$ORIGIN/tls/i686/sse2/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("$ORIGIN/tls/i686/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("$ORIGIN/tls/i686/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("$ORIGIN/tls/sse2/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("$ORIGIN/tls/sse2/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("$ORIGIN/tls/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("$ORIGIN/tls/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("$ORIGIN/i686/sse2/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("$ORIGIN/i686/sse2/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("$ORIGIN/i686/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("$ORIGIN/i686/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("$ORIGIN/sse2/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("$ORIGIN/sse2/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("$ORIGIN/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("$ORIGIN/libKSC.so", O_RDONLY)     = -1 ENOENT (No such file or directory)
open("/home/betmaster/apps/mysql/lib/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=16316, ...}) = 0
mmap2(NULL, 16316, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb72e8000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libKSC.so", O_RDONLY)        = -1 ENOENT (No such file or directory)
------------ CLIP -----------------




Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-11-15 19:12 UTC] felipe@php.net
-Status: Open +Status: Bogus
 [2011-11-15 19:12 UTC] felipe@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Jul 23 18:01:30 2024 UTC