php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #63297 Phar fails to write an openssl based signature
Submitted: 2012-10-17 09:20 UTC Modified: 2012-10-23 08:50 UTC
From: ab@php.net Assigned:
Status: Closed Package: PHAR related
PHP Version: 5.3Git-2012-10-17 (Git) OS: irrelevant
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: ab@php.net
New email:
PHP Version: OS:

 

 [2012-10-17 09:20 UTC] ab@php.net
Description:
------------
The test below fails on Windows




Test script:
---------------
ext\phar\tests\tar\phar_setsignaturealgo2.phpt

Expected result:
----------------
test Pass

Actual result:
--------------
There are several popups with the following messages when runnign on a debug build:

Run-Time Check Failure #2 - Stack around the variable 'data_len' was corrupted
Run-Time Check Failure #2 - Stack around the variable 'md_ctx' was corrupted

After the test has run, it's marked as passed though.

On a release build here's the diff

031+ phar error: unable to write signature to tar-based phar: unable to write phar "C:/php-sdk/php-test-pack-5.3-nts-windows-vc9-x86-r5d9fb8f/ext/phar/tests/tar/phar_setsignaturealgo2.phar.tar" with requested openssl signature===DONE===
031- array(2) {
032-   ["hash"]=>
033-   string(%d) "%s"
034-   ["hash_type"]=>
035-   string(7) "OpenSSL"
036- }
037- ===DONE===


Patches

bug63297 (last revision 2012-10-17 09:22 UTC by ab@php.net)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-10-17 09:22 UTC] ab@php.net
The following patch has been added/updated:

Patch Name: bug63297
Revision:   1350465738
URL:        https://bugs.php.net/patch-display.php?bug=63297&patch=bug63297&revision=1350465738
 [2012-10-17 09:25 UTC] ab@php.net
After looking close I can see the same behaviour on this three tests

ext\phar\tests\tar\phar_setsignaturealgo2.phpt
ext\phar\tests\test_signaturealgos.phpt
ext\phar\tests\zip\phar_setsignaturealgo2.phpt

and also on 5.4 ... just a side note.
 [2012-10-17 22:13 UTC] mattficken@php.net
I’ve tried your patch on PHP_5_4…

All 3 of those tests pass for me. The only failing test I get is fatal_error_webphar.phpt.
 [2012-10-23 08:50 UTC] ab@php.net
-Operating System: Windows +Operating System: irrelevant
 [2012-10-23 08:50 UTC] ab@php.net
Running with the valgrind, there is the following trace:

==22867== Use of uninitialised value of size 4
==22867==    at 0x829FFF2: phar_hex_str (util.c:1641)
==22867==    by 0x82A0ED4: phar_create_signature (util.c:2212)
==22867==    by 0x82A5923: phar_tar_flush (tar.c:1159)
==22867==    by 0x82C4CDF: phar_flush (phar.c:2611)
==22867==    by 0x82D31DD: zim_Phar_setSignatureAlgorithm (phar_object.c:3124)
==22867==    by 0x85AE738: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:320)
==22867==    by 0x85AEDDA: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:425)
==22867==    by 0x85ADC35: execute (zend_vm_execute.h:107)
==22867==    by 0x857C919: zend_execute_scripts (zend.c:1236)
==22867==    by 0x8505EB0: php_execute_script (main.c:2308)
==22867==    by 0x864F24A: main (php_cli.c:1189)
==22867==
==22867== Use of uninitialised value of size 4
==22867==    at 0x82A0019: phar_hex_str (util.c:1642)
==22867==    by 0x82A0ED4: phar_create_signature (util.c:2212)
==22867==    by 0x82A5923: phar_tar_flush (tar.c:1159)
==22867==    by 0x82C4CDF: phar_flush (phar.c:2611)
==22867==    by 0x82D31DD: zim_Phar_setSignatureAlgorithm (phar_object.c:3124)
==22867==    by 0x85AE738: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:320)
==22867==    by 0x85AEDDA: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:425)
==22867==    by 0x85ADC35: execute (zend_vm_execute.h:107)
==22867==    by 0x857C919: zend_execute_scripts (zend.c:1236)
==22867==    by 0x8505EB0: php_execute_script (main.c:2308)
==22867==    by 0x864F24A: main (php_cli.c:1189)
==22867==
==22867==
==22867== Syscall param write(buf) points to uninitialised byte(s)
==22867==    at 0x24E363: __write_nocancel (syscall-template.S:82)
==22867==    by 0x851F8A9: _php_stream_write_buffer (streams.c:1055)
==22867==    by 0x851FB5D: _php_stream_write (streams.c:1166)
==22867==    by 0x82A5A75: phar_tar_flush (tar.c:1190)
==22867==    by 0x82C4CDF: phar_flush (phar.c:2611)
==22867==    by 0x82D31DD: zim_Phar_setSignatureAlgorithm (phar_object.c:3124)
==22867==    by 0x85AE738: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:320)
==22867==    by 0x85AEDDA: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:425)
==22867==    by 0x85ADC35: execute (zend_vm_execute.h:107)
==22867==    by 0x857C919: zend_execute_scripts (zend.c:1236)
==22867==    by 0x8505EB0: php_execute_script (main.c:2308)
==22867==    by 0x864F24A: main (php_cli.c:1189)
==22867==  Address 0x58ae570 is 0 bytes inside a block of size 129 alloc'd
==22867==    at 0x400682F: malloc (vg_replace_malloc.c:236)
==22867==    by 0x855734A: _emalloc (zend_alloc.c:2348)
==22867==    by 0x82A0C15: phar_create_signature (util.c:2145)
==22867==    by 0x82A5923: phar_tar_flush (tar.c:1159)
==22867==    by 0x82C4CDF: phar_flush (phar.c:2611)
==22867==    by 0x82D31DD: zim_Phar_setSignatureAlgorithm (phar_object.c:3124)
==22867==    by 0x85AE738: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:320)
==22867==    by 0x85AEDDA: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:425)
==22867==    by 0x85ADC35: execute (zend_vm_execute.h:107)
==22867==    by 0x857C919: zend_execute_scripts (zend.c:1236)
==22867==    by 0x8505EB0: php_execute_script (main.c:2308)
==22867==    by 0x864F24A: main (php_cli.c:1189)
==22867==
 [2012-10-23 09:20 UTC] ab@php.net
Note that the previous trace was produced on CentOS using openssl 1.0.0 where under windows the bug shows up with openssl 0.9.8x .
 [2012-10-23 15:30 UTC] ab@php.net
I've tried with the following snippet: 

============= START SNIPPET ================

#include <stdlib.h>

#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/rsa.h>

int
main(int argc, char *argv[])
{
    EVP_MD_CTX *mdctx = NULL;
    unsigned char sign_value[1024];
    int sign_len, i;
    EVP_PKEY *pkey = NULL;
    RSA *rpkey = NULL;
    FILE *rpkey_file;

    mdctx = EVP_MD_CTX_create();

    rpkey_file = fopen("./rsa.key", "r");
    if (!rpkey_file) {
        return 3;
    }
    PEM_read_RSAPrivateKey(rpkey_file, &rpkey, NULL, NULL);

    pkey = EVP_PKEY_new();
    EVP_PKEY_set1_RSA(pkey, rpkey);

    EVP_SignInit_ex(mdctx, EVP_sha1(), NULL);
    EVP_SignUpdate(mdctx, "abracadabra0", strlen("abracadabra0"));
    EVP_SignUpdate(mdctx, "abracadabra1", strlen("abracadabra1"));
    EVP_SignUpdate(mdctx, "abracadabra2", strlen("abracadabra2"));
    EVP_SignUpdate(mdctx, "abracadabra3", strlen("abracadabra3"));
    EVP_SignUpdate(mdctx, "abracadabra4", strlen("abracadabra4"));
    EVP_SignFinal(mdctx, sign_value, (unsigned int *)&sign_len, pkey);

    sign_value[sign_len] = '\0';
    EVP_MD_CTX_destroy(mdctx);

    printf("Signature is: ");
    for(i = 0; i < sign_len; i++) {
        printf("%02x", sign_value[i]);
    }
    printf("\n");

    fclose(rpkey_file);

    return 0;
}

============= END SNIPPET ================

It does the same thing as the code in the phar extension producing a signature. Running that with valgrind gives a bunch of messages about openssl. After reading the openssl wiki http://www.openssl.org/support/faq.html#PROG13 I think the actual issue here is that no cleanup is performed on openssl, but that's a more global issue.

Thus, there is no clean run with or without the patch using valgrind. But the patch fixes the test run on windows, so i think it's worth to apply it.
 [2012-10-24 12:47 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a88379e03d806a1218926e9bf2c9bcd74c4124c7
Log: Fixed bug #63297 Phar fails to write an openssl based signature
 [2012-10-24 12:47 UTC] ab@php.net
-Status: Open +Status: Closed
 [2014-10-07 23:21 UTC] stas@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=a88379e03d806a1218926e9bf2c9bcd74c4124c7
Log: Fixed bug #63297 Phar fails to write an openssl based signature
 [2014-10-07 23:32 UTC] stas@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=a88379e03d806a1218926e9bf2c9bcd74c4124c7
Log: Fixed bug #63297 Phar fails to write an openssl based signature
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Oct 04 09:01:27 2024 UTC